
WordPress hacking in 3/2012 (5 posts)

  1. jlevin@portal2web.biz
    Member
    Posted 2 years ago #

    Numerous WordPress sites have been hacked this month. Sites that I have set up for Clients started getting hacked approx. on 3/13/12.

    The malicious code (shown at the end of this post) is what results.

    Research on the 'net has pointed to a 'timthumb' vulnerability in themes that are used within WP. I've made searches looking for the timthumb code and have come up empty.

    I do not believe that this, in all cases, is a TimThumb exploit. Every Client I have that is running WordPress got hacked in the last few days. My website was hacked, and I keep WP and the plugins and themes updated. Similarly, I use .htaccess and php.ini directives, as well as mods to WordPress itself to help secure matters. None of my themes had the TimThumb code present. The TimThumb scanner plugin did not locate it elsewhere on the site.

    In fact, the only tool that indicated that something had happened was the Website Defender WP plugin, but only by dint that it told me that a lot of files had been modified.

    It does seem like it is a WordPress 'related' exploit (but not specifically the Blog when installed all by itself). The vulnerability present has not come to light through my direct searching or searching for answers on the 'net.

    Only webhosts / websites that had WordPress on or associated with them were hacked. It didn't matter whether WP was updated completely, or their plugins were, or their themes were, or even if the various webhosts had differing security directives set up via PHP.INI and .htaccess.

    I'm at a loss as to what to do beyond the 'scorched earth' approach, which is definitely not practical under many situations.

    At any rate, here is the malicious code, without its opening and closing PHP tags-

    [ Code removed, please do not post malicious code here; use pastebin.com instead if you must ]

    Any help anyone can give in how to fix the exploit, or otherwise neutralize it would be greatly appreciated.

    Thank you all for your time.
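
The post above notes that the only warning sign was a tool reporting that many files had been modified. As an added example (not part of the original thread, and not the Website Defender plugin's code), this sketch records a SHA-256 baseline of a site's script files and reports what was added, modified, or removed on a later scan. The sample tree, file names, and suffix list are constructed assumptions.

```python
import hashlib
import os
import tempfile

def snapshot(root, suffixes=(".php", ".js", ".htaccess")):
    """Map relative path -> SHA-256 for files under root whose names end in suffixes."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            # Forward slashes keep manifests comparable across platforms.
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest

def diff(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, modified, removed

def demo():
    """Constructed sample tree: take a baseline, simulate changes, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "themes", "sample"))
        index = os.path.join(root, "index.php")
        theme = os.path.join(root, "wp-content", "themes", "sample", "header.php")
        for path in (index, theme):
            with open(path, "w") as fh:
                fh.write("<?php // constructed clean file\n")
        baseline = snapshot(root)
        with open(theme, "a") as fh:  # existing file gains content
            fh.write("// constructed change\n")
        with open(os.path.join(root, "wp-content", "x.php"), "w") as fh:  # new file
            fh.write("<?php // constructed new file\n")
        os.remove(index)  # file disappears
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    for label, paths in zip(("added", "modified", "removed"), demo()):
        print(label, paths)
```

Store the baseline manifest somewhere the web server account cannot write, otherwise whoever alters the files can alter the baseline too.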

  2. Sorry to say, but it's the same advice given whenever any WordPress site is hacked.

    Change all of your passwords and scan your PC for any infections.

    Back up the whole works: database and files.

    http://codex.wordpress.org/WordPress_Backups
    http://codex.wordpress.org/Backing_Up_Your_Database
    http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Give these a good read if you haven't already.

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    These links can confirm that the site IS truly hacked.

    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/

    When you've successfully deloused your installation consider hardening it.

    http://codex.wordpress.org/Hardening_WordPress

    Good luck.

  3. jexley
    Member
    Posted 2 years ago #

    They nailed all my sites too, middle of January and again in Feb. I've changed all my passwords and one of my webhosts buttoned down FTP to SFTP and they haven't been back (yet).

    I made a fix script you can find on my website http://www.jexanalytics.com if you're interested, but it's Use At Your Own Risk and may not work if you don't have "write" privileges.

    I've had a Google Alert set for "wordpress hacked" and have seen more and more people talking about it, so it seems there's no common theme other than a WordPress site was somehow involved (almost all mine were updated and I had no timthumb).

    The best advice so far is to clean things out, reset all the passwords, and go for tighter FTP security where you can.

    Good luck!

  4. stuzphotography
    Member
    Posted 1 year ago #

    I was hacked overnight. Message on my home page, "hacked by hacker". That's it. No access to site; no access to admin panel. I am an absolute neophyte when it comes to this stuff. I used a Photocrati theme a year ago and all has been going well. All the information I read in the forums is great but it is not much help. I don't understand it.

  5. esmi
    Forum Moderator
    Posted 1 year ago #

    As per the Forum Welcome, please post your own topic. Your problem - despite any similarity in symptoms - is likely to be completely different.

Topic Closed

This topic has been closed to new replies.
