WordPress › Support » wordpress exploit, site hacked [newportalse.com]

hellowoo
Member
Posted 1 year ago #

my site is trying to redirect to newportalse.com and google chrome is flagging it as hacked. anyone know how to fix this issue? I found a few possible fixes, but none for this specific one.

I had my site locked down really well, so I'm confused how it got hacked. they are injecting php and javascript. here is what a malware scanner returned:

Malware found on javascript file:
http://www.domain.com/wp-includes/js/l10n.js?ver=20101110

[Code moderated as per the Forum Rules. Please use the pastebin]
jkrill
Member
Posted 1 year ago #

My site just got this same attack.

Not good.
sr20de1
Member
Posted 1 year ago #

I got it also, scanned my site through securi.net, what did you use?
hellowoo
Member
Posted 1 year ago #

found some info on attacks, but nothing on this exact one if you're interested:

http://www.google.co.uk/support/forum/p/Webmasters/thread?tid=111c656d782114dd&hl=en

http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

and http://sucuri.net/ is where I found the scan.
hellowoo
Member
Posted 1 year ago #

I have a friend that finds lots of exploits to fix, one of the lead guys out there, I will keep you posted if I find a fix.
kmessinger
Volunteer Moderator
Posted 1 year ago #

You should check these out also.

http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
http://codex.wordpress.org/Hardening_WordPress
jkrill
Member
Posted 1 year ago #

Seems like, based on sucuri.net, the attack was on /wp-includes/js/l10n.js and /wp-includes/js/jquery/jquery.js

It had inserted the malicious code at the end of those files.

I went in and deleted the bad code - but the question remains, how did this happen?

It appears that they got to every one of these files on my server (I have multiple WordPress installs) so it was not just a single site attack, but perhaps a server attack.

I am using hostmonster.com.
hellowoo
Member
Posted 1 year ago #

yikes. I have at least 10 wordpress sites, what a pain. I saw it might be via tim thumbs php injection. but not certain.
lukemillercallahan
Member
Posted 1 year ago #

My site (groaction.com) also got hacked by them a couple of days ago. I have timthumbs too, if that helps to get at the root of the problem.

Thanks for posting the links of where the bad code is. Much appreciated.
audacity
Member
Posted 1 year ago #

Whois info for newportalse.com:

Provorov Aleksey (countersster@googlemail.com)
SOKOLINOY GORYi 5-Ya UL., 23
Moskva
Moskovskaya obl,105275
RU
Tel. +7.9104556998

I have timthumbs as well, looks like that's where the exploit came from.
Rev. Voodoo
Volunteer Moderator
Posted 1 year ago #

http://ma.tt/2011/08/the-timthumb-saga/

for more info on the timthumb exploit. It has been patched, but the theme or at least timthumb need updated
dd@sucuri.net
Member
Posted 1 year ago #

Yes, this one is happening through the timthumb.php vulnerability. We posted some details here too:

http://blog.sucuri.net/2011/08/attacks-against-timthumb-php-in-the-wild-list-of-themes-and-plugins-being-scanned.html
http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain2-com.html

thanks,
MANERS
Member
Posted 1 year ago #

I have a similar problem. Same domain and attack - there's two infected javascript files on my site. Here's the scan:

`
eb site: dotgamerclan.com
status: Site infected with malware
web trust: Not Blacklisted

Malware found on javascript file:
http://www.dotgamerclan.com/announcementsblog/wp-includes/js/l10n.js?ver=20101110

[Code moderated as per the Forum Rules. Please use the pastebin]

I don't know how to "clean" the files. I think I fixed the timthumb hole, though, using the fix on http://blog.vaultpress.com/2011/08/02/vulnerability-found-in-timthumb/. I am also using Host monster. Can anyone help me clean these files?
Ipstenu (Mika Epstein)
Half-Elf Support Rogue & Mod
Posted 1 year ago #

You can post on jobs.wordpress.net if you want to hire someoen to clean your site.
hellowoo
Member
Posted 1 year ago #

[update]

seemed to have clean the install and no more problems. here are the steps I took:

1. download wordpress and extract l10n.js listed above, and replace it, there is malicious code in it.

