blog hacked, please help!! (16 posts)

  1. jerm
    Member
    Posted 6 years ago #

    i've been seeing codes like these at the footer of my blogs:

    [Moderator: example removed - Akismet classes your post as spam with it included]

    see: techfresh.net for example (i may have removed them by the time you read this though).

    does anyone know how anyone could do this to us? i removed xmlrpc.php on that domain and it still has the code.

    please help, this is messing with our adsense ads.

  2. jerm
    Member
    Posted 6 years ago #

    my question might've sounded silly but i seriously need some help.

    anyone?!

    please?

  3. whooami
    Member
    Posted 6 years ago #

    I looked at your blog earlier and saw nothing .. you indicated that you might be removing whatever "it" was by the time someone looks.

    Assuming that's the case, how can anyone here provide you any help? We don't know what you saw.

  4. jerm
    Member
    Posted 6 years ago #

    it was a bunch of spamming links. i copied and pasted it here but someone (or something) moderated the code. basically someone injected a bunch of codes in my index.php files. i looked all over the place and the only possible explanation i found was xmlrpc. any ideas?

  5. jerm
    Member
    Posted 6 years ago #

  6. whooami
    Member
    Posted 6 years ago #

    ideas? sure, I have tons of them but they're not related to this topic.

    what are the permissions of your theme files? first place to look.

    I can rattle off the standard reply, but it's not going to contain anything different than what's already been stated elsewhere.

    http://wordpress.org/search/hacked?forums=1

    Regarding your earlier post, a moderator moderated it -- that's what they do.

  7. whooami
    Member
    Posted 6 years ago #

  8. jerm
    Member
    Posted 6 years ago #

    exactly why i'm wondering, cuz it's supposed to be fixed right? so what else could cause someone to have cross site inject abilities over my files?

  9. whooami
    Member
    Posted 6 years ago #

    You're jumping to a lot of conclusions.. and you're not addressing the first thing I suggested.

    It doesn't take a big exploit to edit a file that has wide open permissions.

    I've not time, I'm sorry, to reiterate what's already been said elsewhere (as I pointed out above). If you are not content with what I have provided via the link above, you can always L@@K at your own server logs.

  10. shadow
    Member
    Posted 6 years ago #

    I moderated the links on your original post, as your post was stuck in the Akismet spam filter.

  11. jerm
    Member
    Posted 6 years ago #

    i made sure my template files were all 644. index.php was still compromised. this happened again today. maybe i'm jumping into conclusions, i'm no coder so i'm a bit lost.

  12. jerm
    Member
    Posted 6 years ago #

    ok my bad i wasn't being very clear. the index.php files that were hacked (injected with lines of spamming codes) were both the one in the document root and the one in my theme folder. some of those files were 666 but the rest were 644 and still got hacked (i have 10+ domains and they were all hacked).

    my host blames cpanel but if cpanel was compromised then why didn't the intruder mess up anything else?

  13. JeremyVisser
    Member
    Posted 6 years ago #

    I'm sorry, jerm, but there are many entrance points that a cracker could use, and unless you are capable of analysing your own server logs, or trusting somebody else with your login/password, it is unlikely that you will be able to find out how the cracker got in.

    Having said that, please follow common sense by doing some basic steps that should throw a cracker off your tail:

    1. Change all your passwords. Your cPanel password. Your WordPress password. Maybe even the login password to your PC.
    2. Make sure you're running WordPress 2.3. (Which I presume you are, judging by what you wrote at the top of this thread.)
    3. Check the plugins you're running. Many WordPress plugins are poorly coded, and could have been the entrance point. I can see a list of all the plugins you're running on your blog (possibly a security nightmare), which means a cracker could have been reading the very same list.
    4. Are you running anything other than WordPress on the site? Perhaps crackers gained access via an outdated copy of phpMyAdmin.
    5. Your host says they blame cPanel. Er, if your host is running an insecure version of cPanel, I'd protest by changing hosts. (Unless you or I have misunderstood your host.)
    6. Don't use FTP to upload files to your hosting account. With FTP, your username/password are transmitted across the Internet in plain text, and anybody with a packet sniffer between you and your host can see the password. I highly recommend you use SSH instead. (...which works great with cPanel.)

  14. JeremyVisser
    Member
    Posted 6 years ago #

    jerm, you could gain valuable knowledge by reading other threads about the same topic.

  15. jerm
    Member
    Posted 6 years ago #

    thanks jeremy, you're right no one can seem to pin the problem down to any specific hole. i've done everything that you listed plus a few more and things seem fine for the time being.

    what happens if i don't put back xmlrpc.php though? am i missing out on something i don't know?

  16. djchuang
    Member
    Posted 6 years ago #

    I got hacked yesterday too, at http://www.djchuang.com - ruined all kinds of index.php files. File permission was CHMOD 644, so my password must've been hacked, right?

    (going in right now into my Dreamhost panel to change passwords)
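
The permission and index.php checks discussed in this thread, as an added example that is not part of any poster's message: a shell audit that lists PHP files writable by group or others (such as the 666 files mentioned above) and index.php files changed in the last few days, across several document roots. The function names and the 7-day default are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit WordPress document roots for
# loosely permissioned PHP files and recently modified index.php files.
# Usage (paths are placeholders): audit_roots /path/to/site1 /path/to/site2

# List PHP files writable by group or others (e.g. mode 666 or 664).
# Uses POSIX -perm tests, so it works with both GNU and BSD find.
loose_php_files() {
    local root=$1
    find "$root" -type f -name '*.php' \( -perm -020 -o -perm -002 \) -print | sort
}

# List index.php files (document root and theme folders) modified within
# the last N days (default 7): the files the thread reports as injected.
recent_index_files() {
    local root=$1 days=${2:-7}
    find "$root" -type f -name 'index.php' -mtime "-$days" -print | sort
}

# Audit several document roots in one pass.
# Returns 1 if any root contains a group/other-writable PHP file.
audit_roots() {
    local root status=0
    for root in "$@"; do
        [ -d "$root" ] || { echo "skip: $root is not a directory" >&2; continue; }
        echo "== $root"
        echo "-- PHP files writable by group/others:"
        loose_php_files "$root"
        echo "-- index.php modified in the last 7 days:"
        recent_index_files "$root" 7
        [ -z "$(loose_php_files "$root")" ] || status=1
    done
    return "$status"
}
```

An empty first list does not rule out tampering: a 644 file is still writable by its owner, so a stolen password or any script running as that account can change it. Compare the recently modified files against a clean copy and the server logs for the same dates.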

Topic Closed

This topic has been closed to new replies.