WordPress Site Hacked

  • Hema Latha

    (@hema-latha)


    14 years ago

    Both wp-adin/dashboard and my site is getting redirected to:

    [Mod note – links removed]

    Today, 04/14/2010 i logged into dashboard and it was crashed.
    I tried to refresh many a times and it still was crashed,
    and i saw this address running fast in the Task Bar:

    [Mod note – links removed]

    After sometime the dashboard started redirecting to bing.com mentioned above.

    Changes i did today:

    1. Uninstalled wp-united.
    2. Uninstalled Phpbb.
    3. Installed Beeline wp plugin.
    4. INSTALLED wp plugin Tal.Ki (Tal.ki Embeddable Forums)

    I came to know my site has been HACKED and googled few solutions.

    1. Changed Wp Admin Password.
    2. Changed FTP Password.
    3. Saw this code in Page Source:

    <script type='text/javascript'>
/* <![CDATA[ */
var thickboxL10n = {
	next: "Next >",
	prev: "< Prev",
	image: "Image",
	of: "of",
	close: "Close"
};
try{convertEntities(thickboxL10n);}catch(e){};
var commonL10n = {
	warnDelete: "You are about to permanently delete the selected items.\n  \'Cancel\' to stop, \'OK\' to delete."
};
try{convertEntities(commonL10n);}catch(e){};
var wpAjax = {
	noPerm: "You do not have permission to do that.",
	broken: "An unidentified error has occurred."
};
try{convertEntities(wpAjax);}catch(e){};
var adminCommentsL10n = {
	hotkeys_highlight_first: "",
	hotkeys_highlight_last: ""
};
var plugininstallL10n = {
	plugin_information: "Plugin Information:"
};
try{convertEntities(plugininstallL10n);}catch(e){};
/* ]]> */
</script>
<script type='text/javascript' src='http://indiangirlsclub.com/wp-admin/load-scripts.php?c=1&load=thickbox,hoverIntent,common,jquery-color,jquery-ui-core,jquery-ui-sortable,wp-ajax-response,wp-lists,jquery-ui-resizable,admin-comments,postbox,dashboard,plugin-install,media-upload&ver=b92e060c1632e7b2fe6ec9809056c0d0'></script>

<script type="text/javascript">if(typeof wpOnload=='function')wpOnload();</script>
<script src="[Mod note - links removed]/js.php"></script>

    5. Removed this code from Index.php and Load-Scripts.php :

    <?php /**/ eval(base64_decode[Mod note - base64 code removed]"));?>

    6. Uninstalled Tal.Ki Plugin.

    Still my site is not clean.

    It’s getting redirected to :

    [Mod note – links removed]

    Site Url: http://indiangirlsclub.com
    Please HELP me. I’m not a tech savvy. What else should i do ???

Viewing 15 replies - 1 through 15 (of 27 total)
1 2
  • jirikai

    (@jirikai)

    14 years ago

    I am also having an issue with this. totally lost as to how I might go about fixing it. attemtping to scan databse.

    adiant

    (@adiant)

    14 years ago

    Hopefully, this will help:
    http://codex.wordpress.org/FAQ_My_site_was_hacked

    I also see that someone else is reporting this same problem:
    http://wordpress.org/support/topic/388395?replies=1

    adiant

    (@adiant)

    14 years ago

    This appears to be a fix for GoDaddy customers:
    http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix

    jirikai

    (@jirikai)

    14 years ago

    I saw some Base64 coding at the top of my index.php file in my root folder.

    Erased that and another .php file called “Florence_sdjfskd.php” or something similar. Can’t remember exactly. this file also contained a ton of coding.
    My site is now back to working normally.

    No idea if this problem will arise again tonight or not as all I have done it treat the infection, not the cause. Think it’s time for a wordpress core update as this appears to be a security flaw.

    while i am indeed with godaddy, other people around the net are complaining from other hosts also and i very much doubt we’ve all been hit by the same keylogger or malware.

    jirikai

    (@jirikai)

    14 years ago

    thanks by the way Adiant. Wouldn’t have thought to check the top of my index.php without your advice.

    adiant

    (@adiant)

    14 years ago

    Think it’s time for a wordpress core update as this appears to be a security flaw.

    Not from what I’ve read. Other software is being hit, too.

    Ask yourself how index.php is being modified. To me, that sounds like hackers have gained access to your web host, which is not something that WordPress can stop.

    jirikai

    (@jirikai)

    14 years ago

    it isn’t only godaddy hosted sites.

    http://forums.overclockers.co.uk/showthread.php?t=18128737
    They go on to ramble about random reasons and getting nowhere fast but the first post says all I need to see.

    hosted on freedom-2-surf (f2s)

    I remember reading about a couple of other hosts also as i crawled the net for a possible solution. Godaddy isn’t the only hosting company being targeted. This is what leads me to believe it is a WordPress issue and not hosting issue.

