WordPress.org

[resolved] WP 2.7 Can Be Hacked... FYI (42 posts)

  1. chowell18
    Member
    Posted 5 years ago #

    Just a note to everyone on the forums that my fresh WP 2.7 upgrade was hacked over the weekend. Prior to the site going down, there was a very heavy amount of spam comments... not sure if that was the culprit or not.

    The mischief left the site showing a PHP setting type page w/ user options to upload files to the FTP, etc. Not exactly safe...

    Had to restore** from a previous version to recover the site - re-uploading the files did not work. **Server-level restore (from backup).

    Lesson to everyone - BACKUP your blog or you could lose everything!

    If anyone else has experienced this, I would certainly like to know how to avoid it. For the time being, I have implemented stronger commenting restrictions, changed logins, etc.

  2. Do you have any access_log data showing the URLs that might be the culprit? If you don't find and close the egress point then the culprit will almost certainly be back.

    A general warning and good advice to back up are nice and appreciated, but can you provide anything that shows that 2.7 is vulnerable yet?

    I'm also on 2.7 so I'm asking purely out of selfish reasons.

  3. mikey1
    Member
    Posted 5 years ago #

    Also on 2.7, so always worrying, but you say you had to restore; from which version did you restore? From my way of thinking, it's much more likely to have come from a previous install, where a hack not cleared still remains.
    Just my two cents, but hope it works out for you.
    mike.

  4. chowell18
    Member
    Posted 5 years ago #

    Mikey, I did a restore from a few days prior backup (same 2.7 install) so hopefully it holds up this time. Restore included entire FTP site and MySQL data.

    As far as closing the vulnerability, I thought upgrading to 2.7 would fix any vulnerabilities from previous versions - that is the purpose of upgrading, no?

    I'm not terribly familiar w/ the access log info, etc., nor where the hack occurred. I just know that it shut down the blog entirely and nothing I could do from my end worked. What I could access showed a huge spike in spam comments, so I have to assume it was somehow related to that (MySQL injection???).

    I have several plug-ins installed, but was sure to upgrade all available once 2.7 came out. 2.7 was installed on 12/13 and ran well for about a week before the hack took it down.

  5. sinagrida
    Member
    Posted 5 years ago #

    I think my wp site is hacked too!
    I can't log in :(
    I am trying to get a new password but it doesn't recognize my username and email!!
    I can log in to the server though.
    Is there anything I could do about that?

    I have had this site for almost 3 years and I am really sad about this situation!
    Thank you in advance!

  6. As far as closing the vulnerability, I thought upgrading to 2.7 would fix any vulnerabilities from previous versions - that is the purpose of upgrading, no?

    Yes, but no. It will close the door for known WordPress bugs and exploits. It will not fix a blog that has been compromised already.

    You do backups already (good job that, wish more people did!) so if you are concerned you can backup again, delete everything except wp-config.php and anything you've uploaded into wp-content, and put a fresh installation of 2.7 onto your system.

    Delete your plugins and themes before you do this. Re-add the plugins and themes from their sources to make sure you are clean.

    Last thing, export your blog to WXR and eyeball the XML file for spammy badness.
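Ipstenu's last step can be partly automated. The following Python script is an added example, not part of the thread: it parses a WXR export and flags posts and comments that link out to several foreign domains; the sample export and every domain in it are constructed.

```python
# Added example, not from the thread: flag posts/comments in a WXR export
# that link to many foreign domains. Sample export below is constructed.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
# Namespaces WordPress uses in its WXR (RSS 2.0) export files.
NS = {"content": "http://purl.org/rss/1.0/modules/content/",
      "wp": "http://wordpress.org/export/1.0/"}
HREF_RE = re.compile(r'''href\s*=\s*["']?(https?://[^"'\s>]+)''', re.I)

def external_domains(html, own_domain):
    """Distinct linked hosts that are not the blog's own domain."""
    found = set()
    for url in HREF_RE.findall(html or ""):
        host = urlparse(url).netloc.lower()
        if host and host != own_domain and not host.endswith("." + own_domain):
            found.add(host)
    return found

def scan_wxr(xml_text, own_domain, threshold=3):
    """Return (kind, title_or_author, domains) for every post or comment
    linking to at least `threshold` distinct foreign domains."""
    flagged = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title") or "(untitled)"
        doms = external_domains(item.findtext("content:encoded", namespaces=NS), own_domain)
        if len(doms) >= threshold:
            flagged.append(("post", title, sorted(doms)))
        for c in item.findall("wp:comment", NS):
            author = c.findtext("wp:comment_author", namespaces=NS) or "?"
            doms = external_domains(c.findtext("wp:comment_content", namespaces=NS), own_domain)
            if len(doms) >= threshold:
                flagged.append(("comment", author, sorted(doms)))
    return flagged

# Constructed, minimal WXR: one clean post, one clean comment, one link-farm comment.
SAMPLE_WXR = """<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"
  xmlns:wp="http://wordpress.org/export/1.0/"><channel><item>
<title>Normal post</title>
<content:encoded><![CDATA[<p>See <a href="http://example.org/about">about</a>.</p>]]></content:encoded>
<wp:comment><wp:comment_author>bob</wp:comment_author>
<wp:comment_content><![CDATA[Nice post!]]></wp:comment_content></wp:comment>
<wp:comment><wp:comment_author>pills4u</wp:comment_author>
<wp:comment_content><![CDATA[<a href="http://spam-a.test/">a</a> <a href="http://spam-b.test/">b</a>
<a href="http://spam-c.test/">c</a>]]></wp:comment_content></wp:comment>
</item></channel></rss>"""
if __name__ == "__main__":
    for kind, who, doms in scan_wxr(SAMPLE_WXR, "example.org"):
        print("%s by/titled %r links to %s" % (kind, who, ", ".join(doms)))
```

Lower the threshold or add a keyword list if the spam on your own export is subtler than a plain link farm.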

  7. figaro
    Member
    Posted 5 years ago #

    @sinagrida

    If you have phpMyAdmin you can click on the wp_user table, click browse, and look for the admin user (probably ID 1). Then click on the pencil in that record to edit it. Delete the user password (it will be a long string of random characters) and type in a new password. In the function drop-down, select MD5 and then save (press go). This should reset your admin password.

  8. I think my wp site is hacked too!

    Hold please.

    Let's not make this a pile on; if you have password issues please check out http://codex.wordpress.org/Resetting_Your_Password and we can concentrate on the OP's issue.

    Edit: Thanks Figaro :)

  9. mikey1
    Member
    Posted 5 years ago #

    @chowell18
    Hi again, I have no doubt you've been very thorough with your install,
    keep us up to date with your progress, good luck.

    PS. If you had a large number of spam comments before the attack you may want to take a look at this great plugin from whooami which logs everything.
    http://www.village-idiot.org/archives/2007/04/18/wp-noshit/

  10. chowell18
    Member
    Posted 5 years ago #

    I am seeing a large number of spiders and site queries in the access logs from some bots that are questionable (QQdownload for instance).

    Is there a good Plug-in for managing the Robots.txt file and/or the list of known bad bots?

  11. whooami
    Member
    Posted 5 years ago #

    wrong link, mikey

  12. Saurus
    Member
    Posted 5 years ago #

    In your .htaccess file, add:

    # Hotlink protection: refuse gif/jpg/js/css requests whose Referer is set
    # but does not point at this site. Replace YOUR URL with your own domain,
    # escaping the dots (e.g. example\.com).
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?YOUR URL/.*$ [NC]
    RewriteRule \.(gif|jpg|js|css)$ - [F]

    # Bad-bot block: the conditions are chained with [OR], so a User-Agent
    # matching any one of these patterns gets a 403 for every request.
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
    RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
    RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
    RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
    RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
    RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
    RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
    RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
    RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
    RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
    RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
    RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
    RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
    RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
    RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
    RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
    RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
    RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
    RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
    RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
    RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
    RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
    RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
    RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
    RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
    RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
    RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
    RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
    RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
    RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
    RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
    RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
    RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
    RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
    RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
    RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Zeus
    RewriteRule ^.* - [F,L]

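
As an added illustration (not code from the thread), here is a Python model of what the two rule sets above decide for a request; example.com stands in for YOUR URL, and only a handful of the User-Agent patterns are carried over.

```python
# Added example, not from the thread: a Python model of the decisions the two
# .htaccess rule sets above make, run over constructed requests.
import re

SITE = r"http://(www\.)?example\.com/.*$"   # stands in for "YOUR URL" (assumed domain)

# A handful of the post's User-Agent patterns; the real list is much longer.
# Apache regexes are unanchored searches; most entries pin themselves with ^
# and are case-sensitive, while HTTrack and Indy Library carry [NC].
UA_PATTERNS = [
    (r"^BlackWidow", 0), (r"^Download\ Demon", 0), (r"HTTrack", re.I),
    (r"Indy\ Library", re.I), (r"^Wget", 0), (r"^Zeus", 0),
]

def hotlink_blocked(path, referer):
    """Rule set 1: a set Referer that is not our site, asking for a
    gif/jpg/js/css file, gets a 403. Empty Referer (direct hits) passes."""
    if referer == "":                          # RewriteCond !^$
        return False
    if re.match(SITE, referer, re.I):          # own site, [NC]
        return False
    return re.search(r"\.(gif|jpg|js|css)$", path) is not None

def bad_agent(user_agent):
    """Rule set 2: conditions joined by [OR], so any single match forbids."""
    return any(re.search(p, user_agent, flags) for p, flags in UA_PATTERNS)

def decide(path, referer, user_agent):
    """HTTP status the rules would yield: 403 (forbidden) or 200 (allowed)."""
    return 403 if hotlink_blocked(path, referer) or bad_agent(user_agent) else 200

# Constructed requests: (path, Referer, User-Agent)
REQUESTS = [
    ("/wp-content/uploads/a.jpg", "http://www.example.com/post/", "Mozilla/5.0"),
    ("/wp-content/uploads/a.jpg", "http://other.example.net/", "Mozilla/5.0"),
    ("/wp-content/uploads/a.jpg", "", "Mozilla/5.0"),
    ("/", "", "Wget/1.11"),
    ("/", "", "Mozilla/4.0 (compatible; httrack 3.0)"),
    ("/", "", "Mozilla/5.0 Wget"),           # 'Wget' not at start: passes
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(decide(*req), req)
```

The User-Agent list only stops tools that announce themselves, because the header is whatever the client chooses to send; treat it as a nuisance filter, not a security boundary.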
  13. mikey1
    Member
    Posted 5 years ago #

    Hi again, and my apologies to whooami; the link should have been:
    http://www.village-idiot.org/post-logger
    Still, they are two very good plugins :)
    Thanks for noticing, whooami.
    Mike.

  14. chowell18
    Member
    Posted 5 years ago #

    @Saurus

    Could you or anyone else just briefly explain what that .htaccess code does?

    Also, in terms of positioning within the file, should that go at the end?

    Thanks in advance.

  15. Basically, that blocks those crawlers from hitting your site.

    I would suggest, instead, BadBehavior: http://wordpress.org/extend/plugins/bad-behavior/

    Cautionary warning, it borks the Flash Uploader. But it saves my life, regularly.

  16. chowell18
    Member
    Posted 5 years ago #

    @Ipstenu

    I don't use the Flash Uploader too often, so I'm guessing that I would be ok to install the plugin.

  17. sinagrida
    Member
    Posted 5 years ago #

    Thank you all for your answers!

    But a special T H A N K Y O U @ figaro because it was the only way that helped me!!

    Thank you thank you thank you!

    Figaro, is it possible to give me your email?

  18. @chowell18, probably. :) Between that and akismet, I only get one or two missed spams a month (versus the 30-40 a day I used to get).

  19. figaro
    Member
    Posted 5 years ago #

    @sinagrida: 234figaro432 [at] gmail [dot] com

    For everyone:
    I just helped someone recover their site from a similar problem and it looks like a hack...don't want to jump to conclusions, but here are the details of what I found:

    Symptoms:

    -- Site just upgraded to 2.7 a day or two ago
    -- Things worked fine at first
    -- Today admin couldn't login, but everything was still on the site

    What I found:

    -- The wp-users table was crashed
    -- There were two new users who had registered with @mail.ru addresses
    -- I deleted those users
    -- Repaired the users table
    -- Reset the admin password and all seems to be well now

    Not sure if someone has found a way to register on a 2.7 site and do something to crash the users table? That seems to be what happened here. Although, I guess the @mail.ru registrations could have just been a coincidence.

  20. Sford
    Member
    Posted 5 years ago #

    I can't even log in. When I go to my admin page /wp-admin it is just blank. I even tried reinstalling the admin file in case something was deleted, but nothing.

  21. Sford,

    That's different. Blank pages usually mean PHP issues. Check your error_log to see if anything is tossing errors.

    Try going into your wp-content folder and renaming plugins to plugins-save. If you can log in, then move those plugins back one at a time until you find the problem.

  22. whooami
    Member
    Posted 5 years ago #

    Why does a crashed user table look like a hack?

    I would have a gazillion registered .ru users were it not for the registration spam protection I use.

    That particular problem has been around for years.

    Neither of those alone, or even together, looks like a hack to me.

    What chowell18 describes being on his site is a PHP root shell script, and that is clear evidence of a hack. All the same, even without having more info, it's not automatically WordPress 2.7's fault. Simply stated, we don't have all the facts.

    Just saying...

  23. figaro
    Member
    Posted 5 years ago #

    As I said...

    Not sure if someone has found a way to register on a 2.7 site and do something to crash the users table? That seems to be what happened here. Although, I guess the @mail.ru registrations could have just been a coincidence.

    Emphasis on Not sure... and could have just been a coincidence.

    why does a crashed user table look like a hack?

    Because I have personally been working with WordPress for the last 6 or 7 years and haven't run into this problem before...if it's a well known problem, then I've just been lucky not to experience it ;-)

    Just floating a possibility. I don't know what the cause of the problem is, but there sure does seem to be a lot of people experiencing it lately.

  24. whooami
    Member
    Posted 5 years ago #

    Aha.

    This is why facts are so important. Consider the inflammatory nature of this thread. The reads..? hundreds? ya think? thousands?

    chowell18, your site was hacked BEFORE you upgraded to 2.7 .. Do you know that?

    Here is google's cache of a page of your site:

    http://74.125.95.132/search?q=cache:7Poe6eaymk8J:www.411lowdown.com/2008/09/15/swizz-beatz-alicia-keys-not-to-blame-for-my-marital-breakup/+http://www.411lowdown.com/&hl=en&ct=clnk&cd=4&gl=us

    I'm downloading that, should it change.

    That's from December 11, and if you look in the source code, you were running 2.3.3 .. and if you look further down, in the footer -- there are spam links. LOTS of them.

    Hacked. Different symptom, same problem. Upgrading a site that's already exploited does nothing once your data has been compromised.

    Coming here, and starting this thread is all well and fine, but not sharing the whole truth isn't really fair to everyone else, if you knew you had been hacked just prior.

    If, on the other hand, you didn't even know you were hacked at 2.3.3, then how is anyone here to trust that you properly secured your site at any given time?

    Someone continuing to run insecure software .. knowingly, at the very least.

    I thought upgrading to 2.7 would fix any vulnerabilities from previous versions - that is the purpose of upgrading, no?

    Yes, and you missed your share of upgrades. That said, upgrading a compromised site doesn't seal up holes that were created while the site was vulnerable.
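
whooami's check (the generator tag in the page source, spam links in the footer) can be scripted against any saved copy of a page. The Python below is an added example, not from the thread, run over a constructed snapshot; example.com is an assumed domain.

```python
# Added example, not from the thread: read the generator version and the
# footer's outbound links out of a saved page, so a cached snapshot can be
# checked against the version you believe you are running. Snapshot constructed.
import re
from urllib.parse import urlparse

GENERATOR_RE = re.compile(
    r'''<meta\s+name=["']generator["']\s+content=["']WordPress\s+([\d.]+)["']''', re.I)
# Good enough for a footer without nested divs; use an HTML parser otherwise.
FOOTER_RE = re.compile(r'''<div[^>]*id=["']footer["'][^>]*>(.*?)</div>''', re.I | re.S)
HREF_RE = re.compile(r'''<a\s[^>]*href=["'](https?://[^"']+)["']''', re.I)

def generator_version(html):
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def foreign_footer_links(html, own_domain):
    """Hosts linked from the footer that are not the site's own domain."""
    m = FOOTER_RE.search(html)
    if not m:
        return []
    hosts = [urlparse(u).netloc.lower() for u in HREF_RE.findall(m.group(1))]
    return [h for h in hosts if h != own_domain and not h.endswith("." + own_domain)]

def assess(html, own_domain, expected_version):
    """Human-readable findings: old version advertised, links worth eyeballing."""
    findings = []
    v = generator_version(html)
    if v is None:
        findings.append("no generator meta tag found")
    elif version_tuple(v) < version_tuple(expected_version):
        findings.append("page advertises WordPress %s, older than %s" % (v, expected_version))
    links = foreign_footer_links(html, own_domain)
    if links:
        findings.append("%d outbound footer link(s): %s" % (len(links), ", ".join(links)))
    return findings

# Constructed snapshot modelled on the symptoms in the thread (old version, footer links).
SNAPSHOT = """<html><head><meta name="generator" content="WordPress 2.3.3" /></head>
<body><div id="content"><a href="http://example.com/2008/09/15/post/">a post</a></div>
<div id="footer">Powered by <a href="http://wordpress.org/">WordPress</a>
<a href="http://cheap-pills.test/">x</a> <a href="http://casino-links.test/">y</a></div>
</body></html>"""

if __name__ == "__main__":
    for finding in assess(SNAPSHOT, "example.com", "2.7"):
        print(finding)
```

Expected links such as wordpress.org will show up too; the point is to get every outbound footer link in front of your eyes, not to judge them automatically.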

  25. Laughter.

    Whoo's investigation fu is superior to mine *bows* :)

    I didn't think it was a 2.7 issue but was too stumped to work it out. Thanks.

  26. mikey1
    Member
    Posted 5 years ago #

    LOL. I've just mailed Paris Hilton, if she wants her jewels back, she'd better get whooami to investigate.
    I'm exhausted (time for a beer)
    Mike.

  27. chowell18
    Member
    Posted 5 years ago #

    @whooami

    Was not aware that the site was already hacked, but that certainly would explain some things.

    Any idea how to fix that particular hack?

    Thanks.

  28. chowell18
    Member
    Posted 5 years ago #

    Passwords all changed, footer edited.

    Still looking for the page/file containing the "wp_footer" call, which was the hack.

  29. whooami
    Member
    Posted 5 years ago #

    which was the hack.

    That's not the hack. That's a symptom, an effect. And that's the problem with people trying to 'fix' sites: they try to fix symptoms.

    To that end though, you presumably replaced that file when you upgraded -- stressing again that that's merely a symptom of what was, or is, the real problem.

  30. Mobster
    Member
    Posted 5 years ago #

    Wow! Those spam links look painfully familiar. :)

    Let whooami look behind the scenes. And oh... don't forget to donate a few bucks.

    Good luck!

Topic Closed

This topic has been closed to new replies.