Forums

WordPress › Support » How-To and Troubleshooting

Hack Warning (10 posts)

  1. smoothyazz
    Member
    Posted 2 years ago #

    We've been getting a LOT of reports of people who've suddenly noticed their sites have some weird stuff in the URLs. Notably "eval" and "base64_decode".

    http://wordpress.org/support/topic/307652
    http://wordpress.org/support/topic/297639
    http://wordpress.org/support/topic/307518

    So far, all of these reports (that I can find) have been on people running older versions of WordPress.

    The hack attack also works on the newest version. The reason for theses attacks are infected themes (with a link to casino sites). I am not a programmer. But be aware these malicious codes work with a html-virus which is a trojan. They can spy out your passwords and occupy your wordpress-blog and your website. They can even infect further websites as I was informed by my provider by downloading a virus. I downloaded the infected themes here:

    http://www.wordpressthemebase.com

    Infected are Header and Footer of these themes. I was warned by the Antivir-software AVIRA. After I deleted these themes, they hacked my site. So await everything evil. They are very active!

  2. Rev. Voodoo
    Volunteer Moderator
    Posted 2 years ago #

    Yeah, there are a lot of posts on here about that, including a thread I started yesterday.

    http://wordpress.org/support/topic/316011?replies=9

    Mine didn't come from a dirty theme, as I make all my own themes. But yeah, every single php file I had, on all my sites got infected....I'm still waiting to see what permanent damage was done after the cleanup

    It's truly nasty

  3. Mobster
    Member
    Posted 2 years ago #

    Why can't eval scripts be blocked all together on a server? Wouldn't that solve this problem?

    Sure it would force a few javascript plugins to rethink.

  4. smoothyazz
    Member
    Posted 2 years ago #

    Looks like the problem is more serious, as I estimated. My website is closed by the provider. He'll try to restore the files from a backup and fix the exploited files. Looks like the exploit is downloading a virus to the client PCs and infected some other websites. Anyway take good care before downloading themes from outside wordpress.org.

  5. whooami
    Member
    Posted 2 years ago #

    ... every single php file I had, on all my sites got infected.

    and THATS a sure sign of malware on a machine that you are using.

  6. Rev. Voodoo
    Volunteer Moderator
    Posted 2 years ago #

    Actually, I'm pretty sure it's not the machine I'm using. I use a laptop that's freshly formatted and very secure....and I rechecked it last night multiple ways....it's clean. The only other computer I use is at work, and that's very secure, also clean.

    One thing to check out....I believe I may have tracked the issue down on the simplemachines.org forum, if you are using an install of that software. Anything other than the latest version (1.x or 2.x) of the simplemachines forum was vulnerable to a hack that came in with a certain user. If you use simplemachines, and have a user called krisbarteo, then most likely you got hacked. You can check it out over there, but it results in the same base64_decode problem. Basically a lot of the people over on that forum noticed spammy links hidden on their forum (I never got that), but on further investigation, all their php files on their server for any site had the base64 business on it.

    So I can't even tell where my hack came in at. I noticed it first on my wordpress, but it very well may have come in through my forum.

  7. pembo210
    Member
    Posted 2 years ago #

    My site has been hacked three times in the last 2 weeks. I have all the security plugins and have changed multiple settings including chmods, auth keys, .htaccess, and admin user names. I have all the newest versions and multiple forms of protection on my local machine.
    Go Figure...

  8. Rev. Voodoo
    Volunteer Moderator
    Posted 2 years ago #

    you've gone through every folder on your host? It's a pain...

    I think I've finally got everything clean. I had a test.php file hidden 3 levels deep in my shop in a different directory.

    I just found 2 more whatever.php files in a 2008 uploads folder of a different WP install

    Those allowed people to change my main WP install....the only way I found them was by noting the timestamp of an altered file, then checking my server logs for that exact time to see what happened.

  9. melissaaggie
    Member
    Posted 1 year ago #

    What can I do if I suspect that I've been hacked? I'm desperately trying to find someone who can help me and who specializes in WordPress Blog viruses. I've scanned my blog with all of the online tools and they say that I'm clean, yet I've had three people tell me that they couldn't go to my blog because of a trojan virus warning and all of a sudden, mysterious links and plugins show up on my blog. Please help!

  10. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    What to do if you think you've been hacked:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.