
[closed] hacked by hacker (49 posts)

  1. sambodhiprem
    Member
    Posted 1 year ago #

    Newby question:
    My blog has been hacked, see:

    http://alkeiyasings.com/test/blog.html
    and
    http://alkeiyasings.com/blog/

    How do I undo this hack without losing the formatting that I have already done?

    thanks!

  2. jtoronto
    Member
    Posted 1 year ago #

    There is another thread on this today and numerous posts on Twitter and the net about this hack which just started surfacing a few days ago.

    "hacked by hacker"

    To fix this you need to get the following 2 files back:
    index.php in the root folder (get it from the default WordPress install) and header.php in your theme's folder (if you don't have a backup of that file you will need to start with the original from the theme). Also remove index.html, which is created because the hack affects non-WordPress sites as well.

    That said I think you may get hacked again because it is unclear how they are doing it at the moment.

  3. sambodhiprem
    Member
    Posted 1 year ago #

  4. sambodhiprem
    Member
    Posted 1 year ago #

  5. To fix this you need to get the following 2 files back:

    I'm sorry to say it but I'm 100% sure that that is not enough to fix it. That just addresses the symptoms, which is those 2 hacked files. It does nothing to close the door that the attacker came in via.

    It's an often repeated reply but you really need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
    http://codex.wordpress.org/Hardening_WordPress
    http://www.studiopress.com/tips/wordpress-site-security.htm

  6. sambodhiprem
    Member
    Posted 1 year ago #

    Just on a side note:
    As a novice this hack makes me feel very queasy to install any wordpress blog at all... being thrown into the cops and robbers game... What are the alternatives??

  7. jtoronto
    Member
    Posted 1 year ago #

    Jan this appears to be a new hack. I know cleaning the files does not close the door but the door is not obvious yet.

    I've cleaned up many WordPress installs over the years but have not found the culprit yet on this one (which has been reported starting today on many many wp sites across multiple hosts) ... I guess if it's something new it will keep growing ... otherwise hopefully someone will be able to report what the exact backdoor is to this one ..

  8. ClaytonJames
    Member
    Posted 1 year ago #

    @sambodhiprem

    As a novice this hack makes me feel very queasy to install any wordpress blog at all

    It's definitely a pain now, but it's also an extremely valuable learning tool at this point. This (hacking) isn't an issue that happens only to WordPress, however. Every other platform out there is vulnerable at some point, and surprisingly enough some of the most common reasons for intrusions and 'hacks' are completely unrelated to vulnerabilities in the software itself.

    People with bad intent defacing index.php and header.php files really isn't anything new. It will be interesting to see what comes of it.

    In the meantime, you really should take some time to examine the resources found in the links Jan left for you. There's a ton of great information in them.

  9. The Hack Repair Guy
    Member
    Posted 1 year ago #

    Sites I've seen so far with this type of hack have had installed:
    contact form 7

    So far the contact form 7 plugin has been the only common denominator I've seen in the sites I've fixed this past week. However, this is totally speculative; given how popular this plugin is, it's more likely just a coincidence.

  10. jtoronto
    Member
    Posted 1 year ago #

    None of the sites I've fixed today have Contact Form 7 ...

    The only common denominator I have seen is that they are all on Cpanel and multiple sites on the Cpanel server (under different accounts) get hacked at the same time when it happens.

    This was the case with HostPapa hosted sites which seem to have the most hacks today .. and a company called NetRegistry according to some other forum I have been following ... and a company called Syrahost ...

    No solid answers yet ..

  11. jtoronto
    Member
    Posted 1 year ago #

  12. ClaytonJames
    Member
    Posted 1 year ago #

    Are you suggesting to us that the use of cPanel qualifies as a common denominator for these hacked sites?

  13. The Hack Repair Guy
    Member
    Posted 1 year ago #

    Right, though 20 twitter posts in a week doesn't exactly describe an incoming WordPress apocalypse...

  14. jtoronto
    Member
    Posted 1 year ago #

    No one said apocalypse.

    There's a trickle of info coming in on this hack which escalated today. Obviously hasn't affected many people. But enough to warrant talking about it. It seems if your WordPress site was hosted on the aforementioned hosts you were likely to run into this hack today.

    I sense sarcasm from you guys .. whereas I'm just trying to throw some observations out there to see if they click with others who are dealing with this as well.

    Since there's no traces in log files it would be nice to know how it happened is all.

  15. sambodhiprem
    Member
    Posted 1 year ago #

    In order to find the baddies I'd like to table:

    On Nov 7th I installed a new WordPress blog (3.4.2) on an account hosted by Hostpapa. No plugins were installed, I created two posts and left it like that.
    So my blog was hacked when it was still fresh off the shelf, without having a 'history'...

    My cash would be on the Hostpapa plus latest version of WordPress horse - not a happy marriage...

  16. tarun04104
    Member
    Posted 1 year ago #

    My website is hacked (again)

    It only shows a smiley and this is second time in the last six months.

    Kindly help me out. My developer (friend) is no more interested in fixing this up for me and I am unable to find enough information on the Internet to fix this up.

    http://www.tarungoel.in is the URL of the website.

  17. secconsult
    Member
    Posted 1 year ago #

  18. tarun04104
    Member
    Posted 1 year ago #

    Thanks for these links. The problem is however related to Angela or the Smiley With No Name. When I open the smiley(image) in a new tab, the URL says this: http://stats.wordpress.com/g.gif?host=www.tarungoel.in&rand=0.959444040665403&v=ext&j=1%3A1.8.2&blog=34837231&post=0&ref=

    Now the point here is this: Others with Angela Issue have reported smiley on the right/left or bottom. My smiley is just where it should not be, at the content area with no content visible at all.

    After going through these links, I even tried editing the CSS Sheet but no use.

  19. gcaleval
    Member
    Posted 1 year ago #

    Just popping in because most routine references provided on all WP security questions include the Sucuri scanner. From personal experience I can conclusively state that Sucuri's free scanner provides many false "clean" reports. It cannot, must not, be relied on to tell you a site is free of malicious code.

    In one instance I pointed it straight at the malicious file, that is entered the full path to a known defacement script and it still came back clean.

    I don't question the effectiveness of the paid version, but I think it is unwise for experienced WordPress admins to keep citing this reference in the list of things compromised sites should use.

  20. pcsoko
    Member
    Posted 1 year ago #

    Ugh.. I tried the solutions posted above and all I get is a blank website now...I've reinstalled the wordpress and the theme, but all I get is a blank website now.

    the website is http://www.disabilitytaxservice.ca

    Any help would be greatly appreciated.

  21. ClaytonJames
    Member
    Posted 1 year ago #

    See http://www.disabilitytaxservice.ca/blog/

    This appears to be your current issue: Fatal error: Call to undefined function language_attributes() in /home/disa8773/public_html/wp-blog-header.php on line 25

    Whatever files are located in root that normally serve the blog located in the sub-directory named "blog" probably need to be repaired. If you have something in root other than WordPress files, those need to be repaired. Reference: Using a pre-existing subdirectory install

  22. pcsoko
    Member
    Posted 1 year ago #

    Clayton, thank you so much for getting back to me so quickly and taking the time to respond. Being in business for myself and being a do-it-yourself kind of person is stressful enough, without these major issues arising.

    Everything works again. I honestly can't thank you enough. I'll actually be able to rest easy tonight instead of staying up troubleshooting.

    Thank you!!

  23. jtoronto
    Member
    Posted 1 year ago #

    1. HostPapa has quietly set the permissions on all wp-config files to 600 (rw-------)
    - This most likely means that the hackers were somehow able to access wp-config files across the server once they compromised one account if the files were world readable.

    2. By Default a world readable config file 644 (rw-r--r--) should not be an issue because the home directory of each account is supposed to have basedir protection enabled and be inaccessible by any other user.

    3. NetRegistry (another host who got hit with the same "hacked by hacker" hack) has indicated that once one account on the server got compromised (through a legitimate WordPress vulnerability) the hacker was able to use a Cpanel symlink issue with .htaccess files to read the wp-config files of every other account on the server.

    This Cpanel issue is discussed in detail on the Cpanel forum and if you scroll to the last couple of days you can read posts that are probably from HostPapa or NetRegistry admins who describe exactly what happened.

    http://forums.cpanel.net/f185/how-prevent-creating-symbolic-links-non-root-users-202242.html
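    As an added example, not from the thread or any of the posters, here is a small POSIX sh audit of the two conditions the post above describes: a wp-config.php that group or world can read (644 rather than 600), and symlinks under the web root that resolve outside the account's home directory. It assumes GNU coreutils (stat -c, readlink -f); the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: audit one shared-hosting account for a readable wp-config.php
# and for symlinks in the web root that point outside the account's home.
# Usage (placeholder paths): audit_account /home/ACCOUNT /home/ACCOUNT/public_html

# wpconfig_is_exposed DIR
# Returns 0 (true) if DIR/wp-config.php has any group/other permission bits set
# (e.g. 644 or 640), 1 if it is owner-only (600/700) or missing.
wpconfig_is_exposed() {
  cfg="$1/wp-config.php"
  [ -f "$cfg" ] || return 1
  # numeric mode such as 644 (GNU stat); BSD stat fallback
  mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
  case "$mode" in
    *00) return 1 ;;   # owner-only, the 600 the post says HostPapa switched to
    *)   return 0 ;;   # group or world can read the database credentials
  esac
}

# count_escaping_symlinks HOME WEBROOT
# Prints the number of symlinks under WEBROOT whose resolved target lies
# outside HOME; each offending link is listed on stderr. A link whose target
# is another account's wp-config.php is the cPanel symlink issue above.
count_escaping_symlinks() {
  home=$(cd "$1" && pwd -P)
  find "$2" -type l -print | while IFS= read -r link; do
    target=$(readlink -f "$link" 2>/dev/null) || continue
    case "$target" in
      "$home"/*) ;;                                   # stays inside the account
      *) printf 'escapes home: %s -> %s\n' "$link" "$target" >&2
         printf 'x\n' ;;                              # one line per offender
    esac
  done | wc -l | tr -d ' '
}

# audit_account HOME WEBROOT: returns 0 when both checks pass, 1 otherwise.
audit_account() {
  rc=0
  if wpconfig_is_exposed "$2"; then
    echo "wp-config.php in $2 is readable by other users; chmod 600 it" >&2
    rc=1
  fi
  n=$(count_escaping_symlinks "$1" "$2")
  [ "$n" -eq 0 ] || { echo "$n symlink(s) under $2 escape $1" >&2; rc=1; }
  return $rc
}
```

    The mode check only says whether other local users could read the file; whether they actually can also depends on the basedir/jail configuration the post mentions, which this script does not inspect.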

  24. NetRegistry (another host who got hit with the same "hacked by hacker" hack) has indicated that once one account on the server got compromised (through a legitimate WordPress vulnerability)

    *Jan sets phasers to SKEPTICAL and aims at NetRegistry*

    I'm all for hosts saving face (that has its limits BTW) but an insecure host who is Doing It All Wrong™ is not a WordPress vulnerability.

    If they or anyone have a legitimate proof of concept exploit for the current version of WordPress then they really need to report that to security [ at ] wordpress.org as explained at this link.

  25. esmi
    Forum Moderator
    Posted 1 year ago #

    As always, a server is only as secure as its weakest script. :/

  26. ClaytonJames
    Member
    Posted 1 year ago #

    @pcsoko

    You're welcome! The site looks great and it all seems to be running smoothly again.

  27. mvandemar
    Member
    Posted 1 year ago #

    As always, a server is only as secure as its weakest script. :/

    Well... that's not entirely true. :P In many hosts all of the users run under a jailed environment, where one account getting hacked does not affect the others. What is going on with these hosts is not a script vulnerability. Even if there were some accounts running older insecure versions of WordPress, using Bing's cache I was able to verify that many that got hit were running 3.4.1 or 3.4.2 when they were hit.

  28. esmi
    Forum Moderator
    Posted 1 year ago #

    What is going on with these hosts is not a script vulnerability.

    We may have to agree to disagree on that. I agree that if the sites had been correctly sandboxed on the server, the hack wouldn't have been so widespread. But the hackers gained initial access via just 1 insecure site - maybe someone using an old version of WP or a theme with an old insecure copy of something like timthumb. Once in, the poor server config meant that they were able to then access all sites directly - irrespective of what version of WP they were using. By all counts, some Joomla sites got hit too, so it looks like, as soon as the hackers had server access, they went after all of the big open source run sites.

    But just one old or insecure site gave them the access in the first place. :-)

  29. mvandemar
    Member
    Posted 1 year ago #

    But just one old or insecure site gave them the access in the first place. :-)

    You don't know that though. You stated that a server is only as secure as its weakest script, but it doesn't take a script vulnerability for someone to access a shared server. It could be someone with ftp access getting a virus on their machine, it could be a weak password, a malicious web developer angry at not getting paid... or hell, someone could just sign up for a new account on the same server. These are shared hosting accounts where anything could happen to one single account, they should all be firewalled from one another, period.

  30. ClaytonJames
    Member
    Posted 1 year ago #

    @mvandemar

    As always, a server is only as secure as its weakest script. :/

    I can only speak for myself here, but I'm inclined to interpret that in a broader context, rather than focusing only on whatever scripts reside in a public_html directory.

    I think it might apply perfectly in discussions where security issues are likely to center on server and service administration, and I think your last statement may add support to that thought.

    These are shared hosting accounts where anything could happen to one single account, they should all be firewalled from one another, period.

    Wouldn't those be hosting and server administration issues - rather than web-app vulnerability issues?

Topic Closed

This topic has been closed to new replies.