[Resolved] Calling all site owners hacked by walangkaji/ Badi etc. – Need some help
I think this has been spreading a fair bit over the last few weeks.
Today 2 of my sites (on the same server) got hit by a ‘Hacked By Badi’ hack.
Here’s a detailed look at what it does:
1. It changes your site title to something like this:
+ADw-/title+AD4-Hacked By Badi+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-
2. It creates a non registered sidebar in your ‘Widgets’ area and inserts a text widget with some script in it which looks like this:
<script>document.documentElement.innerHTML = unescape([ redacted ]);</script>
ALL widgets are removed from the sidebar that are currently on your site, so you have no widgets displaying in the front end.
3. It changes your charset from UTF-8 to UTF 7.
Now I HAVE NO IDEA how this happens, as no users are created, it doesn’t look like wp-config is altered, no passwords are changed etc.
Now I have Vaultpress and looking at my logs for the day (it’s been a pretty quiet day on my WP/ Buddypress site) I see that between 9:21am and 10:21am that 33 uploads to the uploads folder were made.
I can’t be sure, but I don’t think these were uploaded by a user. They weren’t uploaded by me.
None of the hack’s affects were felt at this time though, as I was online until midday, and a user submitted a Gravity form at about 4:30PM through a widget.
They wouldn’t have been able to see the widget once the hack was in place.
Vaultpress shows me that my site title and charset weren’t changed until about 8:30pm, so maybe the uploads and this hack were unrelated.
I have deleted the text widget created, changed me charset back to UTF-8 through settings—> reading WHICH SHOULDN’T ACTUALLY SHOW THAT OPTION SINCE WP 3.5 (so the script must bring that option back too), and changed my site title back.
I was just wondering if those who have experienced this would post a list of the plugins they use.
We can then cross check and see if there is a plugin flaw causing this.
It looks like an SQL injection, but I have no idea how they work.
Seems a bit too widespread to be a host issue perhaps.
I really don’t know, but if we put our heads together, we can hopefully get to the bottom of it.
I have Securi on this too.
Please pitch in!
- The topic ‘[Resolved] Calling all site owners hacked by walangkaji/ Badi etc. – Need some help’ is closed to new replies.