UseShots
Forum Replies Created
Forum: Fixing WordPress
In reply to: 2.9.2 site hacked
@nikosd66:
> I can see permissions and owner only after I restore the file.
> I don’t know if they change after restoration.
I guess they change. So now this info is not reliable.
By the way, what are the directory permissions?
Forum: Fixing WordPress
In reply to: 2.9.2 site hacked
These are the files described in this article:
http://smackdown.blogsblogsblogs.com/2010/05/13/hosting-with-godaddy-might-want-to-rethink-that-decision/
It injects malicious code into your files and then removes itself.
Until GoDaddy identifies how hackers manage to upload such files into user directories, your sites will get reinfected every so often.
BTW, did you notice the permissions and the owner of this file?
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
@steve D: Can you share the file permissions of the hacked files?
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
Well, I see a new round of hacks on Net Sol servers. This time it is not a DB hack. Hackers inject a malicious script into files on disk. The script injects a hidden iframe from hxxp://corpadsinc .com/grep/. This new domain name points to exactly the same place as the previous networkads .net and mainnetsoll .com iframes.
Not only WordPress blogs are affected.
Forum: Fixing WordPress
In reply to: WordPress Hack – wp-includes/stat file
@trinitywebhosting: It looks like there are many other sites hacked on your server. I would be concerned with file permissions and isolation of individual sites.
Did you notice the owner of those stat and uploads files? Was it your user or the web server’s user? What are the permissions of the wp-includes and wp-admin directories?
I’d like to take a look at those rogue files. Could you contact me if you still have them?
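To answer the two questions this post asks (who owns the files, and what modes the directories carry) across a whole site tree, here is an audit script added as an example; it is not UseShots’ tool and not part of the original posts. It flags entries that other system users can write to, entries off the 755/644 convention UseShots recommends further down this page, and entries not owned by the site owner; the sample tree it builds is constructed.

```python
import os
import stat
import tempfile

# Conventions from this thread: 755 for directories, 644 for files.
EXPECTED_MODES = {True: 0o755, False: 0o644}   # keyed by "is a directory"

def audit_permissions(root):
    """Walk a site tree and return sorted (relative_path, finding) pairs for
    entries other users could write to, entries off the 755/644 convention,
    and entries whose owner differs from the owner of the site root."""
    root_uid = os.stat(root).st_uid
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue                       # judge the target, not the link
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "writable by other users (%o)" % mode))
            elif mode != EXPECTED_MODES[stat.S_ISDIR(st.st_mode)]:
                findings.append((rel, "non-standard mode %o" % mode))
            if st.st_uid != root_uid:
                findings.append((rel, "owner uid %d differs from site owner" % st.st_uid))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample tree (empty stand-in files, not a real WordPress install)."""
    root = tempfile.mkdtemp(prefix="wpaudit_")
    for rel, mode in (("wp-content", 0o755), ("wp-content/uploads", 0o777),
                      ("wp-includes", 0o755)):
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in (("wp-config.php", 0o644), ("wp-includes/stat.php", 0o666)):
        open(os.path.join(root, rel), "w").close()
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    for rel, finding in audit_permissions(build_sample_tree()):
        print(rel, "-", finding)
```

Files owned by the web server’s user rather than the site owner are the case this thread keeps asking about; on a shared host they usually mean the code was written by the web server process, not uploaded over FTP.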
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
@bychow26:
Did you notice the domain name used in that iframe? mainnetsoll or mainNetSoll – looks like hackers specifically target Network Solutions (NetSol).
So WordPress reinstall is only a temporary solution. Guys at Net Sol should catch the hackers that mess with their servers.
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
Right now the script points to an iframe from hxxp://mainnetsoll .com/ grep/. It is the same site (same IP) as the original “networkads .net” iframe.
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
@shashib: Good job!
Unfortunately, I can still see at least 13 more infected blogs on your servers.
Moreover, the attack seems to have a long history (at least from January), has several different incarnations, and is still evolving.
Right now I can see this iframe injected as an obfuscated javascript into some of the WordPress files. Actually, this happened to the blog that you link to from the “Alert: WordPress Blog & Network Solutions” article. So right now it points your readers to an infected blog.
As you can see the problem is more serious than some of you might think.
You can find more details in my article:
http://blog.unmaskparasites.com/2010/04/11/network-solutions-and-wordpress-security-flaw/
Hope it will help. If you need more addresses of hacked blogs, you can contact me here.
Forum: Fixing WordPress
In reply to: 404.php theme hacked – any advices?
Hi,
I would be worried if Avast reports images as harmful files. Make sure those gif files don’t have any extra content.
If the gif files are real GIF files with no extra content, this could be a sign of another serious problem: the whole server (not just your site) could be hacked so that it serves malicious content for random requests.
For example, during the Beladen infection I saw AV warnings even for favicon.ico files (you can see screenshots here):
http://blog.unmaskparasites.com/2009/06/18/beladen-elusive-web-server-exploit/
Forum: Everything else WordPress
In reply to: KoiQBOL hack/worm
Hi llworldtour,
So the KoiQBOL was in the fotter.php file in the /uploads directory?
Can you share the wording of the email from the Firewall plugin? It is still not clear how they upload the script, so the text from the warning may help.
Thanks
Forum: Fixing WordPress
In reply to: Site crash FATAL ERROR please help
These errors are the results of buggy Gumblar scripts that don’t take into account the WordPress architecture.
The attack uses stolen FTP credentials and uploads backdoor scripts that can be used to reinfect compromised sites.
Details here:
http://blog.unmaskparasites.com/2009/11/04/gumblar-breaks-wordpress-blogs-and-other-complex-php-sites/
Forum: Installing WordPress
In reply to: Fatal Error with wp-config.php (1)
Hi,
These “Cannot redeclare” errors are the results of the buggy Gumblar infection. The backdoor scripts mentioned in the above posts are injected into many .php files. And since they don’t take into account the complex structure of WordPress, the same malicious functions get redeclared. Thousands of compromised PHP sites are broken because of that bug.
Details here:
http://blog.unmaskparasites.com/2009/11/04/gumblar-breaks-wordpress-blogs-and-other-complex-php-sites/
@sickofhackers: The servers are not hacked. This attack uses FTP credentials stolen from the computers of webmasters. Thus it’s important to remove all backdoor scripts, remove the injected malicious code, and then change all site passwords and keep them secure (i.e. don’t save them in FTP clients, where malware steals them from).
Your blog is no longer blacklisted, but it looks corrupted.
No styles, snippets of PHP code all over the place. Looks like your theme files are corrupted.
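A small triage script, added here as an example (not UseShots’ tool and not part of the original posts), that finds the symptom described above: the same function declared in more than one PHP file, which is what makes PHP stop with “Cannot redeclare” once injected code has been copied into many files. The sample file contents are constructed; `scan_directory` is a helper for running the same check against a real site tree.

```python
import os
import re
from collections import defaultdict

# Top-level declarations only: a visibility keyword right before "function"
# marks a class method, and methods of different classes may legitimately
# share a name (e.g. __construct), so those are skipped.
FUNC_DECL = re.compile(
    r"(?<!public\s)(?<!private\s)(?<!protected\s)(?<!static\s)"
    r"\bfunction\s+&?\s*([A-Za-z_]\w*)\s*\("
)

def find_declarations(files):
    """files is {relative_path: php_source}; returns {name: [paths]}.
    PHP function names are case-insensitive, so names are lower-cased."""
    decls = defaultdict(list)
    for path, source in files.items():
        for name in FUNC_DECL.findall(source):
            decls[name.lower()].append(path)
    return decls

def duplicate_declarations(files):
    """Functions declared in more than one file. A stock WordPress tree
    gives an empty result, so any hit is a candidate for injected code to
    read by hand (the regex also matches "function" inside strings/comments)."""
    return {name: paths for name, paths in find_declarations(files).items()
            if len(paths) > 1}

def scan_directory(root):
    """Read every .php file under root into the {path: source} form."""
    files = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".php"):
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files

# Constructed sample: one helper pasted into two files, plus ordinary code.
SAMPLE_FILES = {
    "wp-config.php": "<?php\nfunction zz_pasted_helper($a) { return $a; }\ndefine('DB_NAME', 'wp');\n",
    "wp-settings.php": "<?php\nfunction zz_pasted_helper($a) { return $a; }\nrequire 'wp-load.php';\n",
    "wp-includes/functions.php": "<?php\nfunction wp_sample_helper($x) { return $x; }\nclass Foo { public function __construct() {} }\n",
    "wp-includes/class-bar.php": "<?php\nclass Bar { public function __construct() {} }\n",
}

if __name__ == "__main__":
    for name, paths in duplicate_declarations(SAMPLE_FILES).items():
        print(name, "declared in:", ", ".join(paths))
```

Against a live site, run `duplicate_declarations(scan_directory("/path/to/site"))`; every file it names should be compared with a clean copy of the same WordPress release before anything is deleted.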
Forum: Fixing WordPress
In reply to: Two quick questions on SuPHP?
Are you on a dedicated server? Then what’s the problem with 777 permissions for the uploads folder?
755 & 644 permissions won’t let other users modify your files. But if you don’t share a server with other users, it’s not an issue.
On the other hand, with SuPHP, security holes in .php files can provide full access to all your files (not just in the uploads directory).
Forum: Fixing WordPress
In reply to: some-other-life — malware?
the-past .ru, some-other-life .ru, and hundreds of other domains that point to the same servers, are a part of the attack that uses stolen FTP credentials. A trojan on infected computers extracts usernames, passwords and hostnames saved in 10 popular FTP clients.
So you should scan your own computer for malware.
Then change passwords and don’t save them in FTP clients anymore.
Otherwise this iframe code will be reuploaded every day.