Hacked WordPress sites

  • JW555

    (@jw555)


    I have numerous sites with different hosting companies, about 5 of the sites hosted with one company have been hacked. It is no big deal but I am trying to get to the bottom of how they got in.

    None of the sites has the same FTP & Password combination
    None of the sites have the same WordPress admin logins
    The WordPress admin logins are not default
    The passwords are strong and generated by a security system
    There is no common code, plugin or theme (e.g. Timthumb)

    The hack encodes all the PHP files, a bit like IonCube; it clickjacks users on the front end once a day, so the site loads normally on refresh.

    The backend is all messed up, although you can still log in.

    Looking at the backups, there are some random PHP files in the root. They tend to have two words separated by an underscore, e.g. Random_plate.php. The file is itself encoded; I suspect it is called by something.

    Anyone recognise the hack and what caused it?
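The two indicators described in this post (a file named like `Random_plate.php` dropped in the web root, and PHP bodies rewritten into an encoded blob) are the kind of thing a scan over the document root can flag. The following is an added example, not code from this thread or from WordPress; it walks a directory tree, flags `Word_word.php` files in the root, and applies a constructed obfuscation heuristic (a decoder call such as `eval`/`base64_decode`/`gzinflate`, or a single very long line). `build_sample_webroot()` creates a throwaway tree with constructed files so the script runs offline.

```python
import os
import re
import tempfile

# Constructed indicators based on the thread: a file in the web root named
# Word_word.php, and/or a body that looks encoded rather than hand-written.
NAME_PATTERN = re.compile(r"^[A-Za-z]+_[A-Za-z]+\.php$")
DECODER_CALL = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
LONG_LINE = 1000  # chars; encoded payloads are usually one huge line


def php_looks_obfuscated(text: str) -> bool:
    """Heuristic (assumption): a decoder call or a single line over LONG_LINE chars."""
    if DECODER_CALL.search(text):
        return True
    return any(len(line) > LONG_LINE for line in text.splitlines())


def find_suspicious_php(root: str):
    """Return sorted (relative_path, [reasons]) for PHP files that match an indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            # Only the web root itself should be free of stray Word_word.php files.
            if dirpath == root and NAME_PATTERN.match(name):
                reasons.append("unexpected Word_word.php in web root")
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    body = fh.read()
            except OSError:
                continue  # unreadable file: report separately in a real scan
            if php_looks_obfuscated(body):
                reasons.append("obfuscated/encoded content")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Constructed sample tree (not a real site): one clean file, two planted ones."""
    root = tempfile.mkdtemp(prefix="wproot_")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\ndefine('WP_USE_THEMES', true);\n"
                 "require __DIR__ . '/wp-blog-header.php';\n")
    # Dropped loader in the root: decoder chain around a long constructed blob.
    with open(os.path.join(root, "Random_plate.php"), "w") as fh:
        fh.write("<?php eval(gzinflate(base64_decode('" + "A" * 1200 + "')));\n")
    # Theme file with an injected decoder call appended after legitimate code.
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write("<?php /* footer */ ?>\n<?php eval(base64_decode('aGk=')); ?>\n")
    return root


if __name__ == "__main__":
    for rel, why in find_suspicious_php(build_sample_webroot()):
        print(rel, "->", "; ".join(why))
```

Run it against a copy of the site (or a backup), not the live tree, and compare the list against a known-good checkout: obfuscated code is legitimate in some commercial plugins, so every hit still needs a human look before anything is deleted.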

Viewing 10 replies - 1 through 10 (of 10 total)
  • I helped someone in a similar situation the other day, and it turned out his computer was compromised, and hacker used the user/passwords gathered from his computer to hack several of his blogs (setup much like yours).

    If nothing else, I recommend changing all passwords, then running a full malware scan on any computers you may have saved passwords on previously.

    Also, very important:
    NEVER use “admin” as your WordPress username.
    This just makes a would-be hacker’s job so much easier…

    SAME! On Jan 28, then the sunsabeeches came back on 5th Feb.

    They put a cURL request in there to download an Exploit Pack and zap your machine with a million viruses/trojans.

    I have pretty good security by practice, and this thing hit every site I have/run on 3 different servers in 2 different countries. The only common thread they had was WordPress on Apache.

    I’ve set up a Google Alert for this thing (which is how I found this thread) and this came up too: http://discussion.dreamhost.com/thread-134262-page-4.html

    While I know that this isn’t a WordPress-targeted attack, they did seem to know to change footer.php and home.php in addition to index.php.

    I’ve written a quick cleaner script that you can get off my website, but you have to have all files writeable for it to work, so it doesn’t always get ’em.

    Other than that, I’ve just been waiting around for somebody to write some sort of article on how to fix this and then how they found and punished the crap outta the bad guys.

    Good luck folks!
    -Judd

    Stacy (non coder)

    (@functionmunchkin)

    I had my install done by my host. Is it possible to delete user 1 and create a new user 1? This is the only account that keeps getting hacked.

    list2010@lunch.za.net

    (@list2010lunchzanet)

    The host may be running php code for all accounts as a single user.
    The host may have failed to set permissions so that user A cannot read user B’s configuration files.
    Your FTP password may be compromised.
    Your desktop could be hacked.
    Check the log files.

    esmi

    (@esmi)

    Stacy (non coder)

    (@functionmunchkin)

    What exactly should one be looking for in the logs? I’m seeing “[HTAccess] Failed to open,Permission denied” in the error log (cPanel).

    list2010@lunch.za.net

    (@list2010lunchzanet)

    If the site was hacked by HTTP, then you will (usually) see a POST that corresponds (somewhat) to the time stamp of the new and unwanted files. If you don’t see it, look at all the recent POST entries. If any machines accessed the backdoor shell, see when they first did so, and what happened before that. If your site was hacked by FTP, then you’ll see it in the FTP logs. If your site was hacked by another user on the box, then you’ll see exactly nothing.
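The procedure in this reply (find the POST that lines up with the timestamp of the unwanted files, then look at what each machine that reached the backdoor did before its first hit) can be run over an Apache access log with a short script. The following is an added example, not code from the thread; the log lines, IP addresses and file mtime are constructed, and `posts_near()` / `backdoor_timeline()` are names chosen here.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def posts_near(log_lines, suspect_mtimes, window=timedelta(minutes=10)):
    """POST requests whose timestamp falls within `window` of a suspect file's mtime."""
    hits = []
    for line in log_lines:
        e = parse_line(line)
        if e is None or e["method"] != "POST":
            continue
        for fname, mtime in suspect_mtimes.items():
            if abs(e["ts"] - mtime) <= window:
                hits.append({**e, "file": fname})
    return hits


def backdoor_timeline(log_lines, backdoor_path):
    """For each IP that requested the backdoor: its first hit and what it did before."""
    entries = sorted((e for e in map(parse_line, log_lines) if e), key=lambda e: e["ts"])
    timeline = {}
    for i, e in enumerate(entries):
        if e["path"].split("?")[0] == backdoor_path and e["ip"] not in timeline:
            before = [x["path"] for x in entries[:i] if x["ip"] == e["ip"]]
            timeline[e["ip"]] = {"first": e["ts"], "before": before}
    return timeline


# Constructed sample log (documentation-range IPs) and a constructed mtime for
# the dropped file; in practice read the real access_log and os.stat() the file.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Feb/2012:03:10:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1421 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Feb/2012:03:10:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Feb/2012:03:12:40 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Feb/2012:03:15:31 +0000] "GET /Random_plate.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Feb/2012:09:02:11 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Feb/2012:09:02:15 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SUSPECT_FILES = {"Random_plate.php": datetime(2012, 2, 5, 3, 13, 5, tzinfo=timezone.utc)}

if __name__ == "__main__":
    for h in posts_near(SAMPLE_LOG, SUSPECT_FILES):
        print("POST near", h["file"], ":", h["ts"].isoformat(), h["ip"], h["path"])
    for ip, info in backdoor_timeline(SAMPLE_LOG, "/Random_plate.php").items():
        print(ip, "first hit backdoor at", info["first"].isoformat(), "after", info["before"])
```

Two caveats from the reply itself still apply: if the server clock and the file mtime are in different zones the window needs adjusting (the script compares timezone-aware values, so convert the mtime with the correct `tzinfo`), and if the entry point was FTP or another account on the same box, the HTTP log will show nothing useful.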

    Stacy (non coder)

    (@functionmunchkin)

    Thanks everyone.

    @list2010@lunch.za.net

    The host may have failed to set permissions so that user A cannot read user B’s configuration files.

    Do you mean wp users or shared account users on the host? If wp , do you know where this is found?

    list2010@lunch.za.net

    (@list2010lunchzanet)

    If you run code to read other users’ wp-config.php files, you should get nothing except your own wp-config.php file. In many shared hosting environments you are likely to get something.

    Here’s some dumb code:
    http://pastebin.com/hCDyp89a (Let’s see if the link is permitted…)
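The isolation problem described in this reply has a defender-side check that stays inside your own account: look at the permission bits on your own `wp-config.php` and confirm that no other Unix account on the box can read it. The following is an added example, not the pastebin script linked above; it builds a throwaway `wp-config.php` with a constructed placeholder password in a temp directory, reports the exposure before and after tightening the mode to `0600`, and the function names are chosen here.

```python
import os
import stat
import tempfile


def config_exposure(path: str):
    """List the ways other accounts could read or change `path`, based on its mode bits."""
    mode = os.stat(path).st_mode
    problems = []
    if mode & stat.S_IRGRP:
        problems.append("group-readable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group/others")
    return problems


def harden_config(path: str):
    """Owner read/write only (0600); returns the remaining problems, ideally []."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return config_exposure(path)


def demo():
    """Constructed wp-config.php in a temp dir, first at the common 0644, then hardened."""
    workdir = tempfile.mkdtemp(prefix="wpcfg_")
    cfg = os.path.join(workdir, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php\ndefine('DB_PASSWORD', 'constructed-placeholder');\n")
    os.chmod(cfg, 0o644)       # typical default: anyone on the box can read it
    before = config_exposure(cfg)
    after = harden_config(cfg)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "ok")
    print("after: ", after or "ok")
```

Whether `0600` is usable depends on how the host runs PHP: under suPHP/FastCGI/PHP-FPM with one process user per account, the owner is the PHP user and `0600` works; under mod_php, where every site's PHP runs as the single web server user, a `0600` file breaks the site, and that same single-user setup is the first case in the reply above, which no file mode on your side can fix. The mode bits also say nothing about a parent directory being traversable, so check those as well.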

  • The topic ‘Hacked WordPress sites’ is closed to new replies.