
Weird and Dangerous : ro8kfbsmag.txt (47 posts)

  1. K3200
    Member
    Posted 6 years ago #

    Saphod,

    Fantastic advice. That was exactly the fix to my current situation. Thank you so much!

  2. saphod
    Member
    Posted 6 years ago #

    You're welcome, K3200 - glad I could be of any help.

  3. 2GooD
    Member
    Posted 6 years ago #

    One of my WordPress 2.1.2 blogs (Divide and Conquer) got attacked like this during the morning but it looks like it was not entirely successful.

  4. here
    Member
    Posted 6 years ago #

    Collected information and solutions attempted in the codex documentation wiki at

    http://codex.wordpress.org/User:Here/Exploits/ro8kfbsmag

    Please help expand and clarify (!)

    [mod edit to link]

  5. whooami
    Member
    Posted 6 years ago #

    Here, I'll expand. Upgrade your f*cking blogs.

    Who gives a crap if some un-upgraded 2.1.x blog got hacked. I don't. You reap what you sow, brother.

  6. MichaelH
    Member
    Posted 6 years ago #

    Moved these three articles to Here's user pages awaiting further expansion of the subject:
    *User:Here/Exploits
    *User:Here/Exploits/ro8kfbsmag
    *User:Here/Exploits/wp-info

  7. deltina
    Member
    Posted 6 years ago #

    A couple of my sites have been hacked, but I am more interested in prevention - how does one keep a clean site from being hacked? It seems that even 2.5 is vulnerable?

  8. ronchicago
    Member
    Posted 6 years ago #

    Chill whooami, this issue is stressful enough...tgif

    I thought you said earlier in this post it didn't matter what version one was running (fort fricken knox entry).

    And who wants to be an early adopter with WordPress software? I am running 2.5 on a site but seriously consider it still beta, and I do want to upgrade my oldest/largest site to 2.5 eventually.

    Now back to the issues at hand. Just got hacked this week. Was hacked in 1/08 and today found this thread, thank goodness. As a result I just found the culprit in plugin "commentluv" and am trying to comprehend from this thread what to do with it.

    There are several posts that suggest prevention = http://iboughtamac.com/2008/03/28/protecting-wordpress-from-magic-include-shell/

    There are several links in this post at the bottom that offer "other resources".

    BTW - someone mentioned earlier about a quick-scan destination for when something this big happens. This is a big forum and it ain't so easy sometimes to find things.

  9. whooami
    Member
    Posted 6 years ago #

    Dude, you're the one that needs to chill.

    This thread is identified in the topic title as referring to something that is a PHP rootshell - that it's been cluttered up by countless other crap isn't my doing. I'm not the one with the hacked blog.

    Here is exactly what I said, and you'll see I refer specifically to what was originally identified in the topic title.

    Lastly, as an addendum, ro8kfbsmag.txt is a PHP rootshell. Left unnoticed on ANY web site, it does not matter what version of anything someone is using. .....

    You indicate that you were hacked in January. I'll bet you were never "unhacked" - in other words, your site, regardless of what you have done since then, has not been secure since that point.

  10. BurstCollective
    Member
    Posted 6 years ago #

    whooami, where can I find that ro8kfbsmag.txt file? Or can I search for it across my directories so I can send it to hell where it belongs?

    I've upgraded to 2.5 since my blog was hacked, but want to be sure I'm not leaving a backdoor into my database, as I think you're alluding to as being a possibility.

    I shall never wait to upgrade again.
    I shall never wait to upgrade again.
    I shall never wait to upgrade again.

  11. ronchicago
    Member
    Posted 6 years ago #

    Dude works for me. You are positively correct. I have spent the whole day cleaning house, going back all the way to 10/07! Fun and games. It helps knowing what the problem is, thank you very much. Also, I just placed a server password on wp-admin, if that is a step in the right direction.

    I found my file (maybe there are more) via SQL query =

    SELECT * FROM wp_options WHERE option_name = 'active_plugins';

    If one exists, run the following query = UPDATE wp_options SET option_value="" WHERE option_name="active_plugins";

  12. ronchicago
    Member
    Posted 6 years ago #

    David Holder towards the beginning of this thread mentions changing the corrupt code in the uploads and plugins back to the default. I have changed the uploads. Where/how does one find/change the path of the plugins? What is the plugins default path?

  13. bondageradio
    Member
    Posted 6 years ago #

    Bits of information, some of it helpful.

    Combinations of attacks have been around since the ole 'One-Two punch' and will continue to be around till the end of time.

    There are two questions here, not just one.

    1. How did they gain access to your site?
    This is the initial security concern. What door was open? Do you have a compromised plugin? A tool to allow users to upload photos? A really lax registration policy (new users become admins)? Or a piece of compromised code in the WP install itself?

    The most common form of open door comes from older installations and/or weak plugins that are vulnerable to "SQL injection" attacks.

    In these attacks, crackers attempt to trick php scripts that accept inputs to execute code in your sql server, dumping the output to their screen. They send requests to the scripts with encoded sql scripts in the post variables. Once they find a vulnerable script, the whole SQL system is open to them, they can reset passwords at will, create new admin users, change passwords, etc.

    Once that is done, they can then gain access through more traditional WordPress features such as the admin dashboard. Using the edit and upload abilities of wordpress they can hide more back doors in the system for later use. In the worst cases, crackers even modify themes to include back door code so all they have to search for, are theme specific references in google to find your site, which is already wide open.

    The second question is: how can I secure my server?
    If you have already been attacked, you may want to sanitize your site. Unfortunately in some cases the only way to tell that you have been compromised is by going through all of your directories and looking for files that should not be there. /tmp/ directories and /uploads/ directories are the most frequent targets. However files can be hidden in wp-admin, wp-content, and other locations without your knowing it.

    This has been a small bit of information... I hope it has been helpful.
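An added example, not code from the thread: a Python walk over a WordPress tree that lists the files post 13 says to look for by hand (scripts dropped into uploads/, anything under tmp/). The directory layout is a constructed fixture built in a temp directory; the function names are my own.

```python
# Added example (not from the thread): find files that do not belong where they
# sit in a WordPress install, the manual directory check post 13 describes.
import tempfile
from pathlib import Path
from typing import List

# Uploads should only ever hold media; anything else there is worth a look.
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mp3", ".zip"}


def rogue_files(root: str) -> List[str]:
    """Return paths (relative to root, POSIX style) that warrant inspection:
    non-media files inside any uploads/ directory, and any file under tmp/."""
    found = []
    base = Path(root)
    for path in base.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(base).as_posix()
        parts = rel.split("/")
        if "uploads" in parts and path.suffix.lower() not in MEDIA_EXT:
            found.append(rel)  # e.g. a .php dropped into wp-content/uploads
        elif "tmp" in parts:
            found.append(rel)  # nothing of WordPress's belongs in tmp/
    return sorted(found)


def build_sample_tree() -> str:
    """Constructed fixture: one clean image, one PHP file in uploads, one file
    in tmp/, and a legitimate plugin file that must not be flagged."""
    root = tempfile.mkdtemp()
    for rel in (
        "wp-content/uploads/2008/03/photo.jpg",
        "wp-content/uploads/2008/03/rogue.php",
        "tmp/dropped.txt",
        "wp-content/plugins/akismet/akismet.php",
    ):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")  # contents are irrelevant to the scan
    return root


if __name__ == "__main__":
    for hit in rogue_files(build_sample_tree()):
        print("inspect:", hit)
```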

  14. ronchicago
    Member
    Posted 6 years ago #

    My site has been down two weeks in an effort to get rid of the hack. I've found it in several places. Still don't know how to find it in the plugins as stated above. My uploads are cleaned out. I have not yet successfully converted my pages from posts yet.

    I wish to upgrade from 2.1.1 to 2.5. Any advice? Should I upgrade now and continue to look for the hack, and hopefully change the page/posts after the upgrade?

    My site is mature with many plugs/widgets. Should I throw the plugs out and upgrade the plugs immediately following the upgrade?

  15. Rudy64
    Member
    Posted 6 years ago #

    I had to fix this same problem on a 2.1.2 WP install I'm helping a friend with. I did find the post type changed to post, and fixed that with a query. I also found a suspicious entry in active_plugins in wp_options, but all of the plugins were still activated. I have a feeling it was an aborted attempt, as I can't locate the .txt file referenced anywhere in the user account, even within the upload directory. Also found the default upload location set to "/../../../../../../../../../../../../../../../tmp/", and the .txt file pointed to in the active_plugins parameter was:

    /../../../../../../../../../../../../../../tmp/3116725041d8eb2ad71627595648d850.txt

    I'm guessing this is the filename we need to search for. As I can't find it in any of our directories, I'm having our host search for it.

    One other precaution I took was to rename the "admin" account login name to something else, and give it a really long password of random numbers and letters (upper- and lower-case). Not sure if it will help, but I know that WP does not let you edit the admin account's login name, and it is just one more thing for the hackers to guess at. I did it directly in the database. (UPDATE wp_users SET user_login= 'whateveryouwant' WHERE ID=1)

    Hope this helps someone! This was an easy fix...and shame on me for not keeping WP current. ;)
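An added example, not code from the thread: a Python audit of the two wp_options values that posts 11 and 15 discuss, parsing the PHP-serialized active_plugins array the way WordPress stores it and flagging entries that traverse out of the plugins directory or are not .php files, plus the same traversal check on upload_path. The sample values are constructed from the paths quoted in post 15; the helper names are my own, and the parser assumes ASCII values (PHP lengths are byte counts).

```python
# Added example (not from the thread): audit active_plugins and upload_path
# for the traversal-to-/tmp pattern described in posts 11 and 15.
import re
from typing import List

# A legitimate entry is a relative path like "akismet/akismet.php".
PLUGIN_OK = re.compile(r"^[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*\.php$")
ENTRY = re.compile(r'i:\d+;s:(\d+):"')


def php_serialize_list(items: List[str]) -> str:
    """Serialize a list of strings as PHP serialize() does for a plain array."""
    body = "".join(f'i:{i};s:{len(v.encode())}:"{v}";' for i, v in enumerate(items))
    return f"a:{len(items)}:{{{body}}}"


def php_unserialize_list(blob: str) -> List[str]:
    """Minimal parser for a PHP-serialized array of strings (ASCII assumed)."""
    head = re.match(r"a:(\d+):\{", blob)
    if not head:
        raise ValueError("not a serialized array")
    pos, out = head.end(), []
    for _ in range(int(head.group(1))):
        entry = ENTRY.match(blob, pos)
        if not entry:
            raise ValueError(f"bad entry at offset {pos}")
        n, start = int(entry.group(1)), entry.end()
        out.append(blob[start:start + n])  # length-prefixed, so '..' is safe
        pos = start + n
        if blob[pos:pos + 2] != '";':
            raise ValueError(f"length mismatch at offset {pos}")
        pos += 2
    if blob[pos:pos + 1] != "}":
        raise ValueError("unterminated array")
    return out


def suspicious_plugin_entries(blob: str) -> List[str]:
    """Entries that leave the plugins dir or do not point at a .php file."""
    return [p for p in php_unserialize_list(blob)
            if ".." in p.split("/") or not PLUGIN_OK.match(p)]


def suspicious_upload_path(path: str) -> bool:
    """upload_path should stay inside the site; traversal or /tmp is a red flag."""
    return ".." in path.split("/") or path.startswith(("/tmp", "/var/tmp"))


# Constructed sample: one clean plugin plus the entry quoted in post 15.
EVIL = "/../../../../../../../../../../../../../../tmp/3116725041d8eb2ad71627595648d850.txt"
SAMPLE_ACTIVE_PLUGINS = php_serialize_list(["akismet/akismet.php", EVIL])
SAMPLE_UPLOAD_PATH = "/../../../../../../../../../../../../../../../tmp/"
```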

  16. Rudy64
    Member
    Posted 6 years ago #

    One other thing to check...

    I just found a post made by the hacker, that pointed to the .txt file I referenced above. Since the admin user (ID #1) does not post on this blog, it was easy to find. Not sure if that post was significant or not, but I got rid of it anyway.

    Almost wish I could get rid of the admin user (ID #1) entirely...in fact, I don't see any reason why we couldn't, as both of us with logins already have administrator privileges.

  17. bbbco
    Member
    Posted 6 years ago #

    In case any of you don't want to deal with the issue of converting your pages back to posts by using SQL, you can always use my plugin, just recently updated, to fix that: p2pConverter. You can learn more about it at http://www.briandgoad.com/blog.

    Hope this helps!

    Brian D. Goad


This topic has been closed to new replies.
