WordPress got hacked here, wp-includes/user.php and theme got changed

  • Stephen Peacock
    Member

    @stephenpeacockcreativenet

    I am sorry your site was hacked. But it is interesting to me because I was just Googling the IP address: 109.120.142.20 because I was informed by the WordFence security plugin that it was locked out of two of my websites for repeated attempts to log in. This forum post was the top result.

    From what I can tell the IP address is for somewhere in central Russia.

    I’m sorry I can’t say exactly how to resolve your issue, but you might consider checking out the security plugin WordFence. Their free version will compare your core WP files to those in the repository and will show you what, if any, changes have occurred. They also offer a premium (relatively inexpensive I think) service to help you recover from a hack.

    Hope that helps.

    Atari-Frosch
    Member

    @atari-frosch

    They tried it on my blog, too:

    109.120.159.169 - - [12/Nov/2012:01:28:10 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "http://blog.atari-frosch.de/wp-login.php" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.6) Gecko/20050405 Epiphany/1.6.1 (Ubuntu) (Ubuntu package 1.0.2)"

    109.120.159.169 - - [12/Nov/2012:08:35:20 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "http://blog.atari-frosch.de/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.452) Gecko/20041027 Mnenhy/0.6.0.104"

    109.120.142.20 - - [12/Nov/2012:13:14:33 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "http://blog.atari-frosch.de/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MathPlayer2.0)"

    109.120.159.91 - - [12/Nov/2012:13:14:34 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "http://blog.atari-frosch.de/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.2.153.1 Safari/525.19"

    WordPress (3.4.2) files have not been changed as far as I can see. Is it possible that they entered the website with an admin account and a weak password?
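
An added example, not part of any post in this thread: one way to summarize login attempts like the ones quoted above from an Apache combined-format access log, grouping POSTs to /wp-login.php by source network so that attempts spread over neighbouring addresses show up together. It assumes stock WordPress behaviour (200 re-renders the login form after a failed attempt, 302 follows a successful one); the /19 default, the function names and the last two sample lines are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample (Apache combined format). The first four lines mirror the
# quoted requests; the last two (198.51.100.7, 192.0.2.10) are invented.
SAMPLE_LOG = """\
109.120.159.169 - - [12/Nov/2012:01:28:10 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "-" "-"
109.120.159.169 - - [12/Nov/2012:08:35:20 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "-" "-"
109.120.142.20 - - [12/Nov/2012:13:14:33 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "-" "-"
109.120.159.91 - - [12/Nov/2012:13:14:34 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "-" "-"
198.51.100.7 - - [12/Nov/2012:14:02:11 +0100] "POST /wp-login.php HTTP/1.1" 302 - "-" "-"
192.0.2.10 - - [12/Nov/2012:14:05:00 +0100] "GET /wp-login.php HTTP/1.1" 200 3753 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def summarize_logins(log_text, prefix_len=19):
    """Group POSTs to /wp-login.php by source network.

    Assumption: stock WordPress re-renders the form with 200 on a failed
    login and answers a successful one with a 302 redirect.
    """
    nets = defaultdict(lambda: {"ips": set(), "failed": 0, "redirects": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        try:
            net = ipaddress.ip_network(f'{m["ip"]}/{prefix_len}', strict=False)
        except ValueError:
            continue  # client field is a hostname, not an address
        entry = nets[str(net)]
        entry["ips"].add(m["ip"])
        if m["status"] == "200":
            entry["failed"] += 1
        elif m["status"] == "302":
            entry["redirects"] += 1
    return dict(nets)

def suspicious(summary, min_failed=3, min_ips=2):
    """Networks with many failed logins spread over several addresses."""
    return sorted(n for n, e in summary.items()
                  if e["failed"] >= min_failed and len(e["ips"]) >= min_ips)
```

A non-zero `redirects` count for a network that also appears in `suspicious()` is the case worth checking first, since it suggests one of the guesses was accepted.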

    esmi
    Forum Moderator

    @esmi

    People: As per the Forum Welcome, please post your own topic. Your problem – despite any similarity in symptoms – is likely to be completely different.

    Thank you for the replies. I installed the plugins WordFence, exploit-scanner and limit-login-attempts to all of my blogs. BTW: I have 7 sites running, 2 were hacked. And yes, it might have been passwords which were too weak – never changed these in the last 5 years, shame on me. But I changed every password of every user just now to state of the art passwords. After that I double checked again that no files were changed again and ran the WordFence scan which did not bring up any alerting news.

    Is there someone better with PHP than me who could read the code I posted in the first post? The mail address in the code (anto@netherlandbarmuda.com) was used and mails were sent out to this address. Very nice… :-/

    Hopefully the problem is gone now and I really hope that it was the weak passwords which created the problems, no severe WP exploit.

    Cheers,
    Martin

    Atari-Frosch
    Member

    @atari-frosch

    @esmi: No, it is in fact the same problem. Just with the difference that my password has not been guessed right, so that the attackers weren’t able to enter the dashboard and to change any files. From that I came to the weak passwords, because if it were a vulnerability in WP, my site would have been hacked by now, too.

    Search all files via FileZilla. Afterwards, sort by modified date 🙂
    Use this plugin:
    BBQ: Block Bad Queries: http://wordpress.org/extend/plugins/block-bad-queries/

    @ John: Thanks for your reply. I already checked the files and changed the modified files back to the original files. Thanks for the plugin suggestion, sounds good to me so I installed it! 🙂

    I highly recommend this one “Login LockDown”.
    http://wordpress.org/extend/plugins/login-lockdown/

    azeroth2b
    Member

    @azeroth2b

    This hack is alive and well. Hit me about 6 weeks ago.

    This hack is definitely alive and going strong. Hit my site about a month ago (approx. 2/20/13) and again just a few days ago (3/20/13). Slightly different modifications to my user.php file each time. Apparently I’m on the 20th of the month rotation for attack attempts. Wonderful.
