Is this only a part of the log?
What is the hacked file modification time?
Well the entire log itself is gigantic. Whatever is offered through my Cpanel is kind of limited..and there doesn’t appear to be any options, such as just seeing logs for today. I started where the users IP made a first request though, and ended it where the site was hacked and I fixed it.
As for file modification time, I’m not sure. I reuploaded fresh php files for my theme.. so I’m unsure =\. I was digging deeper in the log though, and I think it may have been a javascript exploit.. particularly jquery. I see some very weird requests from this person to jquery.. such as
111.95.99.42 - - [07/Jul/2012:06:33:35 +0400] "GET /wp-admin/load-scripts.php?c=1&load=admin-bar,hoverIntent,common,jquery-color,wp-ajax-response,wp-lists,quicktags,jquery-query,admin-comments,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,thickbox,plugin-install,media-upload&ver=3.4.1 HTTP/1.1" 200 34487 "http://mindfuseproductions.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11"
They edited several files through the theme-editor though.. functions.php.. index.php, header, etc etc.
Without looking at the logs, they shouldn’t have been able to edit any files belonging to your site. I’d recommend checking your file permissions.
Also following these two guides from the codex is a good idea.
http://codex.wordpress.org/Hardening_WordPress http://codex.wordpress.org/FAQ_My_site_was_hacked
I read through all of those. I don’t think it’s a permission issue aside from maybe some sort of javascript exploit.
I fixed everything last night.. to the best of my ability.. and hacked again. Wtf..
http://mindfuseproductions.com/
@ Tyrion Frost
You should be looking at the POST requests. It looks as though they were able to just log in and do whatever they wanted.
You need to lock it down completely from HTTP access the next time you do a clean up. You then need to remove any users that are not authorized, whether that be through the dashboard or the database, in your case most likely the database.
If you don’t need the theme/plugin editor you should disable it. In your wp-config.php add the following:
define('DISALLOW_FILE_EDIT', true);
But that is not an ultimate solution to your problem, it may only help a bit.
And since I’m not precisely sure what you’ve done already I’ve compiled a list of links so that you won’t have to scour the web for them.
Check your site(s) here:
1. http://sitecheck.sucuri.net/scanner/
2. http://www.unmaskparasites.com/
3. http://www.virustotal.com/
4. http://www.phishtank.com/
5. http://www.browserdefender.com/
6. http://ismyblogworking.com/
7. Google Safe Browsing (to access a site’s google info, add their domain to the end of this):
http://www.google.com/safebrowsing/diagnostic?site=
example:
http://www.google.com/safebrowsing/diagnostic?site=example.com
8. Check your URL at scumware.org to see if your site has already been classified as malicious:
http://www.scumware.org/search.scumware
Backup everything and put that backup somewhere safe. This is in case you have problems later on. Even though you could be backing up infected files, it is more important to have a backup of your work, for if you make a mistake cleaning your site, you will still have the backup(s).
1. http://codex.wordpress.org/WordPress_Backups
2. http://codex.wordpress.org/Backing_Up_Your_Database
3. http://codex.wordpress.org/Restoring_Your_Database_From_Backup
Then read these:
1. http://codex.wordpress.org/FAQ_My_site_was_hacked
2. http://wordpress.org/support/topic/268083#post-1065779
3. http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
4. http://ottopress.com/2009/hacked-wordpress-backdoors/
5. http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
6. http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
If you have indications of possible timthumb hacking, please read these:
1. http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html
2. http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
3. http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/
4. http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
Once your site is clean, then read these:
1. http://codex.wordpress.org/Hardening_WordPress
2. http://codex.wordpress.org/htaccess_for_subdirectories
3. http://www.studiopress.com/tips/wordpress-site-security.htm
4. http://stopbadware.org/home/security
Need more help?
1. https://badwarebusters.org/
If you believe your personal computer (not your host server) is infected please read these:
1. MajorGeeks.com malware removal:
http://forums.majorgeeks.com/showthread.php?t=35407
2. MajorGeeks.com how to protect yourself from malware:
http://forums.majorgeeks.com/showthread.php?t=44525
Sorry for the long list of links. But there are thousands of different ways they could be accessing your site(s).
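One way to do the POST-request triage suggested above, as an added example that is not code from this thread: a small Python parser for the cPanel/Apache combined log format (the same layout as the line quoted earlier), run over constructed sample lines. The IP addresses, paths and host name in the sample are made up for illustration.

```python
import re
from collections import Counter

# Apache "combined" access-log format, the same layout as the line quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (documentation IPs, example.com); not from the real log.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jul/2012:06:30:01 +0400] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Jul/2012:06:30:07 +0400] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.5 - - [07/Jul/2012:06:33:35 +0400] "GET /wp-admin/load-scripts.php?c=1&load=jquery-ui-core&ver=3.4.1 HTTP/1.1" 200 34487 "http://example.com/wp-admin/" "Mozilla/5.0"
203.0.113.5 - - [07/Jul/2012:06:35:10 +0400] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "http://example.com/wp-admin/theme-editor.php?file=functions.php" "Mozilla/5.0"
198.51.100.9 - - [07/Jul/2012:07:01:44 +0400] "GET /index.php HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Per client IP: POSTs to wp-login.php that were answered with a 302 (the redirect a
    successful login produces), any POST under /wp-admin/, and every theme-editor hit."""
    login_posts = Counter()
    admin_posts = Counter()
    editor_hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]      # drop the query string before matching
        ip = rec["ip"]
        if rec["method"] == "POST" and path.endswith("/wp-login.php") and rec["status"] == "302":
            login_posts[ip] += 1
        if rec["method"] == "POST" and path.startswith("/wp-admin/"):
            admin_posts[ip] += 1
        if path == "/wp-admin/theme-editor.php":
            editor_hits[ip] += 1
    return {"login_posts": dict(login_posts), "admin_posts": dict(admin_posts),
            "theme_editor": dict(editor_hits)}

if __name__ == "__main__":
    for key, counts in triage(SAMPLE_LOG.splitlines()).items():
        print(key, counts)
```

Any IP that shows up in all three counters but is not yours is the one whose account (and password) needs to go, and its first GET in the full log tells you where to start reading.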
Incredibly helpful.. I’ll be reading over those for probably most of today. I’m currently uploading a fresh copy of wp to see if I can figure out what they’ve done now. Last night I was hacked yet again, and I can’t figure out how they did it — or how to get rid of it. It seems they did something differently this time, and I can’t figure out where the hacked page is.
Anyway, thank you very much!
Btw, I found out they hacked my wp-config file. I’ve restored it and am fixing stuff. I’ve also applied a password to the wp-admin directory server-side, so maybe THAT will help while I further investigate what’s going on.
Stupid script kiddies..
Be sure to change your passwords too, no doubt they got access to them the first time.
Tyrion, were you able to find a solution to the /wp-admin/load-scripts.php? attack?
I have had the exact same issue, now hacked 2 times in 2 days. I’ve done everything listed above.
cheers.