Security issue, multiple sites

okay, I figured a couple things out…

there’s a few strange looking databases in my phpadmin area, most look similar to this :

“rss_1f6c214c60d29cacd0400469cc53ff37”

and then, inside those, there’s RIDICULOUS lines of code filled with all sorts of link bait and queries I’ve been seeing hit my blog.

So I’m going to delete them now. I figure I have a backup of te whole database so if I break something I can restore it… but I’m feeling pretty confident here since inside those entries I’m seeing all sorts of evil looking copy and links :

O:9:"MagpieRSS":17:{s:6:"parser";i:0;s:12:"current_item";a:0:{}s:5:"items";a:1:{i:0;a:3:{s:5:"title";s:16:"No results found";s:11:"description";s:43:"No results were found for https://burst/blog";s:7:"summary";s:43:"No results were found for https://burst/blog";}}s:7:"channel";a:10:{s:9:"generator";s:15:"Technorati v1.0";s:9:"webmaster";s:43:"[email protected] (Technorati Support)";s:4:"docs";s:37:"https://blogs.law.harvard.edu/tech/rss";s:3:"ttl";s:2:"60";s:4:"tapi";a:3:{s:6:"result";s:5:"
    ";s:10:"result_url";s:17:"https://burst/blog";s:19:"result_rankingstart";s:1:"0";}s:6:"result";s:16:"

";s:5:"title";s:23:"Technorati Search for: ";s:4:"link";s:17:"https://burst/blog";s:7:"pubdate";s:29:"Thu, 01 Jan 1970 00:00:00 GMT";s:7:"tagline";N;}s:9:"textinput";a:4:{s:5:"title";s:17:"Search Technorati";s:11:"description";s:43:"Search millions of blogs for the latest on:";s:4:"name";s:1:"s";s:4:"link";s:32:"https://technorati.com/search.php";}s:5:"image";a:3:{s:3:"url";s:50:"https://static.technorati.com/pix/logos/logo_sm.gif";s:5:"title";s:15:"Technorati logo";s:4:"link";s:21:"https://technorati.com";}s:9:"feed_type";s:3:"RSS";s:12:"feed_version";s:3:"2.0";s:5:"stack";a:0:{}s:9:"inchannel";b:0;s:6:"initem";b:0;s:9:"incontent";b:0;s:11:"intextinput";b:0;s:7:"inimage";b:0;s:13:"current_field";s:0:"";s:17:"current_namespace";b:0;s:19:"_CONTENT_CONSTRUCTS";a:6:{i:0;s:7:"content";i:1;s:7:"summary";i:2;s:4:"info";i:3;s:5:"title";i:4;s:7:"tagline";i:5;s:9:"copyright";}}

FYI, this exploit extends to 1.5.2 as well. Yeah, I know I have blogs that I need to upgrade… sigh.

I could not find wp-info anywhere, but had several instances of the backdoor code in php files, several _old.jpgg etc, a phantom wordpress() user and it does indeed say its running 2.5… I am having problems getting into phpMyAdmin (probably unrelated), so I can’t say for certain what is in there. From the date codes it looks like I was hit twice, one time on the 16th and once on the 25th, IIRC.

After almost 12 hours, was able to finally fix the WordPress 2.5.1. “still needs to upgrade to 2.5.1.” issue. Most of the suggestions were mentioned already but here are links and steps that might help.

MAKE SURE YOU BACK UP YOUR DATABASE BEFORE DOING THIS!

After upgrading my WordPress version 2.5 to 2.5.1., the dashboard is still telling me that I’m still on version 2.5. That’s what brought me to the forums and eventually I found out I have those _new, _old, .pngg.php, .jpgg.ph, etc files in my content directory. So I immediately deleted that. For some reason though I can’t find the ‘wp-info.txt’ file, even while viewing the hidden files (using filezilla).

This was the most helpful link I got:

1. https://wordpressphilippines.org/blog/has-your-wordpress-been-hacked-recently/ – read carefully and follow as instructed.

2. Make sure you delete the phantom “WordPress” user. To instantly check if you have that user, go to your WordPress admin “users” page, enter “WordPress” under Search Users, if you DO NOT get a “No matching users were found!” you definitely have the phantom user in your database. You will notice a weird blank box appearing if you have that user. Another easy way is to Write Post, scroll down to Post Author, if there’s an “invisible” author, that’s the phantom WordPress user.

Check the link provided on #1, and delete it by accessing your database.

3. As mentioned in one of the entries above, look under database wp_options the VALUES ‘active_plugins’ and ‘deactivated_plugins’. It is very likely you will notice a plug-in that’s not supposed to be there. Here’s what I get in mine:

i:0;s:117:”../../../../../../../../../../../../../../../../../../../../../../tmp/tmpw6d0cG/sess_dea436 and so on (a very long plug-in entry)

Remove that entry. If it works, then fine. If it doesn’t, you can delete the entire line entry (active_plugins and deactivated_plugins) and WordPress will automatically create new entries BUT MAKE SURE YOU BACKUP FIRST! THIS HAS NOT BEEN VERIFIED TO WORK FOR EVERYONE, but that’s what I did on mine and it worked. When I enter the admin page, I just have to re-activate the plug-ins.

Check your dashboard. You’ll read the message: “This is WordPress version 2.5.1.”. BACKUP your database immediately to help you against new or missed exploits.

What I noticed is that removing the offensive files will still give you the false version message in your dashboard. What cleared it are steps #2 and #3.

I strongly suggest you download the WP Security Scan plug-in (newly updated, just google it). It checks your writable directories as an added insurance that your directories have the correct chmod. If you tend to edit your themes often, don’t forget to give them back their original permissions for added security.

I hope this helps. BACKUP first before trying.

ultrasonic, this was a HUGE help.

I’ll be keeping an eye on my db for a while to see if more problems crop up.

Thanks so much for all the sleuthing.

I don’t know if this is helpful information to anyone trying to track down the source of this problem, but I’ll post it just in case.

I discovered the hack today when I tried to upgrade from 2.5 to 2.5.1. After following this thread, I found the offending lines of php code in one of my templates, plus all the rest.

Up until April 19, I was running WP 2.0.4. On April 19, I backed up my entire site in preparation for the move to 2.5.

I’ve had a look through that backup. On that date, my template files were OK. So the hack hadn’t been triggered yet. However, in my wp-content/uploads folder, there is a file called js.php, dated April 3.

This file seems to be the one with the payload for the hack. I’m not really a php coder but have enough of a software background to recognize it’s not doing nice things, and believe I’ve found the piece of code that injects the offending line of PHP code into the beginning of people’s files. The file makes several references to the following URL https://unurex.cn

Is there anyone I can send this file to for study? I’m not that familiar with the system around here.

Katrina

Me again.

After studying the payload file, I would really appreciate someone more competent than me having a look:

1) To tell me the extent of the damage to my security. What exactly did the hack do and what did the hackers get from me?

2) To tell me if the steps mentioned by above posters are sufficient for getting rid of it. js.php seems to try to restore the hack, or embed stuff to restore it. It also seems to affect wp-includes/functions.php, or try to, which worries me, because I hadn’t seen that mentioned by anyone yet. I’m assuming my update to 2.5.1 clobbered whatever it did to functions.php, but I can’t be sure.

Just tell me who to communicate with to send the file to and I will pass it along.

Kat

Hm.. my site got hacked too.. It seems that all the index.htm/index.php files contained in my public_html folders were deleted and switched. I’m using wordpress version 2.5. In additions, index files in subdomains that were locked up were also switched.

https://sgorchids.com/

I will be leaving my site the way it is for a while till about two weeks later. Just wondering if anybody experienced security issues with wordpress version 2.5.1 yet? I’m hoping to rebuild my site on a security stable version of wordpress.

ultrasonic: thanks for all your hard work on this – I finally got everything cleaned up on my installation. Much appreciated.

I’ve had a couple of sites hit by this, and spent a while cleaning up the mess. Now that’s done, I’ve been looking at the logs and all the accesses I can find so far for the hacked files are from two IP addresses, both in the same block:

194.110.162.23 and 194.110.162.79

The earlier accesses are with the .23 and later ones .79. The block is registered to extendedhost.com in Canada, though there is no website there I can find.

Will continue to dig a little and see what else I can find.

I have installed wordpress 2-3 times taking new build from www.ads-software.com. But after some hours, it get hacked by some person called cesar. Can you please check if there is some loophole that needs to be patched!

my site URL is https://aksblogger.com

Regards,
AKS.
https://Shrink2One.com

As a final clean-up note for your databases, not only should you check your active plugins database entry in wp_options, but in your wp_posts, and wp_postmeta tables, look for the following and delete these entries:

in wp_posts:
any post titled rzf.txt (or a filename/title you do not recognize). Make a note of the post_id if you find any of these.

in wp_postmeta:
entries that list an attachment for the post_id you noted above. They will have meta_keys of _wp_attached_file and _wp_attachment_metadata and post_ids matching any hidden posts you found above. the meta_value will point to files like rzf.txt, or the bad pngs and jpegs mentioned in prior posts

I was just doing some extra surveying of my site when I came across these entries I overlooked the first time around. Since I’d cleared the attachments out of uploads already, no extra harm done.

You should check this article too: https://www.bloggerguide.net/blog-platform/wordpress/wordpress-exploit-giving-backlinks-redirects-and-headaches-but-no-visitors/

Crazy hackers…

Seems to me a hundreds of thousands of wordpress sites got hacked and wordpress doesn’t know exactly how it happened.

I was using the current version each time my site was hacked.

I too have undergone to attack at myself on a blog I have found out the same plug-in only the modified

source code here

https://wordpress.pastebin.com/f7e85d3e4