
Admin - Search Plugin page - hacked/exploited (29 posts)

  1. getinked5
    Member
    Posted 2 years ago #

    I have a problem. I think I was SQL injected somehow and I cannot figure out where the redirect is.

    How it happens: if you are in the admin module and go to /wp-admin/plugin-install.php and click on any link, it takes me to this page wp-admin/plugin-install.php?tab=search&type=tag&s=admin which, if I click on anything, redirects me off my site to http://generation-internet.ru/pcollection/index.php?tab=dashboard which is a virus!

    Has anyone had this happen before? I've deleted/restored everything and narrowed it down to the database, but I can't find how they encrypted the string. Any ideas?

  2. mtangazaji
    Member
    Posted 2 years ago #

    I have the same problem. Additionally, our frontend users are also sporadically redirected to the Russian URL named above, which is fatal.

    Our server was attacked this afternoon by several foreign computers (checked logfile). All of them tried to upload files named sm3.php in the theme directory of our active theme. Possibly malware was injected through thumb.php, used by our theme for image resizing.

    I tried the whole afternoon/evening to find a solution to completely clean our site, but I still had no luck. There might be several preg_replace code fragments spread out in several files on our server where they should not be. Another strange encrypted file found here was wp.php.

    Any ideas?

  3. James
    Member
    Posted 2 years ago #

    I have the same problem, but no idea how to resolve.
    @getinked5 I'm wondering why deleting the site and restoring didn't resolve the issue?

  4. getinked5
    Member
    Posted 2 years ago #

    I'm guessing it's in the database, which is the only thing I haven't had time to clean out yet.

  5. getinked5
    Member
    Posted 2 years ago #

    I'll have to try reloading our theme again too.

  6. vickie
    Member
    Posted 2 years ago #

    I've had the same thing this evening.

    My super helpful host (TSO) found things that shouldn't have been in .htaccess and removed them. This seems to have solved the problem (hopefully) so might be worth you checking there for anything unusual.

  7. getinked5
    Member
    Posted 2 years ago #

    Yeah, my .htaccess was clean.

  8. Peter Butler
    Member
    Posted 2 years ago #

    If one of you wants some help getting this cleaned up, I'd be happy to have a look, and then give some instructions for everybody else having the issue. You can get in touch with me through the contact form at my site.

  9. psynix
    Member
    Posted 2 years ago #

    Just managed to clean up my partner's site (well, I think I have) following some of the pointers in this thread:

    1) .htaccess had been appended to with "Error 404" directives. Removed those only.
    2) Removed sm3.php and wp.php completely.
    3) Updated thumb.php to the latest version from http://timthumb.googlecode.com/svn/trunk/timthumb.php which has hopefully closed any holes.

    This seems to have solved the issue and I'm not seeing any redirects to the .ru site anymore.

    Note: I have not scanned the DB yet.

  10. vickie
    Member
    Posted 2 years ago #

    Thanks for the summary @psynix - I've now also updated timthumb.php.

    It would be really helpful if you could post how you scan the database?

    Many thanks

  11. getinked5
    Member
    Posted 2 years ago #

    I'm on vacation right now or I'd be spending more time on this. I updated my thumb page also, but mine seems to be only SQL injected. Only when I go to my search plugin page am I seeing any errors. I'll be digging into the database more tomorrow.

  12. getinked5
    Member
    Posted 2 years ago #

    Great site @Peter Butler. I'll hit you up later for some different reasons related to security.

  13. SilverRayn5
    Member
    Posted 2 years ago #

    The problem I ran into is that the .htaccess files were modified. NOTE: they do not LOOK modified at first, but you should notice scroll bars which normally are not there. That indicates that there is a lot more text in your file than you are currently seeing.

    In case your hosting provider doesn't help, try this solution:

    First CHMOD your .htaccess file from 444 to 644. (It appears that the files were turned 444 after the edit that caused the problem.)

    Access (edit) your .htaccess file. MAKE A COPY! Then, clear it out. Add in something like this:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    AddType x-mapp-php5 .php

    # protect wp-config.php
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

    # disable directory browsing
    Options All -Indexes

    #Protect .htaccess itself
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </Files>

    # END WordPress

    You can try checking this site http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676 or others if you want to see additional tips on how to secure your .htaccess file.

    Once you have saved your .htaccess file, save it.

    This should now have fixed the problem above.

    -Kimberly
    http://www.silverwebdesigns.net

  14. goodevil
    Member
    Posted 2 years ago #

    Hey Kimberly,

    I fixed the permissions and edited the .htaccess file like you mentioned, thinking that would fix it. It seemed fine for an hour or two and then I saw the malicious code in there again (and the permission was again changed to 444).

    So I fixed it again, but this time I also updated the thumb.php in my theme files. I am hoping this fixes it for the long run.

    Did your .htaccess file get modified after you fixed it?

    thanks!
    april

  15. psynix
    Member
    Posted 2 years ago #

    Tried visiting your website lately Kimberly? Redirects to the .ru site at the moment.

  16. goodevil
    Member
    Posted 2 years ago #

    Psynix,

    I can't seem to locate these two files you mentioned:

    "2) Removed sm3.php and wp.php completely."

    Where would these be?

    thanks!
    april

  17. psynix
    Member
    Posted 2 years ago #

    If they exist, they'll be in your theme's directory:

    wp-content/themes/your-theme-name

  18. goodevil
    Member
    Posted 2 years ago #

    Ah, found it. It was not on my main domain, but I found it on one of the subdomains. Hopefully deleting those will do the trick. Crossing my fingers.

    Thanks Psynix.

  19. MickeyRoush
    Member
    Posted 2 years ago #

    Another suggestion is that after you've uploaded a new corrected .htaccess, make it read-only by changing it back to 444 so that no malicious script can overwrite it again.

    Just remember what you've done in case you change your permalink settings, or do anything that requires editing of your .htaccess, because nothing will be able to edit it while it's 444. Example: plugins like WP Super Cache.

  20. goodevil
    Member
    Posted 2 years ago #

    Thanks MickeyRoush -- good suggestion.

    1 hour and it hasn't changed yet. If I see it crop up again I will definitely fix and change to 444.

  21. rezwalker666
    Member
    Posted 2 years ago #

    Hey guys,

    Is the actual file named "thumb.php" vulnerable? I am fully aware of the whole "timthumb.php" issue, but I just scanned my themes today and found that in one of them it is using just "thumb.php", and I'm wondering if it's at risk.

    If it is, how can I secure it with "timthumb.php"? (Especially since the filename does not match).

  22. psynix
    Member
    Posted 2 years ago #

    @rezwalker666 They are the same files ... just remove the old 'thumb.php' and rename the new 'timthumb.php' to 'thumb.php'.

  23. rezwalker666
    Member
    Posted 2 years ago #

    Cool beans, it worked just fine psynix. Thank you mate :D

  24. david_m
    Member
    Posted 2 years ago #

    I think that this issue with timthumb.php is the biggest in WordPress history!!!

  25. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

  26. vickie
    Member
    Posted 2 years ago #

    Thanks everyone for their help here which has helped me fix my hacked site from this horrible problem - much appreciated!

  27. bigcityinformer
    Member
    Posted 2 years ago #

    Hi,
    similar problem here, the following files have been uploaded somehow to our server's theme directory:
    sm3.php
    d.php
    r1.php

    One file has 3 domains in it (the "NOT safe for work" type).

    We did not see redirects yet, but someone apparently is sending mail via our server (we got the bounced ones back - that's how we noticed).

    We will fix it now, but can anyone point out how the files got uploaded? Does someone know the passwords for the FTP or root access?

    Thanks
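
The cleanup steps collected in posts 9, 13, 19 and 27 (appended "Error 404" directives and 444 permissions on .htaccess, sm3.php/wp.php/d.php/r1.php dropped into theme directories, outdated thumb.php/timthumb.php copies) as one defender-side audit script. This is an added example, not code from any poster in this thread; the output labels and the constructed sample tree it builds under --demo are assumptions, and it needs only POSIX sh, find, grep and mktemp.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: audit a WordPress tree
# for the indicators the posts above describe (sample tree and labels are mine;
# the file names and the 444/ErrorDocument 404 details come from the thread).
# Usage: sh wp_audit.sh /path/to/wordpress   or   sh wp_audit.sh --demo

# One .htaccess: flag mode 444 (the post-infection state reported above) and any
# ErrorDocument 404 directive that sends missing-page hits off-site. Always returns 0.
audit_htaccess() {
    f="$1"
    case "$(ls -ld "$f")" in
        -r--r--r--*) echo "PERMS  $f is mode 444; check its content" ;;
    esac
    if grep -Eiq '^[[:space:]]*ErrorDocument[[:space:]]+404[[:space:]]+https?://' "$f"; then
        echo "REDIR  $f has an ErrorDocument 404 pointing off-site"
    fi
    return 0
}

# Whole install: every .htaccess, the dropped files named in this thread under
# wp-content/themes, and any thumb.php/timthumb.php copy that needs replacing.
audit_wordpress() {
    root="$1"
    find "$root" -type f -name .htaccess 2>/dev/null |
    while IFS= read -r p; do audit_htaccess "$p"; done
    find "$root/wp-content/themes" -type f 2>/dev/null \
        \( -name sm3.php -o -name wp.php -o -name d.php -o -name r1.php \) |
    while IFS= read -r p; do echo "DROP   $p matches a file name dropped by this attack"; done
    find "$root/wp-content/themes" -type f 2>/dev/null \
        \( -name thumb.php -o -name timthumb.php \) |
    while IFS= read -r p; do echo "UPDATE $p is a TimThumb copy; replace it with the latest release"; done
    return 0
}

# Constructed sample install (one infected .htaccess, one dropped file, one
# TimThumb copy) in a temp directory so the script can be tried offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/mytheme"
    printf 'RewriteEngine On\nErrorDocument 404 http://example.invalid/404\n' > "$d/.htaccess"
    chmod 444 "$d/.htaccess"
    : > "$d/wp-content/themes/mytheme/sm3.php"
    : > "$d/wp-content/themes/mytheme/thumb.php"
    echo "$d"
}

if [ -n "${1:-}" ]; then
    [ "$1" = --demo ] && set -- "$(make_sample_tree)"
    audit_wordpress "$1"
fi
```

Every line it prints is something to inspect by hand (diff the .htaccess against a known-good copy, compare the TimThumb copy with the current release); it deletes nothing itself.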

  28. 82concepts
    Member
    Posted 2 years ago #

    I had some issues with the TimThumb.php exploit on multiple sites. I spent a good amount of the last week reading about how to beef up security and do a better job on my part to not let it happen again.

    Here are a couple of links that definitely were helpful:

    Check your site for malicious files and content (it will show you the direct path to evil files or files that have been compromised): http://sitecheck.sucuri.net/scanner/

    http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676
    http://codex.wordpress.org/Hardening_WordPress
    http://codex.wordpress.org/Changing_File_Permissions
    http://techspheria.com/2011/08/phpremoteview-hack-what-it-is-and-how-to-remove-it/

    This guy rewrote TimThumb this last week, many thanks to him. Lots of good articles about this situation and others on his site:
    http://markmaunder.com/

    New TimThumb:
    http://code.google.com/p/timthumb/

  29. mauigrl
    Member
    Posted 2 years ago #

    psynix, I really need help with this. I can't seem to get it right. Can you please help me? Here is my email: mauigrl808@gmail.com.
