WordPress.org

Support

Support » How-To and Troubleshooting » Site Hacked over and over WordPress 2.5.1 Please Help!

Site Hacked over and over WordPress 2.5.1 Please Help!

  • I have a WordPress site that is getting attacked over and over. Whoever or whatever is doing it, edits my theme index.php and fills is with Viagra spam links.

    Has anyone had this happen in the latest release and, why does this continue to happen even when I spend hours upgrading ?

    please help!

Viewing 14 replies - 1 through 14 (of 14 total)
  • Moderator Jan Dembowski

    @jdembowski

    Volunteer Mod. & Brute Squad

    They’re editing the index.php file? Your host is compromised.

    Change your password on your server and in WordPress; re-upload all the files from http://wordpress.org/ and inform your hosting company.

    Also give this entire article a read: http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    Good Luck.

    Edit: Also which index.php? And is this a UNIX box?

    Well… it’s my header that’s being hacked.

    This appears right after the <body> tag. It positions them out of view but they’re there. Even when I delete them they come back.

    How are they accessing my header.php >? Any suggestions?

    This is what it looks like.

    <!--linksb-->
    <div style="position:absolute; left:-1130px; top:-1003px;">
    <a href="http://www.news.appstate.edu/wp-content/uploads/.thumbs/viagra/viagra.html">viagra </a>
    <a href="http://www.news.appstate.edu/wp-content/uploads/.thumbs/viagra/viagra-pills.html">viagra pills buy</a>
    
    +hundreds more links....................................
    
    <!--linkse-->

    What the?????

    I got back from vacation Sunday and discovered that my index.php file was hacked. Yes, I removed the vile code (actually, someone at my host, IX Hosting, did it for me), I’ve changed the password, updated WordPress, etc.

    One thing I haven’t done is check my .htaccess file. I can’t find it to check it.

    Lincoln

    I have recently been learning about permissions, and provided several links to articles about permissions that should be used for WordPress here.

    You should check that all folders are set to 755 or stricter, and that all files are set to 644 or stricter. Please check and report back.

    Thanks Flammo,

    All permissions appear to be set correctly. I checked this yesterday.

    I found these users in phpmyAdmin as recent members:

    pornvigra[at]gmail.com

    canadapharma[at]izmail.net

    Also, users have been complaining about not being able to login. A couple people told me their passwords weren’t working and when they try to get a new one it won’t work either.

    I get this when I request one /wp-login.php?action=rp&key=us4mN!AG!RS^

    I think my database has been hacked.

    So to double check, you have no folder permissions greater than 755, and no file permissions greater than 644?

    I don’t know what else to say other than to make sure you change your database password AND username to help slow them down. The real question is how did they work out what it was to be able to hack it?

    One thing to look at is check that you have mod_openbasedir installed in Apache. This means (I think) that contents of PHP files can only be parsed, and not read. Clearly then, if this is not installed, then your wp-config.php file could be easily read. (Mind you, I don’t know why any server wouldn’t have this installed, but good to check).

    Yesterday a comment appeared from one of my ‘test’ sites that I had actually forgotten about. What made this comment of particular interest was that it looked like it had some strange code, but I did recognize the word ‘Viagra’ (which was mentioned by a poster that a hacker left as an ad on his site.)

    Immediately upgraded the site to WP-2.5.1 and changed passwords.

    >I’ve changed the password

    That may not be a sufficient solution if they cracked the password with a known username.

    >You should check that all folders are set to 755 or stricter

    What does the CHMOD of 755 really mean? You want to show off the lists of files to people who don’t have to see and let them download files?

    What does the CHMOD of 755 really mean? You want to show off the lists of files to people who don’t have to see and let them download files?

    What does it really mean?

    Try this

    Yes… I know. I was attempting to elicit an intelligible response from macsoft3. That drive-by shooting of a jumble he left above wouldn’t help anyone. My sarcasm was apparently lost in the process.

    …but thank you for the effort!

    🙂

    Moderator Samuel Wood (Otto)

    @otto42

    WordPress.org Tech Dude

    Read this:
    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    Hacked sites get backdoors left behind in them for the hacker to get back in even after you fix the problem or upgrade. You have to find and eliminate those holes.

    Man, had I found this a week ago it would have saved me some time.

    exploit-scanner

    This plug-in found a couple problems right off the bat.

    It detected this in my upload directory. (I wont post the whole thing but what the???)

    2008.php

    error_reporting(7);
    @set_magic_quotes_runtime(0);
    ob_start();
    $mtime = explode(' ', microtime());
    $starttime = $mtime[1] + $mtime[0];
    define('SA_ROOT', str_replace('\\', '/', dirname(__FILE__)).'/');
    //define('IS_WIN', strstr(PHP_OS, 'WIN') ? 1 : 0 );
    define('IS_WIN', DIRECTORY_SEPARATOR == '\\');
    define('IS_COM', class_exists('COM') ? 1 : 0 );
    define('IS_GPC', get_magic_quotes_gpc());

    And this:

    fx__2008.php

    <?php
    @error_reporting(E_ALL);
    @set_time_limit(0);
    global $HTTP_SERVER_VARS;
    
    define('PASSWD','   ##$#@!!   ( I removed this for obvious reasons) ');
    
    function say($t) {
      echo "$t\n";
    };
    
    function testdata($t) {
      say(md5("mark_$t"));
    };
    
    echo "<pre>";
    testdata('start');

    Please try to avoid 777 folder permissions, because with such permissions your site becomes unsecured.

Viewing 14 replies - 1 through 14 (of 14 total)
  • The topic ‘Site Hacked over and over WordPress 2.5.1 Please Help!’ is closed to new replies.