• dugbug

    (@dugbug)


    They changed my wp-options siteurl to be an iframe pointing to networkads.net/grep

    The site was not loading correctly so I was able to find this in phpmyadmin.

    I have had a rash of hacks lately and talked to Network Solutions (my host). They tell me all of their wordpress sites are getting banged up, but their servers are clean.

    I use the bad behavior plugin with a honeypot key, and that makes me feel a little better. I also use the URL injection technique as discussed here:
    suggested by this site:
    http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/

    Anyone else having problems?

Viewing 15 replies - 16 through 30 (of 150 total)
  • MikeTek

    (@miketek)

    I’m having a hard time locating the back door they used in this case. Site is back up and running clean (with clean files and a DB restoration), but obviously this is shaky ground until we find out how they got in.

    If anybody figures it out please post it here – it may not be the same for all of us, but it’ll be worth a look (especially considering this seems to be focused on WordPress sites hosted on Network Solutions).

    PsionStorm

    (@psionstorm)

    I figure my first step is to fix the symptoms so the site can at least function while I work on getting the root of the problem addressed. I’ll try to track down this phpMyAdmin.

    I’m using NetSol as well, for what it’s worth.

    Thanks!

    PsionStorm

    (@psionstorm)

    Ok, I found the phpMyAdmin and made the site url change. Having trouble finding step 2.

    “Edit wp_config.php to override value of SITEURL (this way even if the database value is altered, it gets overridden by the config value)”

    Is that in a different location?

    Sorry to be a pest, I’m really not all that knowledgeable with php.

    wp-config.php is a file. It’s on your host, accessible by ftp or file manager, it’s in your root or WP directory

    http://codex.wordpress.org/Changing_The_Site_URL

    these instructions tell you how to change url in wp-config.php

    PsionStorm

    (@psionstorm)

    Thank you!

    Thread Starter dugbug

    (@dugbug)

    @psionstorm. Gotta start your forensics somewhere. Get back your site and roadblock visitors to an under maintenance banner because the hack will come back and you don’t want to be a carrier (or have google or other sites decide to block access to you)

    @miketek

    I can’t find the door either. Clean site and clean DB and the attack reoccurred this morning. I don’t get it. I have the usual hardening as mentioned in those “harden your site” suggestions.

    Funny thing about the siteurl though is that it looks like splash overrun from a neighboring SQL variable… like the injection did not go as planned, which is why the site breaks. I mean, who puts HTML in the siteurl dbase var? It screwed up everything so it obviously served no purpose for the attacker.

    At this point, I hired a security service that is familiar with wordpress and they scrubbed all files and the dbase but did not find any backdoor. Apart from two things, the service largely agreed that the site was well hardened.

    1) I do not have an SSL https protected login
    2) I do not use .htaccess to password protect the /wp-admin area. Which is on purpose, as how else do users use my forum or comments section if I require some global master password.

    Network Solutions swears they are fantastic and nothing is wrong with the server itself. In fact if you mention wordpress suddenly ANYTHING is not their fault. Even if ping isn’t working.

    So I dunno. We are studying logs now and we play the wait game. Gotta find the door.

    PsionStorm

    (@psionstorm)

    I’m thinking about just wiping the whole site out and doing a brand new install per http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    I’ve scanned the entire FTP structure to see if anything’s been modified recently. I can’t find anything. It’s not a site I update on a daily basis, or even a weekly basis, so any recent changes/updates to files should stick out like a sore thumb… and they’re not. 🙁

    I made the changes per burkestar’s recommendation and the site still looks completely off. I can’t even log into WordPress through the wp_admin page.

    I think it’s time to start anew. Ugh!

    MikeTek

    (@miketek)

    @dugbug Same here – can’t find a thing. It clearly didn’t go their way, you’re right, but however they got in it’s likely they can come in through the same door next time. If I find anything I’ll post it here.

    @psionstorm I had the same problem – broken front end and the /wp-admin/ login was kicking up that <iframe> from networkads.net.

    If you have a backup of site files and your DB you should be able to roll back to a day or so ago and be alright.

    Failing that, if you’ve checked your files thoroughly and can’t find any back doors there, it’s got to be in your DB. Direct access via phpMyAdmin can help – and try running some of the SQL queries in that Smackdown post you linked to above. I know this hack uses an iFrame so try the first query:

    SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'

    If all of that fails…well…I don’t know what to tell you.

    Thread Starter dugbug

    (@dugbug)

    @psionstorm

    You have network solutions right? If so you have access to the phpadmin screen. From your account services home page click on nsHost in the sidebar, then (I think) maintenance. Something takes you to the backups section. There, there is a “database” option and on that page you have access to your blog(s) databases and a button on the far right to launch myphpadmin.

    Once in myphpadmin, click on the top-left link, which is essentially “the entire database”. A search option in the right-pane top area is now available. Click on it, and then in the search field enter a single string like iframe and hit Go.

    That’s a little easier than the SELECT * from certain tables and it covers your entire database.

    At least you can get your site back, export your posts, and what not.

    This is all from memory, and if you want I’ll actually recreate the steps for you later.
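    To run the same database-wide search offline, against an export rather than through phpMyAdmin, here is an added Python example that is not from this thread or from WordPress itself. It parses a mysqldump-style file, reports every table, row and column whose value contains an <iframe> (so it covers wp_options, wp_posts and wp_comments in one pass, not just the single wp_posts query earlier in the thread), and compares the siteurl/home rows in wp_options against the value you expect. The dump text below is constructed and the column layouts are simplified; the only real value in it is the networkads.net address already mentioned in the thread.

```python
import re

# Constructed mysqldump-style excerpt (not a real export); column layouts are simplified.
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES (1,'siteurl','<iframe src=\"http://networkads.net/grep\"></iframe>','yes'),(2,'home','http://www.example.com','yes'),(3,'admin_email','admin@example.com','yes');
INSERT INTO `wp_posts` VALUES (10,'Hello world','<p>Welcome</p>','publish'),(11,'Ad post','<p>hi</p><iframe src=\"http://evil.invalid/x\"></iframe>','publish');
INSERT INTO `wp_comments` VALUES (1,10,'Nice post! It''s great.');
"""

# One INSERT per line, as mysqldump writes them by default.
INSERT_RE = re.compile(r"^INSERT INTO `(?P<table>\w+)` VALUES (?P<values>.*);\s*$", re.M)


def parse_values(text):
    """Split the VALUES part of an INSERT into rows of string fields.
    Handles single-quoted strings with backslash escapes and doubled quotes ('')."""
    rows, row, buf = [], [], []
    in_str = in_row = False
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if in_str:
            if c == '\\' and i + 1 < n:                          # backslash escape, e.g. \" or \'
                buf.append(text[i + 1]); i += 2; continue
            if c == "'" and i + 1 < n and text[i + 1] == "'":   # doubled quote inside a string
                buf.append("'"); i += 2; continue
            if c == "'":
                in_str = False
            else:
                buf.append(c)
        elif c == "'":
            in_str = True
        elif c == '(' and not in_row:
            in_row, row, buf = True, [], []
        elif in_row and c == ',':
            row.append(''.join(buf)); buf = []
        elif in_row and c == ')':
            row.append(''.join(buf)); buf = []
            rows.append(tuple(row)); in_row = False
        elif in_row and not c.isspace():
            buf.append(c)                                        # numbers, NULL, etc.
        i += 1
    return rows


def iter_tables(dump):
    """Yield (table_name, rows) for every INSERT statement in the dump."""
    for m in INSERT_RE.finditer(dump):
        yield m.group('table'), parse_values(m.group('values'))


def find_iframes(dump):
    """Return (table, row_index, column_index, value) for every field containing <iframe."""
    hits = []
    for table, rows in iter_tables(dump):
        for r, row in enumerate(rows):
            for c, val in enumerate(row):
                if '<iframe' in val.lower():
                    hits.append((table, r, c, val))
    return hits


def check_site_urls(dump, expected):
    """Return {option_name: value} for siteurl/home rows in wp_options that differ from expected."""
    bad = {}
    for table, rows in iter_tables(dump):
        if table != 'wp_options':
            continue
        for row in rows:
            if len(row) >= 3 and row[1] in ('siteurl', 'home') and row[2] != expected:
                bad[row[1]] = row[2]
    return bad


if __name__ == '__main__':
    for table, r, c, val in find_iframes(SAMPLE_DUMP):
        print(f'{table} row {r} col {c}: {val[:60]}')
    print('site URL mismatches:', check_site_urls(SAMPLE_DUMP, 'http://www.example.com'))
```

    Point it at a real export with `find_iframes(open('backup.sql').read())`; anything it reports in wp_options or wp_users is worth looking at before you restore, since a clean backup that still carries the injected row just brings the symptom back.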

    dpezzino

    (@dpezzino)

    Is anyone aware of a service professional who can assist me with this hacking issue? This is not my specialty.

    kellgell

    (@kellgell)

    you all have gone completely over my head. I was able to do step one in pstorm’s instructions but I still can’t access my log-in page. Would anyone be willing to help me out? I am hosted by Network Solutions also.
    Kelly

    Thread Starter dugbug

    (@dugbug)

    @dpezzino, @kellgel

    I am using sucuri.net to help get a better angle on things. Tell ’em Techulous (that’s our site that got hit) sent you and he will hate me as they will be cleaning up wpresses all week 🙂 Note I am just as new to this scene as you are, but he seems well informed and their tools they host do some cool things with your site.

    Maybe if we use the same site and you tell him we are all on the same service (network solutions, etc), more info can be gleaned from the larger data set.

    This is my first attack and we (were) a reasonably popular gaming site so I felt I owed it to have some experienced help.

    Also he will be able to see what plugins we all have in common, etc.

    kulmu

    (@kulmu)

    I am also being affected by a similar issue. I am on HostGator and was sent this by support:

    ***.**.**.*** - - [08/Apr/2010:11:32:39 -0500] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 32691 "http://www.SITEURL.com/wp-admin/themes.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ar; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"

    I am having problems across several sites with what appears to be an SQL injection attack that is modifying the Admin email to xpxd1@hotmail.com and also changing the password. It also is replacing the theme files to reflect the hack with some middle eastern text.

    Several of the blogs affected contain no Plug-ins aside from Block Bad Queries (BBQ) which was installed after the first blog was affected, but does not seem to help.

    I have put .htaccess restrictions in place on wp-admin in hopes it can prevent another attack. Removing the theme files did not resolve the issue.
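    For reading an access log like the one HostGator sent above, here is an added Python example that is not from this thread or from any host. It parses Apache combined-format lines, flags every request to the built-in theme and plugin editors (the page the log line above shows being fetched), and counts POSTs to wp-login.php per client address. The log lines are constructed and the addresses are from documentation ranges; the referer host is example.com rather than a real site.

```python
import re
from collections import Counter

# Apache "combined" log format, the layout of the line HostGator sent above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Built-in editors that let a logged-in admin write PHP into theme and plugin files.
EDITOR_PATHS = ('/wp-admin/theme-editor.php', '/wp-admin/plugin-editor.php')

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Apr/2010:11:30:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3152 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Apr/2010:11:30:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3152 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Apr/2010:11:30:07 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Apr/2010:11:32:39 -0500] "GET /wp-admin/theme-editor.php?file=header.php HTTP/1.1" 200 32691 "http://www.example.com/wp-admin/themes.php" "Mozilla/5.0"
203.0.113.5 - - [08/Apr/2010:11:33:10 -0500] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "http://www.example.com/wp-admin/theme-editor.php" "Mozilla/5.0"
198.51.100.9 - - [08/Apr/2010:11:35:00 -0500] "GET / HTTP/1.1" 200 8412 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_editor_hits(log_text):
    """List (ip, time, method, path, status) for every request to a file-editor page.
    A POST here is the request that actually saves edited PHP into a theme or plugin file."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec['path'].split('?', 1)[0]          # drop the query string before comparing
        if path in EDITOR_PATHS:
            hits.append((rec['ip'], rec['time'], rec['method'], path, rec['status']))
    return hits


def login_post_counts(log_text):
    """Count POSTs to wp-login.php per client IP; a long run from one address is password guessing."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['method'] == 'POST' and rec['path'].split('?', 1)[0] == '/wp-login.php':
            counts[rec['ip']] += 1
    return dict(counts)


if __name__ == '__main__':
    for hit in flag_editor_hits(SAMPLE_LOG):
        print('editor access:', *hit)
    print('login POSTs per IP:', login_post_counts(SAMPLE_LOG))
```

    An editor hit from a session you do not recognise means that account could write PHP straight into the theme, which is one way a “clean” file set gets re-infected after a restore. Setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes both editor pages entirely, and the same log parsing can be pointed at a rotated log with `flag_editor_hits(open('access.log').read())`.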

    kellgell

    (@kellgell)

    I just called Network Solutions and they’re going to restore my blog to a couple days ago. They were very nice about the whole thing. Now I just need to make sure it doesn’t happen again.
    Thanks!

    Thread Starter dugbug

    (@dugbug)

    @kellgell

    All these hosting sites have three day rollover backups and manual snapshots. If you only have the three day jobs and the hacker got in earlier in the week it won’t do anything but I REALLY hope it does! Just make sure you harden it after the reinstall or in a day they will just repeat the trick that got them in. It could even be a bot they are so automated these days.

    @kulmu

    Hardening would work prior to the hack (unless this is a new technique), but they have created a back door. They can do very simple things and they are in.

    If you want to get your site back in order to salvage what you can (and later set yourself up with a hardened variation) do some reading or use a service like is mentioned above.

    gosh good luck folks. I’ll post if I get any relevant info.

  • The topic ‘SQL attack on wpress 2.9.2’ is closed to new replies.