WordPress › Support » How do I verify & recover from a hack?

TonyVitabile
Member
Posted 2 years ago #

I've got big problems with my wordpress MU install. The site is running WP 3.0.1. A few weeks ago, the site started having trouble displaying videos that were embedded into posts in a blog using Viper's Video Quicktags. I've posted about that in the Troubleshooting forum.

Yesterday, I installed an Antivirus plug-in & a firewall plug-in. Now, when I click on the link for the "sermons" blog in the menu bar, I get a 404 error. And the 404 page that is displayed is NOT the one from my theme. Am I right in believing that my site has been hacked?

And if it is hacked, how do I recover & prevent it from happening again?

Thanks

Tony
TonyVitabile
Member
Posted 2 years ago #

OK, I just tried to go to the Sermons blog and it works now. I don't get that. I even tried going to a page that doesn't exist, and now I'm getting the 404 page in my theme.

This is NOT what happened last night!

I'm soooo confused!
Tim
Jetpack Team Lead
Posted 2 years ago #

The 404 page you see could be coming from your host, though I'm not sure why that would be the case unless something on your host's end is messed up.

You can also read http://codex.wordpress.org/FAQ_My_site_was_hacked if you think you've truly been hacked. Though I haven't heard much about 3.0.1 being directly vulnerable.
TonyVitabile
Member
Posted 2 years ago #

I've also got bbpress installed on this site & I'm wondering if that's where the damage is coming from. There are lots of spam hot tags but no posts over there. I don't go to that part of the site often.

I'm at work & I can't seem to log into either WP or bbpress on IE7 here. Further, my banner isn't displaying at all in IE7, but it used to. IT does display in Firefox & IE 8.

But I can't log into the Admin panel in Firefox here at work, either.

Something s definitely wrong!
TonyVitabile
Member
Posted 2 years ago #

I guess my last problem with not being able to reach my admin pages was a traffic issue on the host. I'm in there now.

Using my host's file manager tool, I went into the folder on the machine for the sermons blog . There was no .htaccess file. I changed the permalink structure & saved it, then changed it back. There is now an .htaccess file & a .htpasswd file. But I still can't access the video.

Here's the URL directly to one of the affected files:

http://churchonhigherground.org/worship/sermons/files/2010/04/10-0411-01.flv

When I navigate directly to this URL (I open a new tab & paste the URL into the address bar), I get a 500 Internal Server Error from the server. This is the issue I've been having for a long time now, and I don't know what to do about it.

Please help.

Tony
TonyVitabile
Member
Posted 2 years ago #

OK. I think the problem is someone has commandeered my forums. When I go into bbPress, there are 11 tags that weren't there & a number of "recently moderated items" that I didn't even see until now. And, when I go to the Posts link in bbPress, I don't see these "recently moderated items".

Time to close up bbPress.
Andrea Rennick
Customer Care at Copyblogger Media and Studiopress
Posted 2 years ago #

Now, when I click on the link for the "sermons" blog in the menu bar, I get a 404 error. And the 404 page that is displayed is NOT the one from my theme. Am I right in believing that my site has been hacked?

No, that;s not a hack.
TonyVitabile
Member
Posted 2 years ago #

Well, there's something wrong with my wordpress mu install now. I changed my password and now, when I log in, I keep getting taken back to the login page without any mention of an incorrect password or any problems. I actually had to log in on the bbPress side of my site.

I'm going to follow the instructions on recovering from a hack & see if that fixes my problems, unless someone has a better idea?

Thanks

Tony
Andrea Rennick
Customer Care at Copyblogger Media and Studiopress
Posted 2 years ago #

You could have something messed up on the bbpress side, so I;d disable that for sure.
TonyVitabile
Member
Posted 2 years ago #

Here's what I did last night.

1. My Macbook had the bad 404 page cached. I looked at it & it had an iframe that referred to http://www.dsnextgen.com/. This wasn't ever in my theme.

2. I erased all of the WPMU php, css, js, images, and other files in the /worship (Where WPMU is installed), /worship/wp-includes and /worship/wp-admin folders. I used my FTP tool to delete these files. While I was at it, I deleted all of the files for my theme, which the Antivirus plugin thought were suspicious.

Next, I had WPMU 3.0.1 installed on the macbook, so I uploaded it to the host. Next, I went through the automated download & install of WP 3.0.1. Finally, I uploaded my theme back into its folder.

I then ran the Antivirus scan of my theme. It gave all but one file a clean bill of health. 10 or 20 minutes after that, I scanned the theme files again and it marked just about every file in the theme as suspicious.

As I didn't touch any of the plug-ins, I think that one of them is infected with something & it's screwing with my theme. So I'm going to redo everything I did last night, and blow away & reinstall the plugins. But I'm going to do the plugins one at a time. And I'm only going to install the ones that my site is actually using.

Oh, about the bbPress install. I didn't do anything with it, though I think that is working OK. Still, it's attracting spammers and no one at my church is using it. So I'm going to deinstall it entirely. I'll have to delete some pages from the wordpress side, but that's no biggie.

Does anyone have any other ideas?

Thanks
Ipstenu (Mika Epstein)
Half-Elf Support Rogue & Mod
Posted 2 years ago #

I then ran the Antivirus scan of my theme. It gave all but one file a clean bill of health. 10 or 20 minutes after that, I scanned the theme files again and it marked just about every file in the theme as suspicious.

