WordPress.org

SQL Injection? (11 posts)

  1. bchignell
    Member
    Posted 2 years ago #

    Hi,
    I recently had my site hacked by injecting code in various files within my installation. We resolved the issue initially, but every week or so code appears in the 'Index.php' which affects the look of the main page and also opens a popup asking the visitor to download a file.

    The website which the code refers to is 'neraller.com'.

    Does anyone know anything about this hack, or has anyone experienced it before? I can correct the issue by overwriting the 'index.php' with a backup copy, but I'm not sure where to look for code which may be updating the file every few days.

    Thanks for any assistance offered :)

  2. fyllhund
    Member
    Posted 2 years ago #

    They've inserted more code than the one in your index.php. Look for backdoors!

  3. bchignell
    Member
    Posted 2 years ago #

    Hi fyllhund, thanks, I assumed as much. Any pointers on where to look?

  4. Samuel B
    moderator
    Posted 2 years ago #

  5. bchignell
    Member
    Posted 2 years ago #

    Hi, thanks for the links, I'll take a look. The 2nd one doesn't appear to work?

  6. Samuel B
    moderator
    Posted 2 years ago #

    2nd was working yesterday
    give it some time and try again

  7. fyllhund
    Member
    Posted 2 years ago #

    http://blog.sucuri.net/2011/09/ask-sucuri-what-about-the-backdoors.html
    http://blog.sucuri.net/2011/10/evil-backdoors-part-ii.html

    instead then.
    ottopress is down though.

    Still recommend going through your whole database and checking for hidden iframes etc.

  8. bchignell
    Member
    Posted 2 years ago #

    Hi, I have noticed that the hack reappears when a new post publishes. Any ideas which files would be involved in this process, so that I have a starting point?

  9. Valdor
    Member
    Posted 2 years ago #

    I am having the same problem. This is changing ALL index.* files in the root folder of all domains on the same server; it is also adding the JavaScript to any file named login.* in the root folder of the domains as well.

    You can stop it by changing the permission on index.php to 444 (or 0444).

    Can you list what theme and what active plugins you are using, and also any URLs of RSS feeds you are publishing from other sites?

    If you don't want to list all that on here then I can set up an email address for you to send it to.

    I can see if I have any of the same themes, plugins or rss feeds on any of my WP sites and we can start to find out what is causing this.

    Thanks.

    P.S. My hack went to ner-aller.com (DO NOT VISIT THIS SITE!) and the site then infects your computer with the zbot.g virus.

    You can view the coded and uncoded JavaScript that is being added here:

    http://jsunpack.jeek.org/?report=09993f18392e6e53a20c5f4034e591b9d2b51ab6

  10. bchignell
    Member
    Posted 2 years ago #

    Hi Valdor,
    Yeah, mine is from the same URL. I don't have any files named 'login' in the root folder, but the index file is affected every time I publish a new post.

    I use the 'Convergence' theme and whenever the file is overwritten it affects the formatting (which is handy as this lets me know that the file has been overwritten).

    I have changed the permissions on the index.php to 444 (thanks for that).

    I have re-uploaded the theme files and we went through the WordPress install files and DB but did not find anything (we even scanned the installation with a number of online tools and they did not find anything).

    I don't think that the plugins had anything to do with the hack, as I deleted all of the plugins and the hack still reoccurred.

    I have just reported the URL on 'http://privacyprotect.org', I suggest you do the same and if found to be involved in spreading viruses, they will release the information of the owner of the URL.

    Feel free to email me on losifish@gmail.com.

    Cheers ;)

  11. Frostheim
    Member
    Posted 1 year ago #

    I'm having the same problem: everything up to date but that line of code keeps getting added to the index template (and nowhere else I can find). I just turned off write permissions for the index file, but am a little worried about what the exploit is that lets it in in the first place.
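
Added example (not written by any poster in this thread): a small Python check that baselines the `index.*` and `login.*` files the thread reports being rewritten in each site root, then flags any later change or any file that still has a write bit set. The function names and the sample files built in `demo()` are constructed for illustration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# File names the thread reports being rewritten in each site's root folder.
WATCHED = ("index.*", "login.*")

def snapshot(docroots):
    """Map each watched file to (sha256 hex digest, permission bits)."""
    state = {}
    for root in docroots:
        for pattern in WATCHED:
            for path in sorted(Path(root).glob(pattern)):
                if path.is_file():
                    digest = hashlib.sha256(path.read_bytes()).hexdigest()
                    state[str(path)] = (digest, stat.S_IMODE(path.stat().st_mode))
    return state

def compare(baseline, current):
    """Return sorted (finding, path) pairs describing drift from the baseline."""
    findings = []
    for path, (digest, mode) in current.items():
        if path not in baseline:
            findings.append(("new", path))
        elif baseline[path][0] != digest:
            findings.append(("modified", path))
        if mode & 0o222:  # any write bit set, i.e. not the 444 used in the thread
            findings.append(("writable", path))
    findings += [("missing", p) for p in baseline if p not in current]
    return sorted(findings)

def demo():
    """Constructed sample: one site root, index.php changed after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        index, login = Path(root, "index.php"), Path(root, "login.php")
        index.write_text("<?php // clean copy from backup\n")
        login.write_text("<?php // clean login page\n")
        index.chmod(0o644)
        login.chmod(0o444)
        baseline = snapshot([root])
        index.write_text("<?php // clean copy from backup\n// appended line\n")
        return [(kind, Path(p).name) for kind, p in compare(baseline, snapshot([root]))]

if __name__ == "__main__":
    for kind, name in demo():
        print(kind, name)
```

Taking the baseline from a known-clean backup and re-running the comparison right after publishing a post would show whether that action is what triggers the rewrite.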

Topic Closed

This topic has been closed to new replies.