Got Hacked 12/08

  • Hi everyone, I am totally new to wordpress and was running 2.6 that my webhost provided. Someone on this forum spotted this code:

    <div style=”position:absolute;left:-69982px;top:-56983px”>
    <!–ex–><!–648111413–><h1>FATBLAST EXTREME ONLINE</h1> fatblast extreme online<!–657051976–><h5>FML FORTE (FLUOROMETHOLONE) ONLINE</h5> fml forte (fluorometholone) online<!–312400486–>
    </div>

    Before I go further I read the codex, I read the forums, so please don’t refer me there. I need simple, specific answers because I am a newbie. Many posts are written assuming you know css, php etc.

    So I installed a clean 2.7 but I am using the same database. Does anyone think that could be a problem?

    I am a little out of my element with MSQ Database and css php. So please speak slowly >;)

    The site does not seem to running any funky code at this time:
    https://www.warrior-scholar.com/wordpress

    I basically deleted the old copy completely and installed 2.7 fresh but to my surprise it used the same data so it was not too much work.
    I installed exploit scanner, and hash checker (which does not seem to be working with 2.7).

    So my question(s) are:
    Did I take the right steps?
    Is the fact that I am using the same database problematic?
    If so how do I remedy that?
    And how do I toughen up wordpress to avoid this?
    Any additional plugins to help assist this?

    Thanks

    Dan

Viewing 7 replies - 1 through 7 (of 7 total)

  • Did you delete your theme? It is possible that your theme was injected and in that case it isn’t wise if you keep the same theme. You also might want to have a look in your database to see if there are funny tables, extra users, etc.
    If you have read the codex, I am sure you ran into the article called “hardening wordpress”? I find the Ask Apache Password Protect plugin very usefull.
    Oh and speaking about plugins, make sure you don’t have a plugin with a known vulnerability that you keep using.

    Then: change ALL passwords, including control panel, the database, FTP, WordPress. Have a look at the “secret key” functionality that came with 2.6 and stay updated (from what version of WP did you come?).

    Thread Starter dblast

    (@dblast)

    Thanks, I deleted everything and I am using the classic theme. I check both the style,and RTl from my previous copy then copied them over they seem to be clean (I’m not an expert though) I can post them if you’d be kind enough to take a look.

    I used the secret key.

    I came from version 2.6 now 2.7.

    I’m trying to get this blog up and ready for public consumption but I want to make sure its safe first.

    I hate hackers. We should have very harsh laws for this crime.

    Dblast, 2.6.what? I hope no 2.6.5? That was a security fix upgrade.
    In any case, it seems you you’ve handled rigid enough, but be sure to have a look through the database (just to make sure, it’s probably just a spam injection) for extra tables, entries and especially users and change ALL passwords, you can never be sure enough that somehow somebody got a password and still has it.

    Thread Starter dblast

    (@dblast)

    Stupid question but is there any files you should delete after install? Sometimes when you install software they tell you to delete a setup program etc immediately. I know during the wp install I had to change wp-config-sample to wp-config am I supposed to do anything after that.

    Thanks

    Thread Starter dblast

    (@dblast)

    Also I called my webhost support to change the database password and she said if I change the password in wordpress that will change the database password. That sounded funky to me, is that correct? Is it that easy?

    Thanks Again,

    Dan

    He, my previous reply didn’t come through.
    No if you did a manual upgrade, there are no files to delete.
    You created your database yourself, right? In that case you can change the password through your PHPmyAdmin/(plesk) control panel or whatever you have. The WP password is something very different from the database password.
    Btw. It’s not too likely that the hacker has direct access to your database, but this is just to be sure. Oh, and after you changed the database password, you have to edit the wp-config.php of course!

    OK, the solution for the extraneous div added to the pages is listed here: https://www.bluehostforums.com/showthread.php?t=15360

    Here’s what happens. A vulnerable file on your server (it can be anywhere, even on a different domain, like in my case) writes the bad code into your WordPress files. Here’s how to get rid of it.

    Look for eval(base64_decode in your WP files. In my case, it appeared in 206 cases, of which 194 looked like this:

    <?php /**/eval(base64_decode('crazy-looking-code-here')); ?>

    Copy the code between the quotes in the parentheses and go here to decode it: https://www.opinionatedgeek.com/dotnet/tools/Base64Decode/

    In the decoded script, you will see a path to the bad file on your server that is writing the extraneous div code into your files. In my case it was on a different domain on the same box, in an old backup folder. It was a phpBB mod from many years ago. For other people it’s Gallery2 or some software other package.

    Find that file and either upgrade it to a non-vulnerable version or delete it, like I did.

    Finally, you will have to remove the code that the rogue file has already written into your WordPress files. In my case it was in 194 files that it has been inserted.

    So get all your files from the server, and do a find and replace for the bad code, which should look like above, just that much longer.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Got Hacked 12/08’ is closed to new replies.