
Am I hacked or what? (17 posts)

  1. teknoledge
    Member
    Posted 3 years ago #

    Today at 1:12 PM index.php, wp-admin/index.php and wp-content/index.php files changed "itself".

    My guess is I was hacked but basically there is no harm done just some number buffered at the end of each page.

    <?php
    ob_start("security_update"); //do not remove this line - important security update!
    .
    .
    .

    // Output-buffer callback: runs over the whole rendered page before it is sent
    function security_update($buffer)
    {
        $update = '4294967295';
        // If the page has a closing </html tag, the number is placed in front of it
        // (the tag itself is rewritten to <html in the process)
        if (stristr($buffer, '</html') !== FALSE)
        {
            return eregi_replace('</html', $update.'<html', $buffer);
        }
        else
        {
            // Otherwise the number is simply appended to the output
            return $buffer.$update;
        }
    }

    Anyone experienced something like this?

  2. Jan Dembowski
    Member
    Posted 3 years ago #

    If that's in your index.php files then, yes, you are hacked. Just for discussion which 2.6 are you on?

    Read this

    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    And then read it again.

    Read this too

    http://codex.wordpress.org/Hardening_WordPress

    Upgrade to the latest version if you have not already. You need to see if there are any users added to WordPress that you don't know about/don't belong there.

    You need to go through your files and find where the spammy links are being added. If it's in wp-config.php or some other file, you'll need to make sure that is cleaned up before you can consider yourself good file wise. Look everywhere and use fresh copies of your WordPress installation, plugins, and themes.

    Look at your posts and comments and see if there are any spammy links there. You can export your whole blog to WXR and then examine the whole thing in your favorite text editor.

    Once you have cleaned up your hacked blog, harden it so this does not happen again.

    Good luck.

  3. teknoledge
    Member
    Posted 3 years ago #

    I'm running 2.6.3. Thanks for the quick reply!

  4. Jan Dembowski
    Member
    Posted 3 years ago #

    I'm running 2.6.3

    That's not good, that version has known security issues. If you don't want to take the 2.7 plunge yet, you should put 2.6.5 on your blog.

  5. stormymondays
    Member
    Posted 3 years ago #

    I'm with 2.6.5 and I just found that code in my WP.

  6. stormymondays
    Member
    Posted 3 years ago #

    Some more information. I may have been updated before I upgraded to 2.6.5, but I'm usually fairly quick to upgrade. I'll never know.

    I've done extensive searching and I can't find any more tampering. Specifically:

    • .htaccess not modified
    • Users not added
    • Plugins not added, no alterations in the plugins section of the database
    • Can't find any other files that have been tampered with

    It may have been just a "dry run" and the exploiter is waiting to attack. I don't know. I suppose the objective is to insert spam links where they please. I haven't checked the database for strange links in posts, it's going to be quite hard to do without knowing what to look for.

    I'm going to install 2.7, change every password, take a very good look at every directory and hope for the best.

  7. whooami
    Member
    Posted 3 years ago #

    It may have been just a "dry run"

    no such animal exists.

  8. stormymondays
    Member
    Posted 3 years ago #

    The vector was FTP, which is surprising. The attacker could have sniffed the user/password (I don't use sFTP-yet). Nothing else was touched, which is very strange indeed.

    All passwords have been changed all over the place, and everything updated to WP 2.7. There could be a backdoor, but I wasn't able to find it. If there is one, I guess I'll find out soon enough.

  9. WebMaister
    Member
    Posted 3 years ago #

    I'm having the same identical code added to my index.php file only.
    wp-admin/index.php and wp-content/index.php were not modified.

    According to the server modified date, the file was modified on Jan/9/2009.

    I'm running an old version of WordPress 2.3.3

    I don't think it is a hack, unless we are all getting hacked.
    On Google I found other people complaining about the same identical issue, have a look at:
    http://www.webmasterworld.com/php/3828975.htm

    and at http://forum.joomla.org/viewtopic.php?f=144&t=355303
    It seems in fact the same issue happened with Joomla in these days.
    They suggest to just remove what seems to be the injected code:

    basically the index.php file on WordPress 2.3.3 should look only like this:

    <?php
    /* Short and sweet */
    define('WP_USE_THEMES', true);
    require('./wp-blog-header.php');
    ?>

    And it's useless that people at WordPress go on saying you must update.
    Updating a WordPress blog takes time and it might result in data loss or a screwed up DB if you are not very careful at what you are doing.
    Since the people at WordPress seem to have fun making new releases almost every month, we cannot spend our lives updating the blog.

    Cheers!

  10. UseShots
    Member
    Posted 3 years ago #

    I don't see the full code snippet so I can only guess.

    That looks like an attempt to insert something just before the closing /html tag. Very popular technique to insert malicious scripts and hidden iframes.

    And this can be a "dry run". An automated program from a zombie computer tries to insert this code into every WordPress blog (or PHP site) and another automated program checks which sites are really vulnerable (they would contain that "update number") so that it can inject something more meaningful (and dangerous).
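    An added example, not code from this thread or from WordPress: it reproduces what the injected ob_start() callback from the first post does to a page, and scans a WordPress tree for the snippet's signature and for an index.php that differs from the clean 2.3.3 file quoted above. File contents and the temporary directory are constructed for the demo.

```python
import os
import re
import tempfile
MARKER = "4294967295"  # the "update number" quoted in the thread

# Clean WordPress 2.3.3 index.php exactly as quoted by WebMaister
CLEAN_INDEX = ("<?php\n/* Short and sweet */\ndefine('WP_USE_THEMES', true);\n"
               "require('./wp-blog-header.php');\n?>\n")
# Constructed infected file carrying the snippet from the first post
INFECTED_INDEX = '''<?php
ob_start("security_update"); //do not remove this line - important security update!
function security_update($buffer) { return eregi_replace('</html', '4294967295<html', $buffer); }
?>
'''
# Signatures of the injection: the ob_start callback and the '</html' rewrite
SIGNATURES = [re.compile(r"ob_start\(\s*['\"]security_update['\"]"),
              re.compile(r"eregi_replace\(\s*['\"]</html")]

def injected_callback(buffer):
    """Python equivalent of security_update(): the marker goes just before
    </html (which the snippet also turns into <html), else at the very end."""
    m = re.search(r"</html", buffer, re.IGNORECASE)  # eregi_* ignores case
    if m:
        return buffer[:m.start()] + MARKER + "<html" + buffer[m.end():]
    return buffer + MARKER

def scan_tree(root):
    """Relative paths of .php files under root that carry a signature."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                if any(sig.search(text) for sig in SIGNATURES):
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)

def index_is_clean(path):  # byte-for-byte match against the clean file
    with open(path, encoding="utf-8") as fh:
        return fh.read() == CLEAN_INDEX

def demo():
    """Build a constructed tree with one infected index.php and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content"))
    for rel, body in (("index.php", INFECTED_INDEX), ("wp-content/index.php", CLEAN_INDEX)):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return {"hits": scan_tree(root),
            "root_clean": index_is_clean(os.path.join(root, "index.php")),
            "content_clean": index_is_clean(os.path.join(root, "wp-content", "index.php"))}
```

    Run scan_tree() against a copy of the site's document root; anything it flags, and any index.php that is not byte-for-byte the stock file, should be replaced from a fresh WordPress download as Jan Dembowski advises above.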

  11. mrmist
    Forum Janitor
    Posted 3 years ago #

    And it's useless that people at WordPress go on saying you must update.
    Updating a WordPress blog takes time and it might result in data loss or a screwed up DB if you are not very careful at what you are doing.

    Quite right. That's why you are advised to backup your database first so that you can restore if necessary.

    However, the requirement to upgrade is not going to go away simply because you want an easier life. If you do not have the time to properly administer your site, then either hire someone to do it, move to a managed service, or accept that you will get hacked.

  12. quickdirt
    Member
    Posted 2 years ago #

    Guys, I work with a designer (I'm a programmer), and we've been having this on almost every site my partner works on but not on the ones that I work on.

    I believe this is just a local virus that logs to the FTP sites it finds on your FTP client and injects code. I don't think it has anything to do with WordPress at all. As I said, we've had this happen in many different sites; some PHP, and some pure HTML sites. In the HTML only sites, it just injects javascript, but if it sees PHP then it injects PHP too.

    Sucks...

  13. risk com au
    Member
    Posted 2 years ago #

    Hi,

    I'm hoping someone can help. I received a comment on my site (www.risk.com.au) from someone who has created an email address using my site name - wordpress@risk.com.au.

    I'm pretty new to this and am not sure where the source of security issue is i.e. WordPress or Hosting Service?

    Help!?

  14. teknoledge
    Member
    Posted 2 years ago #

    I figured out that this has nothing to do with WordPress, it's a server/hosting security flaw that needs to be checked. The same piece of code I found on a couple of .NET coded websites so it's definitely a hosting related issue.

  15. risk com au
    Member
    Posted 2 years ago #

    Hi teknoledge - sorry for the confusion but are you responding to the email issue (my issue) or the virus issue?

  16. mrmist
    Forum Janitor
    Posted 2 years ago #

    received a comment on my site (www.risk.com.au) from someone who has created an email address using my site name - wordpress@risk.com.au.

    If someone leaves an anonymous comment it may well use your site email address to send you notification.

    Or, in any case, when someone leaves a comment, they can put any email address they like into the "email" field.

    It's not really a security issue.

  17. risk com au
    Member
    Posted 2 years ago #

    Thanks Mr Mist....I am a "little" technically challenged!!!
