
Site being used for DDOS?! (5 posts)

  1. JustSandN
    Member
    Posted 2 years ago #

    Hi guys n gals,

    I've been using WP for a year and everything has been peachy, until a few days ago when I got an email from Bluehost advising that my site has been taken down due to "site causing performance problems". Having been away (and recently getting engaged - Yes I'm telling everyone!) I've only just got around to getting in touch with them to find out why and I got told the following:

    Your account is being used for a ddos attack against (66.228.33.245 1under.com). The malicious script is creating numerous wget requests to the site in question. You need to remove the malicious code, remove any scripts not being used and update the scripts they intend to keep.

    justsand 12119 0.0 0.0 10804 532 ? S May18 0:15 sh -c while [ 1 ]; do wget -O /dev/null --user-agent='Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)' http://www.1nder.com/sites/default/files/acquia_slate_logo.jpg; done > /dev/null 2>&1 &
    [b-u-rchaudhry@box438 rchaudhry]$ sudo ls -al /home1/justsand/public_html
    -rw-r--r-- 1 justsand justsand 15409 Apr 24 23:18 shit.php
    -rwxr-xr-x 1 justsand justsand 15409 Apr 24 23:23 shit.php.pgif
    -rw-r--r-- 1 justsand justsand 15409 Apr 24 23:18 shit.php.pgif(64) : eval()'d code

    Now I've tried doing my best "Hmmm yes, I see" face at the screen and looking all clever, but that's getting me nowhere. I deleted the offending php scripts off the public_html server, but I'm sure it's not that simple at all. Can anyone advise me how to sort all this mess out?

    The only help bluehost have provided is a rather generic:

    1. Change the Admin Email on your account.
    2. Change the Password on your account.
    3. Change the Credit Card on file on your account.
    4. Update and apply any patches, upgrades, or updates that the 3rd party vendor or web developer of your scripts may have available.
    5. Fix any loose file permissions (this may be the most common exploit vulnerability)
    6. Delete all non-system Ftp Accounts that were created, or at the very least, change the passwords to the FTP Accounts.
    7. Remove any Access Hosts by clicking the "Remote Mysql" icon and clicking the Remove Red X by each entry if there are any entries.
    8. Check your scripts for any Header Injection attacks, Sql Injection attacks, Cross-Site Scripting attacks, etc., as well as your php.ini file settings.
    9. Check your home/work computers for any viruses, trojans, or keyloggers.

    Some of these are fairly self-explanatory, but others just raise further questions. Also I'd really like to know how on earth this was able to happen; I leave my assistant editor in charge for a week and I come back to all this. I'm not sure if it's worth noting that the site has one administrator, one editor, two writer accounts and one contributor. I can account for my passwords being randomly generated 50-digit ones, but I'm not sure about the other users - I suppose it's too early to be pointing fingers anyway.

    Thanks in advance for any light anyone can shed on this situation.
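The Bluehost message above gives four concrete indicators: a process running an endless `wget` loop under the account, PHP files whose source calls `eval()` (the "(64) : eval()'d code" fragment is PHP reporting an error from inside such a call), PHP code hidden behind a second extension like `.php.pgif` with an execute bit set, and "loose file permissions" from the checklist. The script below is an added example, not something from the thread or from Bluehost or WordPress; it builds a throwaway web root with constructed files and a constructed `ps` sample, then runs the same checks a hosting support engineer or site owner would run against a real `public_html`.

```shell
#!/bin/sh
# Added example (not from the thread): hunt for the indicators described in
# the hosting provider's message. Every path, file and ps line is constructed.

# Constructed ps-style output: one benign line and one endless download loop
# shaped like the process quoted in the thread.
SAMPLE_PS='justsand 12003 0.0 0.1 52104 4312 ? S May18 0:02 php-cgi
justsand 12119 0.0 0.0 10804 532 ? S May18 0:15 sh -c while [ 1 ]; do wget -O /dev/null --user-agent=X http://example.invalid/logo.jpg; done'

# Build a throwaway web root: a clean index.php, a PHP file that evals an
# encoded string (it decodes to "echo 1;"), the same file hidden behind a
# second extension and marked executable, and a world-writable uploads dir.
make_sample_webroot() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads" "$root/wp-content/themes/demo"
  printf '<?php echo "hello"; ?>\n' > "$root/index.php"
  printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' > "$root/wp-content/uploads/dropped.php"
  cp "$root/wp-content/uploads/dropped.php" "$root/wp-content/uploads/dropped.php.pgif"
  chmod -R u=rwX,go=rX "$root"
  chmod 755 "$root/wp-content/uploads/dropped.php.pgif"
  chmod 777 "$root/wp-content/uploads"
  printf '%s\n' "$root"
}

# Files whose source calls eval(); legitimate WordPress core rarely needs it.
find_eval_files() {
  grep -rlE 'eval[[:space:]]*\(' "$1" 2>/dev/null || true
}

# PHP code hiding behind a second extension, as in the .php.pgif listing.
find_double_ext() {
  find "$1" -type f -name '*.php.*'
}

# PHP files with all execute bits set; web scripts do not need them.
find_exec_scripts() {
  find "$1" -type f -name '*.php*' -perm -0111
}

# World-writable files and directories (the "loose permissions" item).
find_world_writable() {
  find "$1" -perm -0002
}

# Process lines (ps aux format on stdin) that run an endless download loop.
flag_wget_loops() {
  grep -E '(wget|curl) ' | grep -E 'while (\[ *1 *\]|true|:) *;' || true
}

scan_webroot() {
  echo "== files calling eval() =="; find_eval_files "$1"
  echo "== double-extension PHP files =="; find_double_ext "$1"
  echo "== executable PHP files =="; find_exec_scripts "$1"
  echo "== world-writable paths =="; find_world_writable "$1"
  echo "== download loops in ps =="; ps aux 2>/dev/null | flag_wget_loops
}

# Usage: sh scan.sh /path/to/public_html   (no argument: scan the constructed sample)
if [ "$#" -gt 0 ]; then
  scan_webroot "$1"
else
  r=$(make_sample_webroot); scan_webroot "$r"; rm -rf "$r"
fi
```

Each check is a separate function so it can be run on its own; on a live host the process check should be fed `ps aux` output from the account in question, and anything the file checks list should be compared against a pristine copy of WordPress, the theme and each plugin rather than deleted blindly.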

  2. WP Voyager
    Member
    Posted 2 years ago #

    Hmm, Internet security can be quite baffling at times :-)

    As for how this was allowed to happen, there are just brilliant hackers who delight in causing pain for the average website owner. There are steps you can take to protect your WordPress install from attacks (such as updating regularly, as security fixes become available), ranging from basic to complex.

    These Codex articles ought to help you "harden" your WordPress, to avoid future successful hacking attempts:
    Hardening WordPress
    FAQ's about Hacked Sites

    Try these first, and if that doesn't clear things up in your mind, try running a few Google searches. Googling never hurt anyone, and there is tons of information out there just waiting to be found!

  3. ClaytonJames
    Member
    Posted 2 years ago #

    I leave my assistant editor in charge for a week and I come back to all this.

    Let's hope your assistant editor can't read, or doesn't frequent these forums.

    I didn't see anything obvious in the source code for any of your cached pages, but the few that there are all seem to be cached /archives only. There's a page of fatal errors listed for the stray-quotes plugin, but the last error was Mar 26th. So you must have fixed that. I don't see anything obvious with just that limited bit of information.

    You may want to concentrate on file and folder permissions, ftp and admin account compromises, issues with security in a shared hosting environment, and verify all of your plugins and theme files. Might not hurt to browse those access logs for clues.

    Here are a couple more links for good reading.

    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    http://ottopress.com/2009/hacked-wordpress-backdoors/
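"Browse those access logs for clues" is the step that answers the original question of how the files got there: the `ls` output in the first post gives the backdoor's modification time (Apr 24 23:18), and the access log entries around that time show which client first requested the file and what that client did just before. The script below is an added example, not from the thread or from either linked article; the combined-format log lines, the address 203.0.113.7 and the plugin name `example-plugin` are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): triage a combined-format access log
# around a file already identified as a backdoor. The log is constructed.

# Five constructed log lines: one client reads a plugin's readme, POSTs to a
# script in that plugin, then is the first to request the dropped file.
make_sample_log() {
  log=$(mktemp)
  {
    printf '%s\n' '203.0.113.7 - - [24/Apr/2012:23:17:41 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 200 1204 "-" "Mozilla/5.0"'
    printf '%s\n' '203.0.113.7 - - [24/Apr/2012:23:18:02 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"'
    printf '%s\n' '198.51.100.20 - - [24/Apr/2012:23:18:10 +0000] "GET /archives/2012/04 HTTP/1.1" 200 8831 "-" "Mozilla/5.0"'
    printf '%s\n' '203.0.113.7 - - [24/Apr/2012:23:18:15 +0000] "GET /wp-content/uploads/dropped.php HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"'
    printf '%s\n' '203.0.113.7 - - [24/Apr/2012:23:23:02 +0000] "POST /wp-content/uploads/dropped.php HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"'
  } > "$log"
  printf '%s\n' "$log"
}

# First request for the given path; its timestamp is compared with the
# file's mtime from ls -al. Combined format: $1 client, $6 "METHOD, $7 path.
first_hit() {
  awk -v p="$2" '$7 == p { print; exit }' "$1"
}

# Client address that made that first request.
client_of_first_hit() {
  first_hit "$1" "$2" | awk '{ print $1 }'
}

# Everything the same client did before first touching the path: the
# request that planted the file is usually among these lines.
prior_requests() {
  awk -v p="$2" '
    NR == FNR { if (!hit && $7 == p) { ip = $1; hit = FNR }; next }  # pass 1: locate first hit
    hit && FNR < hit && $1 == ip                                       # pass 2: earlier lines by that client
  ' "$1" "$1"
}

# How many distinct clients requested the path.
distinct_clients() {
  awk -v p="$2" '$7 == p { c[$1]++ } END { n = 0; for (i in c) n++; print n }' "$1"
}

# POST requests to anything under uploads: a media directory should never
# receive form submissions, so each one deserves a look.
posts_to_uploads() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-content\/uploads\//' "$1"
}

triage() {
  echo "== first hit =="; first_hit "$1" "$2"
  echo "== earlier requests by that client =="; prior_requests "$1" "$2"
  echo "== distinct clients =="; distinct_clients "$1" "$2"
  echo "== POSTs into uploads =="; posts_to_uploads "$1"
}

# Usage: sh triage.sh access_log /wp-content/uploads/dropped.php
# (no arguments: run against the constructed sample log)
if [ "$#" -ge 2 ]; then
  triage "$1" "$2"
else
  l=$(make_sample_log); triage "$l" /wp-content/uploads/dropped.php; rm -f "$l"
fi
```

On a shared host the log is usually under the account's home directory or exposed through the control panel's raw access log download; the path argument must match the request path exactly as logged, query string excluded, since the awk comparison is on the whole field.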

  4. JustSandN
    Member
    Posted 2 years ago #

    Thanks for the advice on this one guys. In the end Bluehost deleted everything... yay... I have a backup from early May, but it's clearly infected, my computer's antivirus flagged up a php file inside and it looks a complete mess. At this stage I'm wondering if it's worth throwing away a year and a half's work for the sake of a nice clean install and starting over... Which is kinda depressing.

  5. Dameian
    Member
    Posted 2 years ago #

    @JustSandN - I know it has been a few weeks, but would you be able to provide any supporting info related to your case that can be used to potentially help identify the location of the vulnerability? Themes and plugins installed at the time, etc? It would be greatly appreciated. I've just uncovered this exact same exploit on a client's site and want to do all I can to help her and try to shine more light on this to potentially benefit others.
