WP 2.7 Can Be Hacked… FYI

  • Resolved chowell18

    (@chowell18)


    Just a note to everyone on the forums that my fresh WP 2.7 upgrade was hacked over the weekend. Prior to the site going down, there was a very heavy amount of spam comments… not sure if that was the culprit or not.

    The mischief left the site showing a PHP setting type page w/ user options to upload files to the FTP, etc. Not exactly safe…

    Had to restore** from a previous version to recover the site – re-uploading the files did not work. **Server-level restore (from backup).

    Lesson to everyone – BACKUP your blog or you could lose everything!

    If anyone else has experienced this, I would certainly like to know how to avoid it. For the time being, I have implemented stronger commenting restrictions, changed logins, etc.

Viewing 15 replies - 1 through 15 (of 41 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    Do you have any access_log data showing the URLs that might be the culprit? If you don’t find and close the egress point then the culprit will almost certainly be back.

    A general warning and good advice to back up are nice and appreciated, but can you provide anything that shows that 2.7 is vulnerable yet?

    I’m also on 2.7 so I’m asking purely out of selfish reasons.

    Also on 2.7, so always worrying, but, you say you had to restore, from which version did you restore, from my way of thinking, it's much more likely to have come from a previous install, where a hack not cleared still remains,
    just my two cents, but hope it works out for you.
    mike.

    Mikey, I did a restore from a few days prior backup (same 2.7 install) so hopefully it holds up this time. Restore included entire FTP site and MySQL data.

    As far as closing the vulnerability, I thought upgrading to 2.7 would fix any vulnerabilities from previous versions – that is the purpose of upgrading, no?

    I’m not terribly familiar w/ the access log info, etc., nor where the hack occurred. I just know that it shut down the blog entirely and nothing I could do from my end worked. What I could access showed a huge spike in spam comments, so I have to assume it was somehow related to that (MySQL injection???).

    I have several plug-ins installed, but was sure to upgrade all available once 2.7 came out. 2.7 was installed on 12/13 and ran well for about a week before the hack took it down.

    I think my wp site is hacked too!
    I can't log in 🙁
    I am trying to get new password but it doesn't recognize my username and email!!
    I can log in to the server though.
    Is there anything I could do about that?

    I have this site almost 3 years and I am really sad about this situation!
    Thank you in advance!

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    As far as closing the vulnerability, I thought upgrading to 2.7 would fix any vulnerabilities from previous versions – that is the purpose of upgrading, no?

    Yes, but no. It will close the door for known WordPress bugs and exploits. It will not fix a blog that has been compromised already.

    You do backups already (good job that, wish more people did!) so if you are concerned you can backup again, delete everything except wp-config.php and anything you’ve uploaded into wp-content, and put a fresh installation of 2.7 onto your system.

    Delete your plugins and themes before you do this. Re-add the plugins and themes from their sources to make sure you are clean.

    Last thing, export your blog to WXR and eyeball the XML file for spammy badness.

    @sinagrida

    If you have phpMyAdmin you can click on the wp_user table, click browse, and look for the admin user (probably ID 1). Then click on the pencil in that record to edit it. Delete the user password (it will be a long string of random characters) and type in a new password. In the function drop-down, select MD5 and then save (press go). This should reset your admin password.

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    I think my wp site is hacked too!

    Hold please.

    Let’s not make this a pile on; if you have password issues please check out http://codex.wordpress.org/Resetting_Your_Password and we can concentrate on the op issue.

    Edit: Thanks Figaro 🙂

    @chowell18
    Hi again, I have no doubt you’ve been very thorough with your install,
    keep us up to date with your progress, good luck.

    PS. If you had a large number of spam comments before the attack you may want to take a look at this great plugin from whoami which logs everything.
    http://www.village-idiot.org/archives/2007/04/18/wp-noshit/

    I am seeing a large number of spiders and site queries in the access logs from some bots that are questionable (QQdownload for instance).

    Is there a good Plug-in for managing the Robots.txt file and/or the list of known bad bots?

    whooami

    (@whooami)

    Member

    wrong link, mikey

    In your .htaccess file, add:

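    # Hotlink protection: refuse image/script/style requests whose Referer is
    # set but does not point at this site. Replace example\.com with your domain.
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/.*$ [NC]
    RewriteRule \.(gif|jpg|js|css)$ - [F]

    # Answer 403 Forbidden when the User-Agent matches any of the patterns below.
    RewriteEngine On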
    RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
    RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
    RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
    RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
    RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
    RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
    RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
    RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
    RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
    RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
    RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
    RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
    RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
    RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
    RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
    RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
    RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
    RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
    RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
    RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
    RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
    RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
    RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
    RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
    RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
    RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
    RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
    RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
    RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
    RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
    RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
    RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
    RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
    RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
    RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
    RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Zeus
    RewriteRule ^.* - [F,L]

    Hi again, and my apologies to whoami, the link should have been.
    http://www.village-idiot.org/post-logger
    Still they are two very good plugins 🙂
    Thanks for noticing whoami.
    Mike.

    @saurus

    Could you or anyone else just briefly explain what that .htaccess code does?

    Also, in terms of positioning within the file, should that go at the end?

    Thanks in advance.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Lead Plugin Wrangler

    Basically that blocks those crawlers from hitting your site.

    I would suggest, instead, BadBehavior: http://wordpress.org/extend/plugins/bad-behavior/

    Cautionary warning, it borks the Flash Uploader. But it saves my life, regularly.
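
An added example (not code from the thread or from WordPress) of what the User-Agent block above does: it parses a few of the posted RewriteCond lines and runs them over access_log lines to report which requests the [F] rule would answer with 403. The log lines, IP addresses and function names are constructed for illustration, and the evaluator assumes a single [OR] chain as in the posted block.

```python
import re

# A few of the thread's User-Agent rules, copied verbatim (one [OR] chain).
HTACCESS = r"""
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
"""

# Constructed access_log lines (Apache combined format), not real traffic.
ACCESS_LOG = r"""
203.0.113.5 - - [20/Dec/2008:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Wget/1.11.4"
203.0.113.9 - - [20/Dec/2008:10:01:09 +0000] "GET /feed/ HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; httrack 3.x)"
198.51.100.7 - - [20/Dec/2008:10:02:00 +0000] "GET /?p=1 HTTP/1.1" 200 7000 "-" "Mozilla/4.0 (compatible; MSIE 6.0; QQDownload 1.7)"
198.51.100.8 - - [20/Dec/2008:10:02:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Wget-like)"
"""

# Pattern token: non-space characters, where "\ " is an escaped literal space.
COND = re.compile(r"RewriteCond[ \t]+%\{HTTP_USER_AGENT\}[ \t]+((?:\\.|\S)+)(?:[ \t]+\[([^\]]*)\])?")
LOG = re.compile(r'^(\S+) .*?"[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def load_conditions(text):
    """Return [(source_pattern, compiled_regex)] for each User-Agent RewriteCond."""
    conds = []
    for m in COND.finditer(text):
        flags = {f.strip().upper() for f in (m.group(2) or "").split(",")}
        # NC = case-insensitive; without it mod_rewrite matches case-sensitively.
        conds.append((m.group(1), re.compile(m.group(1), re.I if "NC" in flags else 0)))
    return conds

def blocking_rule(user_agent, conds):
    """Pattern that would trigger the [F] (403) rule for this User-Agent, or None."""
    for source, rx in conds:
        if rx.search(user_agent):  # conditions are OR-ed: the first hit decides
            return source
    return None

def triage(log_text, conds):
    """List (client IP, User-Agent, blocking rule or None) for each log line."""
    hits = (LOG.match(line) for line in log_text.strip().splitlines())
    return [(m.group(1), m.group(2), blocking_rule(m.group(2), conds)) for m in hits if m]

if __name__ == "__main__":
    for ip, ua, rule in triage(ACCESS_LOG, load_conditions(HTACCESS)):
        print(f"{ip:15} {'403 via ' + rule if rule else 'allowed':28} {ua}")
```

Patterns starting with `^` match only at the beginning of the header and are case-sensitive unless `[NC]` is set, so the list covers exactly the agents it names and nothing else, such as the QQDownload agent mentioned earlier in the thread.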

    @ipstenu

    I don’t use the Flash Uploader too often, so I’m guessing that I would be ok to install the plugin.
