• They changed my wp-options siteurl to be an iframe pointing to networkads.net/grep

    The site was not loading correctly so I was able to find this in phpmyadmin.

    I have had a rash of hacks lately and talked to Network Solutions (my host). They tell me all of their WordPress sites are getting banged up, but their servers are clean.

    I use the bad behavior plugin with a honeypot key, and that makes me feel a little better. I also use the URL injection technique as discussed here:
    suggested by this site:
    https://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/

    Anyone else having problems?

Viewing 15 replies - 106 through 120 (of 150 total)
  • Finally! Someone says it aloud. I was beginning to wonder if anyone was ever going to get around to questioning the elephant in the room.

    – just my opinion, mind you.

    Peace!


    @clayton, I thought you’d be happy about Matt’s post!

    You more or less asked shashib to define the “fundamental issue” that NetSol addressed with its fix. It would have been nice if they admitted it, but Matt’s post is enough for me.

    Until next time . . .

    I’ve spent days cleaning up after the siteurl hack and discovered I also fell victim to the globalwat footer hack.

    https://www.ads-software.com/support/topic/382005?replies=4

    Does anyone know if these two attacks are related?

    So is this resolved as a server config issue at NetSol rather than a security issue with WordPress?

    Is a possible and partial remedy moving wp-config up a directory level?
    https://codex.www.ads-software.com/Hardening_WordPress#Securing_wp-config.php

    This server is actively exploited by hackers. If your site happened to be hosted on this server, move ASAP. This is a really bad neighborhood. There are a lot of abandoned sites with vulnerable old versions of popular web applications – so hackers will easily regain access to it even if Net Sol change every password on this server.

    https://blog.unmaskparasites.com/2010/04/11/network-solutions-and-wordpress-security-flaw/#cloaking

    Well, I see a new round of hacks on Net Sol servers. This time it is not a DB hack. Hackers inject a malicious script into files on disk. The script injects a hidden iframe from hxxp://corpadsinc .com/grep/. This new domain name points exactly at the same place as previous networkads .net and mainnetsoll .com iframes.

    Not only WordPress blogs are affected.

    Do you, by any chance, know which files are modified?

    We are being hit by this as well. And yes, we have shared hosting on this “bad neighborhood” server.

    The files affected (at least on our WordPress installation) are:

    index.php
    wp-content/index.php
    wp-content/themes/index.php
    wp-content/plugins/index.php
    wp-admin/index.php

    If you’re running WordPress, I highly recommend you download and install the WordPress File Monitor plugin. It will notify you of any files that get changed. I have it scanning every half hour. So far, we’ve been attacked 5 times since last night.

    Fortunately, the code is easy to spot and remove – it’s at the end of the file, between <script> tags.

    I know NS is working on the problem, but it’s hard to believe that they haven’t closed this vulnerability already.

    One thing I did that may help is to change the permissions (CHMOD) on these files to 640, which should prevent write access by anyone other than the file owner. These files normally don’t need to be written to at all.
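The checks described in the post above (changed files, a `<script>` block appended at the end of the file, and write permissions wider than 640) can be scripted. This is an added example, not part of the original thread or of the WordPress File Monitor plugin; the function names and the end-of-file pattern are assumptions.

```python
import hashlib
import os
import re
import stat

# Files the post above lists as modified, relative to the WordPress root.
TARGETS = [
    "index.php",
    "wp-content/index.php",
    "wp-content/themes/index.php",
    "wp-content/plugins/index.php",
    "wp-admin/index.php",
]

# Assumption: the injection is a <script> element that closes at end of file.
TRAILING_SCRIPT = re.compile(rb"<script\b[^>]*>.*?</script>\s*\Z", re.I | re.S)

def _existing(root):
    """Yield (relative, absolute) paths for the listed files that exist."""
    for rel in TARGETS:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            yield rel, path

def snapshot(root):
    """Record a SHA-256 baseline; take it from a known-clean copy."""
    return {rel: hashlib.sha256(open(p, "rb").read()).hexdigest()
            for rel, p in _existing(root)}

def changed(root, baseline):
    """Return the listed files whose content differs from the baseline."""
    now = snapshot(root)
    return sorted(rel for rel in now if baseline.get(rel) != now[rel])

def scan(root):
    """Map each suspicious file to the reasons it was flagged."""
    report = {}
    for rel, path in _existing(root):
        reasons = []
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("writable by group/other (mode %o)" % mode)
        with open(path, "rb") as fh:
            match = TRAILING_SCRIPT.search(fh.read())
        if match:
            reasons.append("trailing <script> block at byte %d" % match.start())
        if reasons:
            report[rel] = reasons
    return report
```

Take the baseline with `snapshot()` from a backup known to be clean, then run `changed()` and `scan()` on a schedule; a flagged file is best restored from that backup rather than edited in place.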

    Thanks for the answer and advice!

    I am on NS also. I think I am getting hit.

    I backed up my project site this morning.

    Here is the index.php form that . .
    This below was my index.php from this morning's backup.

    [Encoded hack script removed.]

    Sorry about the formatting on the above post.

    @steve D

    You are hacked. See previous links on that issue.
    Don’t worry about “the formatting” as you put it.
    Moderators would wipe it off as soon as they spot it.

    In other words, it’s unwise to copy and paste such code.

    bottleneck

    Thanks I appreciate it. Guess I best call NS. This is turning into a real nightmare. I thankfully got a back up download early this morning which is clean. Looks like this latest attack started around 2:30 PM.

    Appreciate your assistance.

    Plus I haven’t even deployed my Website yet. In development. Plus I took extra precautions to secure it. I’m not public yet but developing on a NS shared hosting setup.

  • The topic ‘SQL attack on wpress 2.9.2’ is closed to new replies.