WordPress.org

Forums

[resolved] site hacked (20 posts)

  1. ergate
    Member
    Posted 9 years ago #

    I have a site that is powered by WordPress 1.5.2 and it was recently hacked; the root level of the install now reads "spykids ownz you". I don't think this was a security issue with WordPress. I am working with the admins of the server and we are trying to isolate what allowed the penetration. I can log into the admin section with no problem; none of the entries, users or passwords are affected.

    If you have heard of this with a WP site please let me know. I will post back anything that we find out.

    Aaron

  2. eveums
    Member
    Posted 9 years ago #

    I'm sorry to hear that happened to you. Good luck with everything.

  3. ergate
    Member
    Posted 9 years ago #

    Update: I mistyped the version of WP that is being used; it is 1.5.3.

  4. reuptake
    Member
    Posted 9 years ago #

    1.5.3? or 1.5.13?

    My site has been hacked too (running 1.2). Too bad, the intruders got root on the whole server running some more important services than my weblog ;( I hope that the latest version of WP is secure...

  5. ergate
    Member
    Posted 9 years ago #

    sorry again, it is 1.5.1.3

    Like I mentioned earlier, I do not necessarily think it was WP that was hacked, I think something else was exploited.

  6. reuptake
    Member
    Posted 9 years ago #

    it's very probable that it was WP.

  7. Mark (podz)
    Support Maven
    Posted 9 years ago #

    WOOOAHHHHHHHH - why say that ????

  8. Mark (podz)
    Support Maven
    Posted 9 years ago #

    reuptake - please make your comment really clear. It looks to a casual observer that you are making comments about the current version.

  9. If you are using WP v1.5.1.3, then it could have been hacked. Please upgrade to WP v1.5.2 ASAP.

  10. Class
    Member
    Posted 9 years ago #

  11. ergate
    Member
    Posted 9 years ago #

    No on the Cpanel.

    I have downloaded the upgrade and will get that taken care of as soon as my admins finish doing what they are doing and give me the ok.

  12. reuptake
    Member
    Posted 9 years ago #

    I said that because an exploit for v1.5.1.3 is widely spread and very easy to find.

  13. ergate
    Member
    Posted 9 years ago #

    Ok, to wrap up the problem that led to the site being hacked.
    It was NOT a WordPress problem; they did not hack the script or any direct part of the install. Here is a portion of what the sysadmin on my server had to say:
    "...I've searched the server for vulnerability and [there] are some clients who have old versions of phpBB and this is the way that hacker got in (he have user apache), then he used a script to search all index.php/index.html file and put there "spykids ownz you". "

    To make a long story short, a different script had a vulnerability in it and that was exploited, and used to re-write a page that WP uses.

  14. ergate
    Member
    Posted 9 years ago #

    I should also follow up with one last bit, the index file that was written over was not the index file at the root of the WP install, but the index file that was in the current theme.

  15. eragle
    Member
    Posted 9 years ago #

    Entirely possible. Thank you for clearing all of that up ergate. Sorry you got script-kiddied, but I'm glad it wasn't a problem with WordPress.

  16. PaulFlack
    Member
    Posted 9 years ago #

    I got it too, where do you find the fix?

  17. Mark (podz)
    Support Maven
    Posted 9 years ago #

    Got what ?

  18. PaulFlack
    Member
    Posted 9 years ago #

    Got the spykids "hack"...what do you do to get rid of it. All of my themes are totally screwed up, tried to reload them, to no avail.

  19. Mark (podz)
    Support Maven
    Posted 9 years ago #

    Upgrade to 1.5.2 - unless the blog at http://www.whohadada.com/blog/index.php is yours as that is already at 1.5.2

    There are no known security holes in 1.5.2, and from other reports it does not seem that WP is the weakness, rather that something else on the server has been exploited.
    If you have any server logs to the contrary, we would love to see them ?

  20. ergate
    Member
    Posted 8 years ago #

    Sorry for the delay in response, and sorry for the spykidz.

    Again, WP was not exploited. The server was exploited through a weakness in an install of phpBB, by someone on a different domain (the joys of shared hosting).
    I do not know what weakness they exploited, but I know the result, which is index files were overwritten with the irritating tag line. As a side note, I have several different installs of WP on one shared server (all installed at different domains). Only one theme in one install was affected, and it was only affected because I had the permissions set to 666; I was editing the file through the file editor. This is the only reason that we (my host admins and I) can find that allowed the index file to be overwritten.

    The only steps that I needed to fix the problem were to refresh my theme from an "unaffected" backup, and to make sure that I reset permissions as soon as I am done working. I keep and make my own backups, so this was no problem. As an added precaution, and as a way to clean up the domain, I asked the Hosting Provider admin to delete all contents from the httpdocs, and I started the whole thing fresh.

    The Database was not affected so it did not need any work.
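
Added example (not part of the original thread or of WordPress): a small audit for the condition described in the last post, where a theme `index.php` left at mode 666 on a shared host was overwritten with the defacement string. It walks a document root, lists world-writable files, and flags `index.php`/`index.html` files containing the string quoted in the thread; the function names and the sample directory layout are constructed for illustration.

```python
import os
import stat
import tempfile

MARKER = b"spykids ownz you"               # defacement string quoted in the thread
INDEX_NAMES = {"index.php", "index.html"}  # files the sysadmin said were targeted

def audit_docroot(root):
    """Return (world_writable, defaced) lists of paths relative to root."""
    world_writable, defaced = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:  # e.g. 666: any local user can overwrite
                world_writable.append(rel)
            if name.lower() in INDEX_NAMES:
                try:
                    with open(path, "rb") as fh:
                        if MARKER in fh.read(1 << 20).lower():
                            defaced.append(rel)
                except OSError:
                    pass
    return sorted(world_writable), sorted(defaced)

def build_sample(root):
    """Constructed sample tree: two installs, one theme file left at 666."""
    layout = {
        "blog-a/index.php": (b"<?php require 'wp-blog-header.php';", 0o644),
        "blog-a/wp-content/themes/default/index.php": (b"spykids ownz you", 0o666),
        "blog-b/wp-content/themes/default/index.php": (b"<?php get_header();", 0o644),
    }
    for rel, (body, mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        writable, defaced = audit_docroot(tmp)
        print("world-writable:", writable)
        print("defaced index files:", defaced)
```

Any path in the first list should be set back to an owner-writable mode such as 644 once editing is finished, and any path in the second list restored from a known-good backup.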

Topic Closed

This topic has been closed to new replies.
