• jefferisp7

    (@jefferisp7)


    Hi folks, I went onto our site and found a folder at our web root, where our WordPress is installed, called “undeniable” which was 777 in permissions. When I looked in there, I found a lot of pages that put header spam advertising content on our pages (including our vBulletin forum pages in a subfolder where it used existing pages with renamed URLs). But it also created SEO-friendly URLs. The ad pages don’t show up in our main website or forum itself but are visible only by accessing this rogue folder.
    A sample page might be named zachary-walker-argus.html
    And I cannot find any links in the pages that go outbound to any particular ad site, but there is content added to the page in the comment and post areas like:

    <title>"Argus cam lock || electronic ballast argus diagram"</title>
    <div class="art-sheet-bl">One under-20 he had forced with frank, and after that she had to raise her impression then, argus cam lock.
    Macarthur had the correspondent of eating over a preferred japan.
    These unusual problems require have the claim including current.
    Real samples are less strategic to hinge absence if they are organic the pinfall would be dragged and the club would be subjected.
    Same accounts debating of the medicaid didn as mo healthnet was mastered as a communication.
    North american spots is such a new life that the time has to engulf more than well a haven to drive estimates to crack up.
    <li><p>argus firearms</p><p>brinkley argus online paper</p><p>brighton argus michigan</p><a href="https://www.OURWEBSITE/2011/01/sti-month-january-2011/" >STi of the Month – January 2011</a></li>
    
     </div>
    <div class='wpsc_categories wpsc_category_grid'><p>argus bean digital camera reviews</p><p>bayliner capri 1802 cuddy 1990 argus</p><p>argus observer classifieds</p>

    I was wondering if anyone knows or has seen something like this before, what kind of plugin breach might allow this, or how to tell where the hack came from, or how to protect against it.

    Our webroot has a WordPress install but the pages in the undeniable folder had links to both WP and vB post pages….
    Many thanks in advance.

Viewing 8 replies - 1 through 8 (of 8 total)
  • @mercime

    (@mercime)

    Seen different hacks but not to the extent of a whole folder packed with malware uploaded to server. First order, back up server files and DB. Change usernames and passwords, esp. FTP/SFTP.

    We’ve just been discussing a hacked site at BP.org forums and filled up the topic with helpful links etc. https://buddypress.org/community/groups/installing-buddypress/forum/topic/our-webiste-was-hacked/

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    I would say that’s a server hack.

    https://codex.www.ads-software.com/FAQ_My_site_was_hacked

    Thread Starter jefferisp7

    (@jefferisp7)

    thanks guys

    Thread Starter jefferisp7

    (@jefferisp7)

    We found that the owner’s computer was breached via a spam hack on his Windows-based computer. An IP in Iran uploaded files using his FTP account! We’ve changed passwords, but I just want to check something else. I’m getting continuous warnings about files being modified. Some of the changes I recognize as my own, and I tried to turn off file warnings in the file monitor, but they keep coming. I just want to make sure that nothing is going wrong. We’re trying to use Tribulant software’s Checkout shopping cart and I think part of the path indicates those files EVEN THOUGH it is disabled:

    This email is to alert you of the following changes to the file system of your website at https://www.igotasti.com
    Timestamp: Tue, 15 Mar 2011 23:36:14 +0000

    [A] wp-content/gt-cache/mk/_mk
    [A] wp-content/gt-cache/de/_de_about_contact
    [A] wp-content/gt-cache/pt/_pt_vBforum_showthread.php_1116-Paint-Bay-need-ideas-thoughts-info-etc………._page2
    [A] wp-content/gt-cache/hr/_hr_vBforum_album-picture.php
    [A] wp-content/gt-cache/ro/_ro_products-page
    [A] wp-content/gt-cache/vi/_vi
    [D] wp-content/gt-cache/stale/mk/_mk
    [D] wp-content/gt-cache/stale/de/_de_about_contact
    [D] wp-content/gt-cache/stale/hr/_hr_vBforum_album-picture.php
    [D] wp-content/gt-cache/stale/ro/_ro_products-page
    [D] wp-content/gt-cache/stale/vi/_vi
    [M] error_log

    [A] vBforum/error_log
    [A] wp-content/gt-cache/lv/_lv
    [A] wp-content/gt-cache/pl/_pl_category_news-updates
    [A] wp-content/gt-cache/pl/_pl_2010_10_sti-month-october-2010
    [A] wp-content/gt-cache/et/_et_products-page_stickers-and-decals_igotasti-car-logo-sticker-white-size-5×3
    [A] wp-content/gt-cache/sv/_sv_sti-month

    If anyone recognizes these as dangerous, please let me know. We’ll have to do something deep.
    FWIW, we’ve changed all passwords, and I tried to turn on Bulletproof security but it seems to be interfering with our vBulletin forums in a subfolder.
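
One way to triage a file-change alert like the one quoted above, as an added example that is not part of the original thread: it separates changes under a cache directory from everything else and lists cache entries that were re-added while their stale/ copy was deleted. The cache prefix, the extension list and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: a directory this site has decided to treat as expected cache churn.
CACHE_PREFIX = "wp-content/gt-cache/"
SCRIPT_EXT = (".php", ".phtml", ".cgi", ".pl")  # assumed list of executable-looking names
LINE = re.compile(r"^\[([AMD])\]\s+(\S.*)$")

# Constructed sample in the alert's format, using path shapes seen in the thread.
SAMPLE_ALERT = """\
[A] wp-content/gt-cache/mk/_mk
[A] wp-content/gt-cache/hr/_hr_vBforum_album-picture.php
[D] wp-content/gt-cache/stale/mk/_mk
[D] wp-content/gt-cache/stale/hr/_hr_vBforum_album-picture.php
[M] error_log
[A] vBforum/error_log
[A] undeniable/zachary-walker-argus.html
"""

def triage(alert_text, cache_prefix=CACHE_PREFIX):
    """Bucket alert lines: 'review', 'cache_script_name', 'cache'."""
    buckets = defaultdict(list)
    for raw in alert_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e-mail header, timestamp or blank line
        action, path = m.group(1), m.group(2).strip()
        if ".." in path.split("/") or not path.startswith(cache_prefix):
            buckets["review"].append((action, path))  # outside the cache
        elif action != "D" and path.lower().endswith(SCRIPT_EXT):
            # New or changed file with a script-like name in a web-served
            # directory: confirm it is inert cached HTML.
            buckets["cache_script_name"].append((action, path))
        else:
            buckets["cache"].append((action, path))
    return dict(buckets)

def rotated(buckets, cache_prefix=CACHE_PREFIX):
    """Cache entries added fresh and deleted from stale/ in the same alert."""
    entries = buckets.get("cache", []) + buckets.get("cache_script_name", [])
    stale = cache_prefix + "stale/"
    added = {p[len(cache_prefix):] for a, p in entries if a == "A"}
    gone = {p[len(stale):] for a, p in entries if a == "D" and p.startswith(stale)}
    return sorted(added & gone)

if __name__ == "__main__":
    result = triage(SAMPLE_ALERT)
    for name in ("review", "cache_script_name", "cache"):
        print(name, result.get(name, []))
    print("rotated:", rotated(result))
```

Anything in the `review` bucket is a change outside the cache directory and deserves a manual look first.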

    PowerfulEnglish

    (@powerfulenglish)

    Hi,

    This is the same issue we have with WordPress, it is highly persistent and Google has deindexed us four or five times. I would use a new translator plugin.

    All the best,

    Laura

    Thread Starter jefferisp7

    (@jefferisp7)

    Any translator that you recommend?

    PowerfulEnglish

    (@powerfulenglish)

    We just used Transposh, will keep you updated as we are having a security check in two days.

    Thread Starter jefferisp7

    (@jefferisp7)

    Thanks, I appreciate it.

  • The topic ‘Security breach, unknown cause…?’ is closed to new replies.