WordPress 2.8.4 Site Hacked

The main index.php file had hidden content at the bottom. Also found it in an index.php file associates with the PHPBB forum

That sounds like more of a server hack than a WP hack, since it’s hitting WP and phpBB. I’d check your FTP logs. If it’s JUST php files getting changed, it’s more likely to be a regular server hack than a SQL injection via WP.

I’ve found other WordPress 2.8.4 sites of mine (same server) compromised.

So far four domains, still checking others.

The theme so far is files I’ve checked have had their permissions changed to full write access (though one domain just had the index.php file changed), on the latest domain a file was uploaded to

/wp-admin/web/doorway-2009-10-18_20-56.zip

Which was unzipped to over 1,000 web pages of porn/viagra links etc… some of which was linked to from the home page (via the WordPress index.php file).

The hacked WordPress sites that have this content on are PR4, PR4, PR4 and PR5 (first hacked was the PR5), so far my lower PR domains are not touched, so looks like the higher PR domains are being cherry picked.

I’ve run chkrootkit that didn’t find anything.

I’ve looked through the logs, but I’m not proficient with server security, so nothing has jumped out at me as an issue.

I realise it could be a hacked server, but the cherry picking of higher PR WordPress domains suggests WordPress has something to do with this, particularly the 2.7 version of WP that wasn’t changed when two 2.8.4 version on the same domain was changed.

If someone had full root access to the server they could change all the index.php files from 50+ WP installations easily. Also the dates the files for each domain have been changed are different, last two I’ve found are the 16th and 18th of October. Why go to the hassle of hacking a server and change domains one by one over a period of weeks (first domain I found hacked was hacked before the 12th).

To rule out a hacked server other than chkrootkit (which found nothing) what else could I check?

If you are running WordPress 2.8.4 and have a PR4+ home page view source of the home page and see if you have any hidden links. I’ve found them mostly below the footer, but on one domain it was below the body tag.

David Law

Why go to the hassle of hacking a server and change domains one by one over a period of weeks (first domain I found hacked was hacked before the 12th).

Because it may not be a hacked server so much as a compromized FTP password.

The reason I’m fairly sure it’s your server/accounts and not WordPress is how limited this hack is. If it was a WordPress hack, it would spread across all your installs pretty fast, wouldn’t it? Your argument lends more credence to ‘someone has limited access to your server and is being a di**’ than ‘someone’s hacked wordpress and is selectively attacking my blogs’. Also a WordPress hack tends to be the sort that affects more than just the index.php file.

Personally, I refuse to rationalize why some blogs are hit and others aren’t. It never makes sense. If I wanted to speculate, I’d say they’re hitting higher PRs because they found them first.

Check your FTP and SSH logs and see if people are logging in around the same time as those files being added.

Go through the regular advice here too: https://ocaoimh.ie/did-your-wordpress-site-get-hacked/

I think you are right about it not been WordPress per se, who ever the hacker is they are targeting my WordPress sites and possibly 2.8.4 in paticular for links.

I’ve tracked down FTP access that resulted in the changes. I set FTP logs to save for just a month (in hindsight should have gone for 3 months) so got 1 month access data to work from.

I haven’t a clue how the hacker got my FTP passwords, but it’s multiple passwords and they are very random: I create passwords by randmonly bashing the keyboard and then make sure each one has upper/lowercase, signs etc… and anywhere up to 20 charachters, there’s no way they could be guessed.

I found a file under WordPress on one of the hacked domains wp-edit.php and a similar file under the stats folder (which is password protected) with a different name. It looks like the file was used to insert the code into the index.php files.

I’ve zipped it and added it to one of my sites, is it wise to post a link for others to see what it is?

I think I’ve cleaned all the domains that have been affected, but have no idea if the server has back doors to get back in.

Done the obvious changing passwords (started anyway, have about 200 to change!!!!).

I suppose I should be thankful the hacker so far has only been interested in stealing links, I had another server hacked a few years back and that was trashed!

David Law

Generally passwords aren’t guessed so much as scraped from some method of non-secure traffic. This is why I only use SSH and SFTP (and other similarly secure connections).

I eventually ruled out WordPress as the cause of the hacking of my sites.

Although I couldn’t 100% confirm this, the most likely cause was a vulnerability in an old version of Adobe reader browser plugin allowed a hacker access to my work PC, they used that vulnerability to gain access to my FTP username/password list stored in Filezilla which doesn’t secure the stored passwords! Big mistake saving password in an unsecure way in Filezilla, the programmers have really dropped the ball on this issue.

Scanned my PC multiple times with a variety of products and nothing unussual showed up, so it might not be the above, but it is a known issue and the only one I could find that makes sense.

After cleaning out the changed files and changing FTP passwords I’ve had no other problems on the server. There was no evidence of root access, was only FTP access that was logged.

Was a pain in the butt deleting and reinstalling 129 domains and sub-domains to be sure there was no infected files under FTP access!

David