How do I verify & recover from a hack?
I’ve got big problems with my wordpress MU install. The site is running WP 3.0.1. A few weeks ago, the site started having trouble displaying videos that were embedded into posts in a blog using Viper’s Video Quicktags. I’ve posted about that in the Troubleshooting forum.
Yesterday, I installed an Antivirus plug-in & a firewall plug-in. Now, when I click on the link for the “sermons” blog in the menu bar, I get a 404 error. And the 404 page that is displayed is NOT the one from my theme. Am I right in believing that my site has been hacked?
And if it is hacked, how do I recover & prevent it from happening again?
Thanks
Tony
OK, I just tried to go to the Sermons blog and it works now. I don’t get that. I even tried going to a page that doesn’t exist, and now I’m getting the 404 page in my theme.
This is NOT what happened last night!
I’m soooo confused!
The 404 page you see could be coming from your host, though I’m not sure why that would be the case unless something on your host’s end is messed up.
You can also read https://codex.www.ads-software.com/FAQ_My_site_was_hacked if you think you’ve truly been hacked. Though I haven’t heard much about 3.0.1 being directly vulnerable.
I’ve also got bbpress installed on this site & I’m wondering if that’s where the damage is coming from. There are lots of spam hot tags but no posts over there. I don’t go to that part of the site often.
I’m at work & I can’t seem to log into either WP or bbpress on IE7 here. Further, my banner isn’t displaying at all in IE7, but it used to. It does display in Firefox & IE 8.
But I can’t log into the Admin panel in Firefox here at work, either.
Something’s definitely wrong!
I guess my last problem with not being able to reach my admin pages was a traffic issue on the host. I’m in there now.
Using my host’s file manager tool, I went into the folder on the machine for the sermons blog. There was no .htaccess file. I changed the permalink structure & saved it, then changed it back. There is now an .htaccess file & a .htpasswd file. But I still can’t access the video.
Here’s the URL directly to one of the affected files:
[video src="https://churchonhigherground.org/worship/sermons/files/2010/04/10-0411-01.flv" /]
When I navigate directly to this URL (I open a new tab & paste the URL into the address bar), I get a 500 Internal Server Error from the server. This is the issue I’ve been having for a long time now, and I don’t know what to do about it.
Please help.
Tony
OK. I think the problem is someone has commandeered my forums. When I go into bbPress, there are 11 tags that weren’t there & a number of “recently moderated items” that I didn’t even see until now. And, when I go to the Posts link in bbPress, I don’t see these “recently moderated items”.
Time to close up bbPress.
Now, when I click on the link for the “sermons” blog in the menu bar, I get a 404 error. And the 404 page that is displayed is NOT the one from my theme. Am I right in believing that my site has been hacked?
No, that’s not a hack.
Well, there’s something wrong with my wordpress mu install now. I changed my password and now, when I log in, I keep getting taken back to the login page without any mention of an incorrect password or any problems. I actually had to log in on the bbPress side of my site.
I’m going to follow the instructions on recovering from a hack & see if that fixes my problems, unless someone has a better idea?
Thanks
Tony
You could have something messed up on the bbpress side, so I’d disable that for sure.
Here’s what I did last night.
1. My Macbook had the bad 404 page cached. I looked at it & it had an iframe that referred to https://www.dsnextgen.com/. This wasn’t ever in my theme.
2. I erased all of the WPMU php, css, js, images, and other files in the /worship (Where WPMU is installed), /worship/wp-includes and /worship/wp-admin folders. I used my FTP tool to delete these files. While I was at it, I deleted all of the files for my theme, which the Antivirus plugin thought were suspicious.
Next, I had WPMU 3.0.1 installed on the macbook, so I uploaded it to the host. Next, I went through the automated download & install of WP 3.0.1. Finally, I uploaded my theme back into its folder.
I then ran the Antivirus scan of my theme. It gave all but one file a clean bill of health. 10 or 20 minutes after that, I scanned the theme files again and it marked just about every file in the theme as suspicious.
As I didn’t touch any of the plug-ins, I think that one of them is infected with something & it’s screwing with my theme. So I’m going to redo everything I did last night, and blow away & reinstall the plugins. But I’m going to do the plugins one at a time. And I’m only going to install the ones that my site is actually using.
Oh, about the bbPress install. I didn’t do anything with it, though I think that is working OK. Still, it’s attracting spammers and no one at my church is using it. So I’m going to deinstall it entirely. I’ll have to delete some pages from the wordpress side, but that’s no biggie.
Does anyone have any other ideas?
Thanks
I then ran the Antivirus scan of my theme. It gave all but one file a clean bill of health. 10 or 20 minutes after that, I scanned the theme files again and it marked just about every file in the theme as suspicious.
The odds are that either your server has been compromised or you have a bad plugin. Get rid of the plugins NOW. Dump them all and get new, fresh, copies from www.ads-software.com. Then secure your server.
Server Security 101.
1) Change your passwords. All of them. From FTP and email to the Database and your WP admin password. Do it NOW.
2) NEVER access your site’s backend insecurely. SFTP, SSH only.
3) Read this: https://codex.www.ads-software.com/Hardening_WordPress#File_permissions
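As an added example (not from the thread, and not a WordPress or www.ads-software.com tool), a small POSIX shell helper that does the “verify” part of the recovery described above: it compares a live install against a pristine unpack of the same WordPress version, lists modified, missing and unexpected PHP files, flags theme files carrying an injected iframe or eval(base64_decode(...)), and lists world-writable files per the hardening guide. The two sample trees it builds are constructed for illustration; on a real site point it at the fresh download and the live folder.

```shell
#!/bin/sh
# Constructed helper for this thread (not a WordPress or forum tool): compare a
# live WordPress tree against a pristine unpack of the same version and report
# modified, missing and unexpected PHP files, injected markup in theme files,
# and world-writable files. Each finding is one line, so output can be counted.
wp_integrity_check() {
  clean="$1"; live="$2"
  # Core files must exist in the live tree and be byte-identical to the clean copy.
  for f in $(cd "$clean" && find . -name '*.php' | sort); do
    if [ ! -f "$live/$f" ]; then echo "MISSING  $f"
    elif ! cmp -s "$clean/$f" "$live/$f"; then echo "MODIFIED $f"
    fi
  done
  # PHP files the clean copy lacks are suspect; wp-content (themes, plugins,
  # uploads) legitimately differs and is checked separately below.
  for f in $(cd "$live" && find . -path ./wp-content -prune -o -name '*.php' -print | sort); do
    [ -f "$clean/$f" ] || echo "EXTRA    $f"
  done
  # Theme files carrying an iframe or eval(base64_decode(...)), the kind of
  # injection seen on the cached 404 page in this thread.
  grep -rlE '<iframe|eval\(base64_decode' "$live/wp-content/themes" 2>/dev/null \
    | sed 's/^/INJECTED /'
  # World-writable files let any local user rewrite the site (hardening guide).
  find "$live" -type f -perm -002 | sed 's/^/WRITABLE /'
}

# Build a small constructed pair of trees that triggers every finding type once.
make_sample_trees() {
  umask 022
  root=$(mktemp -d)
  mkdir -p "$root/clean/wp-admin" "$root/live/wp-admin" "$root/live/wp-content/themes/demo"
  printf '<?php echo "admin";\n' | tee "$root/clean/wp-admin/index.php" > "$root/live/wp-admin/index.php"
  printf '<?php echo "load";\n' > "$root/clean/wp-load.php"
  printf '<?php echo "load"; /* tampered */\n' > "$root/live/wp-load.php"    # MODIFIED
  printf '<?php echo "settings";\n' > "$root/clean/wp-settings.php"          # MISSING from live
  printf '<?php eval(base64_decode("AAAA"));\n' > "$root/live/wp-backup.php" # EXTRA
  printf '<html><iframe src="http://example.invalid/"></iframe></html>\n' \
    > "$root/live/wp-content/themes/demo/404.php"                            # INJECTED
  chmod 666 "$root/live/wp-admin/index.php"                                  # WRITABLE
  echo "$root"
}

# Count findings for the sample trees (expected: 5, one of each type).
sample_finding_count() {
  root=$(make_sample_trees)
  wp_integrity_check "$root/clean" "$root/live" | grep -c .
}
```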
I have changed the passwords of all administrator accounts on the site. I deleted all wordpress executables in the /worship, /worship/wp-includes, and /worship/wp-admin folders. I deleted all plugins and themes.
I then downloaded a fresh copy of wp 3.0.1. I then uploaded it back into the /worship folder. I recovered wp-config.php from a backup and copied that over the default one that comes with WP. I then uploaded Akismet & a plug-in that I wrote and the various themes I have installed on my macbook development copy of the site.
After doing all of that, I downloaded & installed the Firewall 2 and Antivirus plugins. Then I downloaded other plugins that the site uses like NextGen Image Gallery and Vipers Video Quicktags. I’m happy to say that the antivirus no longer reports any problems with my theme files. So it looks like the security issues are resolved, for now.
However, I’m not 100% out of the woods yet. NextGen Image Gallery cannot access any of the images in its galleries. And the site still can’t serve up most of the videos on my site. I’m going to try tonight to download one of the videos using FTP & see if it will play on my macbook. If it will, then I know the files are ok & there’s still some other issue going on.
The videos all have 755 permissions. I know that three of them get served up fine, so it could be that the problem is with the video files themselves. I don’t know how they could have gotten corrupted, but it’s possible.
I think I have backups for these files on a backup drive at home. Hopefully the problem is the files & I do have the backups.
It’s 5 hours later & I just did a virus scan on my theme & now 2 files are flagged as suspicious. It flags the following line in 2 different files:
<?php include(TEMPLATEPATH . '/sidebar2.php'); ?>
The word “include” is highlighted in yellow.
Can anyone tell me how this thing works & why an PHP include statement can be suspicious? The files affected are 404.php & archive.php.
I just installed 2 plugins right before I ran this check. Perhaps one of those 2 is infected with something?
Also, this is the .htaccess file in the blogs.dir folder for one of my blogs:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /worship/sermons/
RewriteRule ^index\.php$ - [L]
RewriteRule (.*) /worship/sermons/index.php?uamfiletype=attachment&uamgetfile=$1 [L]
</IfModule>
I can’t find a file called index.php in /worship/wp-content/5/files, which is the folder that maps to /worship/sermons. Where should it be?
This
<?php include(TEMPLATEPATH . '/sidebar2.php'); ?>
is a perfectly normal call for a theme to make. This
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /worship/sermons/
RewriteRule ^index\.php$ - [L]
RewriteRule (.*) /worship/sermons/index.php?uamfiletype=attachment&uamgetfile=$1 [L]
</IfModule>
I’ve never seen before…
Did you install a plugin for sermons? I know there’s WP-specific one for this.
ipstenu:
I think that may have come from a plugin I had installed called User Access manager. When I first built the site, I wanted a “members only” area & I used that plug-in to set it up. Now I’m suspicious of it as that was one of the plug-ins I installed this afternoon, just before the antivirus scan flagged those lines as suspicious.
The thing is, those lines were there this morning & it didn’t complain about them, either.
I’m going to delete the .htaccess file & see what happens.
Andrea_r:
I wrote a plug-in to do searches of the posts in the sermons blog. Each video is in a post of its own; I record information in the post’s meta data using a form included in the plug-in, and it scans the meta data using criteria you specify in another form. It works, but I didn’t find anything that could do what I wanted when I was looking, so I built it.
Tony