wordpress exploit inserts <script> code? (14 posts)

  1. mvettas
    Posted 7 years ago #

    Anyone aware of this? Since I installed WordPress on my server we have been attacked by what seems to be an exploit somewhere. Code is being inserted into every .html or .php page, which either redirects to a site with a virus or simply renders the page useless, giving visitors anti-virus software warnings. I am not 100% sure if it is due to WordPress, but it seems to have only started after installation. I have just upgraded to the most recent WP, so I am hoping this fixes it.

    Any help or advice would be great.


  2. macsoft3
    Posted 7 years ago #

    No offense, but such exploitation takes place at hundreds of mismanaged WP websites that I have seen here and there. The list of preventive measures is long, so I won't mention them.

    Good luck

    T. Blue

  3. ClaytonJames
    Posted 7 years ago #

    A list of preventive measures is long. So I won't mention them.

    ...of course not. No sense in doing that while responding to a request for help in a HELP FORUM!


    Such exploitation actually takes place at hundreds of mismanaged sites and servers regardless of the blogging/CMS platform being used. Updating your software is crucial to staying proactive in mitigating any threat, but updating after a successful breach rarely ever corrects the problem. If you search the forums using the keyword "hacked", it will reveal a virtual road map of links, questions, answers, and insight from many individuals who have had to deal with the same effects of an intrusion as you are facing now. Review logs, check file and folder permissions, inspect databases for admin users you know should not exist, check directories for content that does not belong, verify the integrity of your FTP account information, and contact your host if you truly suspect that it is not WordPress related. That being said:

    i have just upgraded to the most recent wp so i am hoping this fixes it.

    That suggests that you may have fallen behind in your diligence to keep WordPress updated, which suggests that perhaps you fell victim to a vulnerability in a prior version. Spend some time using that knowledge in your search queries. I would bet that something you find may ring a bell of similarity with your current situation. Best of luck tracking it down.


  4. UseShots
    Posted 7 years ago #

    In addition to the above suggestions...

    Check your own computer for viruses and spyware (trojans can steal your passwords).

    Check your .htaccess file. Sometimes those fake "anti viruses" add conditional redirects.

    Try some exploit scanner like WP Security Scan or WordPress Exploit Scanner.

    Hardening WordPress

  5. poshcoffee
    Posted 7 years ago #

    I've experienced much the same problem. I've contacted the host Midphase, and they seem about as excited about looking into this as they might be about going for a long walk in the Mojave desert in July.

    I'll download those security scans though and see if I can get to the bottom of this.

    A list of preventive measures is long. So I won't mention them.

    ...of course not. No sense in doing that while responding to a request for help in a HELP FORUM!

    That made me laugh.

  6. mikey1
    Posted 7 years ago #

    I really do agree with Clayton.

    but updating after a successful breach rarely ever corrects the problem.

    Once a site has been breached, upgrading can simply carry the problem with you.
    The biggest clue is

    i have just upgraded to the most recent wp so i am hoping this fixes it.

    @mvettas I hope you manage to resolve it.

    PS. If your users are getting anti-virus warnings, it sounds like Advanced XP Defender.

  7. poshcoffee
    Posted 7 years ago #

    So the answer then is to abandon the blog and domain entirely? Oh my word! :(

  8. mikey1
    Posted 7 years ago #

    Absolutely not!!
    If a blog has been exploited, it has to be fixed. In my experience a hosting company will never do this for you.

  9. ClaytonJames
    Posted 7 years ago #

    Is the site in this thread the one in question?


    I deleted wordpress
    I deleted her database and mysql user.
    I reinstalled wordpress using their one touch control panel, then reinstalled the theme (Dilectio) then the three or 4 plugins, then I manually reposted the 4 posts she had written.

    That takes a lot of possibilities out of the equation. The only thing I did notice (this one completely unrelated) is that the Dilectio theme is double nested (for future reference). What did you think of that antileech.php plugin? I don't know what version hers is, but I found a copy to download just to take a look inside. I did find some Base64 encoding in it. I don't know how those things work, but when I attempted to decode it, I got a binary file warning. Take that with a grain of salt, because I really can't say if it serves a legitimate function or not, but the general community feeling on code obfuscation is not a good one. It might be worth looking into... and I am of course assuming that I downloaded the same plugin, so another grain of salt there. It might be worth a look. Take a look in that error log in the plugins folder and see what that's about as well. Then check access logs for unwanted activity. (No doubt there's a lot of hits from me poking around for the last half hour or so; ignore me... I'll go away.)

    Your friend's version of WordPress still seems to be 2.6.1, so you may want to consider that as well. There were a couple of changes intended to mitigate SQL vulnerabilities in the 2.6.2 upgrade, so is it possible that could be a factor? Who can say. There really isn't a lot of content yet, so that's actually a plus.

    If it were me? ...Wipe it clean again. ALL folders and files... check for hidden ones as well with an ftp client. Save the posts again, reinstall clean with NO plugins other than akismet to start with, and watch to see what happens. Make sure your file and folder permissions are correct, and check your .htaccess permissions as well.

    Best of luck to you.

  10. poshcoffee
    Posted 7 years ago #

    Hi Clayton,

    Yes you assume correctly about Rachel's as yet not very used blog.

    Just to let you know, the malicious code is also on the default theme too, and I just noticed it in the HTML of the webalizer pages! Midphase promise they will look into this and, as I reverted to their one-button installation of WordPress which you rightly point out is only 2.6.1, they will also be doing a system-wide update of WordPress too.

    My problem is that speaking to their tech support is painful as they seem unable to grasp what is going on. I'm having conversations that go something like this:
    MP: "So you installed a script and it has a virus?"
    Me: "No, no. There is a script at the footer of the HTML which appears to be malicious."
    MP: "Oh, ok I see now."
    Me: "Great, so what do you suppose I can do about this?"
    MP: "Well sir, if you don't want it you could try uninstalling it."

    When I deleted everything, I used FTP and I blanked the whole lot. I then ran their one-button install which reinstalled everything from new. My guess at this stage is that this is something at their end.

    In the meantime, it's a long shot, but I poisoned the code that has been added maliciously to the site. I changed the call from 'function' to 'funtoin'. That's probably a waste of time, but I wondered if maybe this was being added manually and if so then a glance at that probably wouldn't catch the typo. Yeah, I know, silly idea.

    If Midphase don't get on top of this before the weekend I will tell them we're moving to a new host.
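The two symptoms discussed above, a script block appended to the footer of every page and conditional redirects planted in .htaccess (UseShots' suggestion), as an added example that is not part of the thread: a read-only scanner run over a constructed sample web root. The labels, patterns, sample files and the example.invalid host are my own assumptions, not anything posted by the participants.

```python
import os
import re
import tempfile

# Heuristics for the symptoms in this thread, as (file kind, label, pattern); labels and patterns are my own.
CHECKS = [(kind, label, re.compile(rx, re.I)) for kind, label, rx in [
    ("html", "script after </html>", r"</html>\s*<script"),
    ("html", "obfuscated inline script", r"<script[^>]*>[^<]{0,400}?(?:eval|unescape|String\.fromCharCode)\s*\("),
    ("php", "eval of decoded payload", r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    ("htaccess", "conditional redirect on referer/user-agent", r"RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}"),
    ("htaccess", "redirect to external host", r"RewriteRule\s+\S+\s+https?://"),
]]

def classify(name):  # which file kind a name belongs to; None means skip
    if name == ".htaccess":
        return "htaccess"
    return {".html": "html", ".htm": "html", ".php": "php"}.get(os.path.splitext(name)[1].lower())

def scan_file(path, kind):  # labels of every check that fires; the file is only read, never changed
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [label for k, label, rx in CHECKS if k == kind and rx.search(text)]

def scan_webroot(root):  # relative path -> findings, for files with at least one hit
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            kind = classify(name)
            hits = scan_file(os.path.join(dirpath, name), kind) if kind else []
            if hits:
                findings[os.path.relpath(os.path.join(dirpath, name), root)] = hits
    return findings

def build_sample_webroot():  # constructed sample site: one clean page, two injected files, a redirecting .htaccess
    root = tempfile.mkdtemp(prefix="wp-scan-")
    samples = {
        "index.html": "<html><body>clean</body></html>\n",
        "page.html": "<html><body>hi</body></html>\n<script src=\"http://example.invalid/x.js\"></script>\n",
        "wp-content/themes/t/footer.php": "<?php eval(base64_decode('Zm9v')); ?>\n",  # 'Zm9v' is just 'foo'
        ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_REFERER} google [NC]\nRewriteRule .* http://example.invalid/ [R,L]\n",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for path, hits in scan_webroot(build_sample_webroot()).items():
        print(path, "->", ", ".join(hits))
```

Point scan_webroot at a copy of the real site rather than the live tree, and treat a hit as a place to read by hand, since these are heuristics and legitimate themes do use inline scripts.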

  11. brew13
    Posted 7 years ago #

    @posh - It's not good etiquette to post links to websites that are known to be transmitting viruses to other computers.

  12. This shows you why it is important to keep backups of a site. So that if it gets hacked, you can go through them and restore to one before the hack.

    And here's the thing: A host is not really responsible for the content of your site. If you got hacked, then you need to fix it. They can't fix it, because they're responsible for running the site. All the host is obliged to do is to check their logs and security and see if they can work out how the intruder got in.

    This is another reason I hate one-click WordPress installs, BTW. People using these never understand how their site actually works, how FTP works, how WordPress works... Then they get hacked or something, and you tell them to fix it (when they are the ones that have to do so, because it's actually their responsibility) and that usually results in a blank stare. They have no idea what they are doing. They don't know how their own website works. See, you have to actually learn things to be a webmaster and run your own web site. This is not a plug-and-play operation, and it's not like installing a piece of software on your home computer. This is not elitist or anything, it's simply one of those facts of life deals.

    The short version of restoring your site after a hack, if you didn't make backups:
    1. Change all the passwords to the account itself.
    2. Make a backup copy of everything on the site and everything in the database. Keep them.
    3. Export a copy of the posts/comments/etc using WordPress' Export feature. This is a relatively safe export, without malicious content in it. Usually. This is not a backup, it's a simple export. Pieces are missing from this, but it's enough to get you up and going again with a fresh install.
    4. Erase the site completely. Do it manually. Database too.
    5. Upload a new fresh copy of WordPress to the site.
    6. Restore your export to the new WordPress by doing an Import.
    7. Find the stuff that is missing (theme, etc) and restore those as well. Since you still have a complete backup of the site (step 2), then you have not lost anything, and can go through those files to find the hard-to-replace pieces.
    8. After your site is working again, BACK IT UP THIS TIME. And do so every week or two.
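Steps 2 and 7 above keep a full copy of the hacked site and then pick the hard-to-replace pieces out of it, and Clayton's earlier advice was to check directories for content that does not belong. As an added example that is not from the thread, this compares that kept copy against a clean WordPress download so modified core files, planted extras and the theme worth carrying over each stand out. Both directory trees are constructed inline; the paths, file contents and the 'X.Y.Z' version string are placeholders of my own.

```python
import hashlib
import os
import tempfile

def sha256_of(path):  # stream the file so a large uploads folder is not loaded whole
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def file_digests(root):  # relative path -> sha256 for every file under root
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out

def compare_trees(clean_root, site_root):  # sort the kept copy into changed, added and missing files
    clean, site = file_digests(clean_root), file_digests(site_root)
    return {
        "modified": sorted(p for p in clean if p in site and clean[p] != site[p]),  # core files with injected code
        "extra": sorted(p for p in site if p not in clean),  # theme, uploads, plugins... and anything planted
        "missing": sorted(p for p in clean if p not in site),
    }

def write_tree(root, files):  # helper to construct a sample directory tree
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

def build_samples():  # constructed trees; the contents and the 'X.Y.Z' version are placeholders
    clean = write_tree(tempfile.mkdtemp(prefix="wp-clean-"), {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-includes/version.php": "<?php $wp_version = 'X.Y.Z';\n",
    })
    site = write_tree(tempfile.mkdtemp(prefix="wp-site-"), {
        "index.php": "<?php require 'wp-blog-header.php';\n<script src=\"http://example.invalid/x.js\"></script>\n",
        "wp-includes/version.php": "<?php $wp_version = 'X.Y.Z';\n",
        "wp-content/themes/dilectio/style.css": "/* the theme worth carrying over */\n",
        "wp-content/uploads/.cache.php": "<?php /* a file that does not belong */\n",
    })
    return clean, site

if __name__ == "__main__":
    for kind, paths in compare_trees(*build_samples()).items():
        print(kind, paths)
```

The clean reference must be the same WordPress release the site was running, otherwise every core file shows up as modified; a .php file under wp-content/uploads is a classic example of something that never belongs there.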

  13. poshcoffee
    Posted 7 years ago #

    @ brew13 - I don't believe I actually linked to the blog that was affected. However, if I did then you're indeed right, that was wrong and I unreservedly apologize.

    It would seem that Midphase have now fixed the problem. From what I can figure out from the limited information they have given me, they were hacked by someone who got hold of their list of FTP usernames and passwords.

    That seems a little worrying to me, but maybe it can happen. Either way Rachel's blog seems okay now.

  14. riocalle
    Posted 6 years ago #

    I don't know what to do now. I wasn't able to back up the files on my two websites (www.ngkhai.net/cebu), (www.ngkhai.net/bizdrivenlife). The sites have been down for 2 weeks already and according to the host, there were scripts inserted and the websites have been exploited. Any help would be much appreciated.
