Am I hacked or what?

  • Today at 1:12 PM index.php, wp-admin/index.php and wp-content/index.php files changed “itself”.

    My guess is I was hacked but basically there is no harm done just some number buffered at the end of each page.

    <?php
ob_start("security_update"); //do not remove this line - important security update!
.
.
.

                function security_update($buffer)
                {
                      $update = '4294967295';
                        if (stristr($buffer, '</html') !== FALSE)
                        {
                                return eregi_replace('</html', $update.'<html', $buffer);
                        }
                        else
                        {
                                return $buffer.$update;
                        }
                }

    Anyone experienced something like this?

Viewing 15 replies - 1 through 15 (of 16 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    If that’s in your index.php files then, yes, you are hacked. Just for discussion which 2.6 are you on?

    Read this

    https://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    And then read it again.

    Read this too

    https://codex.www.ads-software.com/Hardening_WordPress

    Upgrade to the latest version if you have not already. You need to see if there are any users added to WordPress that you don’t know about/don’t belong there.

    You need to go through your files and find where the spammy links are being added. If it’s in wp-config.php or some other file, you’ll need to make sure that is cleaned up before you can consider yourself good file wise. Look everywhere and use fresh copies of your WordPress installation, plugins, and themes.

    Look at your posts and comments and see if there are any spammy links there. You can export your whole blog to WXR and then examine the whole thing in your favorite text editor.

    Once you have cleaned up your hacked blog, harden it so this does not happen again.

    Good luck.

    Thread Starter teknoledge

    (@teknoledge)

    I’m running 2.6.3. Thanks for the quick reply!

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I’m running 2.6.3

    That’s not good, that version has known security issues. If you don’t want to take the 2.7 plunge yet, you should put 2.6.5 on your blog.

    I’m with 2.6.5 and I just found that code in my WP.

    Some more information. I may have been updated before I upgraded to 2.6.5, but I’m usually fairly quick to upgrade. I’ll never know.

    I’ve done extensive searching and I can’t find any more tampering. Specifically:

    • .htaccess not modified
    • Users not added
    • Plugins not added, no alterations in the plugins section of the database
    • Can’t find any other files that have been tampered with

    It may have been just a “dry run” and the exploiter is waiting to attack. I don’t know. I suppose the objective is to insert spam links where they please. I haven’t checked the database for strange links in posts, it’s going to be quite hard to do without knowing what to look for.

    I’m going to install 2.7, change every password, take a very good look at every directory and hope for the best.

    It may have been just a “dry run”

    no such animal exists.

    The vector was FTP, which is surprising. The attacker could have sniffed the user/password (I don’t use sFTP-yet). Nothing else was touched, which is very strange indeed.

    All passwords have been changed all over the place, and everything updated to WP 2.7. There could be a backdoor, but I wasn’t able to find it. If there is one, I guess I’ll find out soon enough.

    I’m having the same identical code added to my index.php file only.
    wp-admin/index.php and wp-content/index.php were not modifed.

    According to the server modified date, the file was modifed on Jan/9/2009.

    I’m running an old version of WordPress 2.3.3

    I don’t think is an hack, unless we are getting all hacked.
    On Google I found other people complaining about the same identical issue, have a look at:
    https://www.webmasterworld.com/php/3828975.htm

    and at https://forum.joomla.org/viewtopic.php?f=144&t=355303)
    It seems infact the same issue happened with Joomla in these days.
    They suggest to just remove the what it seems to be the injected code:

    basically the index.php file on WordPress 2.3.3 should look only like this:

    <?php
/* Short and sweet */
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
?>

    And it’s useless that people at WordPress go on saying you must update.
    Updating a WordPress blog takes time and it might result in data loss or screwed up DB if you are not very careful at what you ar doing.
    Since at WordPress seem to have fun making new releases almost every month, we can not pass our life updating the blog.

    Cheers!

    I don’t see the full code snippet so I can only guess.

    That looks like an attempt to insert something just before the closing /html tag. Very popular technique to insert malicious scripts and hidden iframes.

    Ant this can be a “dry run”. Automated program from a zombi computer tries to insert this code into every WordPress blog (or PHP site) and another automated program checks which sites are really vulnerable (they would contain that “update number”) so that it can inject something more meaningful (and dangerous).

    And it’s useless that people at WordPress go on saying you must update.
    Updating a WordPress blog takes time and it might result in data loss or screwed up DB if you are not very careful at what you ar doing.

    Quite right. That’s why you are advised to backup your database first so that you can restore if necessary.

    However, the requirement to upgrade is not going to go away simply because you want an easier life. If you do not have the time to properly administer your site, then either hire someone to do it, move to a managed service, or accept that you will get hacked.

    quickdirt

    (@quickdirt)

    Guys, I work with a designer (I’m a programmer), and we’ve been having this on almost every site my partner works on but not on the ones that I work on.

    I believe this is just a local virus that logs to the FTP sites it finds on your FTP client and injects code. I don’t think it has anything to do with WordPress at all. As I said, we’ve had this happen in many different sites; some PHP, and some pure HTML sites. In the HTML only sites, it just injects javascript, but if it sees PHP then it injects PHP too.

    Sucks…

    risk-com-au

    (@risk-com-au)

    Hi,

    Im hoping someone can help. I received a comment on my site (www.risk.com.au) from someone who has created an email address using my site name – [email protected].

    I’m pretty new to this and am not sure where the source of security issue is i.e. WordPress or Hosting Service?

    Help!?

    Thread Starter teknoledge

    (@teknoledge)

    I figured out that this has nothing to do with wordpress, it’s server/hosting security flaw that need’s to be checked. The same peace of code I found on couple of .NET coded websites so it’s definitely hosting related issue.

    risk-com-au

    (@risk-com-au)

    Hi teknoledge – sorry for the confusion but are you resonding to the email issue (my issue) or the virus issue?

    mrmist

    (@mrmist)

    received a comment on my site (www.risk.com.au) from someone who has created an email address using my site name – [email protected].

    If someone leaves an anonymouse comment it may well use your site email address to send you notification.

    Or, in any case, when someone leaves a comment, they can put any email address they like into the “email” field.

    It’s not really a security issue.

Viewing 15 replies - 1 through 15 (of 16 total)
  • The topic ‘Am I hacked or what?’ is closed to new replies.

Tags