Website hacked

We have many plugins installed but the only one in common with spinorbinmusic is only the Akismet (so i think they went in in another way).
[email protected] do you think the used some hack to arrive to the mysql via wp or just they attached the mysql server?
The strange thing is that all the wp sites in a shared server were infected (but they are mounted each with its own username and password like differentusers, no one can’t access to other space data (we decided iin this way to avoid things like that). Impossible they discovered 25 different passwords so any idea?

I have no idea how they could have gotten access to my database, but going to try to harden things. This is definitely a clever hack. We should continue to try to figure out how it was done.

The sons of bitches managed to hit every wordpress 3+ site on my server but interestingly not some older wordpress-version sites.

While I would like to repair the sites, I am wondering if anyone here wants to take some kind of action against the owner of basicpills.com. Can we take legal action? Or how about a DDoS in response? I don’t know, I just think they shouldn’t be allowed to get away with it.

I’vew sent a complain to the abuse hosting comany. If i don’t get enay answer I’ll forward the email to spamlist to take some action.
About sites…. we have many version of wp…so I don’t think is a version problem.
I thought also to a ddos if the hoster doesn’t take action on that.
if all the sites infected will do a ddos on their full subnet the next time thye will red the email. I’ll keep u informed on that.

My ultimate concern now is the remove all the spams starting from the 1st blog post and then making sure the ‘virus’ do not infect the rest of the posts.

I have tried removing the links manually but it doesn’t solve the problem. The ‘virus’ is still there, somewhere.

Appreciate much if someone will help. Thanks!

@spinorbinmusic : backup your DB first of course, if you need an automated removal method, I’d suggest this :

https://lorelle.wordpress.com/2005/12/01/search-and-replace-in-wordpress-mysql-database/

This works ONLY for updating the contents of the posts, not other database fields, I’ve been using it for two years now.

It works in my personal case for replacing ../ with the absolute url of my blog (relative URLs are old enemies of mine), however, frank disclaimer, I never tried to replace actual source code with html tags, you may try to experiment to be sure it also works.

Ye, this could be a way…. the fact is that must be changed all the enries of teh spam server (we have found that they used some combination of words).
Another way I’m thinking of using is to export the posts into xml file…. and afte rusing a perl miniscript to pars eit and than clear all posts and reimport the file.
ALternatively for not perl addicted you can edit the xml with notapad and use search and replace.

Mr securi has surelly a mysql statement to clean the dirt but they do it fo job so i don’t think they will share it or free, don’t they (Mr securi try to think to do a more cheap account price list, no everyone can spend all those $ for the service….ost of all if the blogs he has are free to friends ;-D)

Btw, the real actions to take against them is the following:

1-Report to Google. They do that for SEO reasons. If Google blocks them, they lose.

2-The best way to report is to ping https://twitter.com/mattcutts on Twitter (works at Google). If more people sent him this thread and this post: https://blog.sucuri.net/2011/03/link-injection-basicpills-com-and-blackhat-seo-spam.html they might do something.

3-I wish I could share a clean up script, but it is integrated with our package (since it needs access to the db, has a bunch of variations, etc), and I can’t share everything… Sharing only that part won’t work as well because of the dependencies.

*btw, if you can’t clean up, I suggest just restoring all posts to a previous version (using the revision option).

3) Working to a clean script… probably it will not work at 100% but surelly will clean 99,9%
I’ll post tomorrow for free LOL ??

ok, here we go.
I?ve cleaned yet 20 of our 25 sites…
as said. it cleans about 99,8% of **it. If you run it… i don’t get any responsability on that, you know! SO is you own risk!
Better would be to make it as a mysql script to execute on server… but since is a lot of time that I don’t do it… was better for me… to do it in perl and manage the xml.
So you need to have perl installed to run it.

1)as suggested check the config permission (or the server will be hacked again). Change your password.
2)Export with the wp (tools export) to a xml file. Download it locally.
(supposed the scrept name is cleaner.pl)

linux/*nix machine
cat dirty.xml | perl cleaner.pl > cleaned.xml

dos/wndows box

type dirty.xml | c:\perl\bin\perl cleaner.pl > cleaned.xml

after that i suggest you to open the new file and inspect it manually to see if some references of “buy” “viagra” or others are still there. You can add those key into script and run it again or you manually cancel them.

Once done…. return to wp.
Delete all your posts (manually or with a plugin called mass post manager

https://www.lordtime.com/blog/products/mass-post-manager-for-wordpress/

and now import the xml (tools, import, and choose the last entry, worpress xml file).
Now you should have all you post cleaned and site like before.

In the next post I’ll post the script.

Some thoughts:

1)is better for you to install a plugin that does the backup (weekly) and send it to you via email (we were installed it in some site the day before that happened..so we had only some backups).

2)the script could be written more short less rendundant and so on.
I’ve chosen the LONG way because I had not time to make all tries…needed so… was faster to add the key. I’ve tried a generic clean with a short script but found he mistaked som eways cutting also good links..so was safer this way.

Hoping tha’ts. Help.
If you find it usefull…write me in private and as “$” i ask you to send me apostcard from your city…. with your thanks, I’ll send my address.

pubblivori – Please post that script somewhere else (like Pastebin or your own site) and LINK to it ??

Here, but can I ask why?

https://pastebin.com/49Cjt2cB

We are also having this issue with some of our client sites.

This is what i’ve noticed:

Affects these versions: 2.9.2, 3.0, 3.1

Eeven sites that dont get indexed by google and no one is linking to are still getting hit.

One way we replicated these sites was to use the same wordpress files, if these files had been compromised could this explain why non-linked and non-indexable blogs were getting hit?

Here is a list of plugins that all our site sthat have been hit have:

Askimet,
Contact 7,
Hello Dolly,
Really Simple Captcha,
TagCloudShortCode,
User Avatar,
WP-reCaptcha,
WP Post Thumbnail,
Nextgen Gallery

Hopesomeone can help.

I’ll keep you updated on our progress as we try various fixes

Thanks

pubblivori – Cause it blew up this thread, code wise. Also, we just don’t like huge code chunks in the forum. ??

liam_cs – To me that looks like a SERVER level hack, versus a hole in WP, as it were.

As [email protected] said:

What we saw is that the shared server itself was compromised, allowing the attackers to inject links directly in the DB.

Which means there is a LOT of DB cleaning to be done :/

update… after cleaning and securing sites with password change, database password change , right on file changes…this morning we have been “infected” again….
so seems or a mysql problem… or a plugin problem… there is not other way to access….. to the table…
?? any idea?

pubblivori, like it’s been said, it’s most likely a server hack. There’s close to nothing you can do about it, so I suggest you talk to your host. Remember, a shared server is only as save as the least hardest website on it (and of course as save as the host makes it.)