[resolved] [closed] Website repeatedly hacked (38 posts)

  1. cwinkler78
    Member
    Posted 1 year ago #

    Hi all. I'm hoping maybe someone can help me out with this. I've been banging my head. My website has been hacked several times in the past week. Last week, it was taken down by:

    +ADw-/title+AD4-Hacker By Hacker alajman +ACo-//+ACop2+AEA-hotmail.com +ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-

    This week it is:

    +ADw-/title+AD4APA-META http-equiv+AD0AIg-refresh+ACI content+AD0AIg-0+ADs-URL+AD0 http://184.170.132.78:8799/Sw8CNYKqVu+ACIAPgA8-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-

    They keep inserting a script with document.documentElement.innerHTML = unescape into my WordPress menus. (I have the full code if you need to see it.) I have removed the script and gotten the site working again, only to have the problem reappear a few hours later. I have reset all of my passwords, completely deleted and reinstalled WordPress, upgraded my WordPress version, and installed a security plugin (Better WP Security) to close any gaps. But no matter what I do, this latest hack just keeps happening.

    I'm wondering if perhaps it's something on my host (webhostingpad.com)? If you Google the title they've been inserting, there seem to be a large number of sites affected.

    Anyone have any experience fixing this? Tips, tricks, advice.. anything would be appreciated.

  2. Rachel Baker
    Member
    Posted 1 year ago #

    Have you contacted your hosting provider? They would have access to log files that can help track down the vulnerability leading to the hacking.

    Check for new users created.

    Read all of the information here: http://codex.wordpress.org/FAQ_My_site_was_hacked

    Another helpful resource is the Sucuri Site Scanner: http://sitecheck.sucuri.net/scanner/

  3. @cwinkler78: webhostingpad.com is a crappy host. You have no control over other insecure accounts that will be hacking vectors into your account. You will probably be constantly hacked unless you change hosts. See Recommended WordPress Web Hosting

  4. houlejo
    Member
    Posted 1 year ago #

    @cwinkler78 : Where is the script located (document.documentElement.innerHTML = unescape)?

  5. govpatel
    Member
    Posted 1 year ago #

    Have you checked that your own computer is clean when you log in? If your computer is infected, it will hack your website.

  6. cwinkler78
    Member
    Posted 1 year ago #

    Thank you all for the help.

    @rachelbaker - I contacted webhostingpad and they weren't helpful at all and I quote "They are most likely using your plugin or theme to insert this code into your website. Please make sure all of your plugins and themes are updated."

    Thanks for the FAQ link. I had followed those steps to get the site back up and running initially. And it worked, until it happened again.

    The Sucuri Site Scanner comes back clean.

    @songdogtech - Thanks. Wish I had known that before I locked myself into the contract. =(

    @houlejo - They insert it into the Sidebar of my theme. (Appearance -> Widgets-> Sidebar 1). They remove my existing widgets and replace it with a text one with the script in it. Screenshot of my WordPress install. http://colleenwinkler.com/cwtol-content/uploads/2012/11/hackfix2.jpg

    @govpatel - Yes. I've run spybot and nothing comes back out of the ordinary.

    One new thing I have discovered is a PHP warning showing up in my error logs around the times the site gets hacked again:

    [26-Nov-2012 23:04:43 UTC] PHP Warning: Division by zero in .../themes/wp-creativix/tpl_page_nosidebar.php on line 32

  7. houlejo
    Member
    Posted 1 year ago #

    I discovered that it's a SQL injection attack.

    It adds a "widget_text" under the wp_options table.

    Also, the text

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    is also in the wp_options table under "blogname".

    I guess that until WordPress publishes a security update, it will be hard to stop those attacks.

  8. esmi
    Forum Moderator
    Posted 1 year ago #

    What makes you think this is a WordPress core issue?

  9. cwinkler78
    Member
    Posted 1 year ago #

    @esmi - is that question directed at me? If so, I'm not sure it is. I think it could be a possibility because when I completely started over yesterday and had a clean install with the default template and no plugins installed the issue appeared again.

    But that said, I'm not the most technical person in the world.

  10. govpatel
    Member
    Posted 1 year ago #

    If this was a WordPress core issue then we all should be infected, and our WordPress is not, so it has to be the server that does not have any security. Have you tried to change the permissions on wp-config.php to 444 so that it is not writable, and to change the database user name and password in the wp-config.php file?

  11. esmi
    Forum Moderator
    Posted 1 year ago #

    is that question directed at me?

    No. It was houlejo that implied that this was a core security issue. I'd like to know what the reasoning is behind that implication.

  12. cwinkler78
    Member
    Posted 1 year ago #

    @govpatel - Got it. I had changed the wp-config.php file to 0444 after it was hacked this morning and reset the passwords and secret keys. I also moved wp-config.php up one level on the advice of http://www.problogger.net/archives/2011/08/11/take-5-minutes-to-make-wordpress-10-times-more-secure/

    So far the problem has not come back.

  13. houlejo
    Member
    Posted 1 year ago #

    @esmi

    I can't be sure it's a core issue. It was a guess because it's my second WordPress site hacked with this since yesterday.

    Websites have nothing in common except Google Analytics Plugin.

    Also, they are at the same hosting company, but on 2 different shared servers under 2 different accounts.

    I run all the recommended security settings of the WSD Security plugin.

    I will do the config.php 444 and up a level.

    To all:
    I also saw that the hack broke the "sidebars_widgets" entry in the database. Had to restore it from backup.

    Also, some chars are broken and I don't know why... "ex: The company’s customers".

    Thanks for the help.

  14. cwinkler78
    Member
    Posted 1 year ago #

    @houlejo - The hack changes your character encoding from UTF-8 to UTF-7. You can fix this through the WordPress Admin Dashboard/Panel by going to Settings -> Reading and setting it back to UTF-8.

  16. houlejo
    Member
    Posted 1 year ago #

    @cwinkler78 Wow thanks! I was looking deep in the DB for answers... and it was so simple ;-)

  17. esmi
    Forum Moderator
    Posted 1 year ago #

    I can't be sure it's a core issue.

    @houlejo: Then please do not make unfounded comments about core security. Your site being hacked is NOT a sign of a core security issue.

    It was a guess because it's my second wordpress site hacked with this since yesterday.

    Then I would suggest that you did not completely remove all traces of the hack - including hidden backdoors - from your site. You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

  18. houlejo
    Member
    Posted 1 year ago #

    @esmi : Ok. Thanks for the info.

  19. cwinkler78
    Member
    Posted 1 year ago #

    Thank you all so much for the help. I wanted to leave an update here in case anyone else has the same problem.

    I have two WordPress sites that I administer and I had made the following changes to one of the sites, but not the other. This morning, the site without the changes was hacked again. The one with the changes was not. I'm going to take that as a sign this fix works. =)

    Here's how to get your site back online fast.

    Step 1 – Login to your WordPress dashboard as an administrator and go to Appearance -> Widgets. In my case, the two widgets I was using had been moved to the Inactive Widget box and replaced with a Text Widget in the sidebar.

    Step 2 – Open the Text widget and click the Delete link on the bottom left. Once you've deleted it, reset your widgets to the way they were prior to the hack.

    Step 3 – Next go to settings -> Reading. Change your character encoding back to UTF-8. This will fix any lingering issues with your RSS feed and IE.

    Step 4 – Lastly, reset the Site Title & Tagline for your site. The location for this will vary based on your theme. For my site, I selected Appearance -> Themes and then clicked the Customize link for my theme.

    That will fix your site immediately. Clear out your cache and confirm that everything works.

    Now that your site is up and running, you will need to make it more secure so that this problem does not happen again.

    Step 1 – Change your passwords for your hosting service, WordPress, etc.

    Step 2 – Upgrade to the latest version of WordPress.

    Step 3 – If you have a backup of your site, do a restore to a version prior to the attack just for good measure.

    Step 4 – Login to your WordPress dashboard and install the plugin Better WP Security and resolve issues 1-19 on the dashboard. For item 20, you will need to enable/purchase SSL from your hosting provider. NOTE – some of the changes the plugin makes will break links or images on your website. You will need to go back and update all of them, but that is a small price to pay for having your site more secure. The easiest way to fix all of the links at once is to download an export of your blog's content (Tools -> Export), open it in Notepad and do a find and replace.

    Step 5 – Move your wp-config.php up one level. You can find instructions for doing so on ProBlogger's Take 5 Minutes to Make WordPress 10 Times More Secure post.

    Step 6 – Change your database password and make a note of it. How to do this will vary by host. For GoDaddy users, click here. For those with cPanel, click here.

    Step 7 – Go to your wp-config.php and open it in your favorite code editor. Update your database password to your newly updated password. Then go to the Secret Keys section and follow the instructions to update your keys.

  20. cbouchard
    Member
    Posted 1 year ago #

    You have saved my life - I have the exact same issue through my Webhostingpad site. They "cleaned the site" only to have the same problem happen - same hack, same issues. I will follow these steps and hopefully I can get my site back on track as well!!

  21. cbouchard
    Member
    Posted 1 year ago #

    Bummer, well I followed all of these steps and thought I was hack free until today. Same hack, same issues.

    @cwinkler78 - have you had any further problems?

  22. cwinkler78
    Member
    Posted 1 year ago #

    @cbouchard - I'm still hack free (knock on wood). Sorry the fix didn't work for you.

    I'm not sure what else to recommend.

  23. cbouchard
    Member
    Posted 1 year ago #

    @cwinkler78 - have you had any further problems.

    Thanks - it did supply some really great tips I am going to use on all the other sites I develop. Thanks again!

  24. Shay
    Member
    Posted 1 year ago #

    @cbouchard, do you still experience these re-hacks?

  25. cbouchard
    Member
    Posted 1 year ago #

    @Shay - I've got a security expert (one of the top ranked ones on Elance) on it, but even he seems stumped. It seems that the problem is that the hacker is injecting the malicious code through photos in the uploads folder - but besides removing this folder I'm not sure what to do.

  26. cwinkler78
    Member
    Posted 1 year ago #

    Interesting, I wonder if this fix would help then

    http://www.blogtips.org/avoid-users-uploading-malware/

    At the bottom of the article it explains how to add some code at the bottom of your .htaccess file that prevents malicious PHP code from being inserted using images.

  27. The Hack Repair Guy
    Member
    Posted 1 year ago #

    That's sad to hear. Hopefully you've received a full refund from the elance person (who could not figure out the issue).

    A money back guarantee is something WordPress peeps should require of anyone doing security work (since solving the problem or recommending a solution is what you are paying him/her for, respectively).

  28. Shay
    Member
    Posted 1 year ago #

    @cbouchard, after having the exact same problem from the same hacker and getting re-hacked over and over again in the last 36 hours, I followed @cwinkler78's instructions plus moved wp-config.php higher in the directory hierarchy. I then changed the WP table prefix again.
    I also wrote a Nagios script that determines if the site is being hacked by the same hacker, so it won't take long to fix the site if bad things happen.
    All of this was done a few hours ago; I'll post again if I get re-hacked.
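An added example, not Shay's script and not code from anyone in the thread: a Nagios-style check in Python that flags the three symptoms the thread describes, a blog_charset switched to UTF-7, UTF-7 shift sequences in blogname that decode to markup such as </title><META http-equiv="refresh" ...>, and a text widget in widget_text carrying inline script. The wp_options rows below are constructed sample data (the shift sequences are the same ones quoted in the first post, e.g. +ADw- for "<"); a real check would read the rows from the database.

```python
import codecs
import re

# A UTF-7 shift sequence: "+" then base64 text, ended by "-" or any non-base64 byte.
# It is the only way UTF-7 can carry < > " = ; so it is where smuggled markup hides.
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]+-?")
# Strings the thread reports inside the injected text widget (compared lower-case).
SCRIPT_MARKERS = ("<script", "document.documentelement.innerhtml", "unescape(")
TAG = re.compile(r"<\s*/?\s*(title|meta|script|xmp|div)\b", re.I)

def decode_utf7(value: str) -> str:
    """Show a value the way a browser told blog_charset=UTF-7 would render it."""
    return codecs.decode(value.encode("utf-8"), "utf-7", "replace")

def scan_option(name: str, value: str) -> list:
    """Findings for one wp_options row (option_name, option_value); [] means clean."""
    findings = []
    if name == "blog_charset" and value.strip().upper() != "UTF-8":
        findings.append(f"blog_charset is {value!r}, expected UTF-8")
    if "<" not in value and UTF7_SHIFT.search(value):
        rendered = decode_utf7(value)
        # Markup that exists only after UTF-7 decoding looks harmless in a UTF-8 admin screen.
        if TAG.search(rendered):
            findings.append(f"{name}: UTF-7 sequences decode to markup: {rendered[:48]!r}")
    if name == "widget_text" and any(m in value.lower() for m in SCRIPT_MARKERS):
        findings.append("widget_text: a text widget carries inline script")
    return findings

def nagios_check(options: dict) -> tuple:
    """Nagios plugin convention: (exit code, status line); 0 = OK, 2 = CRITICAL."""
    findings = [f for name, value in options.items() for f in scan_option(name, value)]
    if findings:
        return 2, "CRITICAL - " + "; ".join(findings)
    return 0, "OK - no UTF-7 title, charset or text-widget injection indicators"

# Constructed sample rows modelled on the symptoms in the thread (not real data).
HACKED = {
    "blog_charset": "UTF-7",
    "blogname": "My Blog+ADw-/title+AD4APA-META http-equiv+AD0AIg-refresh+ACI- "
                "content+AD0AIg-0+ADs-URL+AD0-http://example.invalid/+ACIAPg-",
    # Serialized PHP fragment; the length fields are not meaningful here.
    "widget_text": 'a:1:{i:2;a:2:{s:5:"title";s:0:"";s:4:"text";s:0:"'
                   '<script>document.documentElement.innerHTML=unescape(\'...\')</script>";}}',
}
CLEAN = {"blog_charset": "UTF-8", "blogname": "My Blog",
         "widget_text": 'a:1:{i:2;a:2:{s:5:"title";s:0:"";s:4:"text";s:5:"hello";}}'}

if __name__ == "__main__":
    for label, rows in (("hacked", HACKED), ("clean", CLEAN)):
        code, status = nagios_check(rows)
        print(f"{label}: exit {code} {status}")
```

Run it from cron or as a Nagios plugin against the live wp_options rows; a CRITICAL exit a few minutes after re-infection gives the early warning Shay describes.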

  29. cbouchard
    Member
    Posted 1 year ago #

    @Shay Thanks for the message. I passed it along to my security guy - do you mind sharing the Nagios script that you used? I am VERY interested in knowing if you get rehacked! Please keep me updated.

  30. cbouchard
    Member
    Posted 1 year ago #

    @Shay One more question - do you use WebHostingPad.com? I am going to switch hosts if this seems to be a problem on their end!

Topic Closed

This topic has been closed to new replies.