Support » Fixing WordPress » My site was Hacked

  • Thread7

    (@thread7)


    My site was hacked. The home page had a warning message from SnipeR-BaghdaD with an email address hackerpro79@yahoo.com.
    Anyways, I’ve read some good posts in here on what to do in order to recover. Immediately after the discovery I got into admin and noticed I already have 2.8.4.
    I’m not sure which version I had before the problem. Maybe the hacker upgraded? But probably not. I was probably exploited with 2.8.4 on my system.
    So my question is this. I was using a template called Revolution Lifestyle 2.0. We had changed a lot of graphics, etc.
    Can certain templates have security vulnerabilities?

    Thanks.

Viewing 15 replies - 16 through 30 (of 37 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    Is this something I should be worried about or am I just paranoid now?

    You’ve been hacked so I don’t think a little paranoia is uncalled for…

    On the WordPress front, you can double check your database by exporting it to a text file and then look for things like hidden or <iframe, etc.

    The codex link above has more info via this post:

    How To Completely Clean Your Hacked WordPress Installation

    Check out item #8 to look for damage within your posts.

    On your webhost front, that gets a little tricky. If the hacker got in via file access from an insecure webhost, you might not be able to do anything yourself. The webhost would have to lock the server down. Check with your provider and see what they say.

    jdembowski, hopefully thread7 is still monitoring this post and hasn’t given up all hope of finding a solution.
    I believe thread7 was looking for people who have also suffered the virus and have immediate solution to getting rid of it and eliminating re-occurrence.

    I found the thread and also hoped someone would supply a fix. I felt I should comment on your comment as not responding to thread7’s direct request. Your help was in fact rather condescending, bleeding obvious and vague. As I also found no helpful responses to the request I had to trawl through my site and ferret out the source of the virus and fix.

    If thread7 is still around, here is what I found and did.

    The hacked front page can be removed by changing your theme template. Use a different template for the time being. Once changed, delete the corrupted template; you could upload a fresh uncorrupted version of your template.

    I am unsure of how the hacker gained entry or was able to change my password, but Cron jobs or RSS feeds could have something to do with it from viewing my access logs. You can modify these entry points.

    Entry was gained through a sub domain site. The virus drilled down and changed my template of my main site which has joomla installed.

    The hacker is lazy and sloppy and left tracks all through his code (a cry for attention?). Hopefully I can return the favor to him somehow.

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    Your help was in fact rather condescending, bleeding obvious and vague.

    Riiight. Sorry, but your behavior is rude and pointless. But keep trying.

    The hacked front page can be removed by changing your theme template.

    Or restoring a prior backup, or many other file modifications to the hacked files. That’s also “bleeding obvious”. As it’s bleeding obvious that if you don’t close the door that the attacker came in through, the script kiddie will be back.

    So, have you found out how the hacker gained access and modified those files? Was it via a poorly written script on your Joomla site or was it something in a WordPress installation such as a plugin or theme? Was it on a shared host and the file permissions were not hardened?

    I’m not being condescending here: Since you are trying to help Thread7 and others, why not share how the attack was implemented on your system? That might help others who have had their site defaced too.

    On the WordPress front, you can double check your database by exporting it to a text file…

    I just ran across this: anywhereindb. Haven’t tried it but it looks handy. Maybe it will help someone.

    @jxrtau

    I am unsure of how the hacker gained entry or was able to change my password, but Cron jobs or RSS feeds could have something to do with it from viewing my access logs. You can modify these entry points.

    Entry was gained through a sub domain site. The virus drilled down and changed my template of my main site which has joomla installed.

    The hacker is lazy and sloppy and left tracks all through his code (a cry for attention?). Hopefully I can return the favor to him somehow.

    Bullshit.

    You have absolutely no idea what happened, or what you are talking about.

    Nile Flores

    (@blondishnet)

    Yoast Support

    None of you do and it is both funny and irritating at the same time.

    If you were concerned to have read my reply – oh no, I am a woman, but I have been webhosting for more than 5 years.

    Your site/server had not been targeted personally as a means to get at you. It was someone who decided to hack 5000 websites for their pure enjoyment. It happens. Grow up, start your site over with a fresh and up to date version as even suggested by Matt Mullenweg himself, and make sure your webhost took care of the issue on their end by securing the server.

    So sorry to hear about your site being hacked… you are not the only one who has been. Instead, please read the valid suggestions made by myself and the only other logical person who responded jdembowski.

    Hey…any mods want to close up the topic before more ridiculous comments are shared?

    Thanks jdembowski for your tips.

    Check your user list for hidden admin users and remove any that aren’t authorized. We suffered a similar hack a couple of months ago and that is how continuing access was gained.
    As for the comment about all vulnerabilities being in previous WP versions, do you not think the hack weenies are all over a new build from the day it hits beta release? They aren’t going to procrastinate in starting their search for new holes to exploit.
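    As an added example (not code from this thread, from WordPress, or from any of the posters), the two checks suggested above can be run over the same export: jdembowski’s advice to dump the database to a text file and search it for hidden markup or <iframe, and this reply’s advice to look for admin users you did not create. The Python script below scans a constructed mysqldump snippet for injected markup in posts and lists every user holding the administrator capability, so the ones you do not recognise stand out. The table layout and sample rows are constructed, the pattern list is a starting point rather than a complete one, and the row splitter is naive (it splits on `),(`, which a real dump can contain inside post content).

```python
import re

# Markup an editor would search an exported database for (constructed list,
# not exhaustive): injected frames/scripts, and CSS used to hide spam links.
SUSPICIOUS_PATTERNS = ("<iframe", "<script", "display:none",
                       "visibility:hidden", "eval(", "base64_decode(")

# Constructed mysqldump excerpt: a real admin (jsmith), a second admin nobody
# created (wp_support), one clean post and two posts with injected markup.
SAMPLE_DUMP = r"""
-- MySQL dump (constructed sample)
INSERT INTO `wp_users` VALUES (1,'jsmith','$P$BhashA','jsmith','j@example.com','','2009-08-01 00:00:00','',0,'J Smith'),(7,'wp_support','$P$BhashB','wp_support','x@example.com','','2009-09-12 03:11:09','',0,'wp_support');
INSERT INTO `wp_usermeta` VALUES (12,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}'),(13,7,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}'),(14,7,'wp_user_level','10');
INSERT INTO `wp_posts` VALUES (5,1,'2009-09-01','2009-09-01','Welcome to the site.','Hello','publish'),(6,1,'2009-09-12','2009-09-12','Welcome.<iframe src=\"http://malicious.example/x\" width=0 height=0></iframe>','About','publish'),(9,1,'2009-09-13','2009-09-13','<div style=\"display:none\"><a href=\"http://spam.example/\">cheap</a></div>','Contact','publish');
"""

INSERT_RE = re.compile(r"INSERT INTO `(\w+)` VALUES (.*);$")


def split_rows(values):
    """Split the VALUES part of a mysqldump INSERT into row strings.

    Naive split on '),(' -- adequate for this constructed sample; a real dump
    with that sequence inside post content would need a proper SQL tokenizer."""
    body = values.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    return body.split("),(")


def scan_dump(dump_text):
    """Return suspicious posts, administrator user ids and the id->login map."""
    findings = {"suspicious_posts": [], "admin_user_ids": [], "logins": {}}
    for line in dump_text.splitlines():
        m = INSERT_RE.match(line.strip())
        if not m:
            continue
        table, values = m.group(1), m.group(2)
        for row in split_rows(values):
            if table.endswith("_posts"):
                # wp_posts: first column is the post ID; search the whole row.
                post_id = int(row.split(",", 1)[0])
                hits = [p for p in SUSPICIOUS_PATTERNS if p in row.lower()]
                if hits:
                    findings["suspicious_posts"].append((post_id, hits))
            elif table.endswith("_usermeta"):
                # wp_usermeta: umeta_id, user_id, meta_key, meta_value.
                # Roles live in the serialized <prefix>_capabilities value.
                um = re.match(r"\d+,(\d+),'(\w+_capabilities)','(.*)'$", row)
                if um and "administrator" in um.group(3):
                    findings["admin_user_ids"].append(int(um.group(1)))
            elif table.endswith("_users"):
                # wp_users: ID, user_login, ... -- keep the login for reporting.
                u = re.match(r"(\d+),'([^']*)'", row)
                if u:
                    findings["logins"][int(u.group(1))] = u.group(2)
    return findings


def unexpected_admins(findings, known_logins):
    """(user_id, login) for every administrator whose login you did not list."""
    return [(uid, findings["logins"].get(uid, "?"))
            for uid in findings["admin_user_ids"]
            if findings["logins"].get(uid) not in known_logins]


if __name__ == "__main__":
    result = scan_dump(SAMPLE_DUMP)
    for post_id, hits in result["suspicious_posts"]:
        print("post", post_id, "contains", ", ".join(hits))
    for uid, login in unexpected_admins(result, {"jsmith"}):
        print("unexpected administrator:", uid, login)
```

    Against a real export, call scan_dump(open('dump.sql').read()) and pass the logins you actually created to unexpected_admins(); anything it returns is worth checking in the Users screen before you remove it, and every post it flags should be fixed from a known-good copy rather than edited in place.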

    I have had 3 sites hacked THREE times. I have wp-security scan, all in one seo, all plugins updated. Built all three sites in 2.8.4, and now have web clients breathing down my neck telling me NOT to use wp. Don’t want to give up that easily.

    I have done extensive scanning on my laptop to make sure it didn’t have a keylogger or anything pernicious running, hours of testing came back negative.

    Checked with host, they have everything going fine.

    I am using very encrypted passwords….

    Somebody please HELP HELP HELP!

    Sniper-Baghdad……

    I know how to restore the sites, search find for code in index page, which is usually buried on some back page….

    I’m desperate!

    J

    Pls somebody help and take this seriously!!!!!! 2.8.4 is NOT secure in my estimation.

    Continued…let me add, the database is fine. There are no hidden admin users. FTP was not breached. Only my wp sites.

    I rec’d notice from web client that site was hacked (again, and again for third time.)

    Each time, I went in and found the offending page, uploaded a fresh one which immediately restored the site. Checked all pages just in case.

    Then changed username AND password once again.

    Double checked the wp-security-scan. Have htaccess in wp-admin. Username is never “admin.”

    I’ve read everything I can find on wp forum about hardening security, but I’m really stumped this time.

    I have several plugins, all updated. Don’t know where the hole is?

    whooami

    (@whooami)

    Member

    bmoon, I have a plugin that might help find a hole, if one is to be found. I don’t know that I would put it on a client’s site though .. but if you have a personal one that’s having trouble.

    hi bmoon,

    I have noticed both you and thread7 are using similar plugins (as are others who have recently suffered).

    If you don’t really need them – my advice would be don’t use them!

    Make sure your hosting provider is a good one! – if you run your own servers and you’re having security issues – I’d stop now and outsource it. Are your three sites sharing the same space? or on separate accounts?

    Double check your laptop again (bit outside the scope of this thread), but – bit defender online scan and spybotSD are good places to start for the basics.

    Wipe your server space clean (everything! e.g. cgi-bin, etc), wipe your database and any other DBs you may be running (e.g. for joomla), change all ftp logins and start again!

    Download the latest WP again and run a fresh install – Keep everything as simple as you can (except your passwords lol). Change all your MySQL connect settings. Set your DB privileges appropriate to your use (more secure the better). Only keep the one theme you’re using online and always update it… any additional javascript you may use – make sure it comes from a good/reliable source!

    If you can help it, don’t re-use a backup as the issue could still be in it! (check that separately and thoroughly).

    If you or anyone gets hacked, please list all details about what you were using – as much as possible as it may help highlight an issue with a third party item.

    good luck!

    Hi again, and thanks for some quick responses.

    Ran over 10 hours of scans on my laptop, avg, spybot, malwarebytes, atf cleaner….had it get rid of some malware ad stuff, then reran every program again til it was clean.

    What’s the plugin whooami, that you suggest for finding holes???? Would love to try.

    Great suggestions JimZippy……and tomorrow is a new day, and will try them all. Thanks.

    J

    What about AskApache Password protecter??? or even purchasing ssl for the admin?

    Yes, I’ve got a few of my own sites running 2.8.4 too...will try on mine first, but it’s my clients who are getting hacked.

    yes, secure server and all sharing the same one....interesting, I know.

    J

    A few more things I’m finding on security…

    FROM
    http://codex.wordpress.org/Hardening_WordPress

    Securing wp-config.php

    You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder. Note that wp-config.php can be stored ONE directory level above the WordPress (where wp-includes resides) installation.

    **I tried moving the wp-config.php and it broke stuff. I moved it to one level above web-root. So what is the other trick to making this work? And is this considered a good move?

    Thanks again and always, for the help.
    J
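    The Codex passage quoted above says wp-config.php may sit one directory above the install. As an added example (not code from the Codex, this thread, or WordPress itself), the Python script below mirrors the lookup order WordPress’s wp-load.php uses when it looks for the file: the install directory first, then the parent, but the parent copy is only used when the parent does not itself contain a wp-settings.php. That rule is one way the move can “break stuff”: a WordPress site installed inside another WordPress site’s directory never sees a config moved up one level. The script also checks that the file is not world-readable, since it holds the database credentials. The scratch directory layouts, paths and file modes are constructed.

```python
import os
import stat
import tempfile


def locate_wp_config(abspath):
    """Decide which wp-config.php a WordPress install at `abspath` would load.

    Mirrors the lookup order in WordPress's wp-load.php: the install directory
    first; otherwise the parent directory, but only when that parent does NOT
    itself contain a wp-settings.php (a parent that is its own WordPress
    install is deliberately ignored). Returns a (status, path) pair."""
    abspath = os.path.abspath(abspath)
    local = os.path.join(abspath, "wp-config.php")
    if os.path.isfile(local):
        return "install-dir", local
    parent = os.path.dirname(abspath)
    above = os.path.join(parent, "wp-config.php")
    if os.path.isfile(above):
        if os.path.isfile(os.path.join(parent, "wp-settings.php")):
            return "parent-shadowed", None
        return "parent-dir", above
    return "missing", None


def world_readable(path):
    """True when 'other' can read the file; a config holding DB credentials
    should not be, whichever directory it sits in."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo():
    """Build two constructed layouts in a scratch directory and run the checks;
    on a live host you would call locate_wp_config('/path/to/docroot')."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # Layout A (constructed): docroot is a/public_html, config moved to a/,
        # and a/ is not a WordPress install -- this is the Codex's supported case.
        doc_a = os.path.join(root, "a", "public_html")
        os.makedirs(doc_a)
        open(os.path.join(doc_a, "wp-settings.php"), "w").close()
        cfg_a = os.path.join(root, "a", "wp-config.php")
        open(cfg_a, "w").close()
        os.chmod(cfg_a, 0o600)  # owner-only: the web server user should own it
        status, path = locate_wp_config(doc_a)
        results["moved_up"] = (status, path == cfg_a,
                               path is not None and world_readable(path))

        # Layout B (constructed): b/ is itself a WordPress install and b/blog is
        # a second install nested inside it; b/blog's config moved to b/ is
        # ignored because b/wp-settings.php marks b/ as an install of its own.
        doc_b = os.path.join(root, "b", "blog")
        os.makedirs(doc_b)
        open(os.path.join(doc_b, "wp-settings.php"), "w").close()
        open(os.path.join(root, "b", "wp-settings.php"), "w").close()
        open(os.path.join(root, "b", "wp-config.php"), "w").close()
        results["nested"] = locate_wp_config(doc_b)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

    If the locator reports parent-shadowed for your docroot, the moved file is never read and WordPress falls through to its setup screen, which looks exactly like “it broke stuff”; either keep the config in the install directory or give the nested site a parent that is not itself a WordPress install. A config the locator does find but reports as world-readable should have its mode tightened before anything else.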

    I have to believe that everyone else has noticed that the variety of compromised platforms that bear this “hackers” signature, would seem to imply that WordPress is not a singular target. I will admit that 2.8.4 not being secure is probably going to be a given at some future point. Someone will find something, once again… to exploit. I guess that’s just how the game is played… but I’m not yet ready to come to the conclusion that WordPress itself is the responsible entry point on this one. All I’m saying, (at the risk of driving any other gender-insecure individuals to express their obvious omnipotence) is that it would be nice to see a common lowest denominator on this one. Shared environments? Malware based ftp compromise? Specific server configuration issues? This would seem to be a growing vBulletin issue as well. Does anyone know if a honeypot of some sort is possible on sites that have been repeatedly abused?

  • The topic ‘My site was Hacked’ is closed to new replies.