Clean 2.8.4 Hacked :( (25 posts)

  1. justbishop
    Posted 6 years ago #

    I had 2 instances of 2.8.3 running on separate databases, and both were hacked before I got the chance to upgrade. I upgraded, deleted all WordPress, plugin, and theme files, downloaded fresh zips of all, uploaded those, checked my permalinks structure (nothing out of the ordinary there), searched both databases for the "eval" and "base_" crud that supposedly causes it (nothing came up except for the blog post about it by lorelle @ http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/. Should that be in my databases??), and even had my hosting company look through my .htaccess file to ensure that anything that was there was supposed to be. Still getting the icky redirects and spyware warnings.

    Well, one of the installs of WP was just for design purposes and had virtually no content in it, so I went ahead and deleted all of its files AND its database. Started with a fresh clean database and a fresh clean 2.8.4 install of WordPress. Redownloaded and installed fresh versions of the plugins I use (FatFreeCart, Cleaner Gallery, and Lightbox 2), as well as the theme (Fixed Blix). The only files from the old install that I reuploaded were a handful of theme template files, which I meticulously went through with my own eyes beforehand (footer.php was NOT one of them).

    This fresh, clean install of 2.8.4 is STILL REDIRECTING randomly!!!!

    I've put in a help desk ticket with my host to make sure that my entire account didn't get affected somehow, but I'm expecting them to tell me to ask here anyway, since it originated with 3rd party software. Help?

    ETA: Also wanted to mention that I've tested the new install by repeatedly hitting "reload" and clicking around on it via a Mac iBook using Opera, so I highly doubt it's my machine that's infected. I've checked my browser cache, and it's clear. I'm no expert, though, so I guess it's possible?

  2. justbishop
    Posted 6 years ago #

    Ugh, I don't know why I even waste time posting here.

  3. What did your web host say? Are you on shared hosting? Are you still getting redirects with all of your plugins disabled?

  4. Looks like you've done it right already. Can you share the URL? Other people confirming the behavior would at least confirm if it's your blog or Mac.

    If your files, database, and .htaccess are all good then it's possible the web server itself was compromised. If that's the case, your hosting company would need to fix it.

  5. She's not going to get redirects from her local machine.

    Tell your host and find out what they're doing for shared hosting clients. Sounds like their problem.

    WordPress hacked FAQ

    How to clean your hacked WordPress install.

  6. alism
    Posted 6 years ago #

    Dodgy iframes still in the database?

  7. justbishop
    Posted 6 years ago #

    Thanks guys! I'm glad I got desperate enough to come check back here!

    URL: http://www.goashleygo.com

    My host said that they looked through everything and my account "seems to be functioning normally." I'm on shared hosting, I guess? I doubt that my $5/mo account is dedicated.

    Just did a search of my DB for "iframe" and got nothing.

    Today it seems to be happening when I hit the log in link in my footer, as well as randomly when I update an existing post or publish a new one.

    Tried the Exploit Scanner plugin, but most of what it brought up was either marked "could be legitimate" (so how do I know what's not kosher?) or was in the Exploit Scanner itself (which is to be expected).

    I've checked all of my index.php files in WordPress. They all look as they should. I've looked through the source of my site home page and the add new post page. Nothing out of the ordinary there, but both have so many js things going on that there could very well be something there that I just don't know enough to see.

    Is my last resort to use something like WinMerge and compare known clean files to ALL of the WordPress files on my server? Because that would really suck.

    ETA: just disabled/reactivated my few plugins one by one, clicking around my site a bit in between each. It's hard to tell if that did anything though, since the redirection seems to happen at random anyway.
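    The file-by-file comparison against known-clean files that the post above considers, as an added example that is not part of the original thread: it hashes every file in both trees so nothing is skipped, where the clean tree is a fresh download of the same WordPress, plugin and theme versions, never a copy taken from the server. The file names and contents in demo() are constructed for the demo.

```python
import hashlib
import os
import tempfile


def _digests(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def compare_trees(clean_root, live_root):
    """Compare a fresh WordPress download (clean_root) with the live tree (live_root).
    'modified' catches injected code in files such as footer.php, 'added' is where
    dropped files usually surface, 'missing' flags core files that were removed."""
    clean, live = _digests(clean_root), _digests(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(set(live) - set(clean)),
        "missing": sorted(set(clean) - set(live)),
    }


def _write(root, rel, body, mode="wb"):
    """Write body to root/rel, creating parent directories as needed."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(body)


def demo():
    """Constructed trees: a clean copy and a 'server' copy with two deviations."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    base = {"index.php": b"<?php require 'wp-blog-header.php';\n",
            "wp-content/themes/blix/footer.php": b"</body></html>\n"}
    for root in (clean, live):
        for rel, body in base.items():
            _write(root, rel, body)
    # Constructed deviations on the live side: an appended line and a stray file.
    _write(live, "wp-content/themes/blix/footer.php", b"<!-- appended -->\n", "ab")
    _write(live, "wp-content/uploads/stray.php", b"<?php // constructed placeholder\n")
    return compare_trees(clean, live)
```

    Run compare_trees() with the unpacked clean download and a copy of the server tree fetched by FTP; anything under "added" or "modified" is what to open and read, which is far less than every file.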

  8. syncbox
    Posted 6 years ago #

    Did you use the same name and password as before? Did you create a new .htaccess file?

    What's the URL so we all can at least see what shows up on this site?

    Hope we can help.

  9. justbishop
    Posted 6 years ago #

    Nope, changed all the passwords (used auto generated ones) and even changed the DB name and user name. Everything was created fresh and a clean 2.8.4 was installed.

    URL in my above post ;)

  10. alism
    Posted 6 years ago #

    Do you get the same problem if you use a different PC/Mac to access the site?

  11. justbishop
    Posted 6 years ago #

    Yep, happens on my PC desktop as well. I guess I should mention that we have found the Koobface worm and some other random trojan on that thing, even though we use AVG and I don't click on the warning windows (I just do the 3 finger salute to close out the browser). My husband takes care of that sort of thing. I'm a virus magnet, hence having bought myself the iBook.

    For a while I thought it was just that computer doing it, but am still being redirected here on my iBook using Opera as well, so assuming it's still something to do with my installation of WordPress >.<;;

  12. alism
    Posted 6 years ago #

    Hmmm. I've got a funny feeling that Koobface screws with the DNS.

    I'd try it from a different network (i.e. one that hasn't got viruses and spyware on it!!).

  13. justbishop
    Posted 6 years ago #

    So, take my laptop to someone else's house and use their internet? How do we fix ours?

  14. alism
    Posted 6 years ago #

    Try a different PC/Mac, on a different (hopefully clean) network. You ideally want to narrow it down to your two computers if possible.

  15. justbishop
    Posted 6 years ago #

    Can my husband try from his PC laptop here at our house on our wireless? Our Wii and Xbox 360 also use our wireless... can this crap hurt those too?!

    ETA: and so it should be safe to allow others to visit my site then?

  16. alism
    Posted 6 years ago #

    You can try it... but whether it'll prove anything if you still get redirected is a different matter. Might still be your website after all, but just trying to help eliminate possibilities for you - divide and conquer! I'm sure others will chime in if they've got any other genius ideas. There's plenty of people reading this forum that are way more qualified to talk about this type of thing than me.

    I would suggest you make it a priority to clean up your known bad PC though. Having data stealing software on a PC is never a good thing. I'm sometimes amazed at how blasé some people seem to be about that sort of thing (funnily enough, that usually only lasts until their bank account is suddenly empty and there's a load of items they don't remember buying on their credit card!)

  17. justbishop
    Posted 6 years ago #

    Yeah, my husband is working on cleaning up my mess as I type (OK, so he's feeding the baby while some sort of scan runs, lol!)

    Thanks to all for the help thus far. This is really frustrating!

  18. justbishop
    Posted 6 years ago #

    Anyone happen to visit and find anything?

  19. Interesting: Koobface does muck with DNS, but only on Windows boxes.

    When you're cleaned up, I'd change your DNS to OpenDNS in your home router and your PCs and Macs. It's very easy. That won't prevent another Koobface infection, but will help with other DNS malware.

    And, in my not so humble opinion, $5 a month shared hosting is junk; you're just waiting for a server hack. Do yourself a favor and get better hosting. Even GoDaddy hosting must be better.

  20. You've got a 500 server error now. Did you edit the .htaccess with your Mac? Check to see that you saved it with Unix line endings out of your Mac text editor.

  21. alism
    Posted 6 years ago #

    I've not read enough about Koobface to know how much damage it does or what else it might drop on the machine, but I know that just one machine infected on a local network is potentially able to poison the DNS for other machines though - even 'uninfected' Macs.

    Let us know how you get on.

  22. They're different malware critters. If you're using OpenDNS as opposed to local, and (mostly) don't run in Windows admin mode and don't password software install under OS X, you're pretty safe.

  23. justbishop
    Posted 6 years ago #

    Yeah, I saw the 500 and posted a ticket to my host's help desk. They said that it was a weird entry in my .htaccess (I didn't put it there!), which they fixed, and now everything's peachy. No redirects all day. IDK what technology gods have smiled upon me today, but wherever they are, I thank them!

    I'll tell my husband about the OpenDNS thingie. He deals with that sort of thing. I know how to code, FTP, and open a browser, lol!

    Thanks so much for everything guys, and please post back if anyone figures out anything else!

  24. Jesse Heap
    Posted 6 years ago #

    May not be related to your issue, but the Koobface virus does steal passwords for servers from popular FTP programs:

    FTP server and client software:
    » Total Commander
    » cuteFTP
    » Ipswitch
    » SmartFTP
    » Coffeecup Software
    » FTP commander (Pro, Deluxe)
    » FlashFXP
    » FileZilla

    In our case, my mother-in-law was infected by Koobface and the virus got a hold of our website FTP credentials and installed itself on our web servers.

    So if you are/were infected with Koobface make sure to change your passwords for FTP immediately. And if your laptop is still infected, I would uninstall these FTP programs and refrain from logging into your website until the virus is completely removed.

  25. justbishop
    Posted 6 years ago #

    Thanks for the info! Not having any issues since my host looked at my .htaccess the second time and found something to fix, so crossing my fingers that it's all over :)

Topic Closed

This topic has been closed to new replies.