Hacked copy of WP 2.04 (1 post)

  1. neotrope
    Posted 8 years ago #

    I tried to update my post and was told "post too old" (hmmm, guess you can't add to something after an hour ...) ... so:

    Howdy party people ... I thought I'd warn those of you who didn't pay attention about upgrading from certain versions of WordPress which have hackabilities... v 2.04 (same one Al Gore's blog was hacked ...), well, we just got two sites hacked this past week. The sites running 2.11 did okay, and we had just updated one to 2.5, which seems okay. Ironically, we were about to upgrade the 2.04 sites to 2.5 but were doing taxes last weekend (DOH!!!!).

    For those who might want to check their blogs... here's how it works: it seems the hackers create some posts under "admin" which are easy to spot, since most people don't post that way.

    Second, in our case the poster looks to have either hand posted or run a script right after the technorati simpletags plug-in to drop in all sorts of spam links.

    In case you want to know, these rat batards seem to be self-promoting their sites:
    (links intentionally broken and truncated here....)
    1) http://www.celticharper .com/harpblog -
    2) szymczyk.foxnet .pl/wordpress
    3) http://www.edico .de
    4) pieces.popagandhi .com

    If you have any string in your dbase with "szymczyk" or "popagandhi .com" then you have been hacked, methinks.

    Also, on site #2 we had some of these:

    The long string of keyword links into these sites is not included here, to save you (and the forum searchers) some suffering.

    An intrepid researcher could likely do some reverse domain => IP lookups and find some commonality amongst these and then do some serious IP blocks at the firewall level. I am posting all of these for posterity as this was an illegal hack of two of our sites by an evil evil person or company seeking to promote their nudie movies, and loan/finance programs; likely all affiliate related.

    Again, ironically we were in the process of updating everything to 2.5, but held off a tad due to taxes, and to make sure the one site running 2.5 didn't explode (few issues, mostly the print page plugin DOA). So, upshot: if you're waiting to upgrade to 2.5, and are STILL running 2.04, PLEASE upgrade to 2.11, even if you have to PAY somebody to do it; otherwise you may spend hours cleaning/scrubbing your site as we're now doing. ARGH.

    I'm kicking in a donation to anybody who whacks these hackers good.

    ==== additional ====

    A quick way to spot the damaged posts, versus having to do a search, which can be hard to do with WP2.5 since it doesn't save the search string when you search again, is to choose a category index, and scroll down the list of stories... if you're using the excerpt feature to put in your own story excerpt, these will be missing and the post will revert to the auto excerpt ending in [...]

    So, in our case we were able to scroll through a list of stories to find any occurrence of [...] in category indexes of content to find the bad posts. Some headlines were completely wiped also, and generally the "keyword" field was emptied.

    I looked through the files and could not find anything active after replacing all my plugins post upgrade... but it IS VERY IMPORTANT that you reinstall ALL your plug-ins after this kind of hack, as both the technorati tagging plugin, and then the sociable plugin "adopted" the links based on where they were on the page, meaning they were at bottom of post and look to be set up to "surround" anything running at bottom of post such as the sociable plugin (!).

    Really bad news here.
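
The checks described in the post above (indicator strings in the database, posts authored by "admin", wiped excerpts and headlines), combined into one pass over the posts table. This is an added example, not part of the original post: it assumes the default `wp_` table prefix, and it runs against a small constructed SQLite copy of `wp_users`/`wp_posts` with made-up rows and `.example` hosts rather than a live MySQL database.

```python
import sqlite3

# Indicator substrings quoted in the post ("szymczyk", "popagandhi .com").
INDICATORS = ("szymczyk", "popagandhi")

def build_sample_db():
    """Constructed data: a cut-down wp_users/wp_posts, not a real site dump."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER,
            post_title TEXT, post_content TEXT, post_excerpt TEXT);
        INSERT INTO wp_users VALUES (1, 'admin'), (2, 'editor');
        INSERT INTO wp_posts VALUES
          (10, 2, 'Spring news', 'Regular story text.', 'Hand-written excerpt'),
          (11, 2, 'Old story', 'Text <a href="http://szymczyk.example/x">loans</a>', ''),
          (12, 1, '', 'kw kw <a href="http://pieces.popagandhi.example/">x</a>', ''),
          (13, 1, 'Cheap stuff', 'Nothing matching here.', 'Excerpt'),
          (14, 2, 'Short note', 'Clean post, no excerpt was ever written.', '');
    """)
    return db

def find_suspect_posts(db, admin_login="admin"):
    """Return {post_id: [reasons]} for the signs described in the post."""
    rows = db.execute("""
        SELECT p.ID, u.user_login, p.post_title, p.post_content, p.post_excerpt
        FROM wp_posts p JOIN wp_users u ON u.ID = p.post_author
        ORDER BY p.ID""").fetchall()
    suspects = {}
    for post_id, login, title, content, excerpt in rows:
        reasons = []
        hits = [s for s in INDICATORS if s in (content or "").lower()]
        if hits:                              # known spam-link string in the body
            reasons.append("indicator:" + ",".join(hits))
        if login == admin_login:              # posted under the "admin" account
            reasons.append("authored-by-admin")
        if not (excerpt or "").strip():       # hand-written excerpt is gone
            reasons.append("excerpt-empty")
        if not (title or "").strip():         # headline wiped
            reasons.append("title-empty")
        if reasons:
            suspects[post_id] = reasons
    return suspects

if __name__ == "__main__":
    for post_id, reasons in find_suspect_posts(build_sample_db()).items():
        print(post_id, reasons)
```

A post flagged only as `excerpt-empty` (ID 14 in the sample) is a weak signal on its own; it matters on sites where every story normally carries a hand-written excerpt.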