    The number of people being hit at once negates the chances of it being malware or keyloggers of some sort. the multiple different hosting companies negates the chances of it being a hosting issue. That leads only 1 remaining common element. the CMS WordPress.

    Of course there is always a chance that it is godaddy that is targeted and the others i saw from other hosters have been hit my malware but for it all to happen at roughly the same time leads me to believe that isn’t the case. Could be wrong but doubt it.

    adiant

    (@adiant)

    14 years ago

    There are many other explanations. For example, FTP ID/password databases built by hackers over the last year. Malware on machines of anyone with the FTP ID and password for a hosting account sends them to a central hacker database. Could have happened during a single infection 8 months ago.

    The “all hit at once” syndrome is also a sign it could be hackers. They do automated mass attacks. For example, in my FTP scenario, they would go to their database of thousands of FTP ID/password/host name combinations, and attack them all at once, and make the changes you’ve seen.

    This is not Sci-Fi. This happened around the Labour Day weekend last summer.

    Again, if this were peculiar to WordPress security, then only WordPress would have been compromised. Instead, many other pieces of software are being hit.

    jirikai

    (@jirikai)

    14 years ago

    I’m fully aware such things are not sci-fi lol. There is a distinct chance you are correct.

    However i am not finding any results of this issue for any other CMS. I’ve tried searching Joomla and Drupal in the hopes they might have found a solution that i could use to no joy.

    If you can provide links of where you found the other pieces of software being hit, it’d be appreciated. Any and all information regarding this issue is welcomed as even the slightest hint from a different CMS could lead to a realisation of a fix for our own.

    adiant

    (@adiant)

    14 years ago

    On another forum, Hema says:
    “It’s just not only the WordPress … I also have topsites directory, 4images, Another WordPress with Buddypress installed in the root.”
    ref. – http://forums.digitalpoint.com/showthread.php?t=1770144 (scroll down a way)

    Thread Starter Hema Latha

    (@hema-latha)

    14 years ago

    The “eval base 64” code is just not only in Index.php and Load-Scripts.php
    But through out my FTP php files. And i have spent a whole night deleting the codes from wp-admin, wp-content and wp-includes.

    But it’s still present in plugins, themes, 4images, topsites directory and more. I don’t think it’s possible to delete each and every php file manually.

    I have no idea how to use clean-ninoplas.sh script.
    I do understand i can change the needle. But bash, ssh .. ?

    I have also contacted Godaddy support and waiting for their reply.

    wpsecuritylock

    (@wpsecuritylock)

    14 years ago

    I just got done fixing someone’s site who was on Godaddy with this same problem.

    First thing you should do is…

    Change your hosting account, ftp, wordpress username, and database passwords.

    If you’re using Godaddy on a Linux Hosting Account…

    Login into your hosting account, go to File Manager, click on the “History” tab and see if you have a snapshot of your website before it got hacked.

    Here’s how to restore it if you have a snapshot prior to the attack…

    1. Go to your Godaddy hosting account “File Manager.”

    1. Click on “Current” tab and delete all files on your server. This is necessary to get rid of any “extra” files that may have been uploaded.

    ** Note **
    Do not delete or restore the _db_backups or php_uploads. These are part of Godaddy’s structure and shouldn’t be touched.

    2. Click on “History” tab and checkmark 3-4 files/directories at a time (so you don’t overload the server). Then click on the “Restore” icon. Repeat this process until all files are restores.

    3. Edit your wp-config.php file with your new database password. And make sure you add/change your Authentication Unique Keys.

    Here’s a article on how to use Restore…
    http://community.godaddy.com/help/2009/02/02/restoring-a-linux-hosting-account/

    If you need further assistance, please let me know.

    Hope that helps.

    tdjcbe

    (@tdjcbe)

    14 years ago

    Anything else think a mod should break the offending links? 🙂

    Rev. Voodoo

    (@rvoodoo)

    14 years ago

    base64 stuff that you find in php files often comes in through a backdoor php file on your server….. here’s what I went througha while back when I got hacked (on godaddy)

    http://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

    mrmist

    (@mrmist)

    14 years ago

    The redirection links etc. have been removed from the OP.

Viewing 15 replies - 1 through 15 (of 27 total)
1 2
  • The topic ‘WordPress Site Hacked’ is closed to new replies.