2. clean your functions.php file in your themes, some versions of this might affect more than one install or theme, mine happened to just be in active theme. they inject about 100 lines then add some code.

the code:
http://pastebin.com/Qe1Ag47A

thats what you want to delete. also redo your salt tags.

3. make new username/password for wordpress and database.

http://sitecheck.sucuri.net/scanner/ posts that there is no more problems. this was scary as I have about a million hits a month, yikes, hope I didn't do damage to other peoples computers :/

note: this might not be an exhaustive method, there more be more hidden code. my wordpress was updated to most current version and all plugins were updated, so I'm not sure how it happened.

so far no more problems. hope this helps.
Ipstenu (Mika Epstein)
Half-Elf Support Rogue & Mod
Posted 1 year ago #

You should also check your .htaccess and wp-config.php

They've both been affected in these attacks :/
Ciotti
Member
Posted 1 year ago #

Thanks for all of the advice in this thread, really appreciate it as I've just had this attack happen on my site.

I've used Sucuri and I can definitely recommend their service, will be following up with all of the suggestions in this thread so try and make my sites secure from this nonsense.
a4jp.com
Member
Posted 1 year ago #

What caused the problem? I have sites but want to avoid this if possible.

Glen
daboss07
Member
Posted 1 year ago #

Thank you for writing these posts. I used http://sitecheck.sucuri.net/scanner/
and found this was linked to my prettyphoto plugin. I aslo replaced the l10n.js file. Thanks again. This really saved me the headache of finding the file.

Chad
MickeyRoush
Member
Posted 1 year ago #

I'm trying to work on some preventative measures to stop this kind of attack. Did anyone notice if there were any strange files in your upload folder(s)? The default is /wp-content/uploads but could be changed via your settings. Or wherever images and other files are uploaded. (Not FTP)

Look for anything with a double extension. Like example.php_.jpg

Or even just a php file like example.php
a4jp.com
Member
Posted 1 year ago #

There should be a setting to stop users uploading anything with the word php in it then. That would stop the problem, wouldn't it?

Glen
a4jp.com
Member
Posted 1 year ago #

daboss07 was that website where the problem came from? Or did you used it to see if you had the problem?

Glen
MANERS
Member
Posted 1 year ago #

After replacing the files that http://sitecheck.sucuri.net/scanner/ claimed were infected with fresh ones, I seem to be okay. My functions.php doens't seem to have the code from pastebin hellowoo kindly posted.
ClaytonJames
Member
Posted 1 year ago #

There should be a setting to stop users uploading anything with the word php in it then. That would stop the problem, wouldn't it?

I don't think that would have any positive impact. I think it would have virtually zero effect in preventing files from being placed on a website through access exposed by a vulnerability that allowed an intruder access to any of it's directories.
a4jp.com
Member
Posted 1 year ago #

ClaytonJames what do you think we can do to stop this type of thing happening? I just want a safe WordPress installation and site.
ClaytonJames
Member
Posted 1 year ago #

I think the best thing you can do right from the start is to research your host first. Take a look at the recorded history of issues, and see what you can find on the web about what others are saying about that company. You have to remember though, you will find very unhappy people who will say very unhappy things about every host, no matter what. Even though a hosting service may have had issues, it doesn't mean they are a bad bet. It happens to everyone sooner or later. You have to look at how they responded to the issue, as much as why it happened in the first place. Run that stuff through a logic filter before you make a decision. A good indication is how willing your hosting company is to answer your questions, and if they seem to be willing to work with you, and really want your business.

Learn about the correct file and folder permission for your environment. Being on a shared server is very different from being on a dedicated server. Don't be afraid to ask your host - or anyone else - about these things, and research their answers if you think you should.

Learn how, and be diligent about, keeping your own pc and the tools you use to manage your site (ftp clients, usernames, passwords, etc...) secured and free from password harvesting infections and malware in general.

