• I run a handful of sites on WP 3.0 (now 3.1). Each morning over the past couple of days I awaken to broken sites. The primary busted file is usually wp-includes/functions.php but there are others. Been able to find them quickly via the php errors reported.

    I upload a clean file and that fixes the problem temporarily until the next incident. I’ve been unable to find the malicious code that’s causing the problem. Have changed db passwords, ftp passwords, toughened chmod on wp-config and other content folders, but I’m getting nowhere. I guess the problem is buried somewhere in my database.

    They are also breaking my admin panel. I’ve had to reupload the entire wp-admin folder. These are temporary fixes because overnight, and sometimes during the day the sites break again.

    Has anyone else had this problem and found where the vulnerability is? I’m tearing my hair out. Even upgrading to 3.1 did not fix the problem.

    My “hosing” company is Rackspace. They tell me that this is a widespread problem affecting many of their WP users. Why is there no news or info on this anywhere?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Your database can have bad code hidden in it too. I've seen some SQL commands for finding and cleaning but can't find the blog post now.

    One thing you can do is in phpMyAdmin search the whole database for base64 and 46esab.

    Edit: here is a very detailed post.
    https://smackdown.blogsblogsblogs.com/2010/06/14/rackspace-hacked-clients-check-your-databases-wordpress-wp_optimize-backdoor-in-wp_options-table/

    SELECT * FROM wp_options WHERE (option_id LIKE '%base64_decode%' OR blog_id LIKE '%base64_decode%' OR option_name LIKE '%base64_decode%' OR option_value LIKE '%base64_decode%' OR autoload LIKE '%base64_decode%') order by option_id

    https://www.ads-software.com/support/topic/have-i-been-hacked-username-amin?replies=42

    Thread Starter Lee Adler

    (@drstool)

    thanks! will try that!

    Thread Starter Lee Adler

    (@drstool)

    Found this-

    SELECT *
    FROM xxxxx.blogname_options
    WHERE (
    option_id LIKE '%46esab%'
    OR blog_id LIKE '%46esab%'
    OR option_name LIKE '%46esab%'
    OR option_can_override LIKE '%46esab%'
    OR option_type LIKE '%46esab%'
    OR option_value LIKE '%46esab%'
    OR option_width LIKE '%46esab%'
    OR option_height LIKE '%46esab%'
    OR option_description LIKE '%46esab%'
    OR option_admin_level LIKE '%46esab%'
    OR autoload LIKE '%46esab%'
    )
    LIMIT 0 , 30

    That’s the bad stuff?

    Running that command will give a result of records if there is anything. On very, very rare instances do I find legitimate code using base64 (but in the PHP itself), but usually not 46esab when legit.
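
Added example, not part of the original thread: a Python sketch of the "search the whole database for base64 and 46esab" check, run over a SQL dump instead of one table at a time, with reversed-marker hits listed first since the reply above treats those as rarely legitimate. It assumes a mysqldump-style export with `INSERT INTO` statements; the function names and the sample rows are constructed for illustration.

```python
import re

# Marker named in the thread; its reversal ("46esab") is derived below.
MARKERS = ("base64",)
INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`?", re.IGNORECASE)

# Constructed sample in mysqldump style (not data from the thread).
SAMPLE_DUMP = """\
INSERT INTO `wp_options` VALUES (1,0,'siteurl','http://example.test','yes');
INSERT INTO `wp_options` VALUES (2,0,'constructed_a','edoced_46esab PLACEHOLDER','yes');
INSERT INTO `wp_posts` VALUES (7,'<img src="data:image/png;base64,AAAA">');
INSERT INTO `wp_options` VALUES (9,0,'constructed_b','EDOCED_46ESAB PLACEHOLDER','no');
"""

def build_patterns(markers=MARKERS):
    """Return (label, is_reversed, regex) for each marker and its reversal."""
    out = []
    for m in markers:
        for label, rev in ((m, False), (m[::-1], True)):
            out.append((label, rev, re.compile(re.escape(label), re.IGNORECASE)))
    return out

def scan_dump(dump_text, markers=MARKERS):
    """Return (line_no, table, marker, is_reversed) for every marker hit."""
    patterns = build_patterns(markers)
    hits, table = [], None
    for line_no, line in enumerate(dump_text.splitlines(), start=1):
        m = INSERT_RE.search(line)
        if m:
            table = m.group(1)  # rows on this line belong to this table
        for label, rev, rx in patterns:
            if rx.search(line):
                hits.append((line_no, table, label, rev))
    return hits

def reversed_first(hits):
    """Order hits for review: reversed markers first, then by line number."""
    return sorted(hits, key=lambda h: (not h[3], h[0]))

if __name__ == "__main__":
    for line_no, table, label, rev in reversed_first(scan_dump(SAMPLE_DUMP)):
        kind = "reversed" if rev else "forward"
        print(f"line {line_no}: table={table} marker={label} ({kind})")
```

Forward hits such as the `data:` image URI in the sample still need a manual look before anything is deleted.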

    Thread Starter Lee Adler

    (@drstool)

    thanks again. will delete.

    Thread Starter Lee Adler

    (@drstool)

    After reading that thread, and considering the poor response that I’ve gotten from Rackspace and the fact that it was THEIR NEGLIGENCE that was at the root of all this crap, I put in a call to my attorney who happens to specialize in class action suits. I think Rackspace owes me and everyone else who has spent countless hours dealing with this crap, something.

    In general, my experience with them since moving over from managed hosting to the Rackspace Cloud has been atrocious. I’m wondering if others have the same experience. Something needs to be done.

    Problem is that in 12 years of running websites I’ve yet to find a webhost that didn’t have tons of “issues” so I’m reluctant to move again.

  • The topic ‘Sites compromised’ is closed to new replies.