Possible Exploit on 2.0? (14 posts)

  1. Shelby DeNike
    Member
    Posted 8 years ago #

    3 of my friends have had their WordPress sites hacked. The hack message says that it was hacked by Tapoot or hacked by JNAZH. I am wondering, is there some unsafe code in WordPress 2.0?

  2. skippy
    Member
    Posted 8 years ago #

    Can you elaborate on the result? Was it simple page defacement? Can the hosting provider(s) shed any light by way of log files?

    It's always possible that one's password is guessed, and an attacker gains access. It's also possible that another application running on their website was leveraged for access, and not WordPress.

  3. Mark (podz)
    Support Maven
    Posted 8 years ago #

    They ARE running v2.0?
    Who are their hosts?
    How many users on the blog?
    When did this happen?
    Got any code / evidence?
    Did they have what would be called 'strong' passwords?

    A lot more information is needed.

  4. Shelby DeNike
    Member
    Posted 8 years ago #

    Last I knew they WERE running 2.0; 1 for sure was using a nightly and I don't think he ever upgraded to 2.0 final. I host them and was not able to find anything in the logs, and none of them have SSH access at all either. 1 site was defaced with just a "hacked by JNAZH", and the other 2 had the same, saying they were hacked by Tapoot and JNAZH, and some of their posts were defaced. I don't THINK the passwords they used were all that simple, and 1 for sure was 8 characters in length and had a combo of numbers and letters. When I looked through the code I didn't see anything out of the ordinary, but the database looked like it had been screwed with, as in like multiple injections into the wrong areas.

  5. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Do you have anything left for someone to look over?

  6. Shelby DeNike
    Member
    Posted 8 years ago #

    What would you like? The last site I did a dump of all the WordPress directory, and a screenshot.

  7. Michael Bishop

    Posted 8 years ago #

    They are not running WP-Stats, are they? There's a known security issue with v 2.0 of that plugin.

  8. Shelby DeNike
    Member
    Posted 8 years ago #

    No, that was the first thing that I checked.

  9. Matt Mullenweg
    Troublemaker
    Posted 8 years ago #

    Are they on the same server?

  10. Ali_ix
    Member
    Posted 8 years ago #

    Please provide more information about your server specs.
    Do you use cPanel?

    There are numerous ways to access MySQL databases with some vulnerable web host managers (like older versions of cPanel).

    There is no way to inject some code into the DB through WP (as I see).

    Check your access logs on the server and see if someone tried to upload some shell script (I mean a PHP shell script) on the server or not ;)

  11. Shelby DeNike
    Member
    Posted 8 years ago #

    Here is another one http://crystal.7pounds.net/

  12. davidchait
    Member
    Posted 8 years ago #

    You say you are hosting them? Is it possible the server was hacked and not just one account? Or do you allow remote access to SQL where they could access everything if they got through?

  13. Shelby DeNike
    Member
    Posted 8 years ago #

    Remote access to SQL is shut off, and the server logs show no attempts to brute force logins etc. Also the accounts do NOT have SSH access. Latest version of cPanel was used as well. I am thinking it has to be an exploit with WordPress...

  14. Mark (podz)
    Support Maven
    Posted 8 years ago #

    sdenike - would you be prepared to allow one of the developers access so they can check things out? I'm not saying they will do so, but such an offer if you cannot find the cause could be useful.

    If you do, send an email to security@wordpress.org with this thread title and it'll be looked at.

Topic Closed

This topic has been closed to new replies.