Keep up to date with the most recent security and bug-fix releases for wordpress. I can't stress this enough. Stay on top of it. Also make sure that you make scheduled, regular backups of your database and all of your files. You would be surprised how many people just don't do this. It really can be a major life saver.

Be cautious when using third part themes, plugins, applications, scripts, add-ons, etc... do the research first. If it's a bad idea, you can bet someone has posted something related to it somewhere. Keep your plugins and themes up to date.

Read all the resources you can find. Nothing is 100% sure, but there is no reason why you shouldn't look out for yourself (and your readers and visitors) first, by using all of the tools at your disposal.

Good place to start: Hardening WordPress
MANERS
Member
Posted 1 year ago #

After replacing the files that http://sitecheck.sucuri.net/scanner/ claimed were infected with fresh ones, I seem to be okay. My functions.php doens't seem to have the code from pastebin hellowoo kindly posted.

Update: it seems that this method DID NOT clear the issue. My browser (Chrome) still claims that newportalse. com has content on my site. This occurs despite Sucuri claiming my site is clean. It only makes this claim in the backend, about once every ten loads, never in a pattern. That's the part that really confuses me - what could possibly be loading only every so often?
MickeyRoush
Member
Posted 1 year ago #
@ a4jp.com

There should be a setting to stop users uploading anything with the word php in it then. That would stop the problem, wouldn't it?

Glen

I believe WordPress and most plugins that use the uploads folder already do this via php code that it is written with.

From a particular plugin:
```
if ( ( !empty( $file['file']['type'] ) && !preg_match('/(jpe?g|gif|png)$/i', $file['file']['type'] ) ) || !preg_match( '/(jpe?g|gif|png)$/i', $file['file']['name'] ) )
		return false;
```
But hackers get around this by uploading a file with a double extension or by using null bytes.

script.php.jpg or script.php%.jpg or something like that. But I believe WordPress doesn't allow the use of special characters so the null byte method won't work. Also I believe WordPress will add an underscore after the first extension resulting in script.php_.jpg after the file is successfully uploaded.

And since the file permissions on the uploads folder are usually pretty loose, it could result in an issue.

As ClaytonJames mentioned, it could also rely on other vulnerabilities in the code of the theme or plugin.

My question is, has anyone checked the upload directory of anyone using the timthumb.php code or any variants there of, that are inflicted with this attack and/or similar ones. This could be your wp-content/uploads or somewhere else. Just check and see.

I helped another webmaster solve his entry of attack by finding scripts in his uploads folder where there should be done. It may not be related, but I'm still investigating and researching. If anyone has anymore positive information, I'd gladly appreciated the input.
MANERS
Member
Posted 1 year ago #

After replacing the files that http://sitecheck.sucuri.net/scanner/ claimed were infected with fresh ones, I seem to be okay. My functions.php doens't seem to have the code from pastebin hellowoo kindly posted.

Update: it seems that this method DID NOT clear the issue. My browser (Chrome) still claims that newportalse. com has content on my site. This occurs despite Sucuri claiming my site is clean. It only makes this claim in the backend, about once every ten loads, never in a pattern. That's the part that really confuses me - what could possibly be loading only every so often?

Just another update with me (in case someone in the future reads this thread), because the only time I every encounter an alert from Chrome while in the backend, and Sucuri claims my site is clean, I assumed that the issue is backend only (thus Sucuri can't access it and the users are safe). My next idea was to use WordPress's built in reinstall feature. It seems to have worked. I will update this thread if I encounter the message again. Again, I only got it about 1 out of every 10 reloads, so it'll take time to figure out if my install is really clean or not.
MANERS
Member
Posted 1 year ago #

@MickeyRoush

I just checked my uploads. Nothing unusual as far as I can tell.

(Sorry for double post)

12 3 Next »

Topic Closed

This topic has been closed to new replies.

WordPress.org

Forums

wordpress exploit, site hacked [newportalse.com] (67 posts)

Topic Closed

About this Topic

Tags

Code is Poetry