Hacker deface wordpress in a wierd way

(@kabatak)

I am quite baffled on how the hacker was able to deface several WordPress sites but it gives me an idea.

Take note: This installation is WordPress 3.4.1 with no additional plugins or themes.

Here’s the raw access log:

125.167.118.62 - - [01/Aug/2012:14:10:50 +0800] "GET /wordpress/wp-login.php HTTP/1.1" 200 2180 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:10:52 +0800] "GET /wordpress/wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 200 36317 "http://example.com/wordpress/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:10:52 +0800] "GET /wordpress/wp-admin/css/wp-admin.css?ver=3.4.1 HTTP/1.1" 200 108246 "http://example.com/wordpress/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:10:55 +0800] "GET /wordpress/wp-admin/images/button-grad.png HTTP/1.1" 200 243 "http://example.com/wordpress/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:10:55 +0800] "GET /wordpress/wp-admin/images/wordpress-logo.png?ver=20120216 HTTP/1.1" 200 5048 "http://example.com/wordpress/wp-admin/css/wp-admin.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:10:56 +0800] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:00 +0800] "POST /wordpress/wp-login.php HTTP/1.1" 302 - "http://example.com/wordpress/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:02 +0800] "GET /wordpress/wp-admin/ HTTP/1.1" 200 47301 "http://example.com/wordpress/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:10 +0800] "GET /wordpress/wp-includes/js/thickbox/thickbox.css?ver=3.4.1 HTTP/1.1" 200 3870 "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:10 +0800] "GET /wordpress/wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:10 +0800] "GET /wordpress/wp-admin/images/wpspin_light.gif HTTP/1.1" 200 2193 "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:10 +0800] "GET /wordpress/wp-admin/load-styles.php?c=1&dir=ltr&load=wp-jquery-ui-dialog&ver=3.4.1 HTTP/1.1" 200 1087 "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:09 +0800] "GET /wordpress/wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1 HTTP/1.1" 200 28480 "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:11 +0800] "GET /wordpress/wp-admin/images/media-button.png?ver=20111005 HTTP/1.1" 200 3117 "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:10 +0800] "GET /wordpress/wp-includes/css/editor.css?ver=3.4.1 HTTP/1.1" 200 43861 "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:10 +0800] "GET /wordpress/wp-admin/load-scripts.php?c=1&load=jquery,utils&ver=3.4.1 HTTP/1.1" 200 37529 "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:11 +0800] "GET /wordpress/wp-admin/load-scripts.php?c=1&load=admin-bar,hoverIntent,common,jquery-color,wp-ajax-response,wp-lists,quicktags,jquery-query,admin-comments,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,thickbox,plugin-install,media-upload,word-count,jquery-ui-resizable,jquery-ui-draggable,jquery-ui-button,jquery-ui-position,jquery-ui-dialog,wpdialogs,wplink,wpdialogs-popup&ver=3.4.1 HTTP/1.1" 200 56368 "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:15 +0800] "GET /wordpress/wp-admin/images/menu-shadow.png HTTP/1.1" 200 131 "http://example.com/wordpress/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:15 +0800] "GET /wordpress/wp-admin/images/menu.png?ver=20120201 HTTP/1.1" 200 13585 "http://example.com/wordpress/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:15 +0800] "GET /wordpress/wp-includes/images/admin-bar-sprite.png?d=20111130 HTTP/1.1" 200 3999 "http://example.com/wordpress/wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:15 +0800] "GET /wordpress/wp-admin/images/arrows.png HTTP/1.1" 200 494 "http://example.com/wordpress/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:15 +0800] "GET /wordpress/wp-admin/images/icons32.png?ver=20111206 HTTP/1.1" 200 13441 "http://example.com/wordpress/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:16 +0800] "GET /wordpress/wp-admin/images/xit.gif HTTP/1.1" 200 182 "http://example.com/wordpress/wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:17 +0800] "GET /wordpress/wp-admin/images/white-grad.png HTTP/1.1" 200 210 "http://example.com/wordpress/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:16 +0800] "GET /wordpress/wp-admin/images/wp-badge.png?ver=20111120 HTTP/1.1" 200 14352 "http://example.com/wordpress/wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:18 +0800] "GET /wordpress/wp-includes/js/thickbox/loadingAnimation.gif HTTP/1.1" 200 5886 "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:19 +0800] "GET /wordpress/wp-admin/admin-ajax.php?action=dashboard-widgets&widget=dashboard_incoming_links HTTP/1.1" 200 253 "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:19 +0800] "GET /wordpress/wp-admin/admin-ajax.php?action=dashboard-widgets&widget=dashboard_primary HTTP/1.1" 200 1975 "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:19 +0800] "GET /wordpress/wp-admin/admin-ajax.php?action=dashboard-widgets&widget=dashboard_secondary HTTP/1.1" 200 2433 "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wordpress/wp-admin/admin-ajax.php?action=dashboard-widgets&widget=dashboard_plugins HTTP/1.1" 200 541 "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:37 +0800] "GET /wordpress/wp-admin/theme-editor.php HTTP/1.1" 200 80407 "http://example.com/wordpress/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:52 +0800] "GET /wordpress/wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wordpress/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:53 +0800] "GET /wordpress/wp-admin/load-scripts.php?c=1&load=admin-bar,hoverIntent,common,jquery-color&ver=3.4.1 HTTP/1.1" 200 5480 "http://example.com/wordpress/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:21 +0800] "GET /wordpress/wp-admin/images/white-grad-active.png HTTP/1.1" 200 223 "http://example.com/wordpress/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:21 +0800] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 200 47185 "http://example.com/wordpress/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:23 +0800] "GET /wordpress/wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wordpress/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:44 +0800] "GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentyten HTTP/1.1" 200 25912 "http://example.com/wordpress/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:47 +0800] "GET /wordpress/wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
66.249.71.183 - - [01/Aug/2012:14:25:47 +0800] "GET /wordpress/?m=201207 HTTP/1.1" 200 7669 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
125.167.118.62 - - [01/Aug/2012:14:27:04 +0800] "GET /wordpress/wp-admin/images/button-grad-active.png HTTP/1.1" 200 284 "http://example.com/wordpress/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:27:04 +0800] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 302 - "http://example.com/wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:27:48 +0800] "GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentyten&scrollto=22493&updated=true HTTP/1.1" 200 150688 "http://example.com/wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:27:59 +0800] "GET /wordpress/wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentyten&scrollto=22493&updated=true" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:28:53 +0800] "GET /wordpress/v HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:28:54 +0800] "GET /wordpress/v HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:28:56 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php HTTP/1.1" 200 41843 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:28:59 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=img&img=sort_asc HTTP/1.1" 200 85 "http://example.com/wordpress/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:28:59 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=img&img=ext_lnk HTTP/1.1" 200 572 "http://example.com/wordpress/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:28:59 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=img&img=small_dir HTTP/1.1" 200 498 "http://example.com/wordpress/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:00 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=img&img=ext_diz HTTP/1.1" 200 1034 "http://example.com/wordpress/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:00 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=img&img=change HTTP/1.1" 200 290 "http://example.com/wordpress/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:00 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=img&img=download HTTP/1.1" 200 161 "http://example.com/wordpress/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:00 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=img&img=ext_php HTTP/1.1" 200 1125 "http://example.com/wordpress/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:00 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=img&img=ext_css HTTP/1.1" 200 134 "http://example.com/wordpress/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:00 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=img&img=ext_txt HTTP/1.1" 200 132 "http://example.com/wordpress/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:00 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=img&img=ext_png HTTP/1.1" 200 175 "http://example.com/wordpress/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:00 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=img&img=arrow_ltr HTTP/1.1" 200 88 "http://example.com/wordpress/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:27 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 10844 "http://example.com/wordpress/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:28 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=img&img=ext_htaccess HTTP/1.1" 200 117 "http://example.com/wordpress/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:32 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=img&img=ext_zip HTTP/1.1" 200 577 "http://example.com/wordpress/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:13 +0800] "POST /wordpress/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 11877 "http://example.com/wordpress/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:15 +0800] "GET /wordpress/wp-content/themes/twentyten/404.php?x=img&img=ext_html HTTP/1.1" 200 1125 "http://example.com/wordpress/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:33:19 +0800] "GET / HTTP/1.1" 200 3336 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"

