• They changed my wp-options siteurl to be an iframe pointing to networkads.net/grep

    The site was not loading correctly so I was able to find this in phpmyadmin.

    I have had a rash of hacks lately and talked to Network Solutions (my host). They tell me all of their WordPress sites are getting banged up, but their servers are clean.

    I use the bad behavior plugin with a honeypot key, and that makes me feel a little better. I also use the URL injection technique as discussed here:
    suggested by this site:
    https://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/

    Anyone else having problems?

Viewing 15 replies - 121 through 135 (of 150 total)
  • easysale

    index.php
    wp-content/index.php
    wp-content/themes/index.php
    wp-content/plugins/index.php
    wp-admin/index.php

    This is exactly where they hit me also.

    At least two security professionals keep their eyes on NetSol’s rotten servers.

    https://blog.unmaskparasites.com/
    https://blog.sucuri.net/

    NetSol’s shashib left this topic and posts elsewhere something like “We feel your pain”.

    See the difference?

    After you clean your blog, it will be hacked again and again until NetSol fixes its flaws.

    It’s up to you, David, to stay there or else.

    But a professional has spoken already: “Run”

    You can find all the info on this forum on how to migrate your blog to another host. All you need is your clean and usable database backup file. It’s unique. Anything else you can get on the web.

    I’ve checked the backup I downloaded this morning at 10:30 AM. It’s clean. This latest attack occurred about 2:43PM today. I’ve been clean up until this afternoon.

    All my index files on the NS server affected have 2:43 PM as the modified time and are loaded with this ugly script. Also my Simple Machines Forum index files are hacked with the same nasty code.

    I wonder if NS is going to even be able to control this thing at this point. They say they’ve fixed it and they attack again.

    @steve D: Can you share the file permissions of the hacked files?

    @useshots

    I have been checking permissions. I have found many of my permissions compromised and set to 660. When I set them back to 640 and come back later they are back at 660. And also I was not able to change my passwords on my databases. I’ve come to the conclusion I’ve been totally and completely compromised.

    Thanks to easysale for advising the use of the WordPress file monitor plugin.
    I found that I have been hacked again. In fact most of the index files that are on my website have been modified. It’s not only WordPress, but any index.php that can be found.

    @cacoline

    I can’t even get into NS via SFTP this morning either; I get a critical error. Not even sure if I want to log in and look at my NS account at this point, although I do have good security on my end.

    Really frustrating.

    @steve D : I am in the same situation as you. My ftp and database passwords have been changed, and I cannot modify my database password.

    I wonder if NS is going to even be able to control this thing at this point. They say they’ve fixed it and they attack again.

    Change hosts. Period.

    @songdogtech

    . . . Change hosts. Period.

    I don’t think even that’s enough security nowadays. Too many abandoned and poorly secured sites online, etc., etc.

    ride on wordpress.com
    it’s safe

    I don’t think even that’s enough security nowadays. Too many abandoned and poorly secured sites online, etc., etc.

    I didn’t say every web host out there was perfect. Find a host that does a better job than NetSol. Search the forums and security sites for recommendations on hosting.

    Been a little while since I’ve posted here, been rather busy… still having trouble with my site since the attack.

    NetSol has supposedly fixed it but I can’t prove they did or didn’t because I get an error when trying to access the site, or even the wp-admin page directly.

    “Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, [no address given] and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.”

    This happened after I tried to update my wp-config based on a recommendation in this thread; however, I did it from outside of WordPress (in Notepad, actually) and FTP’d the new file in. I later read that it was a big no-no.

    Is there any way to fix this? I’m on hold with NetSol now, and after asking them for assistance twice and having them email me the same link about the blog post on the attack, I’m frustrated.

    If this deserves a new thread, I apologize.

    songdogtech . . . . .

    What is ironic is I use WordPress but my project isn’t even about blogging or tech. Or even myself for that matter. It’s a general media delivery platform. I’ve spent 4 weeks on and off hardening security. Hackers will realize quick this isn’t going to be easy or worth their time. Anyway I’m still a month away from deployment.

    Never expected to get hacked from the freaking inside!

    I back up the database every night and all the WordPress files once weekly. Those are downloaded for storage. Just checked my account and all looks clean on the server. Now we’ll find out if any time bombs are getting ready to go off again.

    We’ll see if NS has “fixed it” soon enough. Moving is a real possibility if they don’t get it together. Which I EXPECT. Not “hope” for.

    @cacoline & @steve D: All of our FTP passwords (except one, inexplicably) were changed last night. Shashi B. at NS confirms this was done by their team and that it was so urgent that they couldn’t notify users. (OK, but why couldn’t we be notified afterward?) In any case, you can log into your Network Solutions Account Manager and retrieve the changed FTP passwords.

    @steve D: when you reset your file permissions to 640, are you sure the CHMOD command is successful? I found that it failed on any files that were originally created by the NS WordPress installer. They are owned by root (user 0), so I couldn’t change the permissions. What I ended up doing yesterday, after removing the malicious code from all the index.php’s for the fifth time, was the following workaround:

    • Upload the file with a different name that doesn’t already exist on the server, e.g., index-clean.php.
    • In your FTP program, rename the file to index.php. The program will ask if you want to overwrite the existing file; say yes. Refresh your FTP directory listing, and you should see that you’re now the owner of the file.
    • Now CHMOD the new file to 640. Refresh and then check permissions again to be sure it stuck.

    Since I set all the index.php permissions to 640 mid-day yesterday, we’ve had no more problems. But of course, I don’t know whether that’s because of the permissions change or because of something done by Network Solutions.
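
An added example, not part of the thread or any poster's code: a small audit that walks a web root and reports every index.php whose mode is not 640, whose owner is not the account running the check, or whose modification time is later than a known-clean baseline such as the last good backup. The function names and the sample tree are constructed for illustration, and it assumes a POSIX host where you can run Python against the files.

```python
import os
import stat
import tempfile
import time

EXPECTED_MODE = 0o640  # the mode posters in this thread set on index.php

def audit_index_files(root, baseline_time, expected_uid=None, name="index.php"):
    """Return (relative path, reasons) for each suspicious `name` under root."""
    if expected_uid is None:
        expected_uid = os.getuid()  # assumption: the site owner runs the audit
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if name not in files:
            continue
        path = os.path.join(dirpath, name)
        st = os.lstat(path)
        mode = stat.S_IMODE(st.st_mode)
        reasons = []
        if mode != EXPECTED_MODE:
            reasons.append(f"mode {mode:03o} (expected 640)")
        if st.st_uid != expected_uid:
            reasons.append(f"owner uid {st.st_uid}")
        if st.st_mtime > baseline_time:
            reasons.append("modified after baseline")
        if reasons:
            findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: three index.php files, one back at 660 and re-modified."""
    root = tempfile.mkdtemp()
    baseline = time.time() - 3600  # pretend the clean backup is an hour old
    for rel, mode, mtime in [("index.php", 0o640, baseline - 60),
                             ("wp-content/index.php", 0o660, baseline + 600),
                             ("wp-admin/index.php", 0o640, baseline - 60)]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // Silence is golden.\n")
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))
    return root, baseline

if __name__ == "__main__":
    for rel, reasons in audit_index_files(*build_sample_tree()):
        print(rel, "->", "; ".join(reasons))
```

Run on a schedule with the baseline set to the time of the last verified-clean backup, a non-empty result is the signal to compare the listed files against that backup.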

  • The topic ‘SQL attack on wpress 2.9.2’ is closed to new replies.