The odds are that either your server has been compromised or you have a bad plugin. Get rid of the plugins NOW. Dump them all and get new, fresh, copies from wordpress.org. Then secure your server.

Server Security 101.

1) Change your passwords. All of theme. From FTP and email to the Database and your WP admin password. Do it NOW.

2) NEVER access your site's backend insecurely. SFTP, SSH only.

3) Read this: http://codex.wordpress.org/Hardening_WordPress#File_permissions
TonyVitabile
Member
Posted 2 years ago #

I have changed the passwords of all administrator accounts on the site. I deleted all wordpress executables in the /worship, /worship/wp-includes, and /worship/wp-admin folders. I deleted all plugins and themes.

I then downloaded a fresh copy of wp 3.0.1. I then uploaded it back into the /worship folder. I recovered wp-config.php from a backup and copied that over the default one that comes with WP. I then uploaded Akismet & a plug-in that I wrote and the various themes I have installed on my macbook development copy of the site.

After doing all of that, I downloaded & installed the Firewall 2 and
Antivirus plugins. Then I downloaded other plugins that the site uses like NextGen Image Gallery and Vipers Video Quicktags.

I'm happy to say that the antivirus no longer reports any problems with my theme files. So it looks like the security issues are resolved, for now.

However, I'm not 100% out of the woods yet. NextGen Image Gallery cannot access any of the images in its galleries. And the site still can't serve up most of the videos on my site. I'm going to try tonight to download one of the videos using FTP & see if it will play on my macbook. If it will, then I know the files are ok & there's still some other issue going on.

The videos all have 755 permissions. I know that three of them get served up fine, so it could be that the problem is with the video files themselves. I don't know how they could have gotten corrupted, but it's possible.

I think I have backups for these files on a backup drive at home. Hopefully the problem is the files & I do have the backups.
TonyVitabile
Member
Posted 2 years ago #
It's 5 hours later & I just did a virus scan on my theme & now 2 files are flagged as suspicious. It flags the following line in 2 different files:

<?php include(TEMPLATEPATH . '/sidebar2.php'); ?>

The word "include" is highlighted in yellow.

Can anyone tell me how this thing works & why an PHP include statement can be suspicious? The files affected are 404.php & archive.php.

I just installed 2 plugins right before I ran this check. Perhaps one of those 2 is infected with something?

Also, this is the .htaccess file in the blogs.dir folder for one of my blogs:
```
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /worship/sermons/
RewriteRule ^index\.php$ - [L]
RewriteRule (.*) /worship/sermons/index.php?uamfiletype=attachment&uamgetfile=$1 [L]
</IfModule>
```
I can't find a file called index.php in /worship/wp-content/5/files, which is the folder that maps to /worship/sermons. where should it be?

Ipstenu (Mika Epstein)
Half-Elf Support Rogue & Mod
Posted 2 years ago #

This <?php include(TEMPLATEPATH . '/sidebar2.php'); ?> is a perfectly normal call for a theme to make.

This

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /worship/sermons/
RewriteRule ^index\.php$ - [L]
RewriteRule (.*) /worship/sermons/index.php?uamfiletype=attachment&uamgetfile=$1 [L]
</IfModule>

I've never seen before...

Andrea Rennick
Customer Care at Copyblogger Media and Studiopress
Posted 2 years ago #

Did you install a plugin for sermons? I know there's WP-specific one for this.
vitabile
Member
Posted 2 years ago #

ipstenu:

I think that may have come from a plugin I had installed called User Access manager. When I first built the site, I wanted a "members only" area & I used that plug-in to set it up. Now I'm suspicious of it as that was one of the plug-ins I installed this afternoon, just before the antivirus scan flagged those lines as suspicious.

The thing is, those lines were there this morning & it didn't complain about them, either.

I'm going to delete the .htacces file & see what happens.

Andrea_r:

I wrote a plug-in to do searches of the posts in the sermons blog. Each video is in a post of it's own; I record information in the post's meta data using a form included in the plug-in, and it scans the meta data using criteria you specify in another form. It works, but I didn't find anything that could do what I wanted when I was looking, so I built it.

Tony
TonyVitabile
Member
Posted 2 years ago #
Update:

It's been another 24 hours & the theme is still getting a clean bill of health from the antivirus. That problem seems to be solved. Thank you everyone for your help!

Now, the one problem I do still have is that a large number of my videos still won't play. Most of them, in fact. I think the files themselves somehow got corrupted. I come to this conclusion because:
1. There are a few videos that do play
2. Any problems with the software from things like viruses or hacks have been solves or ruled out
3. There are only 2 .htaccess files on the site & if some videos play, the odds on their being a problem with them is small.
I've also posted in the Plugins and Hacks forum for Viper's Video Quicktags. I've uploaded the two .htaccess files there and I'm waiting for Viper to confirm if there's anything wrong with them. I don't think so, though, as 3 videos & several MP3s do play. Or the MP3s did before I deleted the audio plugin I was using. That's another plugin I suspect of maybe being compromised.

Thanks again everyone for your help.

Tony

Topic Closed

This topic has been closed to new replies.

WordPress.org

Forums

How do I verify & recover from a hack? (17 posts)

Topic Closed

About this Topic

Tags

Code is Poetry