Hacked 5 times! :( (21 posts)

  1. Kargo
    Member
    Posted 4 years ago #

    Hey guys, a few others and I run a music news website, and over the past week we have been attacked. Our WordPress installation has been hijacked, with ...PHP eval(base64_decode('JGNvZGVsb')); ? being included in all of our PHP files and many <script="http://xxxxxx/guidit.php"> tags being added after the </head> on our pages. After some research I've found out it's a Gamburl virus. We are running the latest stable version of WordPress (2.9.2).

    We've done everything: changed FTP and login passwords, restored the site with clean files, started over with a fresh WordPress install and database, and have even changed hosting company completely, but no matter what we do the virus/hackers just keep coming back.

    I have the following installed:

    Microsoft Security Essentials
    SUPER Anti Spyware
    MalwareBytes
    Ashampoo Firewall

    MSE has always picked up the virus as soon as I try entering the site and find out it's infected; it's good at that. It has always quarantined and deleted the trojan. I've done several scans with SUPER and MalwareBytes too.

    This morning was the 5th time we've been hacked. I just don't understand how they are getting in so easily.

    1) Changed FTP and wordpress user passwords
    2) Clean wordpress install with clean theme files
    3) Changed the database prefix from "_wp" to something else
    4) Disabled comment forms, as I was told SQL injections can be performed this way
    5) Secured the login form with the LoginLockDown plugin
    6) Installed the 'Exploit Scanner', 'WordPress Firewall', 'WP Security' and 'AntiVirus' plugins.

    Followed the steps on here

    It just seems our site is being targeted time and time again by hackers who really do not want to see us online, possibly a rival site. What can I do to stop them hacking us? They seem to be doing it like a breeze. I was told to look at other systems and not use WordPress anymore, but I'd rather not get rid of WP, as I and most of the writers really like it.

    Any help will be appreciated.
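The two artefacts described in this post, the eval(base64_decode('...')) loader prepended to PHP files and the script tag dropped after </head>, are easy to find mechanically once the install is pulled down over FTP. The script below is an added example and not part of the thread or of WordPress; it builds a small constructed install in a temp directory (file names and contents are invented to match the post), walks it, flags both patterns, and decodes the base64 blob so you can see what would have been eval'd. The regexes are assumptions about what the injected code looks like, written from the fragments quoted above.

```python
import base64
import os
import re
import tempfile

# Injected loader reported in the thread: eval(base64_decode('...')) at the top of every PHP file.
# The optional gzinflate/str_rot13 wrappers are an assumption covering common variants.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]",
    re.I,
)
# Script tag injected right after </head>; also matches the malformed <script="http://..."> form quoted above.
INJECTED_SCRIPT = re.compile(r"</head>\s*<script(?:\s+src)?\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.I)
SCAN_EXT = {".php", ".html", ".htm", ".js"}


def decode_b64_preview(blob, limit=60):
    """Best-effort decode of a (possibly truncated) base64 blob so the analyst can read what it would eval."""
    blob = blob.rstrip("=")
    if len(blob) % 4 == 1:          # one dangling character can never complete a base64 group
        blob = blob[:-1]
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob).decode("latin-1")[:limit]
    except ValueError:
        return "<undecodable>"


def scan_file(path):
    """Return one finding per injected loader or script tag in a single file."""
    findings = []
    with open(path, "r", encoding="latin-1") as fh:
        text = fh.read()
    for m in EVAL_B64.finditer(text):
        findings.append({"file": path, "kind": "eval_base64", "detail": decode_b64_preview(m.group(1))})
    for m in INJECTED_SCRIPT.finditer(text):
        findings.append({"file": path, "kind": "injected_script", "detail": m.group(1)})
    return findings


def scan_tree(root):
    """Walk a downloaded copy of the site and collect findings from every PHP/HTML/JS file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if os.path.splitext(name)[1].lower() in SCAN_EXT:
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def make_sample_tree():
    """Constructed sample install (not real site files): one clean file and two injected ones."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    payload = base64.b64encode(b'echo "injected";').decode()
    files = {
        "wp-config.php": "<?php\n$table_prefix = 'wp_';\n",
        "index.php": "<?php eval(base64_decode('%s')); ?>\n<?php require 'wp-blog-header.php';\n" % payload,
        "wp-content/themes/custom/header.php":
            "<html><head><title>x</title></head><script=\"http://xxxxxx/guidit.php\"></script>\n<body>\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="latin-1") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(make_sample_tree()):
        print(f["kind"], f["file"], f["detail"])
```

Run it against a copy of the site fetched over FTP rather than through the WordPress editor, which is what Gary suggests further down for footer.php: a compromised install can lie through its own admin pages, a downloaded copy cannot. Decoding the blob matters because the decoded text often names the next file or URL the loader reaches for, which is a lead the injected line alone does not give you.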

  2. mrmist
    Forum Janitor
    Posted 4 years ago #

    The constant factor, then, would be the computers that you are using locally to do uploads etc. I'd guess that one of them has been compromised.

  3. Kargo
    Member
    Posted 4 years ago #

    Thanks for the reply. I do daily scans with Microsoft Security Essentials and it doesn't pick up anything. The only other person who has FTP access does too, but again it doesn't pick anything up.

  4. Roy
    Member
    Posted 4 years ago #

    Just a thought, but do you keep using the same theme? Plugins you download from the site and use again? Try to think which files are NOT clean when you start anew.

    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
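Roy's question, which files are carried over unchanged from one "clean" install to the next, is answered most reliably by hashing. The following is an added example, not code from the thread or from any of the plugins it mentions: it hashes a baseline tree (the fresh download plus the theme you believe is clean), hashes the live tree after the next hit, and reports what was added, modified or removed. Both trees here are constructed in temp directories with invented file contents so the script runs offline; the loader string is the one quoted in the first post.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root, forward slashes) to its SHA-256 so two trees compare by content."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(clean, live):
    """Files present on the live site but not in the baseline, changed since the baseline, or gone."""
    return {
        "added": sorted(set(live) - set(clean)),
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "removed": sorted(set(clean) - set(live)),
    }


def suspicious_uploads(manifest):
    """PHP under wp-content/uploads has no legitimate reason to exist; the web server will execute it on request."""
    return sorted(
        p for p in manifest
        if p.startswith("wp-content/uploads/") and p.lower().endswith((".php", ".phtml", ".php5"))
    )


def _write_tree(root, files):
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)


def make_sample_trees():
    """Constructed baseline (fresh core + clean theme) and a live copy with typical post-compromise changes."""
    clean_files = {
        "index.php": b"<?php require './wp-blog-header.php';\n",
        "wp-settings.php": b"<?php // core bootstrap\n",
        "wp-content/themes/custom/footer.php": b"<?php wp_footer(); ?></body></html>\n",
        "wp-content/uploads/2010/03/logo.png": b"\x89PNG\r\n\x1a\n",
    }
    live_files = dict(clean_files)
    # loader prepended to index.php, the pattern reported in the thread
    live_files["index.php"] = b"<?php eval(base64_decode('JGNvZGVsb')); ?>" + clean_files["index.php"]
    # a web shell dropped into uploads under an innocent-looking name (constructed)
    live_files["wp-content/uploads/2010/03/image.php"] = b"<?php @eval($_POST['c']); ?>"
    clean_root = tempfile.mkdtemp(prefix="wp-clean-")
    live_root = tempfile.mkdtemp(prefix="wp-live-")
    _write_tree(clean_root, clean_files)
    _write_tree(live_root, live_files)
    return clean_root, live_root


if __name__ == "__main__":
    clean_root, live_root = make_sample_trees()
    report = diff_manifests(build_manifest(clean_root), build_manifest(live_root))
    for key, paths in report.items():
        print(key, paths)
    print("php in uploads:", suspicious_uploads(build_manifest(live_root)))
```

Build the baseline from the zip you download, before it ever touches the server, and store the manifest somewhere other than the site. When the site is hit again, pull the whole tree down over FTP and diff it: the "added" list is where dropped shells and rogue plugins show up, "modified" is where loaders get prepended. wp-config.php and the uploads directory will legitimately differ from a fresh download, so expect those and read them by hand rather than filtering them out.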

  5. Gary Bairead
    Member
    Posted 4 years ago #

    Can you post up the site url?

    Try checking the footer.php file of the theme you're using for obfuscated code via FTP (i.e., don't view it through the WP editor).

    Are you using any plugins which are not available from wordpress.org?

  6. Kargo
    Member
    Posted 4 years ago #

    Hey, I've completely wiped WordPress, just to protect the visitors of the site, because we do get a lot of visits.

    Well, first, the infection happened with another theme, ComfyPro to be precise. So then we did a clean reinstall of WordPress and changed to a custom one, and it returned. Whenever we are infected, I don't just replace the files I think are infected; I completely remove WordPress and the database and start new, but after a day or two they strike again.

    All of the plugins we download are from WordPress.org. The plugins we were using on the last clean install, which we thought was secure enough, were:

    - WP Security Scan
    - AntiVirus
    - Login Lockdown
    - Exploit Scanner
    - WP Firewall
    - Custom Field Template
    - WP to Twitter

    We're starting to think that these hackers may be from a rival site, as they don't seem to be giving up.

  7. Roy
    Member
    Posted 4 years ago #

    Something must be left among your files or in the database. If that's out of the question, you might have a hacked site on your shared server.

    We're starting to think that these hackers may be from a rival site, as they don't seem to be giving up.

    It shouldn't be that easy...

  8. Shakhawat
    Member
    Posted 4 years ago #

    I was hacked with those codes too. I suggest you clean up your PC from viruses first, and also your partners'. Or reinstall Windows.

    Possibly you were hacked by c99madshell v. 2.0 madnet edition. Back up your posts/comments from the WordPress export option. DO NOT BACK UP YOUR DATABASE, because sometimes the database contains the virus. Read this topic to get more info.

    Change the cPanel/FTP password.

  9. @Kargo: who is your host? Have you talked to them?

  10. Steve D
    Member
    Posted 4 years ago #

    I guess those of us on shared-hosting services are supposed to be responsible for application-layer security now?

    Sheesh

    I guess those of us on shared-hosting services are supposed to be responsible for application-layer security now?

    Yes. It's not easy, but there are hosting services that do get it right. My preference is for a VPS but that doesn't mean shared hosting can't work safely.

    If you can't find a shared host that knows what they are doing, then seriously consider moving to a managed blog service like WordPress.COM.

  12. Steve D
    Member
    Posted 4 years ago #

    If you can't find a shared host that knows what they are doing, then seriously consider moving to a managed blog service like WordPress.COM.

    I need complete commercial and creative flexibility and freedom; we are selling advertising the old-school way. It is a long-term project. Full time.

    I will probably need to go to dedicated hosting of some kind; the issue there, though, is cost and diligently managing the burn rate of my investment capital. I am financing this project and I don't have a money tree in the back yard. The only hope at this point is that NS "gets it together" and provides the kind of security customers/end users deserve. If they can't secure their shared hosting they shouldn't even be in the business. Actually, this is a wake-up call for all of us.
    There are lots of loose ends that need to be addressed here. Irresponsible blogging is also emerging as a threat now. WordPress probably should have full-time reps teaching and educating these hosting services getting into the WordPress game "how to do it right". The WordPress product brand suffers and takes a credibility hit from this kind of stuff happening.

    At the risk of totally going off the OP (and maybe this should be in WPTavern space), but here goes.

    WordPress probably should have full-time reps teaching and educating these hosting services getting into the WordPress game "how to do it right".

    That's a nice sentiment, but this is a volunteer open source effort. You, me, and the rest of the volunteers really are it.

    Some hosts get it and some don't. Commercial Darwinism can't happen soon enough.

    The WordPress product brand suffers and takes a credibility hit from this kind of stuff happening.

    I think the "brand" suffers from the lack of understanding of roles and responsibility. WordPress.ORG is just another collection of PHP scripts running on a server. The server portion can be (maybe) addressed by WordPress.ORG, but that's moving into a space that is outside of the application's space.

    That's best served by plugins (also maybe) or another script to report on the posture of the server you are running on.

    Just my opinion.

  14. Steve D
    Member
    Posted 4 years ago #

    Well, as far as Commercial Darwinism goes, I don't think of everything as "competition". You can succeed outside of that realm of duality.

    Anyway, open source is good stuff as long as we don't "self-destruct" from out-of-control complexity in the process. Anyway, the common thread here is people are getting hacked from the inside, on hosting servers that reside in the top ten largest providers. We can harden and apply top-notch security all we want, but if the host doesn't have it together, forget it. Then there's the issue of FTP vs. SFTP. End users need to know how to securely use this stuff, like FileZilla for example. And at this point I can imagine some shared-hosting bloggers might not even know all that much about their own personal computer security. No offense intended, but if you're not even running a basic firewall/antivirus program and you're using easy FTP or something, ouch!

    I could go on and on and on, but I won't.

  15. kitsonas
    Member
    Posted 4 years ago #

    I will suggest a different approach to your problem:
    How many people have administration privileges on your site? Are all of them trustworthy? Are they cautious enough to secure their passwords? Are they able to keep their computers "clean"? Next time you reinstall WordPress, do it from a cleanly formatted PC and keep the administrator role only for yourself. If you can, switch to Ubuntu/Linux for enhanced security.

  16. Kargo
    Member
    Posted 4 years ago #

    OK, since I was hacked for the 5th time I have kept WordPress removed from my server. I would really appreciate it if you guys could guide me through what to do. I've tried out some other CMSs, as I was told to move away from WordPress, but I just keep coming back; none of the others do it for me. I really do not want to have to stop using WordPress, as it does everything I need and more.

    So, currently I have a clean server. Here is the theme I intend to upload; if anyone could scan it and give me the all clear before I get started, it would be much appreciated. http://www.sendspace.com/file/1fopvz

    Thanks

  17. You really need to look at the root of the issue: who is your host? What security problems do they have? Have you told your host you've been hacked? Are you on Windows or Linux? Are you shared or running your own VPS?

    And: who has access to your server and admin PCs?

  18. Kargo
    Member
    Posted 4 years ago #

    My host is http://www.otthosting.com, but I was also hacked when I was on another host last week. I actually changed hosting companies thinking it was the host's server, but then a few days later my site was attacked on the new server.

    The servers are shared and are on Linux as far as I'm aware. It's only our directory that is being affected; our host checked the other sites on his server, including those also using WordPress, and they were clean.

    I am the only person who has access to my PC, and only two people, myself and the site's other administrator, have access to FTP. We have both been tearing our hair out trying to stop these hacks.

  19. otthosting is one of many resellers who buy from hostcentric. Find a host who is not a reseller: http://wordpress.org/hosting/ It's easy to search these forums for feedback on them.

    You really need to know what you are running, Linux or Windows, in order to figure out the problem. And you need a host that will provide logs and more help than just checking "his server."

  20. dvwp
    Member
    Posted 4 years ago #

    Maybe try setting up a new WordPress blog elsewhere on your server, while keeping your current set-up alive.

    Use only the default theme, and current, new copies of the plugins you use, and a new database.

    Post some new content.

    See if the site gets hit.

    If it lives for a while, switch it to your current theme and see if you get hit.

    We call this a 'drone site': one you're hoping gets hit so you can find out how.

    It helped us narrow down the nino plas virus situation when it hit us.

    Best of luck.

  21. Inspired2Write
    Member
    Posted 4 years ago #

    Kargo,
    What about uploaded images on your site? I didn't see if you mentioned checking those, or checking for images you didn't upload. They could contain hidden code.

    Did you look in your log files to see if you can identify their entry?

    Also, to check your themes, you can install the plugin 'TAC' for theme authentication, to identify whether a theme is safe or not. Hope things get resolved for you soon!
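Both questions in this post, whether the uploads directory is hiding code and whether the access log shows the entry, can be answered with a short script once the host hands over the logs. What follows is an added example, not part of the thread: it parses Apache/nginx combined-format log lines (a constructed sample, with documentation-range IPs), flags the three request patterns that most often expose a WordPress break-in (hits on PHP under wp-content/uploads, direct requests to a theme file with a query string, and a run of POSTs to wp-login.php that ends in a redirect), and checks whether bytes that claim to be an image contain a PHP open tag. The login threshold and the theme-file heuristic are tuning assumptions, not rules from the thread.

```python
import re
from collections import defaultdict

# Combined log format; the regex only cares about the fields used below, so referer/agent may be absent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# PHP open tags an uploaded "image" has no business containing.
PHP_TAG = re.compile(rb"<\?php|<\?=|<script\s+language=['\"]?php", re.I)
LOGIN_POST_THRESHOLD = 3   # assumption: tune to the real traffic of the site

# Constructed sample log: a normal visitor, an operator driving a dropped shell, and a login brute force.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:03:12:01 +0000] "GET /wp-content/uploads/2010/03/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2010:03:14:22 +0000] "POST /wp-content/uploads/2010/03/image.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Mar/2010:03:14:25 +0000] "POST /wp-content/uploads/2010/03/image.php HTTP/1.1" 200 95 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Mar/2010:03:15:02 +0000] "GET /wp-content/themes/custom/footer.php?cmd=id HTTP/1.1" 200 33 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2010:03:20:10 +0000] "GET / HTTP/1.1" 200 21044 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2010:03:21:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "python-urllib"
192.0.2.55 - - [10/Mar/2010:03:21:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "python-urllib"
192.0.2.55 - - [10/Mar/2010:03:21:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-urllib"
"""


def parse_log(text):
    """Return one dict per parseable line; unparseable lines are skipped rather than aborting the triage."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def triage(rows):
    """Group the requests that usually reveal how and from where the site is being driven."""
    out = {"uploads_php": [], "direct_theme_hits": [], "login_bruteforce": []}
    login_posts = defaultdict(list)
    for r in rows:
        path = r["path"].split("?", 1)[0].lower()
        if path.startswith("/wp-content/uploads/") and path.endswith((".php", ".phtml")):
            out["uploads_php"].append((r["ip"], r["method"], r["path"]))
        elif "/wp-content/themes/" in path and path.endswith(".php") and "?" in r["path"]:
            # WordPress loads theme files through index.php; a direct hit with parameters is a backdoor call
            out["direct_theme_hits"].append((r["ip"], r["path"]))
        elif path == "/wp-login.php" and r["method"] == "POST":
            login_posts[r["ip"]].append(r["status"])
    for ip, statuses in login_posts.items():
        if len(statuses) >= LOGIN_POST_THRESHOLD:
            # a 302 after a run of 200s (the login form re-rendered) is the shape of a guessed password
            out["login_bruteforce"].append((ip, len(statuses), "302" in statuses))
    return out


def hides_php(data):
    """True if bytes that were uploaded as an image carry a PHP open tag (the GIF89a-header trick)."""
    return PHP_TAG.search(data) is not None


if __name__ == "__main__":
    for key, hits in triage(parse_log(SAMPLE_LOG)).items():
        print(key, hits)
    print(hides_php(b"GIF89a\x01\x00<?php system($_GET['c']); ?>"))
```

The output tells you which IPs to pull every request for, and in what order things happened: the first POST to the shell is the moment to work backwards from, and whatever that IP requested before it is usually the upload vector. If the log shows nothing of the kind at all, the loader was not written through the web server, which supports the earlier replies pointing at FTP credentials or a compromised workstation rather than the application.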

Topic Closed

This topic has been closed to new replies.