SQL attack on wpress 2.9.2
They changed my wp-options siteurl to be an iframe pointing to networkads.net/grep
The site was not loading correctly so I was able to find this in phpmyadmin.
I have had a rash of hacks lately and talked to Network Solutions (my host). They tell me all of their WordPress sites are getting banged up, but their servers are clean.
I use the bad behavior plugin with a honeypot key, and that makes me feel a little better. I also use the URL injection technique as discussed here:
suggested by this site:
Anyone else having problems?
Rif, yes. I also posted in the suggestions forum for WP to mod the installation to include the 640.
Does anyone at all have any concern about the following statement, given its failure to relay actual details about suspect file locations? Maybe I’m just misinterpreting what I’m reading, but jquery.js is included by default in WordPress at /wp-includes/js/jquery/jquery.js, and it’s not unusual to see it called in the source. Or are we actually dealing with the creation of a rogue directory that contains a file named “jquery.js”?
“The virus somehow infiltrates WordPress and adds a new file in your scripts directory called jquery.js and then inserts that file into the header or footer files of your site.”
I got that quote from Tech Cocktail (and now Network Solutions), but I can’t seem to find any specifics or originating source that contains more detail about the actual unwanted file location inside the WordPress folder. And I don’t think there is a directory in WordPress named “scripts” by default.
I would be grateful if anyone might be able to point me toward a more detailed source of information that I might have overlooked regarding the statement I quoted above. Thanks!
Yes, a different attack on the jquery, but still a pain in the a$$. Sheesh, it’s like hell has been unleashed on us.
Note that the cforms plugin comes with a copy of jquery, and there is one (as you say) that comes with WordPress. To NetSol users I recommend using the file manager from your account and doing a file search for jquery.js. There may be a few other legit plugins that provide a copy of jquery.
It would seem what they are trying to do is replace a file of similar name that would occur earlier in the search path?
Thanks to everybody for getting on this so quickly, especially dugbug and the folks at Sucuri.
One thing that may be of help for people with sites they still can’t access/administer:
It seems NetSol has been restoring databases from backup; mine was restored this morning around 9:30. They’ve also been changing database passwords.
So I have no idea when my site got hacked, or if it got hacked. All I know is that my site was down because the wp_config had my old password stored in it. I have ripped everything off the server, restored all files from a local backup, and changed my database password again via NetSol and in my wp_config (I assume NetSol changed my password, but I thought it prudent to change it again just in case). Now everything is fine, assuming the chmod advice does the trick.
Note re: NetSol: I’m curious when/if they were going to let people know about what they were doing to protect the hack from spreading. When I called this morning, I got nothing but finger pointing at the “WordPress Community” and a promise to “escalate the issue.” Simply saying that they restored my database from backup and changed my password would have been helpful.
Going to be interesting to watch NetSol unwind this.
Thanks again, everyone. You are all collectively awesome.
I got hacked again, this time with them redirecting to mainnetsoll.com/grep/. This was after yesterday cleaning my site, reinstalling WordPress 2.9.2, and changing all the passwords on my database, WordPress, and FTP portions. I also changed the permissions on wp-config.php to 640.
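As an added example (not code from this thread, nor from WordPress or Network Solutions), here is a small POSIX shell script that checks for the two things this thread keeps coming back to: the wp_options siteurl/home values being replaced with an iframe, and wp-config.php being readable by other users. The plain-text export format and the sample rows are assumptions constructed here.

```shell
#!/bin/sh
# Added example, not code from this thread, WordPress or Network Solutions.
# Two checks a site owner could run for what the thread describes:
#  1. siteurl/home rows of wp_options carrying injected <iframe>/<script> markup
#  2. wp-config.php readable by "other" users (the thread's fix is chmod 640)

# Return 0 when an option value looks like a plain URL, 1 when it carries markup.
option_value_is_clean() {
  case "$1" in
    *"<iframe"*|*"<IFRAME"*|*"<script"*|*"<SCRIPT"*|*"javascript:"*) return 1 ;;
    *) return 0 ;;
  esac
}

# $1 = text export of wp_options, one "option_name option_value" pair per line,
# e.g. from: mysql -N -e "SELECT option_name, option_value FROM wp_options" db
# Prints the number of siteurl/home rows that carry markup (0 = nothing found).
count_suspect_site_options() {
  bad=0
  while read -r name value; do
    case "$name" in
      siteurl|home)
        option_value_is_clean "$value" || { echo "SUSPECT $name: $value" >&2; bad=$((bad+1)); }
        ;;
    esac
  done < "$1"
  echo "$bad"
}

# Return 0 (true) when any permission bit is set for "other" on the given file;
# parsed from ls -l so it works on both GNU and BSD userlands.
world_accessible() {
  others=$(ls -ld "$1" | cut -c8-10)
  [ "$others" != "---" ]
}

# Constructed sample export: one clean row and one that looks like the
# injection the original poster found (hostname as written in the thread).
write_sample_export() {
  printf '%s\n' \
    'home http://example.invalid' \
    'siteurl <iframe src="http://networkads.net/grep/" width=0 height=0></iframe>' \
    'blogname My Blog' > "$1"
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp); write_sample_export "$tmp"
  echo "suspect rows: $(count_suspect_site_options "$tmp")"; rm -f "$tmp"
fi
```

Run it against a real export with `count_suspect_site_options /path/to/export.txt` and against the config with `world_accessible /path/to/wp-config.php && echo "wp-config.php is readable by others"`.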
Both my site and my wife’s site (hosted on Network Solutions) have been hacked. Initially, we solved the problems by restoring previous DB backups, but were hacked again.
I’ve been reading all of the comments and solutions, and the fact that Network Solutions wants everyone to sit tight until there is a fix. In the meantime, to protect our visitors, we moved our WP files into a new directory, and used Network Solutions web site builder tool, Image Cafe, to create a one-page “we’re having technical difficulties” site. This protects our viewers and gives us a breather from trying to fix this problem until a clear solution is detected.
It’s hard to sit back and not do anything about this, but it might be the wise thing to do letting the engineers and technicians figure it out.
Thanks, everyone, for the great community effort here in collectively helping us with your comments and suggestions. Just posted an update here: http://blog.networksolutions.com/2010/update-word-press-issue-fixed/
Thanks to ‘amcjoe’ for mentioning that Network Solutions changed people’s database passwords this morning. I changed the database username & password on my friend’s WP blog last night as well as changing all the table prefixes, and got the blog running again this morning, only to be greeted by a database error this afternoon. It turns out that NetSol changed the wp-config database password but did NOT update the db password.
But the main reason I’m posting this is to mention that I believe ‘woodja’ hit the nail on the head in his post 2 days ago. My friend’s blog is not even public yet, and the XML-RPC option is turned off in WP. After the first attack I turned on the raw logging function and saw the same IP ‘woodja’ mentioned and access of the xmlrpc.php file at the time of the second attack. I then compared the xmlrpc.php file to a fresh copy and they were identical, which indicates to me that a backdoor exploit exists within the file.
It might be possible to simply tighten up the file permissions for the file, but I’ve gone ahead and deleted the xmlrpc.php file. If you’d like to try this fix, first ensure the XML-RPC option is turned off (it’s in Settings > Writing under Remote Publishing), then delete the xmlrpc.php file from your WP installation either via FTP or using the File Manager.
First: To be clear, I am not a customer of Network Solutions.
Second: I am impressed by your (Network Solutions) active involvement in the community, and interaction with your customer base relative to concerns on this issue. I think that, in and of itself, says a lot about any service provider.
Lastly – and I assure you, it is purely because I personally am a pedantic, detail-obsessed individual who firmly believes in full disclosure – will there be any further detail (disclosure) on your (Network Solutions) part concerning this statement?
“-The root cause for this issue has been addressed.”
Such as the actual root cause as identified by Network Solutions.
@shashib: Good job!
Unfortunately, I can still see at least 13 more infected blogs on your servers.
Moreover, the attack seems to have a long history (at least from January), has several different incarnations, and is still evolving.
As you can see the problem is more serious than some of you might think.
You can find more details in my article:
Hope it will help.
If you need more addresses of hacked blogs, you can contact me here.
techcocktail.com has had an inline script that points to a flagged domain (promtacular.com) present since they went back online yesterday. I got a popup prompting me to “update my browser” when I visited them yesterday.
Right now the script points to an iframe from hxxp://mainnetsoll .com/ grep/. It is the same site (same IP) as the original “networkads .net” iframe.
Sent you my email address
Are you referring to techcocktail?
I have to say that I am thrilled with all this conversation, although I wish it didn’t have to happen. I got hacked in October on 10 sites and it was bad enough that I had to nuke my entire hosting account. I had backups for 3 months and it seems it must have been a time bomb because regardless of how far back I went, within 24 hours I was in trouble again. Now I NEVER get rid of a backup. I keep a gmail account for each site’s backup. And I do keep my sites updated regularly, so that wasn’t the problem.
I might add, the hosting company was not Network Solutions.
I will follow some of the solutions here though to prevent it from happening again.
I was disappointed to hear from NS telephone support that the only support option available to me was the offer to send me instructions on how to access the WordPress website. “NS does not support third party software”. What a chump! Didn’t even offer to provide a backup from a few days ago. I’ll keep reading here…