
wordpress exploit, site hacked [newportalse.com] (67 posts)

  1. hellowoo
    Member
    Posted 3 years ago #

    my site is trying to redirect to newportalse.com and google chrome is flagging it as hacked. anyone know how to fix this issue? I found a few possible fixes, but none for this specific one.

    I had my site locked down really well, so I'm confused how it got hacked. they are injecting php and javascript. here is what a malware scanner returned:

    Malware found on javascript file:
    http://www.domain.com/wp-includes/js/l10n.js?ver=20101110

    [Code moderated as per the Forum Rules. Please use the pastebin]

  2. jkrill
    Member
    Posted 3 years ago #

    My site just got this same attack.

    Not good.

  3. sr20de1
    Member
    Posted 3 years ago #

    I got it also, scanned my site through sucuri.net, what did you use?

  4. hellowoo
    Member
    Posted 3 years ago #

    found some info on attacks, but nothing on this exact one if you're interested:

    http://www.google.co.uk/support/forum/p/Webmasters/thread?tid=111c656d782114dd&hl=en

    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    and http://sucuri.net/ is where I found the scan.

  5. hellowoo
    Member
    Posted 3 years ago #

    I have a friend that finds lots of exploits to fix, one of the lead guys out there, I will keep you posted if I find a fix.

  6. kmessinger
    Volunteer Moderator
    Posted 3 years ago #

  7. jkrill
    Member
    Posted 3 years ago #

    Seems like, based on sucuri.net, the attack was on /wp-includes/js/l10n.js and /wp-includes/js/jquery/jquery.js

    It had inserted the malicious code at the end of those files.

    I went in and deleted the bad code - but the question remains, how did this happen?

    It appears that they got to every one of these files on my server (I have multiple WordPress installs) so it was not just a single site attack, but perhaps a server attack.

    I am using hostmonster.com.

  8. hellowoo
    Member
    Posted 3 years ago #

    yikes. I have at least 10 wordpress sites, what a pain. I saw it might be via tim thumbs php injection. but not certain.

  9. lukemillercallahan
    Member
    Posted 3 years ago #

    My site (groaction.com) also got hacked by them a couple of days ago. I have timthumbs too, if that helps to get at the root of the problem.

    Thanks for posting the links of where the bad code is. Much appreciated.

  10. audacity
    Member
    Posted 3 years ago #

    Whois info for newportalse.com:

    Provorov Aleksey (countersster@googlemail.com)
    SOKOLINOY GORYi 5-Ya UL., 23
    Moskva
    Moskovskaya obl,105275
    RU
    Tel. +7.9104556998

    I have timthumbs as well, looks like that's where the exploit came from.

  11. Rev. Voodoo
    Volunteer Moderator
    Posted 3 years ago #

    http://ma.tt/2011/08/the-timthumb-saga/

    for more info on the timthumb exploit. It has been patched, but the theme or at least timthumb need updated

  12. Daniel Cid
    Member
    Posted 3 years ago #

  13. MANERS
    Member
    Posted 3 years ago #

    I have a similar problem. Same domain and attack - there's two infected javascript files on my site. Here's the scan:

    Web site: dotgamerclan.com
    status: Site infected with malware
    web trust: Not Blacklisted

    Malware found on javascript file:
    http://www.dotgamerclan.com/announcementsblog/wp-includes/js/l10n.js?ver=20101110

    [Code moderated as per the Forum Rules. Please use the pastebin]

    I don't know how to "clean" the files. I think I fixed the timthumb hole, though, using the fix on http://blog.vaultpress.com/2011/08/02/vulnerability-found-in-timthumb/. I am also using Host monster. Can anyone help me clean these files?

  14. You can post on jobs.wordpress.net if you want to hire someone to clean your site.

  15. hellowoo
    Member
    Posted 3 years ago #

    [update]

    I seem to have cleaned the install and have no more problems. Here are the steps I took:

    1. Download WordPress and extract the l10n.js listed above, and replace yours with it; there is malicious code in it.

    2. Clean your functions.php file in your themes. Some versions of this might affect more than one install or theme; mine happened to be just in the active theme. They inject about 100 lines and then add some code.

    the code:
    http://pastebin.com/Qe1Ag47A

    That's what you want to delete. Also redo your salt tags.

    3. make new username/password for wordpress and database.

    http://sitecheck.sucuri.net/scanner/ reports that there are no more problems. This was scary as I have about a million hits a month, yikes, hope I didn't do damage to other people's computers :/

    Note: this might not be an exhaustive method; there may be more hidden code. My WordPress was updated to the most current version and all plugins were updated, so I'm not sure how it happened.

    so far no more problems. hope this helps.
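
The procedure above (replace the core file, hunt for injected code, note what was touched) can be made systematic. The script below is an added example, not code from any poster or from WordPress: it unpacks nothing itself but assumes you have extracted the same WordPress release next to the site, then compares the two trees and separates "clean file plus an appended tail" (the pattern reported for l10n.js and jquery.js) from files rewritten outright. Directory names and the sample trees are constructed so it runs offline.

```python
"""Added example: diff a live WordPress tree against the pristine release.

Core files that differ are classified; anything the pristine tree does not
contain (wp-config.php, .htaccess, wp-content/) is listed for manual review,
since functions.php and plugins need their own pristine copies.
"""
import os
import tempfile


def compare_trees(reference, target):
    """Return a dict with keys missing, appended, modified, extra.

    appended - live file starts with the exact reference bytes plus a tail
    modified - differs in any other way
    extra    - present only in the live tree; not judged, just listed
    """
    result = {"missing": [], "appended": [], "modified": [], "extra": []}
    ref_files = set()
    for root, _dirs, files in os.walk(reference):
        for name in files:
            ref_path = os.path.join(root, name)
            rel = os.path.relpath(ref_path, reference)
            ref_files.add(rel)
            live_path = os.path.join(target, rel)
            if not os.path.isfile(live_path):
                result["missing"].append(rel)
                continue
            with open(ref_path, "rb") as f:
                clean = f.read()
            with open(live_path, "rb") as f:
                live = f.read()
            if live == clean:
                continue
            if live.startswith(clean):
                # Payload glued onto an otherwise clean file; keep a short tail.
                result["appended"].append((rel, live[len(clean):][:80]))
            else:
                result["modified"].append(rel)
    for root, _dirs, files in os.walk(target):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), target)
            if rel not in ref_files:
                result["extra"].append(rel)
    for entries in result.values():
        entries.sort()
    return result


def build_sample_trees(base):
    """Constructed sample: a tiny 'pristine' tree and an infected live copy."""
    ref = os.path.join(base, "wordpress")
    live = os.path.join(base, "public_html")
    files = {
        "wp-includes/js/l10n.js": b"wp.l10n = {};\n",
        "wp-includes/js/jquery/jquery.js": b"/* jquery */\n",
        "wp-config-sample.php": b"<?php // sample\n",
    }
    for rel, data in files.items():
        for tree in (ref, live):
            path = os.path.join(tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
    # Appended payload as reported for l10n.js (placeholder URL, not the real one).
    with open(os.path.join(live, "wp-includes/js/l10n.js"), "ab") as f:
        f.write(b"document.write('<script src=\"http://example.invalid/x.js\"></script>');\n")
    # Legitimately present only on the live site; shows up under "extra".
    with open(os.path.join(live, "wp-config.php"), "wb") as f:
        f.write(b"<?php // site config\n")
    return ref, live


def demo():
    with tempfile.TemporaryDirectory() as base:
        ref, live = build_sample_trees(base)
        return compare_trees(ref, live)


if __name__ == "__main__":
    for kind, entries in demo().items():
        for entry in entries:
            print(kind, entry)
```

Run it against the exact release the site is on (the `?ver=` query string on the flagged l10n.js URL is a hint), since any version mismatch shows up as noise under "modified". Anything under wp-content/ lands in "extra" because core does not ship it; compare themes and plugins against their own fresh downloads the same way.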

  16. You should also check your .htaccess and wp-config.php

    They've both been affected in these attacks :/

  17. Ciotti
    Member
    Posted 3 years ago #

    Thanks for all of the advice in this thread, really appreciate it as I've just had this attack happen on my site.

    I've used Sucuri and I can definitely recommend their service, will be following up with all of the suggestions in this thread to try and make my sites secure from this nonsense.

  18. Glen Charles Rowell
    Member
    Posted 3 years ago #

    What caused the problem? I have sites but want to avoid this if possible.

    Glen

  19. daboss07
    Member
    Posted 3 years ago #

    Thank you for writing these posts. I used http://sitecheck.sucuri.net/scanner/
    and found this was linked to my prettyphoto plugin. I also replaced the l10n.js file. Thanks again. This really saved me the headache of finding the file.

    Chad

  20. MickeyRoush
    Member
    Posted 3 years ago #

    I'm trying to work on some preventative measures to stop this kind of attack. Did anyone notice if there were any strange files in your upload folder(s)? The default is /wp-content/uploads but could be changed via your settings. Or wherever images and other files are uploaded. (Not FTP)

    Look for anything with a double extension. Like example.php_.jpg

    Or even just a php file like example.php

  21. Glen Charles Rowell
    Member
    Posted 3 years ago #

    There should be a setting to stop users uploading anything with the word php in it then. That would stop the problem, wouldn't it?

    Glen

  22. Glen Charles Rowell
    Member
    Posted 3 years ago #

    daboss07 was that website where the problem came from? Or did you use it to see if you had the problem?

    Glen

  23. MANERS
    Member
    Posted 3 years ago #

    After replacing the files that http://sitecheck.sucuri.net/scanner/ claimed were infected with fresh ones, I seem to be okay. My functions.php doesn't seem to have the code from pastebin hellowoo kindly posted.

  24. ClaytonJames
    Member
    Posted 3 years ago #

    There should be a setting to stop users uploading anything with the word php in it then. That would stop the problem, wouldn't it?

    I don't think that would have any positive impact. I think it would have virtually zero effect in preventing files from being placed on a website through access exposed by a vulnerability that allowed an intruder access to any of its directories.

  25. Glen Charles Rowell
    Member
    Posted 3 years ago #

    ClaytonJames what do you think we can do to stop this type of thing happening? I just want a safe WordPress installation and site.

  26. ClaytonJames
    Member
    Posted 3 years ago #

    I think the best thing you can do right from the start is to research your host first. Take a look at the recorded history of issues, and see what you can find on the web about what others are saying about that company. You have to remember though, you will find very unhappy people who will say very unhappy things about every host, no matter what. Even though a hosting service may have had issues, it doesn't mean they are a bad bet. It happens to everyone sooner or later. You have to look at how they responded to the issue, as much as why it happened in the first place. Run that stuff through a logic filter before you make a decision. A good indication is how willing your hosting company is to answer your questions, and if they seem to be willing to work with you, and really want your business.

    Learn about the correct file and folder permission for your environment. Being on a shared server is very different from being on a dedicated server. Don't be afraid to ask your host - or anyone else - about these things, and research their answers if you think you should.

    Learn how, and be diligent about, keeping your own pc and the tools you use to manage your site (ftp clients, usernames, passwords, etc...) secured and free from password harvesting infections and malware in general.

    Keep up to date with the most recent security and bug-fix releases for wordpress. I can't stress this enough. Stay on top of it. Also make sure that you make scheduled, regular backups of your database and all of your files. You would be surprised how many people just don't do this. It really can be a major life saver.

    Be cautious when using third-party themes, plugins, applications, scripts, add-ons, etc... do the research first. If it's a bad idea, you can bet someone has posted something related to it somewhere. Keep your plugins and themes up to date.

    Read all the resources you can find. Nothing is 100% sure, but there is no reason why you shouldn't look out for yourself (and your readers and visitors) first, by using all of the tools at your disposal.

    Good place to start: Hardening WordPress

  27. MANERS
    Member
    Posted 3 years ago #

    Update: it seems that this method DID NOT clear the issue. My browser (Chrome) still claims that newportalse. com has content on my site. This occurs despite Sucuri claiming my site is clean. It only makes this claim in the backend, about once every ten loads, never in a pattern. That's the part that really confuses me - what could possibly be loading only every so often?

  28. MickeyRoush
    Member
    Posted 3 years ago #

    @ a4jp.com

    There should be a setting to stop users uploading anything with the word php in it then. That would stop the problem, wouldn't it?

    Glen

    I believe WordPress and most plugins that use the uploads folder already do this via php code that it is written with.

    From a particular plugin:

    if ( ( !empty( $file['file']['type'] ) && !preg_match( '/(jpe?g|gif|png)$/i', $file['file']['type'] ) ) || !preg_match( '/(jpe?g|gif|png)$/i', $file['file']['name'] ) )
        return false;

    But hackers get around this by uploading a file with a double extension or by using null bytes.

    script.php.jpg or script.php%.jpg or something like that. But I believe WordPress doesn't allow the use of special characters so the null byte method won't work. Also I believe WordPress will add an underscore after the first extension resulting in script.php_.jpg after the file is successfully uploaded.

    And since the file permissions on the uploads folder are usually pretty loose, it could result in an issue.

    As ClaytonJames mentioned, it could also rely on other vulnerabilities in the code of the theme or plugin.

    My question is, has anyone checked the upload directory of anyone using the timthumb.php code or any variants thereof, that are inflicted with this attack and/or similar ones. This could be your wp-content/uploads or somewhere else. Just check and see.

    I helped another webmaster solve his entry of attack by finding scripts in his uploads folder where there should be none. It may not be related, but I'm still investigating and researching. If anyone has any more positive information, I'd gladly appreciate the input.
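
The two posts above (the upload-folder check and the plugin filter with its double-extension bypass) can be tried out directly. This is an added example, not plugin or WordPress code: `weak_filter_accepts` is a Python rendering of the PHP regex quoted above, `strict_filter_accepts` is one hardened alternative, and `scan_uploads` walks an uploads tree for the indicators the posts describe. The extension lists and the sample file names are constructed for the demo.

```python
"""Added example: why a suffix regex is a weak upload filter, and a scan of an
uploads tree for PHP hiding under image-looking names."""
import os
import re
import tempfile

IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png"}
# Extensions a PHP-enabled server may execute; hypothetical list for the demo.
EXEC_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}
SUFFIX_RE = re.compile(r"(jpe?g|gif|png)$", re.I)


def weak_filter_accepts(name, mime):
    """Mirror of the quoted check: client-supplied MIME type and file name must
    both END in an image suffix. Nothing looks at the rest of the name, so
    'shell.php.jpg' (and 'shell.php\\x00.jpg') sail through."""
    return bool(SUFFIX_RE.search(mime)) and bool(SUFFIX_RE.search(name))


def strict_filter_accepts(name):
    """Hardened check: no control characters or path separators (defeats the
    null-byte trick), final extension must be an image type, and no executable
    extension may appear anywhere in the name, because some Apache setups run
    'x.php.jpg' as PHP when .php is bound to a handler."""
    if any(ord(c) < 0x20 for c in name) or "/" in name or "\\" in name:
        return False
    parts = name.lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in IMAGE_EXT:
        return False
    return not any("." + p in EXEC_EXT for p in parts[1:-1])


def scan_uploads(root):
    """Flag what the thread says to look for: bare PHP files, double extensions
    hiding PHP, names containing 'php' (WordPress renames foo.php.jpg to
    foo.php_.jpg), and .htaccess files, which can re-enable PHP in uploads."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            lower = name.lower()
            exts = ["." + p for p in lower.split(".")[1:]]
            if lower == ".htaccess":
                findings.append((rel, ".htaccess in uploads"))
            elif exts and exts[-1] in EXEC_EXT:
                findings.append((rel, "executable extension"))
            elif any(e in EXEC_EXT for e in exts):
                findings.append((rel, "double extension hiding php"))
            elif "php" in lower:
                findings.append((rel, "php in name"))
    return sorted(findings)


def demo():
    """Constructed uploads tree with one clean image and several indicators."""
    sample = ["2011/08/photo.jpg", "2011/08/shell.php", "2011/08/shell.php.jpg",
              "2011/08/example.php_.jpg", "cache/.htaccess"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        return scan_uploads(root)


if __name__ == "__main__":
    print("weak accepts shell.php.jpg:", weak_filter_accepts("shell.php.jpg", "image/jpeg"))
    print("strict accepts shell.php.jpg:", strict_filter_accepts("shell.php.jpg"))
    for rel, reason in demo():
        print(rel, "->", reason)
```

Filtering names is only half of it: a file in uploads should never be executable regardless of what it is called, so the scan also lists any `.htaccess` found there, since that is where an intruder would re-enable PHP for the directory.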

  29. MANERS
    Member
    Posted 3 years ago #

    Just another update from me (in case someone in the future reads this thread): because the only time I ever encounter an alert from Chrome is while in the backend, and Sucuri claims my site is clean, I assumed that the issue is backend only (thus Sucuri can't access it and the users are safe). My next idea was to use WordPress's built-in reinstall feature. It seems to have worked. I will update this thread if I encounter the message again. Again, I only got it about 1 out of every 10 reloads, so it'll take time to figure out if my install is really clean or not.

  30. MANERS
    Member
    Posted 3 years ago #

    @MickeyRoush

    I just checked my uploads. Nothing unusual as far as I can tell.

    (Sorry for double post)
