2.5 updated to 2.5.1 hacked

  • Resolved EdGarciaDesign

    (@edgarciadesign)


    First off… ARGH!!!! Ok, feel better now. But my site is having code inserted AFTER the footer, so no matter how much I scream I won’t get it fixed. 🙂

    I have searched the forum and have seen many hacks explained but I can’t seem to find the one that applies here. There is code being inserted right after the footer. Starts like this: (notice the <dd4> – there are others like <dd5> in that code also)

    </body>
    </html> <dd4><font style="position: absolute;overflow: hidden;height: 0;width: 0"><a href=……………………… (long list of links and text follow this, obviously from the hack)

    Now, at least the website does not display this since it is after the </html> tag. But I will be darned if I can find how to stop it from being there. Things I have looked for or tried:

    the “1” folder

    _new. and _old. files mentioned in other posts

    looking for iFrames

    used exploit scanner – returned very few hints, and even after deleting the plugin that could be at fault (Ajax WordPress) the code still showed up.

    uploaded a clean install of WP 2.6 -deleted WP dir + uploaded clean version to server + started WP without any theme or plugin working
    Looked through the database but found nothing out of order (limited knowledge here though)

    none of the above helped, the code was still there. I have the following plugins:

    Ajaxed WP
    Akismet
    All in One SEO
    Contact Form 7
    LightBox2
    Search Everything
    Subscribe2
    Wordpress Database backup
    WP-FileSystem Tester
    WP Ajax Edit Comments

    My theme is just a modified version of the default theme. mmmm what else can I try?

  • Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Got anything special in the root dir? .htaccess file? PHP.INI? If you deleted the WP folder and reinstalled clean, then it must be outside that folder.

    Had an htaccess AND a php.ini in my root but deleted them trying to figure out the problem. Sorry I didn’t add that to the list of things I have done.

    I do have other folders that I use for testing but nothing weird shows up in them (pretty simplistic HTML files and some images >I< created)

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Well, if it was me, I’d grab a copy of the whole thing via FTP and then run greps on it looking for where that code is.

    It’s somewhere in there. That’s the best we can say.

    whooami

    (@whooami)

    Member

    I guarantee you that your site has files on it that you didn’t place there… and that’s just the files that are being called — that’s not including whatever is calling the files.

    If you want help figuring it out, I’m available — I do charge, but I’m very reasonable.

    Contact me via my contact form on my web site if you give up.

    Thanks everyone, will download the whole thing and see what I can find. It must be outside of the WP folder so I will have to search everything. Is there any piece of code, or file, in specific I should be looking for?

    @mercime

    (@mercime)

    Volunteer Moderator

    EdGarcia, saw the same on a 2.5.1 version install last week – source code of public site AND admin pages had this instead

    <div><font style="position: absolute;overflow: hidden;height: 0;width: 0"><a href=...........</div>
    </body>
    </html>

    AND the XML export PLUS the feed had the <div><font style="position: absolute;overflow:....</div> at the end of the documents.

    We went with the check and cleanup of files, folders, themes, SQL route first including process ala video seen here. Like you, the result of new install of WP and database import still showed the hack. Banged our heads on the walls.

    Our second route and solution found was (after backing up everything including sitemap.xml and writing down ALL plugin settings, API’s, etc.):
    1. delete all files including wp-content (remember we backed it up)
    2. create new database
    3. upload new WP files and folders, wp-config.php set up for new database
    4. run install.php
    5. created users to catch multi-blogger posts
    5. asked webhost to increase max file upload to 20mb
    6. imported cleaned up XML file and assigned users
    7. checked website using default theme – voilà, nothing at the footer of theme, admin pages, feed nor in new export of XML.
    8. uploaded plugins and per notes taken down before closing old site, set respective configurations
    9. check of site posts/pages, admin pages, feed, new export of XML, new export of database clean
    10. uploaded customized theme (double checked for strange code, none found)
    11. check of site posts/pages, admin pages, feed and new export of XML, new export of database clean
    One week later, friend reports site still clean. “Hardened” his site so well, I got locked out when I forgot to put new password to login. Oh well.
    Good luck.

    I suppose I overread, but did you (both) check the footer.php (and/or other theme files)? If the theme was altered, you can upgrade, backup, reinstall, etc. all you want, but if you keep using the same theme, nothing much will change. Mercime deleted the wp-content folder, which includes the theme, which forced him to put up a new theme (or a clean download of it or the version on the computer at least) which might have solved the problem.
    Just my 2 cents.

    @mercime

    (@mercime)

    Volunteer Moderator

    Yes, Gangleri, all theme files, especially footer.php, were checked because the hack kept appearing there. [Added: We even deleted <?php wp_footer(); ?> just in case, but hack still appeared.] We deleted the wp-content in first and second routes to find solution. But after new installation with XML import, checked with default theme first, when it passed clean, uploaded the customized theme from computer which was used in the original install.

    Part of cleanup process was exactly like shown in video, but that was not all. We were lucky to have caught the hack. We were working on altering the home page the night before, looking at source files and all was well. When we went back to working on implementing changes the next day (roughly 12 hours), the hack showed up.

    I guessed so 🙂
    Roy

    Problem solved. Deleted ALL files from server and uploaded back up files. Seems the hack is inside files but not on database. So if you get the DD4 or DD5 on the inserted code you can safely replace all your files with a backup and you are set. Upgrade often! is all I can recommend.

    mercime, saw your posts after I posted mine (that is what I get for not refreshing page). Thanks, it seems my hack did not include anything like that on database though. I think there are quite a few variants of the hack.

    I’ve just had the same problem. I don’t know how it got there but if you go to the index.php file in your root directory you’ll see the offending code after the closing html tag. Delete it and you should be good to go 🙂

    I just found a similar crack that was implemented as a “graphic” file, but in reality it was a php script named “lnu_php.jpg”. Looking at the code in this script, I found it is fully capable of allowing the cracker to access and modify any file on the system that Php has access to.

    Being an image file extension, it would be really easy to have had a link to it embedded in any number of files to cause it to “re-infect” upon loading, and who really looks for extra image tags?

    Note that the site I found this crack on does NOT run WordPress, but is a not-for-profit site I occasionally do tech support for, so it isn’t a WordPress specific problem.

    HTH!

    Koolforkatz

    (@koolforkatz)

    At last I found someone with the same problem. I have just discovered the exact same thing in my index file. I deleted it all yesterday, let my host company know of this problem but it was back again today. Just different garbage this time. I have a very, very simple, 5-page site I designed myself a few years ago. No bells and whistles whatsoever. I looked through all the files and directories yesterday and everything seemed normal except for the index file. Now…. there were actually two weird little things that I didn’t add. Something in the folder called “m” and another one called “ksp.php”. The one called “m” just had “index” in it. The other one had some scripting stuff which I have since found out is bad, too. The host company removed both of these things but it seems like my recurring problem with the garbage in index occurred after they had removed these. I don’t know what to do? Any ideas? As I said, my website is boringly simple…. and I can’t see anything untoward in the files at all 🙁 Help!!!!!

    whooami

    (@whooami)

    Member

    Any ideas?

    Besides what?

    You don’t even indicate what version of WordPress you are using.

    Here’s the wisdom:

    1. you ought to be running WordPress 2.7

    2. if you’re not, and your site has already been exploited — then you need to ‘clean’ your web site and THEN upgrade.

    3. If you are and your site is showing signs of being exploited right now, you were probably hacked before you upgraded.

    There are tons of threads on here that already address the process.

    http://wordpress.org/search/exploited?forums=1
    http://wordpress.org/search/hacked?forums=1

    Lastly, what Alderin described is very common-place – no big surprise.
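
One way to run the search suggested in the thread over an FTP copy of the site, covering the two symptoms reported: markup after the closing `</html>` carrying the zero-size `position: absolute` style, and PHP inside a file with an image extension. This is an added example, not code from any poster or from WordPress; the function names, finding labels and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Zero-size, absolutely positioned inline style quoted in the thread.
HIDDEN_STYLE = re.compile(
    rb"position:\s*absolute;\s*overflow:\s*hidden;\s*height:\s*0;\s*width:\s*0", re.I)
CLOSE_HTML = re.compile(rb"</html\s*>", re.I)
PHP_OPEN = re.compile(rb"<\?php", re.I)  # short tags skipped: too noisy in binary data
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".ico")

def check_file(path):
    """Return finding labels for one file; a real image never needs a PHP tag."""
    data = path.read_bytes()
    if path.suffix.lower() in IMAGE_EXT:
        return ["php-in-image"] if PHP_OPEN.search(data) else []
    findings = ["hidden-style"] if HIDDEN_STYLE.search(data) else []
    closes = list(CLOSE_HTML.finditer(data))
    if closes and data[closes[-1].end():].strip():
        findings.append("content-after-html")  # bytes follow the last </html>
    return findings

def scan_tree(root):
    """Walk a downloaded copy of the site; map relative path -> findings."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        found = check_file(path) if path.is_file() else []
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits

def build_sample(root):
    """Write a constructed four-file tree (not real site data) for the demo."""
    page = b"<html><body>hello</body>\n</html>"
    spam = (b' <dd4><font style="position: absolute;overflow: hidden;'
            b'height: 0;width: 0"><a href="http://example.invalid/">x</a></font>')
    files = {"index.php": page + spam, "clean.html": page + b"\n",
             "images/real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
             "images/lnu_php.jpg": b"<?php /* placeholder body */ ?>"}
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_tree(tmp))
```

Point `scan_tree` at the downloaded directory rather than the live server. Hits are leads to review by hand, since a template can legitimately have bytes after `</html>`.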
