WordPress › Support » SQL Injection?

bchignell
Member
Posted 7 months ago #

HI,
I recently had my site hacked by injecting code in various files within my installation. We resolved the issue initially but every week or so code appears in the 'Index.php' which effects the look of the main page and also opens a popup asking the visitor to download a file.

The website which the code referes to is 'neraller.com'.

Does anyone know anything about this hack or experienced it before, I can correct the issue by overwriting the 'index.php' wirh a backup copy but not sure where to look for code which may be updating the file every few days??

Thanks for any assistance offered :)
fyllhund
Member
Posted 7 months ago #

They've inserted more code than the one in your index.php. Look for backdoors!
bchignell
Member
Posted 7 months ago #

Hi fyllhund, thanks, I assumed as much, any pointers of where to look?
Samuel B
moderator
Posted 7 months ago #

http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

http://ottopress.com/2009/hacked-wordpress-backdoors/
bchignell
Member
Posted 7 months ago #

HI, thanks for the links I'll take a look, the 2nd one doesn't appear to work?
Samuel B
moderator
Posted 7 months ago #

2nd was working yesterday
give it some time and try again
fyllhund
Member
Posted 7 months ago #

http://blog.sucuri.net/2011/09/ask-sucuri-what-about-the-backdoors.html
http://blog.sucuri.net/2011/10/evil-backdoors-part-ii.html

instead then.
ottopress is down though.

still recommend going through your whole database and check for hidden iframes etc.
bchignell
Member
Posted 6 months ago #

HI, I have noticed that the hack reappears when a new post publishes, any ideas which files would be involved in this process so that I have a starting point?
Valdor
Member
Posted 6 months ago #

I am having the same problem, this is changing ALL index.* files in the root folder of all domains on the same server, it is also adding the javascript to any file named login.* in the root folder of the domains as well.

You can stop it by changing the permission on index.php to 444 (or 0444)

Can you list what theme and what active plugins you are using and also any urls of rss feeds you are publishing from other sites.

If you dont want to list all that on here then I can setup an email address for you to send it to.

I can see if I have any of the same themes, plugins or rss feeds on any of my WP sites and we can start to find out what is causing this.

Thanks.

P.S my hack went to ner-aller.com DO NOT VISIT THIS SITE! and the site then infects your computer with the zbot.g virus.

You can view the coded and uncoded javascript that is being added here:

http://jsunpack.jeek.org/?report=09993f18392e6e53a20c5f4034e591b9d2b51ab6
bchignell
Member
Posted 6 months ago #

Hi Valdor,
Yeah mine os from the same URL, I dont have any files names 'login' in the route folder but the index file is affected every time I publish a new post.

I use the 'Convergence' theme and whenever the file is overwritten it affects the formatting (which is handy as this lets me know that the file has been overwritten).

I have changed the permissions on the index.php to 444 (thanks for that)

I have re-uploaded the theme files and we went through the wordpress install files and DB but did not find anything (we even scanned the installation with a number of online tools and they did not find anything.

I dont think that the plugins had anything to do with the hack as I deleted all of the plugins and the hack still reoccurred.

I have just reported the URL on 'http://privacyprotect.org', I suggest you do the same and if found to be involved in spreading viruses, they will release the information of the owner of the URL.

Feel free to email me on losifish@gmail.com.

Cheers ;)

Reply

You must log in to post.

WordPress.org

Forums

SQL Injection? (10 posts)

Reply

About this Topic

Tags

Code is Poetry