• Google search is full of it, but no one has ever written about this hack. Someone asked me to fix it, but how did they get in?

    It looks like every index.php file has been replaced by this code, but I have to see if anything else has been changed.

    Anyone know more about this?

    Link to code: Pastebin

Viewing 15 replies - 1 through 15 (of 20 total)
  • Thread Starter Wendihihihi

    (@wendihihihi)

    Thanks for the reply and list.

    Still three questions left:

    1. Does anyone know how they got in?
    2. Does anyone in general know anything about this hack?
    3. Has anyone else already been hacked this way?

    Bilbo101

    (@bilbo101)

    Hi, I have had the same problem and not come across a hack like this before. I restored a backup of the database to a time before the hack happened and I uploaded a backup copy of all the files to overwrite all the changes the hacking script had made and I STILL get the message “Ownz by m4dsx”, surely I must have missed something because restoring all the files and db would normally sort everything ( scratch head ). Next I went to check the log files to see if I could find where and when the hacker was gaining entry but unfortunately the logs folder was empty. This is all very odd and took down all my WordPress sites but did not touch a bog standard HTML or ASP site, so I guess the vulnerability is something to do with WordPress or a plugin. I will keep searching and trying to solve and if I find out anything useful I will update you here.

    Thread Starter Wendihihihi

    (@wendihihihi)

    I could fix it (for now) by just replacing the overwritten index.php files with the original ones. I installed 3.7.1 again and checked all the other index.php files to see if the code was gone. It was quite easy to find them because all changes were on the same date/time.

    I think the hacker deletes part of the access log file, since you also didn’t have records.
    This IP address was used btw: 84.240.30.56, but it probably doesn’t say much.

    Here is a list of plugins that were installed at time of the hack.

    Akismet
    AP HoneyPot
    Google Analytics for WordPress
    Keyword Statistics
    Monitor Pages
    Relevanssi
    StatComm (StatPress Community) Multisite Edition
    WordPress SEO
    WP Maintenance Mode

    Permissions are all set default, so 644 for files and 755 for directories.
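The thread’s own cleanup step was to hunt for replaced index.php files by modification time. The following is an added example (not code from the thread or from WordPress) that does the more reliable version of that check: it compares a suspect document root against a pristine unpacked copy of the same WordPress release (the thread mentions 3.7.1) and also greps for the defacement string quoted in the thread. It assumes the clean tree is in `$1`, the suspect tree in `$2`, and that an optional `$3` overrides the marker string.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists PHP files in a suspect
# WordPress tree that differ from a pristine copy of the same release, plus
# any file that carries the defacement string mentioned in this thread.
# Assumptions: $1 is an unpacked clean WordPress (same version, e.g. 3.7.1),
# $2 is the suspect document root. Core-only comparison: paths under
# wp-content/ (plugins, themes, uploads) are not in the core tarball, so
# additions there are skipped and rely on the marker grep instead.
# Modification times are deliberately not used: an attacker who wipes access
# logs can just as easily reset mtimes, so content comparison is the check.

find_tampered() {
    clean="$1"
    suspect="$2"
    marker="${3:-Ownz by m4dsx}"   # string reported in the thread; override with $3

    # Pass 1: every PHP file in the suspect tree, checked against the clean copy.
    (cd "$suspect" && find . -type f -name '*.php' | sort) |
    while IFS= read -r f; do
        if [ -f "$clean/$f" ]; then
            cmp -s "$clean/$f" "$suspect/$f" || echo "MODIFIED $f"
        else
            case "$f" in
                ./wp-content/*) ;;             # expected to be absent from core
                *) echo "ADDED    $f" ;;       # e.g. a dropped web shell in wp-admin/
            esac
        fi
    done

    # Pass 2: any file, PHP or not, containing the defacement marker.
    # This is what catches replaced index.php files inside plugin directories.
    grep -rlF -- "$marker" "$suspect" 2>/dev/null |
    while IFS= read -r p; do
        echo "MARKER   .${p#"$suspect"}"
    done
}

# Stand-alone use: find_tampered /path/to/clean-wp /var/www/site > report.txt
```

Review the MODIFIED list by hand: wp-config.php and any file you edited on purpose will show up too, and the report is only as good as the clean copy really being the same release.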

    Bilbo101

    (@bilbo101)

    Hi, thanks for the update. I have managed to clean it from one site, however for some reason on another site I have had no joy so far even though I have uploaded a backup copy of all the files. I have got the webmail package Roundcube installed on one site and when I go to log in to the webmail I get the hacker’s message. I have deleted the Roundcube files off the server and re-uploaded a backup copy, and my hosts tell me they have uploaded a backup copy of the DB, but still the hacker’s message remains, very puzzling. With regards to the plugins, none of my sites were using the plugins you mentioned above so it is probably not a plugin vulnerability that is allowing the hacker in. However I had not got round to updating my sites to the latest version of WordPress and they were running the previous update, so that might be the issue. I found out that this hacker originates from Indonesia, and as my target audience is 99% in the UK then I think I am going to block the usual suspects’ country IPs from accessing my sites in the future, like Russia, China, Nigeria, Ukraine etc.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    1. Does anyone know how they got in?
    2. Does anyone in general know anything about this hack?
    3. Has anyone else already been hacked this way?

    No idea to any of the above. It could have been via a theme, a plugin, your host or perhaps the attacker managed to capture your ID and password for your WordPress installation. Or as you’ve other apps on that server one of those apps could have been compromised and they got into your WordPress installation that way.

    The data is usually in your logs but identifying the how right now is less important than making sure your installation is secured.

    I restored a backup of the database to a time before the hack happened and I uploaded a backup copy of all the files to overwrite all the changes the hacking script had made and I STILL get the message “Ownz by m4dsx”

    Which is why the next quote won’t work either…

    I could fix it (for now) by just replacing the overwritten index.php files with the original ones.

    That doesn’t actually fix it as much as make the symptom go away for only a little while. Until you delouse and harden your WordPress installation then you’ve not really fixed it.

    Give those links WPyogi posted a good read. They will help you get a handle on your situation.

    rorydm

    (@rorydm)

    OK guys, I just had this done to me as well, same wa**er. They seem to be getting in by the plugin Contact Me form, as that’s where I’ve just found the code on 2 of my sites. Have a look and see if you’ve got that yourself; if not, turn off all of your plugins and see if that helps.

    rory

    odinelo

    (@odinelo)

    Hi all, this same bar steward has done it to me, too. I’m not using the Contact Me plugin on any of my sites. I have around 20 WordPress sites, all hosted with the same company. They serve a range of different purposes and so have different themes and plugins installed. I don’t think there is any one plugin that is present in every site. About half the sites were running older versions of WordPress, with the others all up to date. The odd thing is that they were all hacked on the same day, which leads me to believe the attacker managed to get into my hosting account and give himself access to the WP sites. I also have other sites on there (Apache/ PHP), which were not touched.

    So it’s worth changing your hosting passwords everyone!

    segana

    (@segana)

    [Content removed by poster]

    Thread Starter Wendihihihi

    (@wendihihihi)

    @segana Yes, we know, but the question is: how?

    esmi

    (@esmi)

    @wendihihihi: If you require assistance then, as per the Forum Welcome, please post your own topic.

    Thread Starter Wendihihihi

    (@wendihihihi)

    @esmi I don’t need assistance and this topic is my own topic.

    esmi

    (@esmi)

    Oh – I am sorry! My bad!

    To answer your question, it’s virtually impossible for us to determine how the hacker managed to get into your site. Your hosts are better placed to help with this as they have all of the server’s access logs.

    Thread Starter Wendihihihi

    (@wendihihihi)

    Yeah, I was just hoping that someone got an undeleted access log… The host where it happened isn’t a very helpful one, so I can’t expect anything from them. This hack is easy to fix, but I’m just curious how they got in.

    esmi

    (@esmi)

    WordPress itself doesn’t log anything by default unless you turn debug on and, frankly, I doubt that would have helped much in this situation. And obviously, we have nothing here as www.ads-software.com distributes and documents the WordPress application but has no connection with any site running that software.

    Generally speaking, there are only 2 ways the hacker could have penetrated your site:

    1. via another insecure site or application on the server.
    2. via your site itself.

    There’s little you can do about (1) although your hosts should have something in place to try & stop potential hackers getting access to all sites on the server via 1 insecure site. You might want to ask them about this.

    With respect to (2), you may have been using an insecure theme or plugin. Or the hacker may have gained access via FTP using logins stored on an infected computer. I assume you have changed all FTP, hosting account and site passwords, yes? Have you virus scanned all machines that you used to access the site?

  • The topic ‘0wnz by M4d3X hack’ is closed to new replies.