SQL attack on wpress 2.9.2
-
They changed my wp-options siteurl to be an iframe pointing to networkads.net/grep
The site was not loading correctly so I was able to find this in phpmyadmin.
I have had a rash of hacks lately and talked to Network Solutions (my host). They tell me all of their wordpress sites are getting banged up, but their servers are clean.
I use the bad behavior plugin with a honeypot key, and that makes me feel a little better. I also use the URL injection technique as discussed here:
suggested by this site:
https://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Anyone else having problems?
-
So I had NetSol help me restore my backup, but that too was infected. Guess I better get in the habit of checking the site every day… who knows how long it was hacked.
I’m just gonna start over and try to salvage the posts. I’ve already started a new WordPress install, and will go one-by-one with the posts and try to restore them.
Is it possible to simply drag and drop the posts into the WordPress directory using the FTP, and then just rebuild the links afterwards?
Is it possible to simply drag and drop the posts into the WordPress directory using the FTP, and then just rebuild the links afterwards?
The posts are in the DB, not in any file…..
Doh! >_<
sorry!
dunno how messed up your db is? If it is possible to reuse….
export, clean up, import….
This is all really new to me… apologies for being such a noob, but thank you so much for all the help and suggestions thus far.
I’m looking through the wp database now. Couldn’t see any odd users that registered so I don’t think it came in that way.
Checked a few posts, didn’t see any malicious code there either, but I haven’t looked everywhere yet.
I guess I could go post-by-post and restore the data, I mean there’s only 150 posts or so… could be much much worse.
I did set up a new install of WordPress on the server and updated to the newest version immediately (NetSol does not install the newest version via their server, FYI) but now I’m blocked out of automatic plugin updates… got a ticket filed to fix that.
@samboll – you are right, this fixes the symptoms but not the underlying cause which after several hours digging through your links (many thanks) I was not able to uncover.
I am NOT using simplepress plugin. Try harder…that’s not the common backdoor.
I should add that I also did these steps:
- Disable XML-RPC functionality which is a moderately likely attack vector, but I’m not convinced
- configured the “secret keys” feature that adds password salting to make brute force attacks by guessing weak passwords MUCH, MUCH harder…although this is an unlikely attack vector
- I used the WordPress Exploit Scanner plugin to search all source and theme files for “eval()” and “base64_decode” related backdoors. The podPress plugin has a lot of false positives and nothing appeared malicious.
- I searched database tables for “base64_decode” and “edoced_46esab”…no results
- set up an email alert using ChangeDetection.com that will alert me daily if the site’s content changes. I can safely ignore changes from new posts, but the intent is to automate capturing these iframe / cross-site-scripting attacks so we can recover zero day.
Bottom line – I believe Network Solutions’ database server farm is infected thus allowing the intruder to touch all MySQL hosted databases powering WordPress and change the siteurl value.
I contacted Network Solutions and they do NOT provide Intrusion Detection/Prevention Services or any means to monitor your FTP file space for file modifications. I’m seriously considering moving our site BACK to our corporate servers for the added control as the benefits of outsourcing the hosting no longer seem worth it.
Network Solutions could prove their competence by looking at the MySQL server logs (SNMP?) for all affected customers, identify the SQL UPDATE command that infected the siteurl value, find which process or host issued the SQL command and work backwards to find the backdoor. Once found, all affected customers (not just those with open tickets) would be informed by email of the incident and the resolution and educated on how to prevent future attacks. I’m shocked that logging and database backups aren’t enabled by default….security is just an afterthought.
Based on the repetition of the attack, I believe a cron job (either Linux’s crontab feature or using the wp_cron functionality) is responsible and automates the re-infection on a schedule.
Only time will tell…
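The checks listed in the post above (a tampered siteurl value, and eval()/base64_decode backdoors including the reversed “edoced_46esab” spelling) can be scripted. The following is an added example, not code from the thread or from any plugin it mentions; the option rows and the PHP snippet it scans are constructed for illustration.

```python
"""Added example (not from the thread): an offline scanner for the two
indicators discussed above. 1) an injected <iframe> in the wp_options
'siteurl' value, and 2) eval()/base64_decode backdoors in PHP source,
including the reversed 'edoced_46esab' spelling that strrev() tricks use.
All sample data below is constructed for illustration."""
import re
from urllib.parse import urlparse

# Patterns a WordPress-hosted backdoor commonly leaves in theme/plugin files.
SOURCE_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "reversed base64_decode": re.compile(r"edoced_46esab"),
    "strrev trick": re.compile(r"\bstrrev\s*\(\s*['\"]"),
}


def siteurl_is_clean(value: str) -> bool:
    """True only if the option is a plain http(s) URL with no HTML or script payload."""
    if "<" in value or ">" in value or "javascript:" in value.lower():
        return False
    parsed = urlparse(value.strip())
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def scan_source(text: str) -> list:
    """Return (line_number, pattern_name) for every suspicious hit, in file order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SOURCE_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


# Constructed rows, as they might come from
# `SELECT option_name, option_value FROM wp_options WHERE option_name IN ('siteurl','home')`.
SAMPLE_OPTIONS = {
    "siteurl": 'https://example.org<iframe src="http://ads.example.invalid/x" width=0 height=0></iframe>',
    "home": "https://example.org",
}

# Constructed PHP resembling an obfuscated backdoor, plus one benign line that
# must NOT be flagged (base64_encode is not base64_decode).
SAMPLE_PHP = """<?php
$f = strrev('edoced_46esab');   // strrev trick to hide base64_decode
@eval($f('aGVsbG8='));
echo base64_encode('normal usage');  // benign: encode, not decode
"""


def report(options: dict, php_source: str) -> dict:
    """Summarise which URL options are tampered and which source lines look like backdoors."""
    return {
        "dirty_options": [
            name for name, value in options.items()
            if name in ("siteurl", "home") and not siteurl_is_clean(value)
        ],
        "source_hits": scan_source(php_source),
    }


if __name__ == "__main__":
    print(report(SAMPLE_OPTIONS, SAMPLE_PHP))
```

On a real install you would feed `scan_source` the contents of each file under wp-content/themes and wp-content/plugins and `siteurl_is_clean` the two option values from a database export; as the post notes, plugins that legitimately decode base64 produce false positives, so treat hits as leads to read, not verdicts.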
I have seven WordPress Network Solutions hosted sites affected by this. However, I also manage two other WordPress sites and have them hosted by Network Solutions and they have not been affected (yet!). So it is not all WordPress sites on all Network Solutions servers. I do not use SimplePress forum. All of my sites use the “secret keys” feature.
2 of these sites were also affected by a previous Network Solutions WordPress attack (several months ago). I also am considering a move to another host. I am so angry my hands are shaking as I type this.
Hi All,
I have 2 WP sites hosted on Network Solutions that were hacked into yesterday. Apparently, the problem is in the databases, but my database auto backup was not turned on. NS default is not to back up the databases – they don’t tell you that that’s a bad idea. So make sure your database backup is turned ON.
Luckily, my awesome web admin Michelle, was able to fix my sites within a few hours and is now working to secure everything.
If you are looking for someone to help you get your WP site/blog back up, she is wonderful (although not cheap). This is her site: https://www.midcolumbiawebs.com/
Or contact her via twitter: @michellegust
seems hackers are finding host vulnerabilities and exploiting them lately. I’m seeing Network Solutions a lot this week.
About a month ago, there was a rash of godaddy WP sites hacked…..
Honestly not sure how much can be done to prevent these things if they are host weaknesses rather than user.
Of course it’s a good idea to harden as much as possible to alleviate potential weaknesses……
Official Network Solutions response. Glad to see they’re working hard to solve this.
“From what we can determine at this time, the changes look like they were made by a user with admin credentials to your WordPress blog. This could be an issue with the WordPress installation or a WordPress plugin on the site. This is not an issue on our web hosting servers”
This does not bode well. I’ve got one hacked blog, and a reader notified me that another blog – also WordPress and hosted on NetSol – gave him a malware alert, despite the fact that it shows no evidence of a hack and still allows me access.
It has to be a database or host problem, so screwing around with WordPress is a waste of time – except to eliminate that “siteurl” problem. I removed all my files through FTP yesterday and did a clean reinstall of WordPress and got nothing for my trouble except an internal server error.
If others have had a different experience, I’d like to hear about it, but messing with WordPress files or the content of your site seems to have no effect.
@burkestar – Did you make NetSol aware of this thread? Kind of hard to believe that we all got infected at once because of bad admin credentials. Mine was one that couldn’t be determined through normal dictionary style attacks. Not to mention there were no attempts to access /wp-admin/ in the past week.
Also let us know if you discover an issue with a wp_cron task.
Thanks everyone for your comments and suggestions. I implemented quite a few for my client in hopes that it prevents this issue from happening again. The WP community rocks!
sucuri.net figured it out. The guy scanned for the wp_config.php files he could find on network solutions servers, and since the SQL user and password are kept in the clear by wordpress, he was able to do whatever he wanted to your database WITHOUT going to your website.
Take these steps:
1) Chmod your wp_config.php to be 750 using an FTP tool. This prevents him from reading the file again (assuming he didn’t hack your site.. remember he hacked your database).
2) On your network solutions account management interface, in the side bar select nshosting/configuration/databases and there, you can change the password of your SQL database.
3) Edit your wp_config.php with the new password (there is a field there called DB_PASSWORD). Change what is there to what you changed it to.
4) Obviously check siteurl again.
I suggest you use one of the complex password generators on the net since we never have to manually remember it anyway.
And there you go! Thanks to everyone that took up my suggestion to use sucuri… centralizing our efforts gave him all the info (no common plugins, clean installs, all the typical lockdowns, etc)….
-d
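The remediation steps in the post above (restrict the config file’s permissions, rotate the database password, write the new one into DB_PASSWORD) can be verified after the fact. The following is an added example, not code from the thread or from WordPress; it writes a constructed wp-config.php fragment to a temporary directory and audits it, and never touches a real site or database.

```python
"""Added example (not from the thread): audit a wp-config.php after the
remediation above. It checks that the file is no longer readable by
'other' (the bit that 750, 640 or 600 all clear), that DB_PASSWORD no
longer equals the old value, and that the new value looks generated
rather than memorable. The sample config is constructed here."""
import os
import re
import stat
import tempfile

# Matches define('DB_PASSWORD', '...') as WordPress writes it in wp-config.php.
DB_PASSWORD_RE = re.compile(
    r"define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)"
)


def read_db_password(path: str) -> str:
    """Return the DB_PASSWORD literal from the config, or '' if absent."""
    with open(path, encoding="utf-8") as fh:
        match = DB_PASSWORD_RE.search(fh.read())
    return match.group(1) if match else ""


def password_is_strong(password: str) -> bool:
    """Minimum bar for a generated DB password: length plus mixed character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= 20 and sum(classes) >= 3


def audit_wp_config(path: str, old_password: str = "") -> dict:
    """Report permission bits and password rotation/strength for one config file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    password = read_db_password(path)
    return {
        "mode": oct(mode),
        "world_readable": bool(mode & stat.S_IROTH),
        "group_readable": bool(mode & stat.S_IRGRP),
        "password_rotated": bool(old_password) and password != old_password,
        "password_strong": password_is_strong(password),
    }


def make_sample_config(password: str, mode: int) -> str:
    """Write a constructed wp-config.php fragment with the given DB_PASSWORD and chmod it."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "wp-config.php")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("<?php\n")
        fh.write("define('DB_NAME', 'wp_sample');\n")      # constructed value
        fh.write("define('DB_USER', 'wp_user');\n")        # constructed value
        fh.write(f"define('DB_PASSWORD', '{password}');\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Before remediation: weak password, world-readable file.
    before = make_sample_config("password1", 0o644)
    print("before:", audit_wp_config(before, old_password="password1"))
    # After remediation: rotated to a generated value, 'other' read bit cleared.
    after = make_sample_config("Xk9#vT2q!mL7zR4wP8sN$", 0o640)
    print("after:", audit_wp_config(after, old_password="password1"))
```

The audit only confirms the file side of the fix; the password in the file still has to match what was set in the hosting control panel, which is why step 4 in the post (re-checking siteurl once the site loads) matters.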
Would you cite the source of your information please. I see some things that may not be completely on the mark. Specifically this:
“1) Chmod your wp_config.php to be 750 using an FTP tool. This prevents him from reading the file again (assuming he didn’t hack your site.. remember he hacked your database).”
I would like to visit the site that is the source for that information so that I can read a little more.
See my comments here, please.
https://www.ads-software.com/support/topic/386304?replies=3#post-1472370