As you can see the hacker directly logs in to WP in one attempt meaning he already already knows the login details. We can argue he really knows it or he was able to edit the wp_users before logging in. But what intrigues me is the need to edit the “404.php” file then insert their own editor by using eval(gzinflate(base64_decode())), when he can simply edit “index.php” instead. If he simply edited index.php antivirus will not detect it but instead he chose to leave his tracks behind.

Anyone else experienced this?

Viewing 5 replies - 1 through 5 (of 5 total)

wagging
(@wagging)

11 years, 8 months ago

Yes I have…
latest has been:

/blog/404testpage4525d2fdc

Why are they hacking this way?

Thread Starter kbtk
(@kabatak)

11 years, 8 months ago

I can’t tell if this was a vulnerability with WordPress or third party plugins or web server. I hope a pro can shed a light.

wagging
(@wagging)

11 years, 8 months ago

I hope a pro can shed some light… I have been hacked this way for the last 5 weeks… I have the whole kit of plugins related to security, you name it I have it…however it always starts with attacks making 404 errors…then considering I have been hacked… the first thing they do is play around with the security plugins so that they no longer alert you…
Right now I am paying for a new security monitor… which seems to be holding them at bay for the last 4 days. However I am watching my live stats today and they are at it again making 404 errors. Usually with pages that start with
http://www.example.com/wp-admin/ (then add) bogus web page, code, scrip, get… over and over again in bursts at about 100’s of 404’s coming in seconds per page.
Totally strange

Moderator Jan Dembowski
(@jdembowski)

Forum Moderator and Brute Squad

11 years, 8 months ago

Sadly, that’s not an uncommon occurrence and many servers do get hacked. As a result, the following links are offered up:

You need to start working your way through these resources:
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
http://codex.wordpress.org/Hardening_WordPress
http://www.studiopress.com/tips/wordpress-site-security.htm

Which is a lot to digest, but once you’ve gotten your server and installation deloused and then hardened you’ll be alright.

Or you could go the commercial route and consider a service such as Sucuri. I’ve not used them but they are recommended and there are other vendors out there as well.

the_nuts
(@the_nuts)

11 years, 7 months ago

Hi,

I had the same problem, site defaced in the same way, and the only way to stop it was to chmod the /wp-admin/ folder to 000 or all the files to 444 and the folders to 555…

today my hosting’s support sends me this message:

ATTENTION: All WordPress users using version < 3.4.2
Dear valued customers,
Please be informed that there is a new WordPress version released –> Version 3.4.2
Kindly upgrade the WordPress to prevent any inconveneince caused in your hosting e.g defacement and hacking.
If you need any further assistance or query, feel free to contact us by submit us a support ticket at http://247livesupport.biz
Thank you.
Best regards,

do you confirm that with the new version the issue has been resolved? I’m quite scared to restore the file permissions…

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Hacker deface wordpress in a wierd way’ is closed to new replies.

Hacker deface wordpress in a wierd way

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics