wordpress exploit, site hacked [newportalse.com]
-
my site is trying to redirect to newportalse.com and google chrome is flagging it as hacked. anyone know how to fix this issue? I found a few possible fixes, but none for this specific one.
I had my site locked down really well, so I’m confused how it got hacked. they are injecting php and javascript. here is what a malware scanner returned:
Malware found on javascript file:
https://www.domain.com/wp-includes/js/l10n.js?ver=20101110[Code moderated as per the Forum Rules. Please use the pastebin]
-
Thanks for all of the advice in this thread, really appreciate it as I’ve just had this attack happen on my site.
I’ve used Sucuri and I can definitely recommend their service, will be following up with all of the suggestions in this thread to try and make my sites secure from this nonsense.
What caused the problem? I have sites but want to avoid this if possible.
Glen
Thank you for writing these posts. I used https://sitecheck.sucuri.net/scanner/
and found this was linked to my prettyphoto plugin. I also replaced the l10n.js file. Thanks again. This really saved me the headache of finding the file.
Chad
I’m trying to work on some preventative measures to stop this kind of attack. Did anyone notice if there were any strange files in your upload folder(s)? The default is /wp-content/uploads but could be changed via your settings. Or wherever images and other files are uploaded. (Not FTP)
Look for anything with a double extension. Like example.php_.jpg
Or even just a php file like example.php
There should be a setting to stop users uploading anything with the word php in it then. That would stop the problem, wouldn’t it?
Glen
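The check Glen describes above (look through the uploads tree for .php files and double extensions such as example.php_.jpg) can be scripted. This is an added example, not code posted in this thread; it assumes a PHP CLI is available and takes the uploads directory as its only argument. The list of extensions it treats as executable is an assumption.

```php
<?php
// Added example, not code posted in this thread. Scans a WordPress uploads
// tree for files that should never be there: PHP-like extensions anywhere in
// the name (example.php, example.php.jpg, example.php_.jpg) and files whose
// first bytes contain a PHP open tag regardless of extension.
// Usage: php scan-uploads.php /path/to/wp-content/uploads

$dir = $argv[1] ?? 'wp-content/uploads';
if (!is_dir($dir)) {
    fwrite(STDERR, "not a directory: $dir\n");
    exit(2);
}

// Extensions that should never appear in an uploads tree (assumed list).
const EXECUTABLE_EXTS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar'];

// Look at every dot-separated part after the base name, so a double
// extension is caught even when WordPress has appended "_" to it.
function suspicious_name(string $name): ?string
{
    $parts = explode('.', strtolower($name));
    array_shift($parts);                     // drop the base name
    foreach ($parts as $part) {
        if (in_array(rtrim($part, '_'), EXECUTABLE_EXTS, true)) {
            return 'php-like extension in name';
        }
    }
    return count($parts) > 1 ? 'multiple extensions' : null;
}

// Read only the head of the file; an image should never start with <?php.
function suspicious_content(string $path): ?string
{
    $head = @file_get_contents($path, false, null, 0, 4096);
    if ($head === false) {
        return null;
    }
    return preg_match('/<\?(php|=)/i', $head) ? 'PHP open tag in file body' : null;
}

$iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
);
$findings = 0;
foreach ($iterator as $file) {
    if (!$file->isFile()) {
        continue;
    }
    $reasons = array_filter([
        suspicious_name($file->getFilename()),
        suspicious_content($file->getPathname()),
    ]);
    if ($reasons) {
        $findings++;
        printf("%s\t%s\n", $file->getPathname(), implode('; ', $reasons));
    }
}
fwrite(STDERR, "$findings suspicious file(s) under $dir\n");
exit($findings > 0 ? 1 : 0);
```

The "multiple extensions" line is deliberately noisy: a legitimate photo-2011.v2.jpg will show up too, so treat the listing as a triage list to read through, not as a verdict. The content check matters because the scan results in the first post show the injected code living in a file whose name looked harmless.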
daboss07 was that website where the problem came from? Or did you use it to see if you had the problem?
Glen
After replacing the files that https://sitecheck.sucuri.net/scanner/ claimed were infected with fresh ones, I seem to be okay. My functions.php doesn’t seem to have the code from pastebin hellowoo kindly posted.
There should be a setting to stop users uploading anything with the word php in it then. That would stop the problem, wouldn’t it?
I don’t think that would have any positive impact. I think it would have virtually zero effect in preventing files from being placed on a website through access exposed by a vulnerability that allowed an intruder access to any of its directories.
ClaytonJames what do you think we can do to stop this type of thing happening? I just want a safe WordPress installation and site.
I think the best thing you can do right from the start is to research your host first. Take a look at the recorded history of issues, and see what you can find on the web about what others are saying about that company. You have to remember though, you will find very unhappy people who will say very unhappy things about every host, no matter what. Even though a hosting service may have had issues, it doesn’t mean they are a bad bet. It happens to everyone sooner or later. You have to look at how they responded to the issue, as much as why it happened in the first place. Run that stuff through a logic filter before you make a decision. A good indication is how willing your hosting company is to answer your questions, and if they seem to be willing to work with you, and really want your business.
Learn about the correct file and folder permissions for your environment. Being on a shared server is very different from being on a dedicated server. Don’t be afraid to ask your host – or anyone else – about these things, and research their answers if you think you should.
Learn how, and be diligent about, keeping your own pc and the tools you use to manage your site (ftp clients, usernames, passwords, etc…) secured and free from password harvesting infections and malware in general.
Keep up to date with the most recent security and bug-fix releases for WordPress. I can’t stress this enough. Stay on top of it. Also make sure that you make scheduled, regular backups of your database and all of your files. You would be surprised how many people just don’t do this. It really can be a major life saver.
Be cautious when using third-party themes, plugins, applications, scripts, add-ons, etc… do the research first. If it’s a bad idea, you can bet someone has posted something related to it somewhere. Keep your plugins and themes up to date.
Read all the resources you can find. Nothing is 100% sure, but there is no reason why you shouldn’t look out for yourself (and your readers and visitors) first, by using all of the tools at your disposal.
Good place to start: Hardening WordPress
After replacing the files that https://sitecheck.sucuri.net/scanner/ claimed were infected with fresh ones, I seem to be okay. My functions.php doesn’t seem to have the code from pastebin hellowoo kindly posted.
Update: it seems that this method DID NOT clear the issue. My browser (Chrome) still claims that newportalse.com has content on my site. This occurs despite Sucuri claiming my site is clean. It only makes this claim in the backend, about once every ten loads, never in a pattern. That’s the part that really confuses me – what could possibly be loading only every so often?
@ a4jp.com
There should be a setting to stop users uploading anything with the word php in it then. That would stop the problem, wouldn’t it?
Glen
I believe WordPress and most plugins that use the uploads folder already do this via php code that it is written with.
From a particular plugin:
if ( ( !empty( $file['file']['type'] ) && !preg_match('/(jpe?g|gif|png)$/i', $file['file']['type'] ) ) || !preg_match( '/(jpe?g|gif|png)$/i', $file['file']['name'] ) ) return false;
But hackers get around this by uploading a file with a double extension or by using null bytes.
script.php.jpg or script.php%.jpg or something like that. But I believe WordPress doesn’t allow the use of special characters so the null byte method won’t work. Also I believe WordPress will add an underscore after the first extension resulting in script.php_.jpg after the file is successfully uploaded.
And since the file permissions on the uploads folder are usually pretty loose, it could result in an issue.
As ClaytonJames mentioned, it could also rely on other vulnerabilities in the code of the theme or plugin.
My question is, has anyone checked the upload directory of anyone using the timthumb.php code or any variants thereof, that are inflicted with this attack and/or similar ones. This could be your wp-content/uploads or somewhere else. Just check and see.
I helped another webmaster solve his entry of attack by finding scripts in his uploads folder where there should be none. It may not be related, but I’m still investigating and researching. If anyone has any more positive information, I’d gladly appreciate the input.
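To make the double-extension point above concrete, here is an added example (not code from this thread or from any plugin) that puts the shape of the quoted name-only regex check next to a hardened version. The hardened check allow-lists only the final extension, rejects a PHP-like part anywhere earlier in the name (including the underscore-suffixed form WordPress produces), rejects control characters and null bytes, and asks the fileinfo extension what the bytes on disk really are rather than trusting the client-supplied type. It assumes the fileinfo extension is loaded, as it is in stock PHP; all file names and contents are constructed test cases.

```php
<?php
// Added example, not code from the thread or from any plugin. It contrasts
// the name-only regex check quoted above with a check that looks at the final
// extension, rejects an inner PHP extension, and inspects the file's real
// contents via the fileinfo extension (assumed available, as it is in stock PHP).
// The file names and file contents below are constructed test cases.

// The shape of check quoted above: a regex anchored only at the end of the
// name, plus the client-supplied MIME type. "script.php.jpg" ends in "jpg"
// and the client chooses the type, so this accepts it.
function weak_check(string $name, string $clientType): bool
{
    if ((!empty($clientType) && !preg_match('/(jpe?g|gif|png)$/i', $clientType))
        || !preg_match('/(jpe?g|gif|png)$/i', $name)) {
        return false;
    }
    return true;
}

// Hardened version: allow-list the last extension, reject PHP-like parts
// anywhere before it, reject control characters and null bytes, and require
// that the bytes on disk really are the claimed image type. Returns
// [accepted, reason-or-safe-name].
function hardened_check(string $name, string $tmpPath): array
{
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'gif' => 'image/gif', 'png' => 'image/png'];
    if (preg_match('/[\x00-\x1f]/', $name)) {
        return [false, 'control character or null byte in name'];
    }
    $parts = explode('.', basename($name));
    if (count($parts) < 2) {
        return [false, 'no extension'];
    }
    $ext = strtolower(array_pop($parts));
    if (!isset($allowed[$ext])) {
        return [false, "extension .$ext not allowed"];
    }
    foreach ($parts as $inner) {
        if (preg_match('/^ph(p\d?|tml|ar)$/i', rtrim($inner, '_'))) {
            return [false, "inner extension .$inner not allowed"];
        }
    }
    $real = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($real !== $allowed[$ext]) {
        return [false, "content is $real, not {$allowed[$ext]}"];
    }
    // Store under a rebuilt name with a single extension and no inner dots.
    $safe = preg_replace('/[^A-Za-z0-9_-]+/', '_', implode('_', $parts)) . '.' . $ext;
    return [true, $safe];
}

// Constructed inputs: a real 1x1 PNG and a text file holding a PHP tag.
$pngBytes = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
$image  = tempnam(sys_get_temp_dir(), 'up');
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($image, $pngBytes);
file_put_contents($script, "<?php echo 'hello'; ?>\n");

$cases = [
    ['photo.png',        'image/png',  $image],
    ['script.php',       'image/jpeg', $script],
    ['script.php.jpg',   'image/jpeg', $script],
    ['script.php_.jpg',  'image/jpeg', $script],
    ["script.php\0.jpg", 'image/jpeg', $script],
];
foreach ($cases as [$name, $type, $path]) {
    [$ok, $why] = hardened_check($name, $path);
    printf("%-20s weak=%-6s hardened=%-6s %s\n",
        addcslashes($name, "\0"), weak_check($name, $type) ? 'pass' : 'reject',
        $ok ? 'pass' : 'reject', $why);
}
unlink($image);
unlink($script);
```

Run it with the PHP CLI: only photo.png passes the hardened check, while the name-only regex lets the two double-extension names through because it looks at nothing but the last few characters. Whether a .php.jpg file actually executes depends on the web server's handling of multiple extensions, which is why the content check and the rebuilt single-extension name are worth having even on a host where it would not.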
Just another update with me (in case someone in the future reads this thread), because the only time I ever encounter an alert from Chrome while in the backend, and Sucuri claims my site is clean, I assumed that the issue is backend only (thus Sucuri can’t access it and the users are safe). My next idea was to use WordPress’s built-in reinstall feature. It seems to have worked. I will update this thread if I encounter the message again. Again, I only got it about 1 out of every 10 reloads, so it’ll take time to figure out if my install is really clean or not.
I just checked my uploads. Nothing unusual as far as I can tell.
(Sorry for double post)
Don’t you lose all of your links when you re-install?
I haven’t gotten any more warnings on the backend (yet), can Sucuri comment on what they think is going on here?
Why would the site come up clean if there was still code apparently on his site, does the scanner miss these files?
- The topic ‘wordpress exploit, site hacked [newportalse.com]’ is closed to new replies.