WordPress Hacked-post-new.php infected

  • I’ve recently had my WordPress install hacked. I’m running the latest version (2.9.1). The page that seems to be infected is the post-new.php page. All of the links from that page redirect to http://1dns.org.in/s/111.php, which is considered a phishing site by Google. This is the only page in my WP install that appears to be infected.

    I’ve replaced that file, but it didn’t work. I’ve done a fresh upgrade, but that didn’t seem to work. Any suggestions for how to start over? I’d export my DB, but if the injection is in there, then I don’t suppose it will help.

    FYI, I’ve also run WP exploit scanner, which resulted in the following:

    _transient_feed_0ff4b43bd116a9d8720d689c80e7dfd4:_transient_feed_0ff4b43bd116a9d8720d689c80e7dfd4
    iframes can sometimes be used by hackers to load their own adverts and code on your site.

    r side of I-35 from the convention center.</p>
    <p><iframe width=”300″ height=”300″ frameborder=”0″ scrolling=”no” marginheight=”0″ marginwidth=”0″ src=”http://maps.google.com/maps/m

    I did a search on the site for “I-35 from the convention center” but received no results.

    I’m really at a loss.

Viewing 12 replies - 1 through 12 (of 12 total)
  • Hi,

    Refer to this article:

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    Thanks,

    Shane G.

    I have the EXACT same thing happening. Same results on scan, and the same result from the scanner. Still working on trying to locate it. As far as I know, there are no iframes on the site.

    I don’t think my post-new.php file was hacked. How did you find yours was hacked, and what was in it?

    PS: “I-35 from the convention center” for me resulted in references to this:
    http://www.facebook.com/note.php?note_id=396818736124&comments&ref=mf

    “Location: Conjunctured coworking space, 1309 East 7th St., Austin, TX 78702. From the convention center, walk up to 7th Street, hang a right, and walk until you get to #1309. If you’re tired of walking, taking a cab is a decent option. Note that this is on the other side of I-35 from the convention center.”

    I was wondering if there is an iframe on the dashboard page, including WP news….?

    zakiwarfel,

    Search your SQL database for the string 1dns. Who knows, maybe that will lead you somewhere.

    Also, a lot of info in that article Shane G pointed you to includes some hardening. Reinstalling without .htaccess tweaks and password changes, etc. won’t do.

    I’m a victim too, but a different attack.

    Still battling this. Note, using Google’s Anywhereindb search tool, I looked for 1dns. As above, looked for “<iframe width=”300″ ” etc… no luck. It seems to affect just the front page: feeds, etc. are all fine.
    Anyone have ideas?

    I used the Exploit Scanner plugin for WordPress and came up with the exact same warning about the transient feed. My site has been hacked twice in the last month (most recently this morning).

    I searched my database simply for I-35 and the specific information is in the WordPress wp_options table, Field: option_name, Type: varchar(64), Value: _transient_feed_0ff4b43bd116a9d8720d689c80e7dfd4

    It looks like an announcement for the 2010 WordPress Wordcamps with directions to one of several locations, one of which includes the text lisa3711 wrote earlier.

    Is this a hack or part of the news? I don’t want to mess with this in the database, and at the same time, I want to know how to get rid of the iframe vulnerability.

    Just to add, this transient_feed is in all of my WordPress sites, including ones that were NOT hacked and are not all running the same version of WordPress – my hacked sites (ironically) are updated to 2.9.2, whereas the ones that were not hacked were not updated.
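Added example, not part of any post in this thread: a triage pass over rows exported from wp_options that separates iframe markup sitting in a cached feed (`_transient_feed_<hash>`) from rows containing the redirect string the posters searched for. It assumes the hash in the option name is the MD5 of the feed URL (SimplePie's default cache naming); the feed URL, hosts and rows below are constructed sample data.

```python
import hashlib
import re
from urllib.parse import urlparse

FEED_OPTION = re.compile(r"^_transient_feed_([0-9a-f]{32})$")
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def triage(rows, known_feeds, indicators):
    """rows: (option_name, option_value) pairs exported from wp_options.
    known_feeds: feed URLs the site is configured to fetch (assumed list).
    indicators: substrings to hunt for, e.g. part of a redirect domain."""
    by_hash = {hashlib.md5(u.encode()).hexdigest(): u for u in known_feeds}
    findings = []
    for name, value in rows:
        hosts = sorted({urlparse(s).hostname or "?"
                        for s in IFRAME_SRC.findall(value)})
        hits = [i for i in indicators if i.lower() in value.lower()]
        if not hosts and not hits:
            continue  # nothing a scanner would flag in this row
        m = FEED_OPTION.match(name)
        findings.append({
            "option": name,
            "cached_feed": bool(m),  # True: value is fetched feed content
            "feed_url": by_hash.get(m.group(1)) if m else None,
            "iframe_hosts": hosts,
            "indicator_hits": hits,
        })
    return findings

# Constructed sample data; not taken from any real database.
SAMPLE_FEED = "http://feeds.example.org/news"
_H = hashlib.md5(SAMPLE_FEED.encode()).hexdigest()
SAMPLE_ROWS = [
    ("_transient_feed_" + _H,
     '<p>Directions.</p><p><iframe width="300" height="300" '
     'src="http://maps.example.com/embed?q=1"></iframe></p>'),
    ("_transient_timeout_feed_" + _H, "1267000000"),
    ("widget_text", '<a href="http://1dns.org.in/s/111.php">news</a>'),
    ("blogname", "My Blog"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS, [SAMPLE_FEED], ["1dns"]):
        print(f)
```

A finding with `cached_feed` true and a `feed_url` you recognise is markup from a feed the site itself fetched; rows with indicator hits are the ones to inspect by hand.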

    I have the I-35 transient also.

    I never authorized this to be in my blog and would like to know how to find it and REMOVE IT.

    I also have an unauthorized transient directing to cssjockey, which I never authorized either.

    Where do I locate these transients? I operate 2.9.2

    Same here! Just had a pro clean my site, too. Grrrrr.

    I’d be most grateful if someone could ferret out this perp (if it’s an attack!)

    I’m beginning to wonder why I am getting into blogging when I should be getting into security at this point. Cyber security Utopia.

    I am on 2.9.2 which I believe is the latest version. I am at GoDaddy so just went ahead and restored the site back to a few days ago. Try that. It might help.
    Thank you.

    Restores are easy. The real problem is did the criminals leave any back doors in our restored site.

    If only we had a scanner that will automatically remove and quarantine hacker code. Man that would be nice. I’d pay handsomely for something like that.
