
Infections, hacks and viruses: How spread (or not) (7 posts)

  1. LDMartin1959
    Member
    Posted 1 year ago #

    The company I work for has a number of sites. Recently there has been a rash of malware infections and hacks on some of the sites. The attacks are either alien PHP code being placed on the sites and in files, or JavaScript scripts being placed into pages.

    The boss is all beside himself, having us run repeated virus scans on all our computers. Since the hosting computers are not on our local system I am thinking that running virus scans on our computers is not going to tell us anything and as a consequence I think we are spending a great deal of time chasing phantoms. I am hoping to convince him we need to look elsewhere for the source of the infections/hacks. To that end, I would appreciate some assistance. I am not an expert in PHP or JavaScript so please correct me if I am wrong on any of these points, but this is my understanding:

    1) simply logging into the WP-Admin panel would not infect a site with a PHP or JavaScript infection, even if there is an infected file on the computer we are logging in from, because the PHP script to infect the site would have to be run within the PHP server on the computer actually hosting the site in order to accomplish the infection, and a JavaScript file would not be able to write to the server without having FTP access;

    2) logging into the server via an FTP account using FTP client software would not infect a site with a PHP or JavaScript infection, even if there is an infected file on the computer we are logging in from, because the PHP script to infect the site would have to be run within the PHP server on the computer actually hosting the site in order to accomplish the infection, a JavaScript file would not be able to write to the server without having FTP access, and logging in via an FTP client would not grant the necessary FTP access to JavaScript or PHP;

    3) Windows style viruses (executable file which can run within the operating system and does not need a local server to operate) do not presently exist which will infect a WordPress site with a PHP or JavaScript infection of any type.

    Do I have any of these details incorrect?

    Thank you.

  2. jonradio
    Member
    Posted 1 year ago #

    Yes, I believe that your three points are correct. But here is something to consider: what if your infected Windows Desktop has a malware bot that looks for FTP credentials and sends them to a hacker database on the Internet? Then any hacker with access to the hacker database on the Internet potentially has access to anywhere you have FTP credentials, including your servers.

    There was a spate of this activity about two years ago. Don't know how things are now.

    On the other hand, if all the Windows Desktops have one of the major anti-malware products running all the time, with current virus signature updates, then this scenario is not very likely.

  3. jonradio
    Member
    Posted 1 year ago #

    This is a good place to start reading:
    http://codex.wordpress.org/FAQ_My_site_was_hacked

  4. LDMartin1959
    Member
    Posted 1 year ago #

    But here is something to consider: what if your infected Windows Desktop has a malware bot that looks for FTP credentials and sends them to a hacker database on the Internet? Then any hacker with access to the hacker database on the Internet potentially has access to anywhere you have FTP credentials, including your servers.

    jonradio, point taken. This is not the type of infection the boss is looking for. He has made it clear that he is looking for a virus that is residing on the local computers and actually placing the code on the site as we log in. Regardless, all of the computers are clean. Or at least, Microsoft Security Essentials reports that the Windows machines are clean, and Sophos reports my Mac as being clean. It is doubtful in my mind that this is what we are dealing with. I'm thinking along the lines of what I believe is called "code injection" via forms. I've read this is a fairly common means of this sort of maliciousness.

    Thanks for the info.

  5. jonradio
    Member
    Posted 1 year ago #

    Open Source software poses a unique challenge. Because source code is available, there is usually widespread knowledge of security issues as they are fixed in newer versions.

    That is why it is essential to be up to date with all Open Source software, in terms of running the current Version. Oddly, security fixes are generally the most urgent in the lowest level updates. For example, 3.4 to 3.4.1 of WordPress.

  6. MickeyRoush
    Member
    Posted 1 year ago #

    @ LDMartin1959

    There are hundreds if not thousands of ways to hack someone's pc or a website. What if you had a keylogger on one of your computers/Mac? Then they could have your login credentials. Then they could log in, use your theme/plugin editor to put in code.

    What if your server is not secure? They symlink your server to read your wp-config. Set up a dummy phpmyadmin (oops I may have that wrong, it's past my bedtime) and hack your database.

    Also, I clean Windows PCs from malware for a living. MSE is not enough. It helps, but there are a lot of tools that will catch things it misses and tools to catch things the other tools miss. There is no one overall supreme tool.

    You really need to look at your server logs, including any SFTP/FTP logs. When observing your regular server logs, examine all "POST" entries.

    Have you confirmed that none of your themes and/or plugins have vulnerabilities? Are any of them using the timthumb script or variant thereof?

    I would definitely start with your server logs.
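    As an added illustration of the log review MickeyRoush recommends (this is example code, not something posted in the thread), the script below reads web-server access-log lines in the common Apache "combined" format and flags the POST entries and timthumb calls that deserve a closer look: POSTs to the theme/plugin editor, POSTs to PHP files sitting under wp-content/uploads, and timthumb requests whose src parameter is a remote URL. The sample log lines, IP addresses and the list of "expected" POST endpoints are constructed assumptions, not data from the thread.

```python
import re

# Constructed sample lines in Apache "combined" log format; not taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2012:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2012:03:14:09 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2012:03:20:41 +0000] "GET /wp-content/themes/custom/timthumb.php?src=http://x.example/a.php HTTP/1.1" 200 55 "-" "curl/7.21"
198.51.100.7 - - [10/Jul/2012:03:20:43 +0000] "POST /wp-content/uploads/2012/07/img.php HTTP/1.1" 200 12 "-" "curl/7.21"
192.0.2.9 - - [10/Jul/2012:03:25:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# PHP endpoints WordPress itself expects POSTs on (assumed list); anything else is worth a look.
EXPECTED_POST = {"/wp-login.php", "/wp-comments-post.php", "/wp-admin/admin-ajax.php",
                 "/wp-admin/post.php", "/wp-admin/admin-post.php", "/xmlrpc.php"}

def parse_line(line):
    """Split one combined-format line into its fields; return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["path"].partition("?")
    return rec

def suspicious_requests(log_text):
    """Return (ip, timestamp, path, reason) tuples for requests that merit investigation."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, query = rec["path"], rec["query"]
        if rec["method"] == "POST" and path.endswith(".php") and path not in EXPECTED_POST:
            if "/wp-admin/" in path and "editor" in path:
                reason = "POST to the theme/plugin editor (code written via the dashboard)"
            elif "/wp-content/uploads/" in path:
                reason = "POST to a PHP file under uploads (PHP should not live there)"
            else:
                reason = "POST to an unexpected PHP endpoint"
            findings.append((rec["ip"], rec["ts"], path, reason))
        if "timthumb" in path.lower() and "src=" in query and "://" in query:
            findings.append((rec["ip"], rec["ts"], path, "timthumb called with a remote src URL"))
    return findings
```

    Run it against a real access log by passing the file's contents to suspicious_requests() and then check the file modification times on the paths it reports, which is the cross-check with file dates that LDMartin1959 mentions asking for.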

  7. LDMartin1959
    Member
    Posted 1 year ago #

    MickeyRoush:

    What if you had a keylogger on one of your computers/Mac?

    I understand that, which is why we run security software on our computers -- to detect these things before they can do damage.

    What if your server is not secure?

    I am not an expert -- or even reasonably experienced -- in the server area. We use fairly well-known and fairly respected hosting companies for our sites so I would think that they have the server configurations rather secure.

    Also, I clean Windows PC's from malware for a living. MSE is not enough.

    I realize that MSE is not the greatest thing since sliced bread. But we also have a computer guy on staff who seems to know about these things and has a host of other tools he uses to check these things. MSE is just the standard AV/Security program that acts as sorta the initial sentry.

    You really need to look at your server logs, including any SFTP/FTP logs. When observing your regular server logs, examine all "POST" entries.

    I'm not exactly sure how we would get to those on the commercial hosting services we use -- as I said, the server area really isn't my strong suit. But we have people who should know how to do that and (hopefully) will share that information with me. I'll have them check them out. I do know enough to have asked them to check the file creation date/time to try to help pinpoint when these things are happening. Now, if they would just do it...

    Have you confirmed that none of your themes and/or plugins have vulnerabilities? Are any of them using the timthumb script or variant thereof?

    I don't know about the timthumb script. We have been keeping our plug-ins as updated as we can. As far as the themes, that is a bit of an issue since most of them are using custom, 1-off themes.

Topic Closed