Website hacked

  • abwatson

    (@abwatson)


    14 years ago

    Hi there well my website has been hacked and it always seem to be in the same place. But I can’t seem to figure out where this hack code is in my wordpress files. It seem to always be just after my image link. example below

    <img src="https://abwatson.com/wp-content/uploads/2011/02/5146515283_cce1a94b75_b.jpeg" <a href="https://basicpills.com/">buy prescription drugs online without prescription</a>  alt=”" title=”5146515283_cce1a94b75_b” width=”533″ height=”800″ class=”aligncenter size-full wp-image-680″ /><br />
<img src="https://abwatson.com/wp-content/uploads/2011/02/Picture-1-556x370.png" alt="" title="Picture 1" width="556" height="370" class="aligncenter size-large wp-image-681" /><br />

    This hack has come up time and time again. I have updated wordpress, but still it came back. I reintalled wordpress from scrach, reinstalled plugins and reinstalled my database. Yet this hack still comes back. You can check out my website and see where it has been effects at abwatson.com came anyone help me out? Thanks

Viewing 9 replies - 46 through 54 (of 54 total)

  • I just noticed this thread and the problem of spam getting directly inserted into posts seems like the one I mentioned here.

    https://www.ads-software.com/support/topic/spam-content-and-links-got-inserted-into-my-blog-posts

    So, I can assume from this thread that the database must have been compromised and all sites on that account were hacked means that it must have someway related to the hosting company. I told my hosting company that it might be related yesterday before I made the thread here and they were adamant that there is no mistake on their end. They said it is a mistake on wordpress end and blah blah. But I noticed that no other part of wordpress or theme files were compromised. All files were also chmoded correctly and I was still wondering how could the spam have got inserted. So, it was their mistake partially and they are blaming on wordpress. I am sure they must have got other customers also facing the same problem but they acted as if they never knew the problem. Bunch of bus***ds. [/end of rant]

    FYI check your blog roll links have found new links that have been inserted into the list.

    @dagbar

    Whom are saying to check the blogroll links. I do not have any blogroll links.

    I spoke to my hosting company again and they are not willing to accept at all that anybody could have got access to their database server. They are saying wordpress not getting updated etc. is the issue and nothing is wrong on their part. But one of the websites was also using wordpress 3.1 which is latest. So, I am confused but they are not ready to listen to any suggestion too. They are adamant that the problem is not with their server and nobody else can get access to their database server. Cannot do much when the hosting company is adamant on not listening to any suggestions. Anyways I have removed and rolled back all the affected wordpress blogs and upgraded them with a lot of further hardening. Please update this thread if anyone can find the actual reason as to how the spammy links got inserted into the content of the posts. I will also inform if I face the same problem again.

    Please post your hosting company too so that we know if this is related to a few hosting company and servers or is across all companies.

    My hosting company where the sites were affected is ScalaHosting.com

    Come on boys, we have to stop these bastards! ??
    Any help will be appreciated

    Hi,

    Not sure if this is relevant, but I found some dodgy stuff in the images folder of an OsCommerce installation which was hosted in another account on the same server. The write permissions on the images folder was set to 777 (that’s how OsCommerce likes it apparently), and they had managed to upload files into there.

    I think perhaps they came in through this and then managed to place a .htaccess file in the images folder which then ran a script which they put in /tmp/, which possibly then gave them access to other user accounts on the server.

    I’ve removed all this dodgyness and then also changed the file permissions on the wp-config.php files in each installation to 444 to stop any user other than the file owner from reading the file.

    Along with this I’ve also ensured that each account runs as it’s own user using by running PHP with suPHP.

    I’m hoping this will fix it and stop them coming in again, but I’ve now also written a script which crawls our entire site every 5 minutes and sends me a text message if it spots one of the dodgy links.

    Does anyone have a list of all the dodgy sites, including basicpills .com which I can add to my watch list?

    This is a real pain in the ass and I’ve lost a couple of days work to this!

    Also out of interest does anybody else have OsCommerce on the same machine?

    Btw, if anyone need a simple script to remove the spam from all the posts, we posted it in here:

    https://blog.sucuri.net/2011/03/solution-for-the-link-injection-spam-from-basicpills.html
    https://tools.sucuri.net/malware/helpers/spam-postremoval.txt

    Just rename to PHP, upload to your site and execute it from your browser.

    thanks,

    it runs better and is more easy to use than my sript ??
    BTW:

    update:
    $listofspam = array(“basicpills”, “generic-ed-pharmacy”, “rx-prices.com”,
    “getrxpills”, “antibiotics-shop”, “hotspill”);

    found another server , the hotspill one

    Update on whats going on with my sites.

    I have a few WP 3.1 blogs 1 of them was over looked when I was updating not long ago and its WP 3.01 that site has not been touched but all others have been hit several times. The only was I was able to stop the injection on the other sites was to move the WP config file up one level to the non web accessible dir. I had tried every CMOD I could think of to try and stop it. But since moving the config non of the sites have had a problem.

Viewing 9 replies - 46 through 54 (of 54 total)
  • The topic ‘Website hacked’ is closed to new replies.