WordPress.org

Ready to get started?Download WordPress

Forums

Site Hacked over and over WordPress 2.5.1 Please Help! (15 posts)

  1. Mobster
    Member
    Posted 6 years ago #

    I have a WordPress site that is getting attacked over and over. Whoever or whatever is doing it, edits my theme index.php and fills is with Viagra spam links.

    Has anyone had this happen in the latest release and, why does this continue to happen even when I spend hours upgrading ?

    please help!

  2. They're editing the index.php file? Your host is compromised.

    Change your password on your server and in WordPress; re-upload all the files from http://wordpress.org/ and inform your hosting company.

    Also give this entire article a read: http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    Good Luck.

    Edit: Also which index.php? And is this a UNIX box?

  3. Mobster
    Member
    Posted 6 years ago #

    Well... it's my header that's being hacked.

    This appears right after the <body> tag. It positions them out of view but they're there. Even when I delete them they come back.

    How are they accessing my header.php >? Any suggestions?

    This is what it looks like.

    <!--linksb-->
    <div style="position:absolute; left:-1130px; top:-1003px;">
    <a href="http://www.news.appstate.edu/wp-content/uploads/.thumbs/viagra/viagra.html">viagra </a>
    <a href="http://www.news.appstate.edu/wp-content/uploads/.thumbs/viagra/viagra-pills.html">viagra pills buy</a>
    
    +hundreds more links....................................
    
    <!--linkse-->

    What the?????

  4. lincolnspector
    Member
    Posted 6 years ago #

    I got back from vacation Sunday and discovered that my index.php file was hacked. Yes, I removed the vile code (actually, someone at my host, IX Hosting, did it for me), I've changed the password, updated WordPress, etc.

    One thing I haven't done is check my .htaccess file. I can't find it to check it.

    Lincoln

  5. flammobammo
    Member
    Posted 6 years ago #

    I have recently been learning about permissions, and provided several links to articles about permissions that should be used for WordPress here.

    You should check that all folders are set to 755 or stricter, and that all files are set to 644 or stricter. Please check and report back.

  6. Mobster
    Member
    Posted 6 years ago #

    Thanks Flammo,

    All permissions appear to be set correctly. I checked this yesterday.

    I found these users in phpmyAdmin as recent members:

    pornvigra[at]gmail.com

    canadapharma[at]izmail.net

    Also, users have been complaining about not being able to login. A couple people told me their passwords weren't working and when they try to get a new one it won't work either.

    I get this when I request one /wp-login.php?action=rp&key=us4mN!AG!RS^

    I think my database has been hacked.

  7. flammobammo
    Member
    Posted 6 years ago #

    So to double check, you have no folder permissions greater than 755, and no file permissions greater than 644?

    I don't know what else to say other than to make sure you change your database password AND username to help slow them down. The real question is how did they work out what it was to be able to hack it?

    One thing to look at is check that you have mod_openbasedir installed in Apache. This means (I think) that contents of PHP files can only be parsed, and not read. Clearly then, if this is not installed, then your wp-config.php file could be easily read. (Mind you, I don't know why any server wouldn't have this installed, but good to check).

  8. Storyman
    Member
    Posted 6 years ago #

    Yesterday a comment appeared from one of my 'test' sites that I had actually forgotten about. What made this comment of particular interest was that it looked like it had some strange code, but I did recognize the word 'Viagra' (which was mentioned by a poster that a hacker left as an ad on his site.)

    Immediately upgraded the site to WP-2.5.1 and changed passwords.

  9. macsoft3
    Member
    Posted 6 years ago #

    >I've changed the password

    That may not be a sufficient solution if they cracked the password with a known username.

    >You should check that all folders are set to 755 or stricter

    What does the CHMOD of 755 really mean? You want to show off the lists of files to people who don't have to see and let them download files?

  10. ClaytonJames
    Member
    Posted 6 years ago #

    What does the CHMOD of 755 really mean? You want to show off the lists of files to people who don't have to see and let them download files?

    What does it really mean?

  11. flammobammo
    Member
    Posted 6 years ago #

    Try this

  12. ClaytonJames
    Member
    Posted 6 years ago #

    Yes... I know. I was attempting to elicit an intelligible response from macsoft3. That drive-by shooting of a jumble he left above wouldn't help anyone. My sarcasm was apparently lost in the process.

    ...but thank you for the effort!

    :-)

  13. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    Read this:
    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    Hacked sites get backdoors left behind in them for the hacker to get back in even after you fix the problem or upgrade. You have to find and eliminate those holes.

  14. Mobster
    Member
    Posted 6 years ago #

    Man, had I found this a week ago it would have saved me some time.

    exploit-scanner

    This plug-in found a couple problems right off the bat.

    It detected this in my upload directory. (I wont post the whole thing but what the???)

    2008.php

    error_reporting(7);
    @set_magic_quotes_runtime(0);
    ob_start();
    $mtime = explode(' ', microtime());
    $starttime = $mtime[1] + $mtime[0];
    define('SA_ROOT', str_replace('\\', '/', dirname(__FILE__)).'/');
    //define('IS_WIN', strstr(PHP_OS, 'WIN') ? 1 : 0 );
    define('IS_WIN', DIRECTORY_SEPARATOR == '\\');
    define('IS_COM', class_exists('COM') ? 1 : 0 );
    define('IS_GPC', get_magic_quotes_gpc());

    And this:

    fx__2008.php

    <?php
    @error_reporting(E_ALL);
    @set_time_limit(0);
    global $HTTP_SERVER_VARS;
    
    define('PASSWD','   ##$#@!!   ( I removed this for obvious reasons) ');
    
    function say($t) {
      echo "$t\n";
    };
    
    function testdata($t) {
      say(md5("mark_$t"));
    };
    
    echo "<pre>";
    testdata('start');
  15. vladuxa
    Member
    Posted 5 years ago #

    Please try to avoid 777 folder permissions, because with such permissions your site becomes unsecured.

Topic Closed

This topic has been closed to new replies.

About this Topic