WordPress.org


[closed] SQL attack on wpress 2.9.2 (151 posts)

  1. dugbug
    Member
    Posted 4 years ago #

    @kellgell

    All these hosting sites have three-day rollover backups and manual snapshots. If you only have the three-day jobs and the hacker got in earlier in the week it won't do anything, but I REALLY hope it does! Just make sure you harden it after the reinstall or in a day they will just repeat the trick that got them in. It could even be a bot, they are so automated these days.

    @Kulmu

    Hardening would work prior to the hack (unless this is a new technique), but they have created a back door. They can do very simple things and they are in.

    If you want to get your site back in order to salvage what you can (and later set yourself up with a hardened variation) do some reading or use a service like is mentioned above.

    Gosh, good luck folks. I'll post if I get any relevant info.

  2. Kulmu
    Member
    Posted 4 years ago #

    @dugbug

    This has happened several times to the same site. Even after I delete all files from the server and upload a fresh install.

  3. dugbug
    Member
    Posted 4 years ago #

    sucuri.net found the back door! It's a post to the simplepressforum plugin. Do any of you have this plugin?

    I'll get back with more info in a bit.

  4. dugbug
    Member
    Posted 4 years ago #

    and by post I don't mean a forum post, but an HTTP POST. You will never see it.

  5. shashib
    Member
    Posted 4 years ago #

    Hi Folks,
    Dugbug, thanks for that news. I will pass that on to our folks as well. I work for Network Solutions and there is some good info on the forums here and this is a helpful discussion. Our support team has been helping customers who have contacted us. Since WordPress gives you freedom to modify and add plugins, it's very difficult for any hosting company to have controls and restrictions on every WordPress instance hosted. This is the same with any hosting provider.

    In the meantime, you should definitely be doing this

    1) Change your WordPress administrative password immediately;

    2) Review the list of WordPress users who have access to your account and delete any users you do not recognize;

    3) Update your WordPress account to the most recent version;

    4) Run your security and malware system scans on all computers that are used to access your WordPress account.

    Thanks,

    Shashi

  6. Running Is Funny
    Member
    Posted 4 years ago #

    I've used burkestar's fix to get my site (http://www.runningisfunny.com) at least looking normal again, but although I can finally get to the WP log-in page, I still can't get it to accept a password - despite resetting it in phpMyAdmin and getting a "lost password" e-mailed to me.

    I don't even want to think about future hacks until I can at least get to my WordPress dashboard to let my readers know what's up. Any suggestions?

  7. dugbug
    Member
    Posted 4 years ago #

    Thanks Shashi

    Always good advice. I also use network solutions and the network solutions safe site monitor, so I don't have to worry right :)
    (joking)

    I knew without finding the attack vector we would be cleaning, hardening, and reinstalling forever without knowing why.

    If it reappears after disabling the forum plugin I'll post here again to say my apologies and cry into a beer.

  8. shashib
    Member
    Posted 4 years ago #

    Hi Dugbug

    Keep us posted

    Shashi

  9. dugbug
    Member
    Posted 4 years ago #

    Just an update... another Network Solutions user WITHOUT simplepress forum just got the identical hack. The sucuri guy is helping more than one of us and is seeing that the only common vector in this seems to be Network Solutions.

    So hold off. DISABLE the simplepress forum as a precaution, but understand this is a bit stranger than first thought.

  10. dugbug
    Member
    Posted 4 years ago #

    @shashib,

    Can you contact dd [at] sucuri.net so you and he can talk about what you both know? I can only provide tools that are offered through nsHosting (like log files), but maybe you can give him the actual HTTP POST contents. It would go much faster.

  11. shashib
    Member
    Posted 4 years ago #

    Will do. Thanks, let's connect. My contact info is here: http://about.networksolutions.com

  12. woodja
    Member
    Posted 4 years ago #

    It looks like it is possible that the upgrade to WP 2.9.2 turned on XML-RPC support and it was exploited by script bots on other sites.

    Found this in the logs:
    208.74.66.xx - - [07/Apr/2010:23:51:21 -0400] "POST /xmlrpc.php HTTP/1.1" 200 497 "-" "SOAP::Lite/Perl/0.710.08"
    It looks like 208.74.66.xx is a host belonging to Centauri Communications in San Francisco. http://www.centauricom.com/

    My suggestion would be to double check in settings writing that XML-RPC is turned off and maybe as an extra precaution disable/move/delete xmlrpc.php.

    On a positive note, once informed Network Solutions quickly patched up the 2.9.2 config and restored the database to a backup from a couple days ago.
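As an added example (not from woodja's logs, not from Network Solutions and not WordPress code), here is a small Python triage script for the log pattern quoted above: it parses combined-format access log lines, keeps only POSTs to xmlrpc.php, counts them per source address and User-Agent, and marks agents that are scripting libraries (SOAP::Lite, libwww-perl, curl and so on) rather than browsers. The sample lines are constructed; the source address in the post was redacted, so a documentation range (203.0.113.0/24) stands in for it. A burst of such POSTs shows that xmlrpc.php was being hit, but on its own does not prove it was the way in.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format, the format of the line quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent strings of scripting libraries / CLI tools. A browser never posts to
# xmlrpc.php with one of these, so such requests deserve a closer look.
SCRIPTED_UA = re.compile(
    r'(SOAP::Lite|libwww-perl|python-requests|Python-urllib|curl/|Wget/)', re.I
)

# Constructed sample log (assumption: not the poster's real log file).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2010:23:51:21 -0400] "POST /xmlrpc.php HTTP/1.1" 200 497 "-" "SOAP::Lite/Perl/0.710.08"
198.51.100.2 - - [07/Apr/2010:23:52:10 -0400] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.7 - - [07/Apr/2010:23:53:04 -0400] "POST /xmlrpc.php HTTP/1.1" 200 497 "-" "SOAP::Lite/Perl/0.710.08"
192.0.2.4 - - [08/Apr/2010:00:01:00 -0400] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.4 - - [08/Apr/2010:00:05:31 -0400] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def xmlrpc_posts(log_text):
    """Return every parsed POST to xmlrpc.php, tagged with whether the UA looks scripted."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # ignore any query string
        if rec["method"] == "POST" and path.endswith("/xmlrpc.php"):
            rec["scripted_ua"] = bool(SCRIPTED_UA.search(rec["ua"]))
            hits.append(rec)
    return hits


def per_source(hits):
    """Count xmlrpc.php POSTs per (source IP, User-Agent) so repeat callers stand out."""
    return Counter((h["ip"], h["ua"]) for h in hits)


if __name__ == "__main__":
    hits = xmlrpc_posts(SAMPLE_LOG)
    for (ip, ua), n in per_source(hits).most_common():
        flag = "SCRIPTED" if SCRIPTED_UA.search(ua) else "browser"
        print(f"{n:4d}  {ip:<15}  {flag:<8}  {ua}")
```

Run it against the real access log by replacing `SAMPLE_LOG` with the file contents; the scripted-UA entries with the highest counts are the ones to correlate with the time the siteurl value changed.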

  13. Inspired2Write
    Member
    Posted 4 years ago #

    My suggestion would be to double check in settings writing that XML-RPC is turned off and maybe as an extra precaution disable/move/delete xmlrpc.php.

    Thanks for that tip woodja. I was wondering about that file recently after reviewing my logs, which indicated an attempt to access that file.

    If the attack that your sites were affected by was a vector, then that would have been from the server side, would it not?

  14. CowDog
    Member
    Posted 4 years ago #

    Just to add a bit more information to the mix, because my site got hacked, too. Same thing -- some HTML inserted into the siteurl field in the wp_options table, and I can't get to my login page. I hadn't upgraded to 2.9.2 yet, and the site's not using SimplePress forum.

    So it's not just 2.9.2 that is affected, if that helps at all.

  15. sdpate48
    Member
    Posted 4 years ago #

    My site njnnetwork.com got hacked yesterday morning. After a series of non-productive tasks all day, Network Solutions admitted they have been hacked on many WordPress sites.

    As of 6 AM Friday morning they are still working on it and don't have a prediction of when the sites will be working again.

    I cannot restore previous days backups. It's hard to tell what I should do. I did turn off public access to the site since it was trying to infect anyone who hit the main page.

  16. GinoGard
    Member
    Posted 4 years ago #

    Please ensure all sites' public_html (or your www) directory have 750 permissions, not the insecure 755.

    Change the password for your MySQL user and update wp-config. You can recreate the same user with an updated password.

  17. PsionStorm
    Member
    Posted 4 years ago #

    So I had NetSol help me restore my backup, but that too was infected. Guess I better get in the habit of checking the site every day... who knows how long it was hacked.

    I'm just gonna start over and try to salvage the posts. I've already started a new WordPress install, and will go one-by-one with the posts and try to restore them.

    Is it possible to simply drag and drop the posts into the WordPress directory using the FTP, and then just rebuild the links afterwards?

  18. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    Is it possible to simply drag and drop the posts into the WordPress directory using the FTP, and then just rebuild the links afterwards?

    The posts are in the DB, not in any file.....

  19. PsionStorm
    Member
    Posted 4 years ago #

    Doh! >_<

  20. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    sorry!

    Dunno how messed up your DB is? If it's possible to reuse....

    export, clean up, import....

  21. PsionStorm
    Member
    Posted 4 years ago #

    This is all really new to me... apologies for being such a noob, but thank you so much for all the help and suggestions thus far.

    I'm looking through the wp database now. Couldn't see any odd users that registered so I don't think it came in that way.

    Checked a few posts, didn't see any malicious code there either, but I haven't looked everywhere yet.

    I guess I could go post-by-post and restore the data, I mean there's only 150 posts or so... could be much much worse.

    I did set up a new install of WordPress on the server and updated to the newest version immediately (NetSol does not install the newest version via their server, FYI) but now I'm blocked out of automatic plugin updates... got a ticket filed to fix that.

  22. burkestar
    Member
    Posted 4 years ago #

    @samboll - you are right, this fixes the symptoms but not the underlying cause which after several hours digging through your links (many thanks) I was not able to uncover.

    I am NOT using simplepress plugin. Try harder...that's not the common backdoor.

    I should add that I also did these steps:

    1. Disable XML-RPC functionality which is a moderately likely attack vector, but I'm not convinced
    2. configured the “secret keys” feature that adds password salting to make brute force attacks by guessing weak passwords MUCH, MUCH harder...although this is an unlikely attack vector
    3. I used the WordPress Exploit Scanner plugin to search all source and theme files for "eval()" and "base64_decode" related backdoors. The podPress plugin has a lot of false positives and nothing appeared malicious.
    4. I searched database tables for "base64_decode" and "edoced_46esab"...no results
    5. setup an email alert using ChangeDetection.com that will alert me daily if the site’s content changes. I can safely ignore changes from new posts, but the intent is to automate capturing these iframe / cross-site-scripting attacks so we can recover zero day.

    Bottom line - I believe Network Solutions' database server farm is infected thus allowing the intruder to touch all MySQL hosted databases powering WordPress and change the siteurl value.

    I contacted Network Solutions and they do NOT provide Intrusion Detection/Prevention Services or any means to monitor your FTP file space for file modifications. I'm seriously considering moving our site BACK to our corporate servers for the added control as the benefits of outsourcing the hosting no longer seems worth it.
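Steps 3 and 4 in the post above (searching source, theme files and database tables for eval()/base64_decode backdoors, including the reversed string "edoced_46esab") can be done with a scanner that flags only the dangerous combinations instead of every base64_decode call, which is what produces the podPress false positives the poster mentions. The following is an added Python example; it is not the WordPress Exploit Scanner plugin and not code from the thread. The file contents and option values are constructed, the encoded payload is built inline so the sample stays accurate, and the signature list is an assumption about what is worth flagging, not a complete catalogue.

```python
import base64
import binascii
import re

# Signatures for the obfuscation patterns the post describes. Plain base64_decode()
# on its own is deliberately NOT a signature: plugins such as podPress use it legitimately.
PATTERNS = {
    # eval(base64_decode(...)), optionally through one wrapper such as gzinflate(...)
    "eval_base64_decode": re.compile(
        r"eval\s*\(\s*(?:\w+\s*\(\s*)?base64_decode\s*\(", re.I),
    # strrev('edoced_46esab') == 'base64_decode'
    "reversed_base64_decode": re.compile(r"edoced_46esab", re.I),
    # eval() fed straight from request input
    "eval_request_input": re.compile(
        r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    # preg_replace() with the /e modifier, which evaluates the replacement as PHP
    "preg_replace_e_modifier": re.compile(
        r"""preg_replace\s*\(\s*["'][^"']*/[a-z]*e[a-z]*["']""", re.I),
}

# Quoted base64-looking literals of 16+ characters are decoded and rescanned once.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=]{16,})["']""")


def scan_text(text, depth=0):
    """Return the signature names that fire on text, plus 'decoded:<name>' for hits inside base64 literals."""
    findings = [name for name, rx in PATTERNS.items() if rx.search(text)]
    if depth < 1:
        for lit in B64_LITERAL.findall(text):
            try:
                decoded = base64.b64decode(lit, validate=True).decode("utf-8", "replace")
            except binascii.Error:
                continue            # not valid base64 after all (e.g. a hash or token)
            findings += ["decoded:" + f for f in scan_text(decoded, depth + 1)]
    return findings


def scan_sources(sources):
    """sources: {label: text} for files and DB values alike; returns {label: findings} for hits only."""
    report = {}
    for label, text in sources.items():
        found = scan_text(text)
        if found:
            report[label] = found
    return report


# Constructed samples (assumption: none of these are real files or rows from an affected site).
EVIL_B64 = base64.b64encode(b"eval($_POST['x']);").decode()
SAMPLE_SOURCES = {
    "wp-content/plugins/podpress/podpress.php":
        "<?php function pp_load($d) { return unserialize(base64_decode($d)); } ?>",
    "wp-content/uploads/.cache.php":
        '<?php eval(base64_decode("' + EVIL_B64 + '")); ?>',
    "wp-content/themes/x/footer.php":
        '<?php $f = strrev("edoced_46esab"); eval($f($_COOKIE["k"])); ?>',
    "wp-content/themes/x/header.php":
        "<?php wp_head(); ?>",
    "db:wp_options.siteurl":
        "http://example.com",
    "db:wp_options.widget_text":
        '<?php preg_replace("/.*/e", base64_decode($v), ""); ?>',
}

if __name__ == "__main__":
    for label, found in scan_sources(SAMPLE_SOURCES).items():
        print(f"{label}: {', '.join(found)}")
```

To use it on a real install, build the `sources` dict from `os.walk()` over the WordPress directory and from `SELECT option_name, option_value FROM wp_options` (and wp_posts.post_content), so that files and database rows go through the same signatures. The podPress sample is the point of the design: a base64_decode() inside a normal function body produces no finding, while the same call under eval() does.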

  23. burkestar
    Member
    Posted 4 years ago #

    Network Solutions could prove their competence by looking at the MySQL server logs (SNMP?) for all affected customers, identify the SQL UPDATE command that infected the siteurl value, find which process or host issued the SQL command and work backwards to find the backdoor. Once found, all affected customers (not just those with open tickets) would be informed by email to the incident and the resolution and educate everyone how to prevent future attacks. I'm shocked that logging and database backups aren't enabled by default....security is just an afterthought.

    Based on the repetition of the attack, I believe a cron job (either Linux's crontab feature or using the wp_cron functionality) is responsible and automates the re-infection on a schedule.

    Only time will tell...

  24. regina3196
    Member
    Posted 4 years ago #

    I have seven WordPress Network Solutions hosted sites affected by this. However, I also manage two other WordPress sites and have them hosted by Network Solutions and they have not been affected (yet!). So it is not all WordPress sites on all Network Solutions servers. I do not use SimplePress forum. All of my sites use the "secret keys" feature.

    2 of these sites were also affected by a previous Network Solutions WordPress attack (several months ago). I also am considering a move to another host. I am so angry my hands are shaking as I type this.

  25. MVpetrova
    Member
    Posted 4 years ago #

    Hi All,

    I have 2 WP sites hosted on Network Solutions that were hacked into yesterday. Apparently, the problem is in the databases, but my database auto backup was not turned on. NS default is not to back up the databases - they don't tell you that that's a bad idea. So make sure your database backup is turned ON.

    Luckily, my awesome web admin Michelle, was able to fix my sites within a few hours and is now working to secure everything.

    If you are looking for someone to help you get your WP site/blog back up, she is wonderful (although not cheap). This is her site: http://www.midcolumbiawebs.com/
    Or contact her via twitter: @michellegust

  26. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    Seems hackers are finding host vulnerabilities and exploiting them lately. I'm seeing Network Solutions a lot this week.

    About a month ago, there was a rash of GoDaddy WP sites hacked.....

    Honestly not sure how much can be done to prevent these things if they are host weaknesses rather than user.

    Of course it's a good idea to harden as much as possible to alleviate potential weaknesses......

  27. burkestar
    Member
    Posted 4 years ago #

    Official Network Solutions response. Glad to see they're working hard to solve this.

    "From what we can determine at this time, the changes look like they were made by a user with admin credentials to your WordPress blog. This could be an issue with the WordPress installation or a WordPress plugin on the site. This is not an issue on our web hosting servers"

  28. Running Is Funny
    Member
    Posted 4 years ago #

    This does not bode well. I've got one hacked blog, and a reader notified me that another blog - also WordPress and hosted on NetSol - gave him a malware alert, despite the fact that it shows no evidence of a hack and still allows me access.

    It has to be a database or host problem, so screwing around with WordPress is a waste of time - except to eliminate that "siteurl" problem. I removed all my files through FTP yesterday and did a clean reinstall of WordPress and got nothing for my trouble except an internal server error.

    If others have had a different experience, I'd like to hear about it, but messing with WordPress files or the content of your site seems to have no effect.

  29. woodja
    Member
    Posted 4 years ago #

    @burkestar - Did you make NetSol aware of this thread? Kind of hard to believe that we all got infected at once because of bad admin credentials. Mine was one that couldn't be determined through normal dictionary style attacks. Not to mention there were no attempts to access /wp-admin/ in the past week.

    Also let us know if you discover an issue with a wp_cron task.

    Thanks everyone for your comments and suggestions. I implemented quite a few for my client in hopes that it prevents this issue from happening again. The WP community rocks!

  30. dugbug
    Member
    Posted 4 years ago #

    sucuri.net figured it out. The guy scanned for the wp-config.php files he could find on Network Solutions servers, and since the SQL user and password are kept in the clear by WordPress, he was able to do whatever he wanted to your database WITHOUT going to your website.

    Take these steps:
    1) Chmod your wp-config.php to be 750 using an FTP tool. This prevents him from reading the file again (assuming he didn't hack your site... remember he hacked your database).
    2) On your Network Solutions account management interface, in the side bar select nshosting/configuration/databases and there, you can change the password of your SQL database.
    3) Edit your wp-config.php with the new password (there is a field there called DB_PASSWORD). Change what is there with what you changed it to.
    4) Obviously check siteurl again :)

    I suggest you use one of the complex password generators on the net since we never have to manually remember it anyway.

    And there you go! Thanks to everyone that took up my suggestion to use sucuri... centralizing our efforts gave him all the info (no common plugins, clean installs, all the typical lockdowns, etc.)....

    -d
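The four steps in the post above, together with GinoGard's earlier permission advice, as an added Python example (not code from the thread, from Sucuri or from WordPress): it reports whether a copy of wp-config.php is readable by other accounts on the box, rewrites the DB_PASSWORD define with a freshly generated password that is safe inside a PHP string literal, and runs the siteurl/home check against a wp_options table, fixing the rows with a parameterised UPDATE. The table is an in-memory SQLite stand-in for the site's MySQL database (assumption), the config text and the injected value are constructed, and changing the MySQL password itself (step 2) stays a control-panel action that no script on the web account can do for you.

```python
import os
import re
import secrets
import sqlite3
import stat
import string
import tempfile


def wp_config_exposure(path):
    """Return the set of mode problems on path; an empty set means only the owner can read it."""
    mode = os.stat(path).st_mode
    problems = set()
    if mode & stat.S_IROTH:
        problems.add("world-readable")      # any other customer's process can read DB_PASSWORD
    if mode & stat.S_IRGRP:
        problems.add("group-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.add("writable-by-others")
    return problems


# Alphabet excludes quotes and backslash so the value drops into the PHP literal unchanged.
PW_ALPHABET = string.ascii_letters + string.digits + "!#%+,-./:=?@^_~"
DB_PW_RE = re.compile(r"""(define\(\s*['"]DB_PASSWORD['"]\s*,\s*['"])([^'"]*)(['"]\s*\))""")


def new_db_password(length=32):
    return "".join(secrets.choice(PW_ALPHABET) for _ in range(length))


def set_db_password(config_text, new_pw):
    """Return config_text with the DB_PASSWORD define replaced; refuse if it is absent or ambiguous."""
    if any(c in new_pw for c in "'\"\\"):
        raise ValueError("password would break the PHP string literal")
    new_text, n = DB_PW_RE.subn(lambda m: m.group(1) + new_pw + m.group(3), config_text)
    if n != 1:
        raise ValueError(f"expected exactly one DB_PASSWORD define, found {n}")
    return new_text


# siteurl / home must be a bare URL; injected HTML (iframe, script) fails this.
CLEAN_URL = re.compile(r"""^https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s<>"']*)?$""")


def suspicious_site_urls(conn):
    rows = conn.execute("SELECT option_name, option_value FROM wp_options "
                        "WHERE option_name IN ('siteurl', 'home')").fetchall()
    return [(name, value) for name, value in rows if not CLEAN_URL.match(value)]


def reset_site_urls(conn, good_url):
    """Parameterised UPDATE; returns rows changed (2 when both siteurl and home exist)."""
    cur = conn.execute("UPDATE wp_options SET option_value = ? "
                       "WHERE option_name IN ('siteurl', 'home')", (good_url,))
    conn.commit()
    return cur.rowcount


# Constructed fixtures (assumption: nothing below comes from a real site).
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp_example');
define('DB_USER', 'wp_example');
define('DB_PASSWORD', 'hunter2');
define('DB_HOST', 'localhost');
"""


def make_sample_config(mode):
    """Write SAMPLE_CONFIG to a temp file with the given mode bits and return its path."""
    fd, path = tempfile.mkstemp(prefix="wp-config-", suffix=".php")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_CONFIG)
    os.chmod(path, mode)
    return path


def make_sample_db():
    """In-memory wp_options with the kind of HTML-stuffed siteurl described in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT)")
    conn.executemany("INSERT INTO wp_options (option_name, option_value) VALUES (?, ?)", [
        ("siteurl", 'http://example.com/<iframe src="http://203.0.113.9/x.php" width=0 height=0></iframe>'),
        ("home", "http://example.com"),
        ("blogname", "Example"),
    ])
    return conn


if __name__ == "__main__":
    cfg = make_sample_config(0o644)          # a common default: readable by every local account
    print("wp-config.php 644:", sorted(wp_config_exposure(cfg)) or "ok")
    os.chmod(cfg, 0o600)
    print("wp-config.php 600:", sorted(wp_config_exposure(cfg)) or "ok")
    print(set_db_password(SAMPLE_CONFIG, new_db_password()).splitlines()[3])
    db = make_sample_db()
    print("suspicious:", suspicious_site_urls(db))
    reset_site_urls(db, "http://example.com")
    print("after reset:", suspicious_site_urls(db))
    os.unlink(cfg)
```

The mode check treats the world-readable bit as the problem that matters here, since the attack described was another account on the same servers reading the file; whether group-readable is acceptable depends on which user and group the web server runs as on that host, so it is reported separately rather than assumed safe.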

Topic Closed

This topic has been closed to new replies.

About this Topic