Daniel Cid
Forum Replies Created
Forum: Fixing WordPress
In reply to: pharma hack
I posted about this pharma hack here:
http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html
It seems that you forgot to remove the backdoor being used to give the attackers access to your system. As I said in the post, searching only for eval(base64_decode is not enough, since they are hiding it now too. If you do not remove it, they will re-infect your site every so often.
thanks,
Forum: Fixing WordPress
In reply to: My site hacked?
Can you look at the dates of these files? This will help you see when it happened. Did you ever keep your WordPress not upgraded for a period of time?
Forum: Fixing WordPress
In reply to: Site attacked with WordPress 3.0
Most probably you had a backdoor hidden in there even before you installed WP 3.0. Try searching for .php files inside wp-content/uploads, since this is a common place to have backdoors hidden.
If you had spam on your blog, this article shows some techniques and tips on how to fix it:
http://blog.sucuri.net/2010/06/cleaning-spam-from-your-wordpress-blog.html
Forum: Fixing WordPress
In reply to: 2.9.2 site hacked
Happened today again at GoDaddy.
This time pointing to: http:// cloudisthebestnow.com / kp.php
Details: http://blog.sucuri.net/2010/06/godaddy-sites-hacked-with-cloudisthebestnow.html
http://sucuri.net/malware/entry/MW:MROBH:2
The script still works:
http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
Forum: Fixing WordPress
In reply to: WordPress File Monitor report
Steve:
Can you post the contents of these files for us to check? It looks like a valid update (see the readme files changing, png, etc). But since you didn’t do it yourself, someone did 🙂
Forum: Themes and Templates
In reply to: Virus, external hacker or what? Security in local blog
This looks like it is due to a bug that was fixed in 2.9.1. What version are you using?
Forum: Fixing WordPress
In reply to: Have I been hacked? Username: “amin”
I just posted that on another thread, but it might help here.
We saw that on installations with WP < 2.9 lately. Also, even if you are now updated, your site might have been compromised before and the attackers left a backdoor hanging in there.
The sites also had this:
http://blog.sucuri.net/2010/05/seo-spam-network-code-used-and-more.html
http://blog.sucuri.net/2010/05/seo-spam-network-details-of-wp-includes.html
Forum: Fixing WordPress
In reply to: Post titles changed to spam — anyone familiar with this hack?
mobius1ski: Which version of WordPress are you using?
We saw that on installations with WP < 2.9 lately. Also, even if you are now updated, your site might have been compromised before and the attackers left a backdoor hanging in there.
Forum: Fixing WordPress
In reply to: Site hacked and Q’s about Exploit Scan results
This attack seems to be getting a lot of sites using old versions of WordPress. And even if she is updated right now, she might have been infected before…
Some details:
http://blog.sucuri.net/2010/05/it-is-not-over-seo-spam-on-sites.html
http://blog.sucuri.net/2010/05/seo-spam-network-details-of-wp-includes.html
http://blog.sucuri.net/2010/05/seo-spam-network-code-used-and-more.html
Forum: Fixing WordPress
In reply to: 2.9.2 site hacked
arichero: This script automates that for you:
http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
Forum: Fixing WordPress
In reply to: SEO SPAM network – Details of the wp-includes infection
A quick way to check your site:
1- Search on Google for spam words + inurl:wp-includes + yoursite
2- Do a quick scan of the wp-includes dir for files that shouldn’t be there.
There is another method being used too, where a .files is created:
http://blog.sucuri.net/2010/05/it-is-not-over-seo-spam-on-sites.html
So check both places. If anyone has more info, let me know.
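
Added example, not part of the original replies or of any Sucuri tool: the wp-includes scan from the reply above and the wp-content/uploads check from an earlier reply, done by comparing the live tree with a clean copy of the same WordPress version. The function names, the report keys, the clean-copy directory and the rule of flagging every dot-named entry (such as the .files mentioned above) are assumptions of this example.

```python
import hashlib
import os


def _manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def audit_wordpress(site_root, clean_root):
    """Compare a live WordPress tree with a clean copy of the same version.

    extra/modified paths are relative to wp-includes; hidden/uploads paths
    are relative to site_root.
    """
    live = _manifest(os.path.join(site_root, "wp-includes"))
    clean = _manifest(os.path.join(clean_root, "wp-includes"))
    report = {
        "extra": sorted(p for p in live if p not in clean),        # should not exist
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "hidden": [],   # dot-named files or directories anywhere in the site
        "uploads": [],  # .php files under wp-content/uploads
    }
    uploads_dir = os.path.join("wp-content", "uploads")
    for dirpath, dirs, files in os.walk(site_root):
        rel_dir = os.path.normpath(os.path.relpath(dirpath, site_root))
        for name in dirs + files:
            if name.startswith("."):
                report["hidden"].append(os.path.normpath(os.path.join(rel_dir, name)))
        if rel_dir == uploads_dir or rel_dir.startswith(uploads_dir + os.sep):
            report["uploads"] += [os.path.join(rel_dir, f)
                                  for f in files if f.lower().endswith(".php")]
    report["hidden"].sort()
    report["uploads"].sort()
    return report


if __name__ == "__main__":
    import sys
    # Usage: script.py <live site root> <clean WordPress copy of the same version>
    for kind, paths in audit_wordpress(sys.argv[1], sys.argv[2]).items():
        for path in paths:
            print(kind, path)
```

Entries under "hidden" can be legitimate (an .htaccess, for instance), so review them rather than deleting on sight.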
Forum: Fixing WordPress
In reply to: 2.9.2 site hacked
calvin13: Not fixed at all.
We just started to notice a big batch of sites getting hacked… If anyone here is still at GoDaddy, I am sorry for you 🙂
http://blog.sucuri.net/2010/05/here-we-go-again-problem-at-godaddy.html
Forum: Fixing WordPress
In reply to: 2.9.2 site hacked
Yes, it happened all over again at GoDaddy:
http://blog.sucuri.net/2010/05/continuing-attacks-at-godaddy.html
Same scripts, same techniques, just a different domain ( losotrana.com ) . We have details on the script they are using here:
http://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html
So, if you are at GoDaddy, check your site now.
Forum: Fixing WordPress
In reply to: 2.9.2 site hacked
calvin13: They removed it as a courtesy? How nice of them… LOL
Forum: Fixing WordPress
In reply to: 2.9.2 site hacked
Yes, it is happening again only at GoDaddy.
So far we counted more than 500 sites already with this new malware.
http://blog.sucuri.net/2010/05/lots-of-sites-reinfected-now-using.html
Let’s see if they will blame the users again…