WordPress.org

Support

Support » How-To and Troubleshooting » SQL attack on wpress 2.9.2

SQL attack on wpress 2.9.2

  • They changed my wp-options siteurl to be an iframe pointing to networkads.net/grep

    The site was not loading correctly so I was able to find this in phpmyadmin.

    I have had a rash of hacks lately and talked to Network Solutions (my host) They tell me all of their wordpress sites are getting banged up, but their servers are clean.

    I use the bad behavior plugin with a honeypot key, and that makes me feel a little better. I also use the URL injection technique as discussed here:
    suggested by this site:
    http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/

    Anyone else having problems?

Viewing 15 replies - 1 through 15 (of 150 total)
  • yes i am having exactly same issue. My host is “network solutions”. how can i fix it?

    Thanks.

    burkestar
    Member

    @burkestar

    Yes, I was attacked as well after upgrading to WP 2.9.2 yesterday on Network Solutions.

    How I resolved it:

    1. Using Network Solution’s MySQL admin console, browse to the wp_options table and change the value for “siteurl” to be your blog’s URL like “http://example.com/wordpress”.
    2. Edit wp_config.php to override value of SITEURL (this way even if the database value is altered, it gets overridden by the config value)

    Make sure to backup your database using Network Solution’s admin console and enable the daily automated backups.

    Samuel B
    Participant

    @samboll

    First of all…whoever burkestar is, is a genius!!!!!!Thank you!!!!!!

    One other question, how do I “Edit wp_config.php to override value of SITEURL (this way even if the database value is altered, it gets overridden by the config value)”?

    I know how to edit the config file, but what and where exactly am I altering in there?

    Thank you again!!!!!!!!!

    Samuel B
    Participant

    @samboll

    First of all…whoever burkestar is, is a genius!!!!!!Thank you!!!!!!

    did you read my post?
    that does not stop the hack!

    Not sure what you mean? Will it “break” again? I apologize I am not too familiar with database functions and may be over my head. My site is back now, will it be short lived?

    My site is back now, will it be short lived?

    yes, you fixed the symptom. But you have a hole somewhere, a weakness or exploit. Which is how the hack got in. If the exploit is not fixed, you are as vulnerable as you were before.

    That’s why the reading @samboll posted is very important…. you’ve gotta root out the problem or the hacks will return, and could get worse

    Not as happy as I was 10 minutes ago! OK, I am reading those posts and I guess I will try to do what they say, but it truthfully may be over my head.

    Thanks for the help. Any shortcuts that you may know of are appreciated, but thanks for the info.

    sorry…there are no shortcuts unfortunately. You’ve gotta be super thorough

    http://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

    here’s a sample of the crap I went through when I got hacked a couple times, if ya feel like reading more

    Thank you. This is a stupid question, but how do I scan my ftp server? Do I literally read every line of code or is there a scanning plugin/software?

    how much stuff do you have on there? I just had WP sites, so what I did was reinstall WP from the upgrade section (it just reinstalls the same version of WP I have now)

    That made all my WP files have the same timestamp…the current date and time

    Then I looked into my directories for any files that didn’t get updated (had different timestamps) and looked at them for bad code.

    I’m sure there’s gotta be an easier way….it’s just how I do things. Took a few hours, I have 6 WP installs running

    Good call, thanks.

    This server only has WP on it for the most part.

    Fingers crossed.

    PsionStorm
    Member

    @psionstorm

    I’m having a hard time finding the MySQL or wp_options table. Could someone point me in the right direction? Is this something I could or should navigate to with FTP?

    @psionstorm You can’t get to it through FTP, you need to access it through your web host panel – usually they provide direct access via an application called phpMyAdmin. If you can’t find it I’d call your host and ask.

    Also, this only fixes the symptoms of the problem as samboll noted above – the hackers can easily get in through the same door unless you take the proper steps. Read the links he posted above.

    DanClarkePro
    Member

    @danclarkepro

    Did the fix above, fixed mine, will speak to Network Solutions in the morning, odd how only one of my wordpress installations was hit, even though there were another 4 in the same directory, and same account on Network Solutions.

    Is anyone having this problem, who isn’t on Network Solutions? As this also happened to a client of mine, I am trying to narrow down what is the cause.

    We have changed SQL passwords, login passwords, main password and FTP passwords, but still not sure what caused it!

Viewing 15 replies - 1 through 15 (of 150 total)
  • The topic ‘SQL attack on wpress 2.9.2’ is closed to new replies.