WordPress 3.3.1 hacked

  • Billy

    (@billybrasov)


    12 years, 1 month ago

    Hello, a few days ago that I started to have problems with a hacker who hack one of my blogs. Began to enter through the images folder and now I’ve seen in the logs that have accessed through the wp-user.php file.
    I think the hacker is from Saudi Arabia because it changes my page with a page with text in Arabic and Muslim music.

    This is what I see in the log:

    [00:10:09] root@MyServer [~]# grep myusername report.txt
    /home/myusername/public_html/wp-user.php:2:eval (gzinflate(base64_decode

    [00:18:34] root@MyServer [~]# stat /home/myusername/public_html/wp-user.php
    File: `/home/myusername/public_html/wp-user.php’
    Size: 23169 Blocks: 48 IO Block: 4096 fichier régulier
    Device: 801h/2049d Inode: 26510383 Links: 1
    Access: (0644/-rw-r–r–) Uid: ( 658/myusername) Gid: ( 609/myusername)
    Access: 2012-02-28 00:17:43.000000000 +0100
    Modify: 2012-02-23 21:05:01.000000000 +0100
    Change: 2012-02-23 21:05:01.000000000 +0100

    Please help me to improve the security of my blog.
    In the last week has hacked me 4 times.
    The other time has enter through a file called al.php who uploadit to the images folder and in the log I found it this:

    /home/myusername/public_html/images/al.php
    [14:37:11] root@MyServer [/home/myusername/public_html/images]# stat /home/myusername/public_html/images/al.php
    File: `/home/myusername/public_html/images/al.php’
    Size: 23169 Blocks: 48 IO Block: 4096 fichier régulier
    Device: 801h/2049d Inode: 26543734 Links: 1
    Access: (0644/-rw-r–r–) Uid: ( 658/myusername) Gid: ( 609/myusername)
    Access: 2012-02-22 14:35:14.000000000 +0100
    Modify: 2012-02-22 00:48:16.000000000 +0100
    Change: 2012-02-22 00:48:16.000000000 +0100

    [22/Feb/2012:00:41:44 +0100] “GET /shakira-pura-energia/ HTTP/1.1” 200 12900 … etc..

    Thanks in advance!!

Viewing 7 replies - 1 through 7 (of 7 total)
  • The Hack Repair Guy

    (@tvcnet)

    12 years, 1 month ago

    If they entered through your /images folder this means one of the scripts on your website is allowing for the injection of files (like those you are finding within your images folder).

    To stop your hacker from being able to execute those files within your images folder (effectively stopping them cold!) just create a text file named:
    .htaccess

    Then put these lines of text in the file:

    # This prevents people from looking at your htaccess file.
    <Files ~ “\.htaccess$”>
    order deny,allow
    deny from all
    </Files>
    # This line turn off directory listings
    Options -Indexes
    # Makes scripts appear as text. Good for image only directories (antihacker)
    Addhandler text/plain .pl .cgi .php .py .jsp .asp .shtml .sh

    Upload the file into your /images directory.

    Enjoy!

    Thread Starter Billy

    (@billybrasov)

    12 years, 1 month ago

    Hi tvcnet, I have 2 files named .htaccess in my wordpress hosting

    One in root folder (in /public_html) with this configuration:

    # -FrontPage-

    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>
    AuthName mydomain.com
    AuthUserFile /home/myusername/public_html/_vti_pvt/service.pwd
    AuthGroupFile /home/myusername/public_html/_vti_pvt/service.grp
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    And the other .htaccess file in the folder named “images” from “/public_html” with this configuration:

    AddType text/plain .pl .cgi .php .py .jsp .asp .shtml .sh

    # This prevents people from looking at your htaccess file.

    <Files ~ “\.htaccess$”>
    order deny,allow
    deny from all
    </Files>

    # This line turn off directory listings

    Options – Indexes

    # Makes scripts appear as text. Good for image only directories (antihacker)
    Addhandler text/plain .pl .cgi .php .py .jsp .asp .shtml .sh

    Is it OK now? Thanks!!

    The Hack Repair Guy

    (@tvcnet)

    12 years, 1 month ago

    This is not a hacked htaccess though:

    # -FrontPage-
    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>
    AuthName mydomain.com
    AuthUserFile /home/myusername/public_html/_vti_pvt/service.pwd
    AuthGroupFile /home/myusername/public_html/_vti_pvt/service.grp
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    Thread Starter Billy

    (@billybrasov)

    12 years, 1 month ago

    Ok, that means that the htaccess file of my public_html is correct right? but the other htaccess file from images folder is it correct?

    P.S. I have disabled the contact page of my website and the cformsII plugin because I thought there was enter the hacker .. is this thing possible?

    The Hack Repair Guy

    (@tvcnet)

    12 years, 1 month ago

    Yes, looking good.

    Thread Starter Billy

    (@billybrasov)

    11 years, 12 months ago

    again I have hacked my web pages. This time I updated wordpress to the latest version is 3.3.2 and not at all served. The strange thing is that one of the pages was very new, just finish it yesterday and after a short time the whole hacker and hack it. Everything points as if the hacker has to do with any plugin Worpdress or those who use and who otherwise might not learn as fast as this new website. Please if anyone can help me. Thank you!

    Paweł Knapek

    (@adpawl)

    11 years, 12 months ago

    First – turn-off page in .htaccess file.
    Next, check files by modyfication time and look into server logs.
    Then, by FTP remove wp-admin and wp-config catalog ….and replace it by fresh copy from latest wp package. Replace all files in wp root directory.
    Remove all plugins and upload a fresh copy’s.

    Check all non-modified files eg. wp-config.php, .htaccess, in themes (if possible, replace by a fresh/backup copy) and upload folder. Find and remove malicous code in non-modified files and remove all backdoors hidden in the new, non-standard files.
    After cleaning, secure your wp – set permissions, add fixes to .htaccess, check your theme – if timthumb is used – update and secure it.
    On end, turn-on your page.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘WordPress 3.3.1 hacked’ is closed to new replies.