• One of my domains was hacked while it was running version 2.8.4; are there any vulnerabilities I should know about?

    The site has three WP installations, 2x 2.8.4 and 1x 2.7. Interestingly both 2.8.4 installations were hacked (changed files), but the one running 2.7 which I forgot to update wasn’t affected (just updated to 2.8.4 now after recovering the other sites)!

    https://www.free-recipes.co.uk/
    https://www.free-recipes.co.uk/hair/
    https://www.free-recipes.co.uk/store/ the 2.7 version

    Not sure exactly when it was hacked, but know it was after the 25th of last month when I made the last dedicated server backup and no later than the 12th October as Google Cache confirms (hair site Google cache from 25th September is clean).

    I’ve used the 25th of September server backup to fix the problems and changed all the passwords, deleted plugins not used, updated a few plugins so hoping it won’t get hacked again.

    I only found the problem by luck, realised today an anomaly in how the template on the main WP installation was looking on the page (something was off), viewed source and found hundreds of links below the footer (lot of viagra links). If you look at the Google cache now from 12th October you can see the links.

    So I’m confident those links were added after the 2.8.4 update.

    The main index.php file had hidden content at the bottom. Also found it in an index.php file associated with the PHPBB forum (cleaned it now) at https://www.free-recipes.co.uk/forum/ (that forum gets the crap spammed out of it!! have not added the new MySQL password to the config file, so not working now), but I couldn’t see the links on the forum pages, so guess it was a script or something adding the links to index.php files, but not all of them as the blank index.php files in the plugins and theme folders are clean.

    I noticed all files and folders I checked now have full write access.

    This domain has not been hacked before, my son was running a few WordPress 2.5 sites that got hacked (different problem, had an iframe added to malicious content) a month or two ago, (too lazy to update) I cleaned them after finding the problem, those sites now running 2.8.4 and are clean.

    I started cleaning the site and fixed the main installation (uploaded 2.8.4 again) before deciding to use the backup, I’ve made another backup of the hacked/partially cleaned Virtualmin server for the domain in case it’s useful for WordPress development to track down how the site was hacked. This hacked backup has whatever was changed to the hair installation by the hacker intact (I made no changes).

    If access to this backup is any use to WordPress development let me know, I run over 50 WordPress installations so it’s in my best interest to help you guys out to keep WordPress secure.

    David Law

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    The main index.php file had hidden content at the bottom. Also found it in an index.php file associated with the PHPBB forum

    That sounds like more of a server hack than a WP hack, since it’s hitting WP and phpBB. I’d check your FTP logs. If it’s JUST php files getting changed, it’s more likely to be a regular server hack than a SQL injection via WP.

    Thread Starter David Cameron Law

    (@seo-dave)

    I’ve found other WordPress 2.8.4 sites of mine (same server) compromised.

    So far four domains, still checking others.

    The theme so far is that files I’ve checked have had their permissions changed to full write access (though one domain just had the index.php file changed); on the latest domain a file was uploaded to

    /wp-admin/web/doorway-2009-10-18_20-56.zip

    Which was unzipped to over 1,000 web pages of porn/viagra links etc… some of which were linked to from the home page (via the WordPress index.php file).

    The hacked WordPress sites that have this content on are PR4, PR4, PR4 and PR5 (first hacked was the PR5), so far my lower PR domains are not touched, so looks like the higher PR domains are being cherry picked.

    I’ve run chkrootkit that didn’t find anything.

    I’ve looked through the logs, but I’m not proficient with server security, so nothing has jumped out at me as an issue.

    I realise it could be a hacked server, but the cherry picking of higher PR WordPress domains suggests WordPress has something to do with this, particularly the 2.7 version of WP that wasn’t changed when two 2.8.4 versions on the same domain were changed.

    If someone had full root access to the server they could change all the index.php files from 50+ WP installations easily. Also the dates the files for each domain have been changed are different; the last two I’ve found are the 16th and 18th of October. Why go to the hassle of hacking a server and changing domains one by one over a period of weeks (the first domain I found hacked was hacked before the 12th)?

    To rule out a hacked server other than chkrootkit (which found nothing) what else could I check?

    If you are running WordPress 2.8.4 and have a PR4+ home page view source of the home page and see if you have any hidden links. I’ve found them mostly below the footer, but on one domain it was below the body tag.

    David Law
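The two symptoms David describes above (files flipped to full write access, and a hidden link block appended to index.php) are easy to check for mechanically. The script below is an added example written for this thread, not code from the poster or from WordPress; it walks a site tree, flags world-writable entries and index.php files containing a `display:none` link container or anchors after `</html>`. The sample site it builds (paths, file contents, the spam.example link) is constructed for the demonstration.

```python
"""Added example: audit a WordPress tree for world-writable files and
hidden-link injections in index.php. The sample tree is constructed."""
import os
import re
import stat
import tempfile
from pathlib import Path

# A hidden container (display:none) that holds at least one anchor.
HIDDEN_BLOCK = re.compile(
    r'<(?:div|span|p)[^>]*style\s*=\s*["\'][^"\']*display\s*:\s*none'
    r'[^"\']*["\'][^>]*>.*?<a\s', re.I | re.S)
# Anchors appearing after the document has already been closed.
TRAILING_LINKS = re.compile(r'</html>.*?<a\s+[^>]*href=', re.I | re.S)


def scan_index_php(path: Path) -> list:
    """Return the injection patterns found in one index.php file."""
    findings = []
    text = path.read_text(errors='replace')
    if HIDDEN_BLOCK.search(text):
        findings.append('hidden-link-block')
    if TRAILING_LINKS.search(text):
        findings.append('links-after-html')
    return findings


def world_writable(path: Path) -> bool:
    """True when the 'other' write bit is set (e.g. mode 777 or 666)."""
    return bool(path.stat().st_mode & stat.S_IWOTH)


def audit_tree(root) -> dict:
    """Map relative path -> list of issues for every suspicious entry."""
    root = Path(root)
    report = {}
    for p in root.rglob('*'):
        issues = []
        if world_writable(p):
            issues.append('world-writable')
        if p.is_file() and p.name == 'index.php':
            issues += scan_index_php(p)
        if issues:
            report[p.relative_to(root).as_posix()] = issues
    return report


def build_sample_site() -> str:
    """Constructed sample: a clean plugins/index.php and an injected root
    index.php that was also chmod'ed to 777, as reported in the thread."""
    root = Path(tempfile.mkdtemp())
    plugins = root / 'wp-content' / 'plugins'
    plugins.mkdir(parents=True)
    for d in (root / 'wp-content', plugins):
        os.chmod(d, 0o755)
    clean = plugins / 'index.php'
    clean.write_text('<?php\n// Silence is golden.\n')
    os.chmod(clean, 0o644)
    injected = root / 'index.php'
    injected.write_text(
        '<?php define("WP_USE_THEMES", true); require("./wp-blog-header.php"); ?>\n'
        '<div style="display:none"><a href="http://spam.example/v">buy</a></div>\n')
    os.chmod(injected, 0o777)
    return str(root)


if __name__ == '__main__':
    for path, issues in audit_tree(build_sample_site()).items():
        print(path, issues)
```

Run it against a real document root instead of the sample tree to get a list of files to inspect; anything listed as world-writable should be set back to 644 (files) or 755 (directories) once the injected content has been removed.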

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    Why go to the hassle of hacking a server and changing domains one by one over a period of weeks (the first domain I found hacked was hacked before the 12th)?

    Because it may not be a hacked server so much as a compromised FTP password.

    The reason I’m fairly sure it’s your server/accounts and not WordPress is how limited this hack is. If it was a WordPress hack, it would spread across all your installs pretty fast, wouldn’t it? Your argument lends more credence to ‘someone has limited access to your server and is being a di**’ than ‘someone’s hacked WordPress and is selectively attacking my blogs’. Also a WordPress hack tends to be the sort that affects more than just the index.php file.

    Personally, I refuse to rationalize why some blogs are hit and others aren’t. It never makes sense. If I wanted to speculate, I’d say they’re hitting higher PRs because they found them first.

    Check your FTP and SSH logs and see if people are logging in around the same time as those files being added.

    Go through the regular advice here too: https://ocaoimh.ie/did-your-wordpress-site-get-hacked/
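The advice above, checking whether FTP logins line up with the times the files were altered, can be scripted once the log lines are parsed. The following is an added example written for this thread, not the moderator's or WordPress's code; it assumes a vsftpd-style transfer log layout (`LOG_RE`, adjust for your server's real format) and uses constructed log lines, user names, client addresses and file times.

```python
"""Added example: correlate FTP log entries with the modification times of
altered files, and list the client addresses each account logged in from.
Log format and all sample data are constructed."""
import re
from datetime import datetime, timedelta

# Assumed vsftpd-style line layout; real logs differ, so adapt this pattern.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<action>[A-Z]+): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]*)")?')

# Constructed sample log: one session from an unfamiliar address that
# uploads a zip and index.php, and a normal session the next morning.
SAMPLE_LOG = """\
Sun Oct 18 20:55:41 2009 [pid 4120] [recipes] OK LOGIN: Client "203.0.113.5"
Sun Oct 18 20:56:10 2009 [pid 4121] [recipes] OK UPLOAD: Client "203.0.113.5", "/wp-admin/web/doorway.zip", 98304 bytes
Sun Oct 18 20:57:02 2009 [pid 4121] [recipes] OK UPLOAD: Client "203.0.113.5", "/index.php", 2210 bytes
Mon Oct 19 09:12:33 2009 [pid 4388] [recipes] OK LOGIN: Client "198.51.100.20"
Mon Oct 19 09:13:01 2009 [pid 4389] [recipes] OK UPLOAD: Client "198.51.100.20", "/wp-content/uploads/photo.jpg", 40111 bytes
"""

# Constructed: mtime of the index.php found carrying hidden links.
CHANGED_FILES = {'/index.php': datetime(2009, 10, 18, 20, 57, 2)}


def parse_log(text: str) -> list:
    """Parse matching lines into dicts with a datetime under 'ts'."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        entry = m.groupdict()
        entry['ts'] = datetime.strptime(entry['ts'], '%a %b %d %H:%M:%S %Y')
        entries.append(entry)
    return entries


def correlate(entries: list, changed: dict, window=timedelta(minutes=10)) -> dict:
    """For each altered file, the log entries within +/- window of its mtime."""
    return {path: [e for e in entries if abs(e['ts'] - mtime) <= window]
            for path, mtime in changed.items()}


def clients_by_user(entries: list) -> dict:
    """Successful-login source addresses per account; an address you do
    not recognise is the first sign of a stolen password."""
    seen = {}
    for e in entries:
        if e['action'] == 'LOGIN' and e['status'] == 'OK':
            seen.setdefault(e['user'], set()).add(e['client'])
    return seen


if __name__ == '__main__':
    entries = parse_log(SAMPLE_LOG)
    for path, near in correlate(entries, CHANGED_FILES).items():
        print(path)
        for e in near:
            print('  ', e['ts'], e['user'], e['client'], e['action'], e['path'])
    print(clients_by_user(entries))
```

Feed it the real transfer log and the mtimes of the files you found modified (e.g. from `find`); a session from an address you never use, uploading index.php minutes before its recorded change, is the credential-theft pattern this thread ends up confirming.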

    Thread Starter David Cameron Law

    (@seo-dave)

    I think you are right about it not being WordPress per se; whoever the hacker is they are targeting my WordPress sites and possibly 2.8.4 in particular for links.

    I’ve tracked down FTP access that resulted in the changes. I set FTP logs to save for just a month (in hindsight should have gone for 3 months) so got 1 month access data to work from.

    I haven’t a clue how the hacker got my FTP passwords, but it’s multiple passwords and they are very random: I create passwords by randomly bashing the keyboard and then make sure each one has upper/lowercase, signs etc… and anywhere up to 20 characters, there’s no way they could be guessed.

    I found a file under WordPress on one of the hacked domains wp-edit.php and a similar file under the stats folder (which is password protected) with a different name. It looks like the file was used to insert the code into the index.php files.

    I’ve zipped it and added it to one of my sites, is it wise to post a link for others to see what it is?

    I think I’ve cleaned all the domains that have been affected, but have no idea if the server has back doors to get back in.

    Done the obvious changing passwords (started anyway, have about 200 to change!!!!).

    I suppose I should be thankful the hacker so far has only been interested in stealing links, I had another server hacked a few years back and that was trashed!

    David Law

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    Generally passwords aren’t guessed so much as scraped from some method of non-secure traffic. This is why I only use SSH and SFTP (and other similarly secure connections).

    Thread Starter David Cameron Law

    (@seo-dave)

    I eventually ruled out WordPress as the cause of the hacking of my sites.

    Although I couldn’t 100% confirm this, the most likely cause was a vulnerability in an old version of the Adobe Reader browser plugin that allowed a hacker access to my work PC; they used that vulnerability to gain access to my FTP username/password list stored in Filezilla, which doesn’t secure the stored passwords! Big mistake saving passwords in an insecure way in Filezilla, the programmers have really dropped the ball on this issue.

    Scanned my PC multiple times with a variety of products and nothing unusual showed up, so it might not be the above, but it is a known issue and the only one I could find that makes sense.

    After cleaning out the changed files and changing FTP passwords I’ve had no other problems on the server. There was no evidence of root access; it was only FTP access that was logged.

    It was a pain in the butt deleting and reinstalling 129 domains and sub-domains to be sure there were no infected files under FTP access!

    David

  • The topic ‘WordPress 2.8.4 Site Hacked’ is closed to new replies.