WordPress.org Forums
[closed] SQL attack on wpress 2.9.2 (151 posts)

  1. dugbug
    Member
    Posted 4 years ago

    They changed my wp-options siteurl to be an iframe pointing to networkads.net/grep

    The site was not loading correctly so I was able to find this in phpmyadmin.

    I have had a rash of hacks lately and talked to Network Solutions (my host). They tell me all of their WordPress sites are getting banged up, but their servers are clean.

    I use the Bad Behavior plugin with a honeypot key, and that makes me feel a little better. I also use the URL injection technique suggested by this site:
    http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/

    Anyone else having problems?

  2. ijlal
    Member
    Posted 4 years ago

    Yes, I am having exactly the same issue. My host is "Network Solutions". How can I fix it?

    Thanks.

  3. burkestar
    Member
    Posted 4 years ago

    Yes, I was attacked as well after upgrading to WP 2.9.2 yesterday on Network Solutions.

    How I resolved it:

    1. Using Network Solution's MySQL admin console, browse to the wp_options table and change the value for "siteurl" to be your blog's URL like "http://example.com/wordpress".
    2. Edit wp-config.php to override the value of SITEURL (this way, even if the database value is altered, it gets overridden by the config value).

    Make sure to backup your database using Network Solution's admin console and enable the daily automated backups.
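The wp-config.php step in the post above is the WP_HOME / WP_SITEURL pair of constants, which WordPress reads in preference to the 'home' and 'siteurl' rows of wp_options. The script below is an added example, not code from this thread or from WordPress: it writes that pair into wp-config.php ahead of the "stop editing" marker, replaces any define already present (a tampered file should not be trusted either), and refuses any value that is not a plain URL. The sample config it ships with is constructed for the demo. It treats the symptom only; whatever let the attacker write to the database is still open.

```python
"""Pin WP_HOME and WP_SITEURL in wp-config.php.

Added example for this thread, not code from WordPress or from any poster.
Once these constants are defined, WordPress ignores the 'home' and 'siteurl'
rows in wp_options, so a tampered siteurl no longer breaks the site.  It does
not close whatever hole let the attacker write to the database.
"""
import re
import sys

# The stock wp-config.php carries this marker above the wp-settings.php
# require; constants must be defined before that require runs.
STOP_MARKER = "/* That's all, stop editing! Happy blogging. */"
SETTINGS_RE = re.compile(
    r"^\s*require_once\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]", re.M)

# A PHP single- or double-quoted string literal, escapes included.
PHP_STR = r"""(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")"""
# A whole define() statement for either constant, on its own line.
DEFINE_RE = re.compile(
    r"^[ \t]*define\(\s*['\"](WP_HOME|WP_SITEURL)['\"]\s*,\s*(" + PHP_STR + r")\s*\)\s*;[ \t]*\n?",
    re.M,
)
URL_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[A-Za-z0-9._~/-]*)?$")


def current_defines(config_text):
    """Return {'WP_HOME': value, 'WP_SITEURL': value} for the defines present."""
    return {name: literal[1:-1] for name, literal in DEFINE_RE.findall(config_text)}


def pin_site_url(config_text, site_url):
    """Return (new_text, changed) with both constants pinned to site_url.

    Existing defines for either constant are dropped and rewritten, so a value
    an attacker planted in the file is not kept either.
    """
    site_url = site_url.rstrip("/")
    if not URL_RE.match(site_url):  # never write markup or quotes into PHP source
        raise ValueError("refusing to pin a non-URL value: %r" % site_url)
    existing = current_defines(config_text)
    if existing.get("WP_HOME") == site_url and existing.get("WP_SITEURL") == site_url:
        return config_text, False

    stripped = DEFINE_RE.sub("", config_text)
    block = "define('WP_HOME', '%s');\ndefine('WP_SITEURL', '%s');\n" % (site_url, site_url)
    insert_at = stripped.find(STOP_MARKER)
    if insert_at < 0:  # marker removed: fall back to just before wp-settings.php loads
        m = SETTINGS_RE.search(stripped)
        if m is None:
            raise ValueError("no stop marker and no wp-settings.php require found")
        insert_at = m.start()
    return stripped[:insert_at] + block + stripped[insert_at:], True


# Constructed sample (not a real site) with a tampered define already in place.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('WP_SITEURL', "<iframe src='http://networkads.net/grep'></iframe>");
$table_prefix  = 'wp_';

/* That's all, stop editing! Happy blogging. */

if ( !defined('ABSPATH') )
\tdefine('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . 'wp-settings.php');
"""

if __name__ == "__main__":
    # usage: python pin_siteurl.py /path/to/wp-config.php http://example.com/wordpress
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        new_text, changed = pin_site_url(text, sys.argv[2])
        if changed:
            with open(sys.argv[1] + ".new", "w", encoding="utf-8") as fh:
                fh.write(new_text)
            print("wrote %s.new; review it, then move it into place" % sys.argv[1])
        else:
            print("already pinned")
    else:
        print(pin_site_url(SAMPLE_CONFIG, "http://example.com/wordpress")[0])
```

The script writes a `.new` file beside the original rather than editing in place, so the result can be read before it goes live; if the site is in a subdirectory, pass that full URL, the same value that belongs in the siteurl row.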

  4. Samuel B
    moderator
    Posted 4 years ago

  5. bychow26
    Member
    Posted 4 years ago

    First of all... whoever burkestar is, is a genius!!!!!! Thank you!!!!!!

    One other question: how do I "Edit wp-config.php to override the value of SITEURL (this way, even if the database value is altered, it gets overridden by the config value)"?

    I know how to edit the config file, but what and where exactly am I altering in there?

    Thank you again!!!!!!!!!

  6. Samuel B
    moderator
    Posted 4 years ago

    First of all... whoever burkestar is, is a genius!!!!!! Thank you!!!!!!

    Did you read my post?
    That does not stop the hack!

  7. bychow26
    Member
    Posted 4 years ago

    Not sure what you mean? Will it "break" again? I apologize I am not too familiar with database functions and may be over my head. My site is back now, will it be short lived?

  8. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago

    My site is back now, will it be short lived?

    Yes, you fixed the symptom. But you have a hole somewhere, a weakness or exploit, which is how the hack got in. If the exploit is not fixed, you are as vulnerable as you were before.

    That's why the reading @samboll posted is very important.... you've gotta root out the problem or the hacks will return, and could get worse

  9. bychow26
    Member
    Posted 4 years ago

    Not as happy as I was 10 minutes ago! OK, I am reading those posts and I guess I will try to do what they say, but it truthfully may be over my head.

    Thanks for the help. Any shortcuts that you may know of are appreciated, but thanks for the info.

  10. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago

    Sorry... there are no shortcuts, unfortunately. You've gotta be super thorough.

    http://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

    Here's a sample of the crap I went through when I got hacked a couple of times, if ya feel like reading more.

  11. bychow26
    Member
    Posted 4 years ago

    Thank you. This is a stupid question, but how do I scan my ftp server? Do I literally read every line of code or is there a scanning plugin/software?

  12. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago

    How much stuff do you have on there? I just had WP sites, so what I did was reinstall WP from the upgrade section (it just reinstalls the same version of WP I have now).

    That made all my WP files have the same timestamp... the current date and time.

    Then I looked into my directories for any files that didn't get updated (had different timestamps) and looked at them for bad code.

    I'm sure there's gotta be an easier way... it's just how I do things. Took a few hours; I have 6 WP installs running.

  13. bychow26
    Member
    Posted 4 years ago

    Good call, thanks.

    This server only has WP on it for the most part.

    Fingers crossed.

  14. PsionStorm
    Member
    Posted 4 years ago

    I'm having a hard time finding the MySQL or wp_options table. Could someone point me in the right direction? Is this something I could or should navigate to with FTP?

  15. MikeTek
    Member
    Posted 4 years ago

    @PsionStorm You can't get to it through FTP, you need to access it through your web host panel - usually they provide direct access via an application called phpMyAdmin. If you can't find it I'd call your host and ask.

    Also, this only fixes the symptoms of the problem as samboll noted above - the hackers can easily get in through the same door unless you take the proper steps. Read the links he posted above.

  16. DanClarkePro
    Member
    Posted 4 years ago

    Did the fix above; it fixed mine. Will speak to Network Solutions in the morning. Odd how only one of my WordPress installations was hit, even though there were another 4 in the same directory and the same account on Network Solutions.

    Is anyone having this problem, who isn't on Network Solutions? As this also happened to a client of mine, I am trying to narrow down what is the cause.

    We have changed SQL passwords, login passwords, main password and FTP passwords, but still not sure what caused it!

  17. MikeTek
    Member
    Posted 4 years ago

    I'm having a hard time locating the back door they used in this case. Site is back up and running clean (with clean files and a DB restoration), but obviously this is shaky ground until we find out how they got in.

    If anybody figures it out please post it here - it may not be the same for all of us, but it'll be worth a look (especially considering this seems to be focused on WordPress sites hosted on Network Solutions).

  18. PsionStorm
    Member
    Posted 4 years ago

    I figure my first step is to fix the symptoms so the site can at least function while I work on getting the root of the problem addressed. I'll try to track down this phpMyAdmin.

    I'm using NetSol as well, for what it's worth.

    Thanks!

  19. PsionStorm
    Member
    Posted 4 years ago

    Ok, I found the phpMyAdmin and made the site url change. Having trouble finding step 2.

    "Edit wp-config.php to override the value of SITEURL (this way, even if the database value is altered, it gets overridden by the config value)"

    Is that in a different location?

    Sorry to be a pest, I'm really not all that knowledgeable with php.

  20. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago

    wp-config.php is a file. It's on your host, accessible by FTP or file manager; it's in your root or WP directory.

    http://codex.wordpress.org/Changing_The_Site_URL

    These instructions tell you how to change the URL in wp-config.php.

  21. PsionStorm
    Member
    Posted 4 years ago

    Thank you!

  22. dugbug
    Member
    Posted 4 years ago

    @psionstorm: Gotta start your forensics somewhere. Get back your site and roadblock visitors with an under-maintenance banner, because the hack will come back and you don't want to be a carrier (or have Google or other sites decide to block access to you).

    @MikeTek

    I can't find the door either. Clean site and clean DB, and the attack recurred this morning. I don't get it. I have the usual hardening as mentioned in those "harden your site" suggestions.

    Funny thing about the siteurl though is that it looks like splash overrun from a neighboring SQL variable... like the injection did not go as planned, which is why the site breaks. I mean, who puts HTML in the siteurl dbase var? It screwed up everything so it obviously served no purpose for the attacker.

    At this point, I hired a security service that is familiar with wordpress and they scrubbed all files and the dbase but did not find any backdoor. Apart from two things, the service largely agreed that the site was well hardened.

    1) I do not have an SSL https protected login
    2) I do not use .htaccess to password protect the /wp-admin area. Which is on purpose, as how else do users use my forum or comments section if I require some global master password.

    Network Solutions swears they are fantastic and nothing is wrong with the server itself. In fact if you mention wordpress suddenly ANYTHING is not their fault. Even if ping isn't working.

    So I dunno. We are studying logs now and we play the wait game. Gotta find the door.

  23. PsionStorm
    Member
    Posted 4 years ago

    I'm thinking about just wiping the whole site out and doing a brand new install per http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    I've scanned the entire FTP structure to see if anything's been modified recently. I can't find anything. It's not a site I update on a daily basis, or even a weekly basis, so any recent changes/updates to files should stick out like a sore thumb... and they're not. :(

    I made the changes per burkestar's recommendation and the site still looks completely off. I can't even log into WordPress through the wp-admin page.

    I think it's time to start anew. Ugh!

  24. MikeTek
    Member
    Posted 4 years ago

    @dugbug Same here - can't find a thing. It clearly didn't go their way, you're right, but however they got in it's likely they can come in through the same door next time. If I find anything I'll post it here.

    @PsionStorm I had the same problem - broken front end and the /wp-admin/ login was kicking up that <iframe> from networkads.net.

    If you have a backup of site files and your DB you should be able to roll back to a day or so ago and be alright.

    Failing that, if you've checked your files thoroughly and can't find any back doors there, it's got to be in your DB. Direct access via phpMyAdmin can help - and try running some of the SQL queries in that Smackdown post you linked to above. I know this hack uses an iFrame so try the first query:

    SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'

    If all of that fails...well...I don't know what to tell you.

  25. dugbug
    Member
    Posted 4 years ago

    @PsionStorm

    You have Network Solutions, right? If so, you have access to the phpMyAdmin screen. From your account services home page click on nsHost in the sidebar, then (I think) Maintenance. Something takes you to the backups section. There, there is a "database" option, and on that page you have access to your blog(s) databases and a button on the far right to launch phpMyAdmin.

    Once in phpMyAdmin, click on the top-left link, which is essentially "the entire database". A search option in the right-pane top area is now available. Click on it, and then in the search field enter a single string like iframe and hit Go.

    That's a little easier than the SELECT * from certain tables, and it covers your entire database.

    At least you can get your site back, export your posts, and what not.

    This is all from memory, and if you want I'll actually recreate the steps for you later.
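The same search done offline, as an added example that is not code from the thread, from phpMyAdmin or from WordPress: export the database from phpMyAdmin and run the scanner below over the .sql file. It covers every table like the phpMyAdmin search does, widens the single wp_posts iframe query above to the other strings these injections tend to carry (script tags, base64_decode, eval, String.fromCharCode), and checks that siteurl, home and admin_email in wp_options still hold the values you expect. The row layout it parses is the one mysqldump writes; the sample export is constructed for the demo.

```python
"""Scan a mysqldump / phpMyAdmin .sql export of a WordPress database offline.

Added example for this thread, not code from WordPress, phpMyAdmin or any
poster.  Reads the export line by line, remembers which table each INSERT
belongs to, flags indicator strings anywhere, and compares the wp_options
rows that attackers like to rewrite against the values you expect.
"""
import re
import sys

# Strings with no business in option values, posts or comments.  Legitimate
# video embeds also use <iframe>, so review hits rather than deleting blindly.
INDICATORS = (
    ("iframe", re.compile(r"<iframe\b", re.I)),
    ("script_tag", re.compile(r"<script\b", re.I)),
    ("base64_decode", re.compile(r"base64_decode\s*\(", re.I)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("fromCharCode", re.compile(r"String\.fromCharCode", re.I)),
)
INSERT_RE = re.compile(r"^INSERT INTO `?(\w+)`? ", re.I)
SQL_STR = r"'((?:[^'\\]|\\.)*)'"  # single-quoted literal, backslash escapes allowed
# A wp_options row as mysqldump writes it: (option_id,'option_name','option_value','autoload')
OPTION_ROW_RE = re.compile(r"\(\d+,\s*" + SQL_STR + r",\s*" + SQL_STR + r",\s*'(?:yes|no)'\)")


def scan_dump(lines, expected_options):
    """Yield (table, kind, detail) findings from an iterable of dump lines.

    expected_options maps option_name to the value it must hold, e.g.
    {'siteurl': 'http://example.com', 'admin_email': 'me@example.com'}.
    """
    table = None
    for line in lines:
        m = INSERT_RE.match(line)
        if m:
            table = m.group(1)
        for kind, rx in INDICATORS:
            for hit in rx.finditer(line):
                yield (table, kind, line[max(0, hit.start() - 30):hit.start() + 90])
        if table and table.endswith("options"):
            for name, value in OPTION_ROW_RE.findall(line):
                want = expected_options.get(name)
                if want is not None and value != want:
                    yield (table, "option_mismatch", "%s=%r, expected %r" % (name, value, want))


# Constructed sample export (not a real dump) mimicking the tampering seen in this thread.
SAMPLE_DUMP = r"""-- constructed sample, not a real export
INSERT INTO `wp_options` VALUES (1,'siteurl','<iframe src=\"http://networkads.net/grep\" width=0 height=0></iframe>','yes'),(2,'home','http://example.com','yes'),(3,'admin_email','owner@example.com','yes');
INSERT INTO `wp_posts` VALUES (1,1,'2010-04-08 11:32:39','<p>Welcome to WordPress.</p>','Hello world!','publish');
INSERT INTO `wp_comments` VALUES (7,1,'visitor','<script>eval(String.fromCharCode(118,97,114))</script>','0');
"""
SAMPLE_EXPECTED = {"siteurl": "http://example.com", "home": "http://example.com",
                   "admin_email": "owner@example.com"}


def main(argv):
    # usage: python scan_dump.py backup.sql http://example.com [admin@example.com]
    if len(argv) >= 3:
        expected = {"siteurl": argv[2], "home": argv[2]}
        if len(argv) > 3:
            expected["admin_email"] = argv[3]
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            findings = list(scan_dump(fh, expected))
    else:
        findings = list(scan_dump(SAMPLE_DUMP.splitlines(), SAMPLE_EXPECTED))
    for table, kind, detail in findings:
        print("%-12s %-16s %s" % (table, kind, detail))
    return findings


if __name__ == "__main__":
    main(sys.argv)
```

Every finding names the table it came from, so a hit in wp_options or wp_users points at the injection itself, while hits in wp_posts and wp_comments are more often the payload or plain spam; once the siteurl row is confirmed bad, set it back in phpMyAdmin and restore the rest from a backup taken before the first finding.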

  26. dpezzino
    Member
    Posted 4 years ago

    Is anyone aware of a service professional who can assist me with this hacking issue? This is not my specialty.

  27. kellgell
    Member
    Posted 4 years ago

    You all have gone completely over my head. I was able to do step one in pstorm's instructions but I still can't access my log-in page. Would anyone be willing to help me out? I am hosted by Network Solutions also.
    Kelly

  28. dugbug
    Member
    Posted 4 years ago

    @dpezzino, @kellgell

    I am using sucuri.net to help get a better angle on things. Tell 'em Techulous (that's our site that got hit) sent you, and he will hate me as they will be cleaning up WordPresses all week :) Note I am just as new to this scene as you are, but he seems well informed, and the tools they host do some cool things with your site.

    Maybe if we use the same site and you tell him we are all on the same service (Network Solutions, etc.), more info can be gleaned from the larger data set.

    This is my first attack and we (were) a reasonably popular gaming site so I felt I owed it to have some experienced help.

    Also he will be able to see what plugins we all have in common, etc.

  29. Kulmu
    Member
    Posted 4 years ago

    I am also being affected by a similar issue. I am on HostGator and was sent this by support:

    ***.**.**.*** - - [08/Apr/2010:11:32:39 -0500] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 32691 "http://www.SITEURL.com/wp-admin/themes.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ar; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"

    I am having problems across several sites with what appears to be an SQL injection attack that is modifying the Admin email to xpxd1@hotmail.com and also changing the password. It also is replacing the theme files to reflect the hack with some middle eastern text.

    Several of the blogs affected contain no Plug-ins aside from Block Bad Queries (BBQ) which was installed after the first blog was affected, but does not seem to help.

    I have put .htaccess restrictions in place on wp-admin in hopes it can prevent another attack. Removing the theme files did not resolve the issue.
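The log line HostGator sent is a logged-in session opening the theme editor, which is how a theme gets rewritten without touching FTP; the POST that follows such a GET is the write. As an added example (not code from the thread, from either host or from WordPress), the script below parses combined-format access log lines, flags hits to the admin pages that write files or change credentials, and counts POSTs to wp-login.php per client address to catch password guessing. The sensitive-page list, the threshold and the constructed sample lines (documentation addresses) are assumptions; the first sample line is the one quoted in the post, as posted.

```python
"""Flag WordPress admin activity in an Apache/nginx combined access log.

Added example for this thread, not code from WordPress or from any poster.
GET on an admin page means it was viewed; POST means a change was submitted
(theme-editor.php POST writes the file).  Repeated POSTs to wp-login.php
from one address are a password-guessing indicator.
"""
import re
import sys
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Admin pages whose POST handlers write files, add users or change credentials.
SENSITIVE = {
    "/wp-admin/theme-editor.php": "theme file editor",
    "/wp-admin/plugin-editor.php": "plugin file editor",
    "/wp-admin/plugin-install.php": "plugin installer",
    "/wp-admin/update.php": "plugin/theme upload",
    "/wp-admin/user-new.php": "new user",
    "/wp-admin/options-general.php": "general settings (admin_email)",
    "/wp-admin/profile.php": "profile / password",
}


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec.pop("target").partition("?")
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, login_threshold=10):
    """Return (events, suspects).

    events: (ts, ip, method, path, label) for each sensitive admin page hit
            that was not rejected (status < 400), in log order.
    suspects: {ip: count} for clients with >= login_threshold wp-login.php POSTs.
    """
    events = []
    login_posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1
        for suffix, label in SENSITIVE.items():
            if path.endswith(suffix) and rec["status"] < 400:
                verb = "submitted" if rec["method"] == "POST" else "viewed"
                events.append((rec["ts"], rec["ip"], rec["method"], path, "%s %s" % (label, verb)))
    suspects = {ip: n for ip, n in login_posts.items() if n >= login_threshold}
    return events, suspects


SAMPLE_LOG = [
    # the line HostGator sent the poster above, IP masked as they posted it
    '***.**.**.*** - - [08/Apr/2010:11:32:39 -0500] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 32691 '
    '"http://www.SITEURL.com/wp-admin/themes.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ar; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"',
    # constructed lines using documentation addresses, not real clients
    '203.0.113.7 - - [08/Apr/2010:11:33:02 -0500] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 '
    '"http://www.SITEURL.com/wp-admin/theme-editor.php?file=footer.php&theme=default" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Apr/2010:11:35:40 -0500] "POST /wp-admin/options-general.php HTTP/1.1" 302 0 '
    '"http://www.SITEURL.com/wp-admin/options-general.php" "Mozilla/5.0"',
    '192.0.2.9 - - [08/Apr/2010:11:36:00 -0500] "GET /2010/04/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    'not a log line',
] + [
    '198.51.100.4 - - [08/Apr/2010:11:40:%02d -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "-"' % i
    for i in range(12)
]

if __name__ == "__main__":
    # usage: python wpadmin_log.py access.log   (or no args for the constructed sample)
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) == 2 else SAMPLE_LOG
    events, suspects = analyze(source)
    for ts, ip, method, path, label in events:
        print("%s %-15s %-4s %-35s %s" % (ts, ip, method, path, label))
    for ip, n in sorted(suspects.items(), key=lambda kv: -kv[1]):
        print("%-15s %d POSTs to wp-login.php" % (ip, n))
```

Filter the events on addresses that are not yours: a "submitted" event from an address you do not recognise gives the time to restore from, and the theme or plugin file named in the referer tells you which file was written.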

  30. kellgell
    Member
    Posted 4 years ago

    I just called Network Solutions and they're going to restore my blog to a couple days ago. They were very nice about the whole thing. Now I just need to make sure it doesn't happen again.
    Thanks!
