dugbug
Forum Replies Created
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
Yes, different attack on the jquery, but still a pain in the a$$. Sheesh, it's like hell has unleashed on us.
Note that the cforms plugin comes with a copy of jquery, and there is one (as you say) that comes with WordPress. To NetSol users I recommend using the file manager from your account and doing a file search for jquery.js. There may be a few other legit plugins that provide a copy of jquery.
It would seem what they are trying to do is replace a file of similar name that would occur earlier in the search path?
-d
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
Rif yes. I also posted in the suggestions forum for wp to mod installation to include the 640
Forum: Requests and Feedback
In reply to: security vulnerability in 2.9.2
755 on folder and 640 on config
per latest ns blog
https://blog.networksolutions.com/2010/alert-wordpress-blog-network-solutions/
so again: wpress, during install, make the config file 640
Forum: Requests and Feedback
In reply to: security vulnerability in 2.9.2
Why? I'm changing the “other” setting. How would the owner of the folders matter (which is the same “owner” as the rest of the files… this is a Network Solutions hosted site; the user is always the same as far as I have seen it). Group is always the same as well.
Forum: Requests and Feedback
In reply to: security vulnerability in 2.9.2
If I do 750 on the wp install folder I get this:
Forbidden
You don’t have permission to access / on this server.
This is how they access index.php, from the .htaccess file. Perhaps there are some subtle install differences between us.
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
If your file is 644 and not 640 then he can read your account info, can he not?
If your public folder is 750, then your website cannot be accessed by others.
This is at least what happened to me when trying to set my web folder (the www folder) at 750. Further, 640 works fine for wp-config.php. Can you explain why you would want it to be readable by other?
Forum: Requests and Feedback
In reply to: security vulnerability in 2.9.2
Ok folks, correct me if I'm wrong, because this is a killer hole (imho).
If the wp install folder is 750, folks can’t access your site, so it has to stay 755. If wp-config.php is **4 then anyone can read your wp-config.php file. I made my wp-config.php 640 and then modded it with a new db account.
Do you folks understand the ramifications? The guy read our SQL user and database passwords and server information, then just went to the database.
He could even install a local wordpress somewhere at home mod his config file to point to our database, create and delete users and edit posts (presumably with malware) as he wished… and your web site logs would show NOTHING because he never accessed our site.
-d
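A small audit script for the permission combination discussed in the post above (web root traversable by "other", wp-config.php not readable by "other"). This is an added example, not code from the thread or from WordPress; the function names and the warning text are my own.

```shell
#!/bin/sh
# Added example: audit a WordPress root for the two permission problems
# raised in the thread. wp-config.php must not carry the "other" read bit
# (last octal digit must not include 4), while the web root itself must
# keep the "other" execute bit (e.g. 755) or the web server gets a 403.

# Print the octal mode of a path, e.g. 644 (GNU stat first, BSD stat fallback).
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return the "other" permission digit (0-7) of a path.
other_digit() {
    printf '%s' "$(octal_mode "$1")" | tail -c 1
}

# True (exit 0) when the "other" class can read the path.
other_readable() {
    [ $(( $(other_digit "$1") & 4 )) -ne 0 ]
}

# True (exit 0) when the "other" class can traverse (execute) the directory.
other_traversable() {
    [ $(( $(other_digit "$1") & 1 )) -ne 0 ]
}

# Audit one WordPress root; prints each finding and returns the problem count
# (0 means the layout matches the 755-folder / 640-config advice).
audit_wp_root() {
    root=$1
    problems=0
    cfg="$root/wp-config.php"
    if [ -f "$cfg" ] && other_readable "$cfg"; then
        echo "WARN: $cfg is $(octal_mode "$cfg"): DB_PASSWORD is readable by other users on this host"
        problems=$((problems + 1))
    fi
    if ! other_traversable "$root"; then
        echo "WARN: $root is $(octal_mode "$root"): web server cannot traverse it (expect HTTP 403)"
        problems=$((problems + 1))
    fi
    return $problems
}
```

Run it as `audit_wp_root /path/to/wordpress` on the host itself; it only inspects modes, it does not change anything.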
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
sucuri.net figured it out. The guy scanned for the wp-config.php files he could find on Network Solutions servers, and since the SQL user and password is kept in the clear by WordPress, he was able to do whatever he wanted to your database WITHOUT going to your website.
Take these steps:
1) Chmod your wp-config.php to be 750 using an FTP tool. This prevents him from reading the file again (assuming he didn’t hack your site… remember, he hacked your database).
2) On your network solutions account management interface, in the side bar select nshosting/configuration/databases and there, you can change the password of your SQL database.
3) Edit your wp-config.php with the new password (there is a field there called DB_PASSWORD). Change what is there to what you changed it to.
4) Obviously check siteurl again.
I suggest you use one of the complex password generators on the net since we never have to manually remember it anyway.
And there you go! Thanks to everyone that took up my suggestion to use sucuri… centralizing our efforts gave him all the info (no common plugins, clean installs, all the typical lockdowns, etc)….
-d
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
@sashilib,
Can you contact dd [at] sucuri.net so you and he can talk about what you both know? I can only provide tools that are offered through nsHosting (like log files), but maybe you can give him the actual HTTP POST contents. It would go much faster.
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
Just an update… another Network Solutions user WITHOUT the simplepress forum just got the identical hack. The sucuri guy is helping more than one of us and is seeing that the only common vector in this seems to be Network Solutions.
So hold off. DISABLE the simplepress forum as a precaution, but understand this is a bit stranger than first thought.
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
Thanks Shashi
Always good advice. I also use Network Solutions and the Network Solutions safe site monitor, so I don’t have to worry, right?
(joking) I knew without finding the attack vector we would be cleaning, hardening, and reinstalling forever without knowing why.
If it reappears after disabling the forum plugin I'll post here again to say my apologies and cry into a beer.
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
and by post I don’t mean a forum post, but an HTTP POST. You will never see it.
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
sucuri.net found the back door! It's a POST to the simplepressforum plugin. Do any of you have this plugin?
I'll get back with more info in a bit.
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
All these hosting sites have three-day rollover backups and manual snapshots. If you only have the three-day jobs and the hacker got in earlier in the week it won’t do anything, but I REALLY hope it does! Just make sure you harden it after the reinstall or in a day they will just repeat the trick that got them in. It could even be a bot; they are so automated these days.
Hardening would work prior to the hack (unless this is a new technique), but they have created a back door. They can do very simple things and they are in.
If you want to get your site back in order to salvage what you can (and later set yourself up with a hardened variation) do some reading or use a service like is mentioned above.
Gosh, good luck folks. I'll post if I get any relevant info.
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
@dpezzino, @kellgel
I am using sucuri.net to help get a better angle on things. Tell ’em Techulous (that's our site that got hit) sent you and he will hate me as they will be cleaning up wpresses all week. Note I am just as new to this scene as you are, but he seems well informed and the tools they host do some cool things with your site.
Maybe if we use the same site and you tell him we are all on the same service (Network Solutions, etc), more info can be gleaned from the larger data set.
This is my first attack and we (were) a reasonably popular gaming site so I felt I owed it to have some experienced help.
Also he will be able to see what plugins we all have in common, etc.