Hi
Could someone please help me. My wordpress site has been hacked. http://www.oneangrycustomer.org
oY!
Hope you have root access to get rid of this...
Hang on - someone hacked your SITE.
They did NOT hack wordpress - or at the very least you have no proof.
Email your host.
I am not a techie, so don't understand root and stuff
It is hosted on pow web, as recommended by WP
Tell Powweb - they should supply access logs, close any loopholes, help you clean up.
What other php applications are you running ?
Oh - and change every password you use on that site. All of them.
No other things, just a weblog
http://www.oneangrycustomer.org
Looks like just the index page that was hijacked? Had that happen before. That isn't a wp issue. Definitely notify your host and tell them of the situation. And like Podz said, change every single password you have related to your site and hosting acct.
Same thing happened to me:
What should the default index page be?
What is the best way to resurrect the site?
I managed to change the index page, it said:
BI0S TEAM
Definitely makes you want to change web hosts...
I think I may be getting the run-around from my host--they said they think the hacker accessed my site through my WordPress login.
But to change the index page, wouldn't you have to have either account or FTP access through my webhost?
No, given the right set of circumstances that may include some but not necessarily all of the following ...
1. a wp install that is not current, ie running the latest stable version (possible wp exploit)
2. An older php package installed on your web host, that your web host didn't take the time to upgrade (possible php exploit)
3. a bad username/password combo for your admin account (weak passwords suck)
..someone out to do malicious things does NOT need ftp access.
That is not to say that any of the above occurred, but to let you know that there are other ways for bad things to happen, and not all of them require the front door to your site be open.
are you using any plugins? the plugins are what can be vulnerable to mysql injections.. hence how it was probably cracked
estjohn - you have twice now suggested that plugins are a risk. Which ones ?
ones that let the user execute php can and.. hang on lemme get some info together on it.
What I will do is gather some more info on it and make a post. Some of the older versions of some plugins I have read have some vulnerabilities as well.. so I will try to include versions. This might take me a few days to get all documentation gathered up.
podz.. here is one place I had read... can you confirm if this is used in WP still or if this is from an old version, or if they are incorrect in posting this?
Granted these are not the plugins I was referring to... but..
If I should not have posted this, please feel free to say so or delete / edit it.
Original release date: 10/27/2005
Last revised: 11/4/2005
Source: US-CERT/NIST
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-3330
The _httpsrequest function in Snoopy 1.2, as used in products such as MagpieRSS and WordPress, allows remote attackers to execute arbitrary commands via shell metacharacters in an HTTPS URL to an SSL protected web page, which is not properly handled by the fetch function.
also
http://www.securiteam.com/unixfocus/5IP0L2AGUY.html
WordPress User Privilege Escalation
Vulnerable Systems:
* WordPress versions 1.5.2 and prior
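The flaw class described in the CVE-2005-3330 advisory quoted above (a URL pasted into a shell command line), shown beside a hardened form. This is an added example, not part of the original thread and not Snoopy's or WordPress's own code; the function names and sample URLs are constructed for illustration, and a POSIX shell is assumed.

```php
<?php
// Added illustration. Function names and URLs are hypothetical/constructed;
// this is not Snoopy's or WordPress's code. Assumes a POSIX shell.
// The commands are only built and printed, never executed.

// Unsafe: the URL is concatenated into a command line, so the shell
// interprets any metacharacters it contains (the flaw class in the advisory).
function build_fetch_command_unsafe(string $curlPath, string $url): string
{
    return $curlPath . ' -s ' . $url;
}

// Hardened: allow only well-formed https URLs, then quote every argument
// so the shell passes it to curl as one literal word.
function build_fetch_command_safe(string $curlPath, string $url): string
{
    $parts = parse_url($url);
    $ok = is_array($parts)
        && strtolower($parts['scheme'] ?? '') === 'https'
        && preg_match('/^[A-Za-z0-9.-]+$/', $parts['host'] ?? '') === 1
        && preg_match('/[\x00-\x20\x7f]/', $url) === 0;
    if (!$ok) {
        throw new InvalidArgumentException('URL rejected: ' . json_encode($url));
    }
    return escapeshellarg($curlPath) . ' -s ' . escapeshellarg($url);
}

// Constructed sample inputs.
$samples = [
    'https://example.test/feed.xml',              // ordinary feed URL
    'https://example.test/feed.xml;echo+marker',  // metacharacter in the path
    'https://example.test;echo/feed.xml',         // metacharacter in the host
    'http://example.test/feed.xml',               // wrong scheme
];

foreach ($samples as $url) {
    echo "input:  $url\n";
    echo "unsafe: " . build_fetch_command_unsafe('/usr/bin/curl', $url) . "\n";
    try {
        echo "safe:   " . build_fetch_command_safe('/usr/bin/curl', $url) . "\n\n";
    } catch (InvalidArgumentException $e) {
        echo "safe:   " . $e->getMessage() . "\n\n";
    }
}
```

Fetching through PHP's curl extension instead of a shell command removes the quoting problem altogether, since no shell ever parses the URL.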
Thanks whooami and estjohn; I'll have to take a close look at these...
The same thing happened to me... Luckily my main page was just an HTML splash back so the root WP php file was untouched... again the main page simply read "BI0S TEAM" Doing a google search for "BI0S TEAM" a large number of sites with WordPress installs have been hit by this same group.
I have a couple other PHP based applications on my site, Gallery, Video dB, and I recently added Media-Wiki. I had thought Video dB may have been at fault until I started searching around and found this thread and all of those other sites with WP installs.
BTW my site is: http://www.web-nine.com/blog/
It's WP Version: 1.2
And I have the following plug-ins Active:
Comment Killer for WP 1.2 Version 1.1
The Following Plug-ins Un-Active:
Search Hilite v1.2
Hello Dolly
MarkDown 1.0 B4
Textile 1 V1.0
Textile 2 V2.0 Beta
I realize my WP version is a bit old but it works, and works just how I like it (if it ain't broke, don't fix it) Though if this hack was really let in by WP... then I might just have to upgrade :(
You really really should upgrade. 1.2 had numerous security holes....
I just got the BI0S TEAM banner on one of my sites this morning. What bothers me is that I don't know how it happened, and nobody in this thread seems to know either. It's easy to blame software versions for the attack, but does anyone even know if it was an exploit from an old version?
This could still be an existing bug. If anyone has some information on how the "BI0S TEAM" is getting in, we should try and figure it out.
My hosting service is a little behind on things, however...
WordPress - 1.5.1.3
PHP - 4.3.1
Apache - 1.3.33
WordPress - 1.5.1.3
that's your answer. it's well documented all over these forums that that version needed to be upgraded.
My WP 2.0.x installation was hacked over the weekend, and I was also running Gallery. I wonder if Gallery is a way to get in.
A disturbingly large list of logged attacks.
It appears they simply hack index pages - several now restored sites out of a google search show various systems in use, not just wordpress.
i just had a friend get a worm virus notification after logging into my site!!!
attacked port: ntbios-ssn(139)
attempted intrusion"ms asn1 integer overflow tcp"
these are the IPs...
70.78.1.47
70.78.99.190
I'm gettin kinda worried here!!!!!!!!!!!
lol
chillbilly, you're hosted on an IIS server? Gotta love Windows.
nope..I don't think so...I'm with ipower..pretty sure it's linux and I use FF primarily...only use IE to check for compatibility.
that info was forwarded from my friend...she said it may not be from my site.
I have just installed a javascript chat box (xdchat from the xdforum plug in guys)
things totally cool...users once logged in can see a list of users to click on then live chat.
it may have somethin ta do with it because it's a pop up.
I asked because that particular worm is specifically a Microsoft IIS "thing" when found on a server. In other words, a BSD, Solaris, *NIX box isn't going to be affected.
At any rate, Im off to work.
This topic has been closed to new replies.