[resolved] [closed] Calling all site owners hacked by walangkaji/ Badi etc. - Need some help (87 posts)

  1. rossagrant
    Posted 3 years ago #

    Hi guys!

    I think this has been spreading a fair bit over the last few weeks.

    Today 2 of my sites (on the same server) got hit by a 'Hacked By Badi' hack.

    Here's a detailed look at what it does:

    1. It changes your site title to something like this:
    +ADw-/title+AD4-Hacked By Badi+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-

    2. It creates a non registered sidebar in your 'Widgets' area and inserts a text widget with some script in it which looks like this:

    <script>document.documentElement.innerHTML = unescape([ redacted ]);</script>

    ALL widgets are removed from the sidebar that are currently on your site, so you have no widgets displaying in the front end.

    3. It changes your charset from UTF-8 to UTF-7.

    Now I HAVE NO IDEA how this happens, as no users are created, it doesn't look like wp-config is altered, no passwords are changed etc.

    Now I have Vaultpress and looking at my logs for the day (it's been a pretty quiet day on my WP/ Buddypress site) I see that between 9:21am and 10:21am that 33 uploads to the uploads folder were made.

    I can't be sure, but I don't think these were uploaded by a user. They weren't uploaded by me.

    None of the hack's effects were felt at this time though, as I was online until midday, and a user submitted a Gravity form at about 4:30PM through a widget.

    They wouldn't have been able to see the widget once the hack was in place.

    Vaultpress shows me that my site title and charset weren't changed until about 8:30pm, so maybe the uploads and this hack were unrelated.

    I have deleted the text widget created, changed my charset back to UTF-8 through Settings---> Reading WHICH SHOULDN'T ACTUALLY SHOW THAT OPTION SINCE WP 3.5 (so the script must bring that option back too), and changed my site title back.

    I was just wondering if those who have experienced this would post a list of the plugins they use.

    We can then cross check and see if there is a plugin flaw causing this.

    It looks like an SQL injection, but I have no idea how they work.

    Seems a bit too widespread to be a host issue perhaps.

    I really don't know, but if we put our heads together, we can hopefully get to the bottom of it.

    I have Sucuri on this too.

    Please pitch in!

  2. @rossagrant Please do not cross post into other threads: If you want to post here fine. But injecting into other threads just to bring people here is not how the support forum works.

  3. rossagrant
    Posted 3 years ago #

    Sorry Jan, I just didn't want to hijack this thread with my problem, so just wanted to ask for help from these guys on my issue.

    I think we could all do with some support on this as it seems a lot of sites are being hit and we need to find out why.

    I have 2 years of work and tens of thousands of dollars at stake with my WP site.

    I have good backup measures in place, but need to make security as tight as possible.

    Any help from anyone here would be amazing.

    Thanks, and sorry if I've caused a problem.

  4. Barneyntd
    Posted 3 years ago #

    At the time of the hack I had a bunch of simple plugins I wrote myself, akismet, and wordpress-importer. Nothing else, not even disabled.


  5. rossagrant
    Posted 3 years ago #

    Thanks Barney, that would suggest the code is being injected through another means then.

    Perhaps a server compromise or files uploaded to the uploads folder with executable code such as images.

    Anyone else found anything more about this?

  6. I think we could all do with some support on this as it seems a lot of sites are being hit and we need to find out why.

    And you get support, from volunteers like you and me. Just look at your previous posts.

    But you are really approaching this from the wrong direction. It's much more important to clean the mess and lock down your installation. That's why we all often refer to that list of articles. It's good advice and outside of your host being insecure (always a possibility) those posts will help you get a handle on your situation.

    You need to start working your way through these resources:

    Additional Resources:

    Also please do not post malware code here. If you have Sucuri working on this then I am sure they will be able to help you.

  7. rossagrant
    Posted 3 years ago #

    Will start working through. If anyone else comes up with anything please let me know.

  8. MickeyRoush
    Posted 3 years ago #

    I believe those attacks are made to leverage XSS.



    After you get your site cleaned up, it's important that you check your workstation (PC, Laptop, etc.) for any malware. Then make sure you change all important data, like passwords, usernames, etc.

  9. rossagrant
    Posted 3 years ago #

    That's really useful Mickey, thanks!

    I see how they can execute stuff once they have changed the charset to UTF-7, but does anyone have any idea how that happens in the first place?

    There doesn't seem to be a common plugin at fault in these cases and Sucuri can't find any malware on my sites whatsoever. My host is confident it isn't a server compromise. I'm just baffled as to how they get in and if the open door is in my file set somewhere.

    Is it a one-off attack or do I need to roll back to a backup?

  10. rossagrant
    Posted 3 years ago #

    Looks like Badi just popped up to say that his hack is a server vulnerability but his post seems to have been removed.

    Any chance you can let us know what the flaw is and whether our sites need to be rolled back to a previous backup? Is anything left behind when we revert this hack?

    How did you do it?
    I really need to know!

  11. Klapgeest
    Posted 3 years ago #

    Got hacked today too.....
    Even my cpanel is down.....

  12. Andrew Nevins
    Forum moderator
    Posted 3 years ago #

    Hi Klapgeest, you can create your own thread for support with your issue.

  13. badi-Owner - If you are, posting in a public forum where we can see your IP and trace you back is probably the stupidest thing I've ever seen.

    Your posts were removed because we are a pro-active, sharing, community. Call us White Hat Hackers if you want, we don't engage in malicious actions, and they are not welcome here. If you're really the hacker, STOP. You're not helping anyone. Go talk to the server companies and explain what's wrong so they can fix it. Don't be an ass.

    These do sound like server hacks, that said, and not something WP was open for. While I can fathom how one may use WP to access the site, the fact that the site then allows you to mess with the server is not something we can really help with, and you need to pick up a phone and call your webhost.

  14. rossagrant
    Posted 3 years ago #

    Am talking to my hosts and we're looking through things. Would be way more helpful if Badi could explain whether after the hack, if anything is actually remaining in the site's files.

    I can roll back, but do I really need to?

    I wouldn't expect a full explanation of the hack but people would be grateful for a general overview of the flaw used to compromise the site.

    Even a general pointer.

  15. devinhsmartin
    Posted 3 years ago #

    My websites just got hacked. I currently have 19 wordpress websites sitting on this cpanel account. Looks like only the site titles and the side bars were changed. On two or three sites some pages are actually showing up the HACKED BY BADI white screen. Any thoughts on how to fix this ASAP?

  16. rossagrant
    Posted 3 years ago #

    Devin, firstly go into settings---> Reading and change the UTF-7 to UTF-8.

    Then go into your widgets area. You'll see an unregistered sidebar with a text widget in it.

    Delete it AFTER you set the UTF-8.

    This MUST be done first or you will lose access to that option (it is hidden by standard in WP 3.5, this hack must bring it back).

    Then change your site title back.

    So far, I think that is all you need to do.

    No malware or file changes will have taken place, but this is happening more and more.

    Badi was on here today and said it was done through server vulnerabilities.

    I wish he could just work with us to let us know, so our hosts can fix it.

    My livelihood is my WP site, it's not a hobby for me, it's my work. I need to know about vulnerabilities.

    I hope his conscience brings him to let the WP community know what he is doing here.

  17. Any thoughts on how to fix this ASAP?

    @devinhsmartin Putting aside the "You-really-should-open-your-own-topic-as-that's-the-best-way-to-get-assistance-for-you" mantra for a minute, I think you'll find all you need to know at this link.

  18. devinhsmartin
    Posted 3 years ago #

    Rossagrant, I am in the same boat. Quit my dull job to take on WordPress development full time to support my family. I don't know why somebody would do something like this. My 3 year old is trying to get my attention to play with him and I CAN'T BECAUSE of this incident.

    Whatever... Thank you for the info though. I need to know about Vulnerabilities too. My livelihood is on the line also.

    My Clients are asking me why somebody would do this... What is the motivation behind hacking like this?

  19. devinhsmartin
    Posted 3 years ago #

    Thank you Jan!

  20. rossagrant
    Posted 3 years ago #

    Not sure Dev,

    I thought the protocol on this kind of stuff was to let the core team know at WP with a 'we'll put this out in the wild in x days' kind of thing.

    I still don't know for sure if it's a server side thing (very widespread across loads of different hosts) or a core WP thing.

    I have spoken to a few site owners and can't see a plugin correlation, so it's either WP or servers.

  21. Klapgeest
    Posted 3 years ago #

    Rossagrant; do you mean UTF-.. in the style.css?
    I am running WP3.5

  22. rossagrant
    Posted 3 years ago #

    No, UTF-8 is the charset you need to set your database to in order for it to display some characters correctly.

    UTF-7, which the hack sets it to, allows for code to be passed through the DB and isn't good from a security aspect.

    From what I found with my sites, if you go into the Settings--->Reading screen in the WP dashboard BEFORE you delete Badi's text widget with his script in, then you will see an option to set the charset back to UTF-8.

    If you delete the script then that option disappears and I guess you will have to set it through PhpMyAdmin.

    The option was taken out of the dashboard in WP 3.5.

    This hack seems to reinstate it until you delete the script found in the text widget that is also created upon the hack getting into your site.
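The UTF-7 trick described in post 1 and post 22, as an added example that is not part of the original thread: a Python triage script that decodes the `+ADw-`-style title the way a browser would once the page declares UTF-7, and flags which wp_options rows need resetting. The option values are constructed samples; `blog_charset`, `blogname` and `widget_text` are the real WordPress option names, everything else is illustrative.

```python
import re

# Constructed sample of the wp_options rows this thread talks about; not data
# pulled from any real hacked site. The blogname value is the one quoted in post 1.
SAMPLE_OPTIONS = {
    "blog_charset": "UTF-7",
    "blogname": "+ADw-/title+AD4-Hacked By Badi+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-",
    "widget_text": '<script>document.documentElement.innerHTML = unescape("[ redacted ]");</script>',
}

# A '+' followed by base64 characters and a closing '-' is a UTF-7 shift sequence.
# Under UTF-8 this is harmless text; under UTF-7 the browser turns it into markup.
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]{2,}-")

# Fragments that should never appear in a site title or a decoded text widget.
HTML_MARKERS = ("<script", "</title>", "<div", "<xmp", "innerhtml")


def decode_utf7(value: str) -> str:
    """Render a stored value as a UTF-7 page would, falling back to the raw text."""
    try:
        return value.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return value


def audit_options(options: dict) -> list:
    """Return (option_name, decoded_value, reason) for every row that needs cleanup.

    blog_charset is reported first because, as post 16 notes, it must be reset
    to UTF-8 before the injected widget is deleted.
    """
    findings = []
    charset = options.get("blog_charset", "UTF-8")
    if charset.upper().replace("-", "") != "UTF8":
        findings.append(("blog_charset", charset, "charset is not UTF-8; reset this first"))
    for name, value in options.items():
        if name == "blog_charset":
            continue
        # Only values carrying shift sequences are decoded; plain text is left alone.
        decoded = decode_utf7(value) if UTF7_SHIFT.search(value) else value
        if any(marker in decoded.lower() for marker in HTML_MARKERS):
            findings.append((name, decoded, "value contains HTML/JS markup"))
    return findings


if __name__ == "__main__":
    for name, decoded, reason in audit_options(SAMPLE_OPTIONS):
        print(f"{name}: {reason}\n    {decoded}")
```

Run against a dump of the wp_options table (or values read via phpMyAdmin) the script prints the decoded title, which makes it obvious why the charset has to go back to UTF-8 before the rest of the cleanup.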

  23. Klapgeest
    Posted 3 years ago #

    OK, unfortunately I don't understand where to change UTF-7 (I use Cpanel)

    When I go to my Cpanel and select phpMyAdmin, the same hack screen from Badi appears.... does this input help?

  24. rossagrant
    Posted 3 years ago #

    Klap, the UTF option should be in your WP dashboard, not in CPanel.

    Do you still see the text widget in the backend of WP in the Appearance--->Widgets section.

    It will be under a heading down the page that says unregistered sidebar?

    Don't delete it just yet, but see if it's there.

  25. Klapgeest
    Posted 3 years ago #

    No, no UTF option under dashboard and no text widget (only Fancy text which I bought).
    The strange thing is that my widget page keeps loading and my sidebar disappeared

  26. rossagrant
    Posted 3 years ago #

    The text widget won't be in one of your sidebar areas, it will be in a long panel under the list of widgets on the LEFT.

    It will be in an unregistered sidebar.

    If it's not, I'm not too sure, that's just what I experienced.

  27. Klapgeest
    Posted 3 years ago #

    no nothing there, also no UTF under dashboard....

  28. rossagrant
    Posted 3 years ago #

    Not too sure exactly what has gone on there then. Is your site title still messed up? Change it back.

    Are you showing weird characters on your site? Try typing a £ sign and see what it displays as. Are you definitely set to UTF-7?

  29. Klapgeest
    Posted 3 years ago #

    Just noticed that my hosting provider helped me out with a backup.
    Characters appear normally
    I don't know what charset I use - the style.css says charset UTF-8 though...

  30. rossagrant
    Posted 3 years ago #

    Klap if £ signs appear normally you are good to go.

    That backup will have cleared out the hack I guess.

    Keep a close eye on things though.

Topic Closed

This topic has been closed to new replies.
