WordPress.org

Forums

Hacks for 2.9.2 (7 posts)

  1. mike
    Member
    Posted 4 years ago #

    Is anyone else encountering hacks on 2.9.2? I have found the following across about 10 sites:

    - wp-includes/general-templates.php has been modified to include malicious code for malware
    - wp-content/plugins/akismet/rss-feed.php has been added by a hack that in turn re-directs Google searches
    - write to /cgi-bin/ above public_html that redirects Google searches. I discovered this on Friday when Rackspace's Cloud Sites got about 1000 hacks at once. I think I discovered the problem for them :). That hack modified wp-blog-header.php with a simple include("") command.

    I didn't notice many of these hacks until I used Google's webmaster tools. With that, you can see what Google sees. Many of these malware and redirects only listen for Google, so you may never know about the problem. Just search

    viagra site:yourdomain.com

    I don't need to know what the 2.9.2 hole is, but I would like the admins to acknowledge something is wrong. I have spent three days constantly catching up to these hacks. The Exploit Scanner misses some of the problems and simply deleting WP and re-installing isn't working.
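
Added example, not part of the original thread: it compares a live install against a fresh unpack of the same WordPress version and lists the kinds of changes described in the post above (a modified core file such as wp-blog-header.php, an added file such as wp-content/plugins/akismet/rss-feed.php). The function names, the rule for the uploads directory and the sample trees in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_install(clean_root, live_root):
    """List files modified, added or missing in live_root versus clean_root."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    report = {"modified": [], "added": [], "missing": sorted(set(clean) - set(live))}
    for rel, digest in sorted(live.items()):
        # Assumption: media under uploads/ is expected there, PHP files are not.
        if rel.startswith("wp-content/uploads/") and not rel.lower().endswith(".php"):
            continue
        if rel not in clean:
            report["added"].append(rel)       # not shipped in the stock download
        elif clean[rel] != digest:
            report["modified"].append(rel)    # shipped file whose content changed
    return report


def write_tree(root, files):
    """Create files (relative path -> bytes) under root; used for the sample data."""
    for rel, data in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    """Run the comparison on two small constructed trees (not real WordPress code)."""
    clean = {"wp-blog-header.php": b"<?php // stock loader\n",
             "wp-includes/version.php": b"<?php // stock\n",
             "wp-content/plugins/akismet/akismet.php": b"<?php // stock plugin\n"}
    live = dict(clean)
    live["wp-blog-header.php"] += b"include('placeholder');\n"         # modified core file
    live["wp-content/plugins/akismet/rss-feed.php"] = b"<?php // x\n"   # not in stock plugin
    live["wp-content/uploads/2010/05/photo.jpg"] = b"\xff\xd8"           # ordinary upload
    live["wp-config.php"] = b"<?php // site config\n"                   # local file, review by hand
    with tempfile.TemporaryDirectory() as c, tempfile.TemporaryDirectory() as l:
        write_tree(c, clean)
        write_tree(l, live)
        return compare_install(c, l)
```

On a real site, call `compare_install()` with the directory of a freshly unpacked download as `clean_root` and a copy of the web root as `live_root`; site-specific files such as wp-config.php and themes will appear under "added" and need a manual read.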

  2. mike
    Member
    Posted 4 years ago #

    Oh and I know a moderator is going to post something like:

    http://wordpress.org/support/topic/268083?replies=28#post-1065779

    but I have followed every single tutorial and site. I have run about 25 sites since WP was released (user 47 on the forum!), and this is the first time I have ever encountered a hack. I have exhausted the standard methods and the "delete everything and re-install" no longer works.

  3. Steve D
    Member
    Posted 4 years ago #

    Is anyone else encountering hacks on 2.9.2?

    Yes. You're not alone. I noticed all kinds of bizarre server behavior going on during the April mass attacks. It was like the hackers had total and complete control of the hosts' systems. Haven't been touched in a month now at NS. They got it under control. And, I'm too tired and exhausted to move at this point. I didn't get into this to be hunched over a computer 24/7 for months on end trying to protect myself from organized armies of overseas hackers trying to "take us out".

    Nasty situation we are in here.

  4. mike
    Member
    Posted 4 years ago #

    I can now confirm that 2.9.2 has some sort of hole in it. I made a completely clean install of 2.9.2 on Rackspace Cloud Sites. Within three days, all queries were re-directing to a Canadian pharmacy. This is very pressing. I have used WordPress since .01 and never had this problem. Trying to stay on top of these hacks is a full-time job.

  5. @mike: If you have logs and details showing how they hacked your site please send them to security@wordpress.org so we can investigate.

    Cheers

  6. mike
    Member
    Posted 4 years ago #

    Will do. My priority was removing the hack. But I suspect it will come back in a day or two. Here is a summary of what is happening:

    http://blog.sucuri.net/2010/05/seo-spam-network-details-of-wp-includes.html

    It is important to note that you can't see the code if you simply visit your site. The hacks are smart enough to check for Google IPs or referrals. So I recommend signing up for Google Webmasters:

    http://www.google.com/webmasters/

    and then using the "Labs --> Fetch as Googlebot" to check if you have been infected.

  7. I don't use Rackspace, but it seems that logs are not easily accessible; and it's more than WordPress on Rackspace: "An Open Letter to Rackspace Cloud Hosting | Snipe.Net"

    If you already have developer tools in Safari (or use addons in Firefox and IE), you can change the user agent in your web browser to check your own or others' sites.

Topic Closed

This topic has been closed to new replies.
