Sites Hacked--Would Appreciate Advice

47 replies
Please see follow-up post at end or near end of thread

Hi. A few weeks ago I posted a thread regarding a number of my resellerzoom wordpress sites being hacked. I received much good advice about how to make wordpress sites more resistant. However, I've since had my sites hacked again in the same manner, and I don't know how to secure my domains. Would anyone be able to recommend a professional in the field who might be able to figure out and close the hole in my domains?

On a side note, I find that when I click on search engine links to sites, I am often redirected to some other site. The sites I am redirected to appear to be random sites of vaguely related subject matter. So, for example, if I click on a site having to do with insomnia, I might find that I am routed to some other sleep related site. Earlier, when checking a few squidoo sites and hubs, I found myself redirected to other sites related to Internet marketing. Anyone have any idea what is going on? This happens only some of the time and not every time I click on a search engine link.

Thanks,
Evan
  • radhika
    Wordpress Security Tips and Hacks | Noupe

    This is a link which explains WP security. Make sure you have the most recent version of the WP files.

    If there is any way you can customize file names/folder names, do it, because hackers look for default folder names to hack.

  • fthomas137
    Sounds like your redirection plugin, if you are using it, has been compromised. You will need to clean out your wordpress database and files of tampering. My recommendation is to backup the site, (did I say backup), and then remove and replace all of the files for wordpress, including themes, plugins and such.

    Next, make sure your file rights are appropriate. Make sure you have the file rights 777 only on files that are necessary.

    Next, if you are using cpanel, jump into phpadmin and investigate the tables in your wordpress blog(s). Investigate for tampering. You will have fun for sure, IF you hadn't backed up your blog previously.

    Frank
    • TheRichJerksNet
      Originally Posted by fthomas137

      Sounds like your redirection plugin, if you are using it, has been compromised. You will need to clean out your wordpress database and files of tampering. My recommendation is to backup the site, (did I say backup), and then remove and replace all of the files for wordpress, including themes, plugins and such.

      Next, make sure your file rights are appropriate. Make sure you have the file rights 777 only on files that are necessary.

      Next, if you are using cpanel, jump into phpadmin and investigate the tables in your wordpress blog(s). Investigate for tampering. You will have fun for sure, IF you hadn't backed up your blog previously.

      Frank
      No files on any server should be running 777; if they are, then it is time to change host ....

      James
  • Rob Whisonant
    Any chance you installed the Zango toolbar on your computer? Or recently installed some other browser toolbar?

    Re's
    Rob Whisonant
    • abelacts
      Originally Posted by Rob Whisonant

      Any chance you installed the Zango toolbar on your computer? Or recently installed some other browser toolbar?

      Re's
      Rob Whisonant

      Any ones in particular to watch out for? And how do we remove unwanted/suspicious toolbars?

      Some of my sites are hacked too. And I suspect they steal my ftp logins from my FTP client. I use Filezilla.
  • ecdavis
    Thank you everybody for your replies! I am using resellerzoom and have been strongly urged to switch to hostgator for security reasons. However, RZ does not use 777, and none of my folders are 777. No toolbars such as Zango. However, I do have that redirection plugin installed on all sites that have been hacked. Radhika, thank you for the wp security tips site. Frank, thank you for the advice . . . I dread getting into the database tables, but I suppose that's the only way to know for sure.

    Edit: One of the security tips from a site referenced above was to add this line to the .htaccess file: <FilesMatch ^wp-config.php$>deny from all</FilesMatch>. However, when I tried this, I got an internal server error. Anyone know why?

    Evan
    • TheRichJerksNet
      Originally Posted by ecdavis

      Thank you everybody for your replies! I am using resellerzoom and have been strongly urged to switch to hostgator for security reasons. However, RZ does not use 777, and none of my folders are 777. No toolbars such as Zango. However, I do have that redirection plugin installed on all sites that have been hacked. Radhika, thank you for the wp security tips site. Frank, thank you for the advice . . . I dread getting into the database tables, but I suppose that's the only way to know for sure.

      Edit: One of the security tips from a site referenced above was to add this line to the .htaccess file: <FilesMatch ^wp-config.php$>deny from all</FilesMatch>. However, when I tried this, I got an internal server error. Anyone know why?

      Evan
      It is a useless security tip Evan ... They cannot read your config file unless they have access to your server; if they have access, there is no sense in trying to add security to a file that they have access to..

      I know what you have done as far as security and I can tell you now that there are only 2 things left ... Your host has issues with security, or your computer.

      * Scan your computer for anything and make sure it is secured.
      * Check your log files, especially the raw access logs on the server.
      * Check to see who your files are owned by, because by default on many hosts that do not run PhpSuExec the files are owned by "root" or "nobody"; this is a huge security loophole.. Your files should be owned by your server; in other words, if your server username is "blinky" then your files should be owned by "blinky".

      To check who owns a file you should be able to see that information from ftp, the same place you check permissions. Many ftp programs are different; some show this information and some don't.
      * Switch to hostgator.

      James
  • ecdavis
    James,

    I'm following your advice and have scanned my computer using the Malwarebytes anti-malware tool and also with Spysweeper. The Malwarebytes sweep was clean and the Spysweeper search only picked up the usual cookies. How do I tell who owns the files? My ftp program does not apparently tell me who owns the files. It gives me the usual property data but does not specify the owner of the file. I've also found that I apparently cannot access my server log files. This downloads as an MS-DOS application that I'm unable to open. However, I can examine recent visitors using the Latest Visitors tool in c-panel. What would I look for specifically to identify invaders?

    I just found this on AskApache Web Development

    "So who owns your blog's root directory? Your ftp user account/ you do..  but who owns the process that is trying to write/modify a file that is owned by your ftp user? The PHP Process that is actually executing the file access/write requests. This is the core way that 99% of all web sites get cracked into.. All these malicious robots and exploit bots do is attempt to write a file onto your server so that it can then be used to take over your site. If they can save a file on your blog's directory (uploads, insecure plugin code, not filtering user input, etc..) it inherits the permissions of the process that actually wrote the data bits onto the hard-drive."

    Evan
  • ecdavis
    A new development. I just tried to access the admin panel for one of the wordpress sites, and I received a page saying, "You do not have sufficient permissions to access this page." I have reuploaded fresh, clean wp 2.7 files but I still cannot login to my site.
    I'll check with the hosting company to see if they can return permissions, but would anyone know what I can do to get permissions back?

    Thanks,
    Evan
    • Catalin Ionescu
      The data for the permissions each account has is stored in the database, not in plain text files. Thus anything you can or will do via FTP will not restore the privileges to your admin account.

      What you can do is log in to your host CPanel and from there to phpMyAdmin, the web based database management application. The steps you'll have to follow are pretty technical, but in general terms you have to manually edit the record for your admin account and add the missing rights to it.

      While you're at it, you may also wish to check for any other WP user accounts that have been added. More often than not, this is one popular attack vector. You may wish to delete those accounts.

      Finally, once you get your admin rights back and log in to the WP admin panel, you should disallow new account creation. This simple step will prevent many automated attack scripts from working.

      Hope this helps.

      - Catalin
      • TinkBD
        Originally Posted by Catalin Ionescu

        Finally, once you get your admin rights back and log in to the WP admin panel, you should disallow new account creation. This simple step will prevent many automated attack scripts from working.

        Hope this helps.

        - Catalin
        Hi Catalin -

        When you say *disallow new account creation*...

        Is this the same as

        >>> General Settings/Membership/Anyone can register <<<

        I am still learning my way around the *new* WP interface! (I know, I know... I am SLOOOW! LOL)

        Thanks,
        Tink
    • TheRichJerksNet
      Originally Posted by ecdavis

      A new development. I just tried to access the admin panel for one of the wordpress sites, and I received a page saying, "You do not have sufficient permissions to access this page." I have reuploaded fresh, clean wp 2.7 files but I still cannot login to my site.
      I'll check with the hosting company to see if they can return permissions, but would anyone know what I can do to get permissions back?

      Thanks,
      Evan
      The problem here is WordPress uses MD5 on passwords in the database, which is one of the stupidest things you can do.. Encrypting a password in the database means nothing; if someone has access to your database they do not need to know the passwords and can do pretty much what they want...

      Don't you just love so-called wannabe security people

      The permissions issue happens for 2 reasons

      1. You changed the username on admin, and in 2.7 this requires other changes if I remember..

      2. You missed editing a prefix of a table in the database..

      James
      • ecdavis
        Thank you again everybody for your input. I apologize for taking so long to reply--it looks as if I've abandoned the thread. Due to severe and pressing issues, I've just now been able to get back to the computer.

        Originally Posted by TheRichJerksNet

        The permissions issue happens for 2 reasons

        1. You changed the username on admin, and in 2.7 this requires other changes if I remember..

        2. You missed editing the prefix of a table in the database..
        James,

        The strange thing about this is that last night I could get in and out of the back admin panel without problem. Then, this morning, I found that the permissions seem to have been changed. Further, on the other sites, the links in the admin panel appear to have been disabled, so I can't post, edit, get to plugins and so forth. At this point I'm tempted to delete the site and do a complete reinstall.

        Evan
        • TheRichJerksNet
          Originally Posted by ecdavis

          Thank you again everybody for your input. I apologize for taking so long to reply--it looks as if I've abandoned the thread. Due to severe and pressing issues, I've just now been able to get back to the computer.

          James,

          The strange thing about this is that last night I could get in and out of the back admin panel without problem. Then, this morning, I found that the permissions seem to have been changed. Further, on the other sites, the links in the admin panel appear to have been disabled, so I can't post, edit, get to plugins and so forth. At this point I'm tempted to delete the site and do a complete reinstall.

          Evan
          This is my point .. Either it's your computer or your host.. There is no way, after doing the security that you did, that a hacker would have known what to do in order to get access. You are using unique names, etc., that hackers would not know..

          Unless -- They get access through your computer or your host. If you feel your computer is safe then the problem is with the host. Trust me the host is not going to admit they are in the wrong.. I have built way too many sites which I put security into every single site I build.. According to your email to me there is no way wordpress itself was hacked.

          Seriously Evan I think it is time to change host...

          Oh, one thing you can check also: login to ftp and check your theme pages to see if they have some weird code in there that does not belong.

          James
  • ecdavis
    Catalin,

    Thank you for your advice. I will look into this.

    Edit: Any chance you could be more specific about how to return permissions to myself?

    Thanks,
    Evan
    • sachibhat
      Also make sure you keep on updating to the latest wordpress releases
      • TheRichJerksNet
        Originally Posted by sachibhat

        Also make sure you keep on updating to the latest wordpress releases
        That's bad advice .. new releases have issues that hackers have access to..

        James
  • fthomas137
    Hey man,

    Crap, it sounded like a redirect hack! After you confirmed it, there's an easy fix. All you have to do is go into the redirect panel inside the wp admin and tell it to delete all redirects. This will cleanse the database and shut off the redirect plugin. All you have to do is then test your site and if everything is 100% return on the redirect and test again.

    F
  • Wordpress is not a good solution for serious e-commerce. It's easy, which makes it great for blogs by non-techies and crackers.

    Suggest you look at Drupal or PHPNuke.
    • fthomas137
      Or you could make sure that you backup your files daily or weekly to protect in the future. As I mentioned earlier, cpanel has a built-in backup facility. Works like a charm and it's not hard to use. I would also chat to your provider on how you could use their help to restore if you are hacked before it happens.

      In my opinion, doesn't matter what the platform is, if it's online, it's hackable.

      Frank
      • Originally Posted by fthomas137

        Or you could make sure that you backup your files daily or weekly to protect in the future. As I mentioned earlier, cpanel has a built-in backup facility. Works like a charm and it's not hard to use. I would also chat to your provider on how you could use their help to restore if you are hacked before it happens.

        In my opinion, doesn't matter what the platform is, if it's online, it's hackable.

        Frank
        True, but some platforms are better reinforced than others.
  • ecdavis
    By now I'm convinced that it's time for a host change. However, I'd like to stabilize the sites, but if someone has control of the server, that's not going to happen. I think my computer is secure, but then I find that when I click on search engine links that I'm often redirected to other sites. That sounds like trojan activity, but I've done a couple of scans and haven't found anything. By the way, RZ tech says that they do use phpsuexec on all servers.

    Evan
    • TheRichJerksNet
      Originally Posted by ecdavis

      By now I'm convinced that it's time for a host change. However, I'd like to stabilize the sites, but if someone has control of the server, that's not going to happen. I think my computer is secure, but then I find that when I click on search engine links that I'm often redirected to other sites. That sounds like trojan activity, but I've done a couple of scans and haven't found anything. By the way, RZ tech says that they do use phpsuexec on all servers.

      Evan
      Good, they have SuExec installed .. that means no permissions of 777 are used and the owner of the files "should" be your username. Now it is possible, though, when PhpSuExec is compiled with Apache that the config file gets a little messed up. So ask your host if the actual owner of your files is your username on the server. If they show as "nobody" or "root" then there was a mistake made during the recompile of Apache with PhpSuExec.

      Also, again check your themes. I have no idea what themes you are using, but I suggest Flexibilitytheme.com as they do have a very good theme with controls.

      James
  • ecdavis
    I see my last post didn't post. Perhaps I didn't hit the "submit" button. Anyway, I'm doing what you advise. I expect to hear back from RZ tech sometime today regarding the file ownership question. Regarding wp themes, I do happen to be using the flexibility theme on one of my sites. However, I had to clean the index.php and functions.php of that and all other themes in "Appearances." I've also been checking the databases, and I don't notice any obvious signs of tampering, but then I'm not sure that I'd really know how to recognize anything significant.

    Evan
  • Catalin Ionescu
    @Tink: Yes, that's the option that should be disabled on most blogs.

    @Davis: In the WP database there's a table named wp_usermeta (if you kept the default table prefix of wp_). Inside there are two records you might want to check.

    First look for a record that has user_id = 1 and meta_key = wp_user_level. The column meta_value should be 10.

    Secondly, user_id = 1 but this time meta_key = wp_capabilities. The column meta_value should be a:1:{s:13:"administrator";b:1;}

    - Catalin
  • ecdavis
    Catalin,

    Thank you for the tips. I will re-examine the databases thusly.

    Evan
  • ecdavis
    James and anyone else still following this,

    According to RZ tech support, the owner of the files belongs to my user name. Earlier today I did a system restore to a point well before I started having difficulty, and I hope that handles any issues surrounding a compromised computer. At this point, I can't tell whether restoring the system to an earlier time is having any effect.

    Edit: Doing the system restore did not apparently resolve the problem. I did the restore in the morning, and later in the evening, I was able to track the sites that I had cleaned being taken over again.

    Evan
    • TheRichJerksNet
      Originally Posted by ecdavis

      James and anyone else still following this,

      According to RZ tech support, the owner of the files belongs to my user name. Earlier today I did a system restore to a point well before I started having difficulty, and I hope that handles any issues surrounding a compromised computer. At this point, I can't tell whether restoring the system to an earlier time is having any effect.

      Edit: Doing the system restore did not apparently resolve the problem. I did the restore in the morning, and later in the evening, I was able to track the sites that I had cleaned being taken over again.

      Evan
      Evan,
      Your wp_user_level: if you missed editing that, then edit the wp_ prefix like you did the others; that will give you access to admin.

      Now, since you do not have access to admin due to the prefix being wrong, but your sites are still hacked and your computer has already been checked, that leaves one option left: your host...

      There are files on your host that allow access to hackers, or your host itself is not secured. Unless you have a custom .htaccess file, you can delete it and wordpress will auto-generate it again; it may contain hacking code.

      It's also good if you have an ftp client that gives dates on file changes. You need to check those dates, and if you did not edit this file or that file then it is possible those files were edited by hackers before you did the security. So you need to double check those files.

      You can also give this a test - WordPress Exploit Scanner

      James
  • ecdavis
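An added example, not code from the thread, that turns the file checks James asks for here and earlier in the thread (no 777 permissions, files owned by your own hosting account, and modification dates you cannot account for) into one scan a site owner can run over a downloaded copy of the web root. The web-root layout, uids and timestamps are constructed sample data; the hypothetical `build_sample_tree` plants one problem of each kind so `audit_webroot` has something to find.

```python
"""Audit a WordPress web root for the conditions raised in this thread:
world-writable entries (the "777" problem), files not owned by the hosting
account, and files changed after a baseline the owner knows is clean.
Added example; the sample tree, uids and timestamps are constructed."""
import os
import stat
import tempfile
import time


def audit_webroot(root, expected_uid, baseline):
    """Walk root and return a sorted list of (relative_path, reason).

    expected_uid: the uid the hosting account's files should belong to.
    baseline:     a Unix timestamp; regular files modified after it are
                  reported so they can be diffed against a clean copy."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # do not follow symlinks
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable (%o)" % mode))
            if st.st_uid != expected_uid:
                findings.append((rel, "owned by uid %d, expected %d"
                                 % (st.st_uid, expected_uid)))
            if stat.S_ISREG(st.st_mode) and st.st_mtime > baseline:
                findings.append((rel, "modified after baseline"))
    return sorted(findings)


def build_sample_tree(base, baseline):
    """Constructed sample layout with one planted problem of each kind.
    File ownership cannot be faked without root, so demo() exercises that
    check by passing a deliberately wrong expected uid instead."""
    old = baseline - 86400
    files = {
        "wp-config.php": (0o640, old),
        "wp-content/plugins/redirection/redirection.php": (0o644, old),
        # touched an hour after the baseline: the owner did not edit it
        "wp-content/themes/flexibility/index.php": (0o644, baseline + 3600),
        # world-writable: anything running on the box can rewrite it
        "wp-content/uploads/cache.php": (0o777, old),
    }
    for rel, (mode, mtime) in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))
    # Pin directory modes so the result does not depend on the umask.
    for dirpath, dirnames, _ in os.walk(base):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)


def demo():
    """Build the sample tree in a temporary directory and audit it twice:
    once with the correct owner and once with a wrong expected uid.
    Returns (findings_with_correct_owner, extra_findings_with_wrong_owner)."""
    baseline = time.time() - 7200     # "I last edited anything two hours ago"
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base, baseline)
        me = os.getuid()
        correct_owner = audit_webroot(base, me, baseline)
        wrong_owner = audit_webroot(base, me + 1, baseline)
    return correct_owner, len(wrong_owner) - len(correct_owner)


if __name__ == "__main__":
    findings, _ = demo()
    for rel, reason in findings:
        print("%-50s %s" % (rel, reason))
```

Against a real site, point `audit_webroot` at the downloaded web root with the uid your host reports for your account and the timestamp of your last legitimate edit; every hit is a file to diff against a fresh WordPress, theme or plugin copy.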
    Tomcass, I have considered that and am looking into that possibility.

    James, I re-examined the tables, and all have the prefix changed, though within _usermeta I did find two records where the metavalue still had the wp_ prefix, and I changed them to the new prefix. By the way, I do not have a record called wp_user_level. I've looked, and it is nowhere to be found in the _usermeta table.

    Evan
    • TheRichJerksNet
      Originally Posted by ecdavis

      Tomcass, I have considered that and am looking into that possibility.

      James, I re-examined the tables, and all have the prefix changed, though within _usermeta I did find two records where the metavalue still had the wp_ prefix, and I changed them to the new prefix. By the way, I do not have a record called wp_user_level. I've looked, and it is nowhere to be found in the _usermeta table.

      Evan
      One of those was removed/changed for WordPress 2.7 but I could not recall which one. There are several database changes from 2.6.5 and 2.7 ...

      2.7 - database prefix

      options table = WP PREFIX_user_roles
      usermeta table = WP PREFIX_capabilities
      usermeta table = WP PREFIX_user_level

      Those are the 3 that should be edited in 2.7 database... If you do not have a user_level then that probably is your issue right there..

      I have done many installs for WordPress Secured clients and I have found some of their old blogs did not have that in the database. No idea why, but I added the column to the database table when I installed the new security.

      I have emailed you a screenshot of the usermeta table for 2.7 that I have running on my server that does use WordPress Secured.

      James
  • ecdavis
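An added example (not from the thread or from WordPress) that checks the usermeta records Catalin describes (user 1 needs `user_level` = 10 and an "administrator" entry in the PHP-serialized capabilities value), the prefixed 2.7 keys James lists, the stale `wp_`-prefixed rows Evan found after renaming his table prefix, and any other account that has been granted administrator rights. The rows, the `ab12_` prefix and the function names are constructed for the example; the parser handles only the PHP serialization tokens a capabilities value uses.

```python
"""Audit WordPress usermeta rows for the admin-privilege problems discussed
in this thread. Added example, not from the thread or from WordPress; the
rows and the ab12_ prefix are constructed sample data shaped like the
phpMyAdmin view of the usermeta table."""

# Constructed sample: (umeta_id, user_id, meta_key, meta_value).
# The owner renamed the table prefix from wp_ to ab12_ but missed one row,
# and a second account has quietly been given administrator rights.
SAMPLE_ROWS = [
    (1, 1, "nickname", "admin"),
    (2, 1, "ab12_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, 1, "wp_user_level", "10"),
    (4, 3, "nickname", "reader"),
    (5, 3, "ab12_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (6, 3, "ab12_user_level", "0"),
    (7, 7, "nickname", "webmaster"),
    (8, 7, "ab12_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (9, 7, "ab12_user_level", "10"),
]


def _parse(b, i):
    """Recursive-descent parser for the PHP serialization format stored in
    meta_value. Handles arrays (a), strings (s), integers (i), booleans (b)
    and null (N), which is everything a capabilities value contains.
    Works on bytes because PHP string lengths are byte counts."""
    t = b[i:i + 1]
    if t == b"N":                                  # N;
        return None, i + 2
    if t in (b"i", b"b"):                          # i:42;  b:1;
        end = b.index(b";", i)
        num = int(b[i + 2:end])
        return (bool(num) if t == b"b" else num), end + 1
    if t == b"s":                                  # s:13:"administrator";
        colon = b.index(b":", i + 2)
        length = int(b[i + 2:colon])
        start = colon + 2                          # skip :"
        return b[start:start + length].decode("utf-8"), start + length + 2
    if t == b"a":                                  # a:1:{...}
        colon = b.index(b":", i + 2)
        count = int(b[i + 2:colon])
        i = colon + 2                              # skip :{
        result = {}
        for _ in range(count):
            key, i = _parse(b, i)
            val, i = _parse(b, i)
            result[key] = val
        return result, i + 1                       # skip }
    raise ValueError("unsupported PHP token %r at offset %d" % (t, i))


def php_unserialize(text):
    """Decode one serialized meta_value, e.g. a capabilities string."""
    raw = text.encode("utf-8")
    value, end = _parse(raw, 0)
    if end != len(raw):
        raise ValueError("trailing data after serialized value")
    return value


def is_admin(caps_value):
    """True when a serialized capabilities value grants administrator."""
    caps = php_unserialize(caps_value)
    return isinstance(caps, dict) and bool(caps.get("administrator"))


def audit_usermeta(rows, prefix, admin_user_id=1):
    """Return a list of human-readable findings for the given rows."""
    findings = []
    meta = {}
    for _umeta_id, user_id, key, value in rows:
        meta.setdefault(user_id, {})[key] = value
        if prefix != "wp_" and key.startswith("wp_"):
            findings.append("user %d: meta_key %s still carries the old wp_ prefix"
                            % (user_id, key))
    admin = meta.get(admin_user_id, {})
    if admin.get(prefix + "user_level") != "10":
        findings.append("user %d: %suser_level missing or not 10"
                        % (admin_user_id, prefix))
    caps = admin.get(prefix + "capabilities")
    if caps is None or not is_admin(caps):
        findings.append("user %d: %scapabilities does not grant administrator"
                        % (admin_user_id, prefix))
    for user_id in sorted(meta):
        caps = meta[user_id].get(prefix + "capabilities")
        if user_id != admin_user_id and caps and is_admin(caps):
            findings.append("user %d (%s): unexpected administrator account"
                            % (user_id, meta[user_id].get("nickname", "?")))
    return findings


if __name__ == "__main__":
    for line in audit_usermeta(SAMPLE_ROWS, "ab12_"):
        print(line)
```

To run it on a real table, export the usermeta rows from phpMyAdmin and feed them in as the same four-column tuples with your own prefix.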
    James,

    Thank you. I am on my way to check the email. Also, I checked my wp 2.7 sites and none of them have the _user_level metavalue in the _usermeta table. However, I also checked my wp 2.7.1 site and that does have the _user_level record, but that is also one of the sites that has been repeatedly hacked. I'll also mention that in doing a manual search of my computer, I came across a pdf and .exe with the same Latvian ip address in my temp folder. I have no idea where these came from and I deleted them and then deleted the contents of the recycle bin. I'll keep an eye out to see if they show up again.

    Evan
  • ecdavis
    James,

    I just had a look at your screenshot. That is very close to what I have for my wp 2.7.1 blog that has been hacked. That makes me wonder whether the hacker has access to the database. This evening, I'll try out the plugin you recommended to see if it picks up any signs of database intrusion. I'll also see if I can add a _user_level column in the 2.7 sites.

    Edit: How would I add a row to the _usermeta table ?

    Thanks,
    Evan
    • TheRichJerksNet
      Originally Posted by ecdavis

      James,

      I just had a look at your screenshot. That is very close to what I have for my wp 2.7.1 blog that has been hacked. That makes me wonder whether the hacker has access to the database. This evening, I'll try out the plugin you recommended to see if it picks up any signs of database intrusion. I'll also see if I can add a _user_level column in the 2.7 sites.

      Edit: How would I add a row to the _usermeta table ?

      Thanks,
      Evan
      Open your database (phpMyAdmin) and click on the table you are using, then look at the top and you will see a "SQL" tab. Click on it and it will bring up your SQL query box. Then add the following and click on the submit/go button.

      Note: change the EditMePlease_ to the prefix you are using, also make sure you have a BACKUP before doing this.

      Code:
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(1, 1, 'nickname', 'admin');
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(2, 1, 'rich_editing', 'true');
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(3, 1, 'comment_shortcuts', 'false');
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(4, 1, 'admin_color', 'fresh');
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(5, 1, 'EditMePlease_capabilities', 'a:1:{s:13:"administrator";b:1;}');
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(6, 1, 'EditMePlease_user_level', '10');
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(7, 1, 'closedpostboxes_dashboard', 'a:1:{i:0;s:0:"";}');
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(8, 1, 'metaboxhidden_dashboard', 'a:1:{i:0;s:0:"";}');
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(9, 1, 'EditMePlease_usersettings', 'mfold=o&editor=tinymce');
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(10, 1, 'EditMePlease_usersettingstime', '1233636062');
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(11, 1, 'EditMePlease_metaboxorder_dashboard', 'a:2:{s:4:"side";s:83:"dashboard_quick_press,dashboard_recent_drafts,dashboard_primary,dashboard_secondary";s:6:"normal";s:88:"dashboard_right_now,dashboard_recent_comments,dashboard_incoming_links,dashboard_plugins";}');
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(12, 1, 'EditMePlease_metaboxorder_post', 'a:3:{s:4:"side";s:29:"submitdiv,tagsdiv,categorydiv";s:6:"normal";s:61:"postexcerpt,trackbacksdiv,postcustom,commentstatusdiv,slugdiv";s:8:"advanced";s:0:"";}');
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(13, 1, 'EditMePlease_autosave_draft_ids', 'a:29:{i:-1229616190;i:3;i:-1229710919;i:5;i:-1229711649;i:7;i:-1229712654;i:9;i:-1000;i:12;i:-1230665991;i:13;i:-1230668128;i:18;i:-1230668892;i:24;i:-1230669328;i:28;i:-1230670103;i:31;i:-1230670409;i:34;i:-1230670611;i:36;i:-1230702086;i:44;i:-1230842209;i:49;i:-1230842383;i:51;i:-1231030102;i:53;i:-1231030290;i:55;i:-1231030413;i:57;i:-1231030503;i:59;i:-1231136451;i:62;i:-1231136636;i:64;i:-1231201027;i:68;i:-1231814419;i:72;i:-1231814507;i:73;i:-1231981237;i:79;i:-1231981395;i:80;i:-1232586027;i:83;i:-1233106152;i:84;i:-1233635720;i:86;}');
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(14, 1, 'closedpostboxes_post', 'a:1:{i:0;s:0:"";}');
      INSERT INTO `EditMePlease_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES(15, 1, 'metaboxhidden_post', 'a:1:{i:0;s:7:"slugdiv";}');
      WARNING: I have not seen 2.7.1 database as I have not bothered to take the time to install it yet, so I do not know if there are any changes from 2.7 to 2.7.1 as far as the database is concerned.

      James
  • ecdavis
    Thank you! I'll get on it.

    Edit: I will be getting right on it, but I'm in the process of running security measures on my PC.

    Evan
  • ecdavis
    To James and anyone else still following this thread,

    I thought I'd add a more detailed update. In order to more thoroughly investigate the possibility of there being a keylogger or other application on my pc "phoning home," as it were, I deleted all temp files. By temp files, I mean all the temp files on C-drive. I am also running Trend Micro's House Call computer scan to search for vulnerabilities and other malware. I have also installed Zone Alarm, though that is off while House Call is running. The reason I've deleted all temp files (I did this in Safe Mode in order to be sure to get everything), started House Call, and installed Zone Alarm, is that I found I was unable to examine the registry using the Regedit command. This was sufficiently unusual to motivate me to take these additional steps. I'll add that the first time I ran House Call--last night--it scanned for 5 hours and then, due to an unidentified internal error, was unable to run the House Call client. This morning, I uninstalled House Call and then did a reinstall, and it is now running again. I am waiting to see if the same error occurs or if the client will be able to complete successfully. Once House Call has completed, I will activate Zone Alarm for continued surveillance. The reason for Zone Alarm is that it should block any attempt by any application to connect to the Internet from my computer and likewise block any application from downloading onto my computer from the Internet. Each time any attempt is made, it posts an alert that gives you the choice of either allowing or denying the connection. The point of this is to catch and block any keylogger or other malicious program in the act of "phoning home."

    One thing I've learned from this ordeal--which is not yet over, by the way--is the importance of regularly deleting the temp files from your computer. Again, deleting the temp files by going to the Tools menu and choosing Internet Options does not get all of the temp files. You have to look up all the temp files on C-drive and delete them. I know many members of this forum are well aware of this, but I was not, and so I'm saying it here in hopes that this may be of assistance or help prevent anyone else from invasion.

    Evan
  • Profile picture of the author TheRichJerksNet
    Hi Evan,
    Yes windows users should always empty out that temp folder.. On my Intel Mac I just trash the folder itself each time I use windows as windows just re-creates it...

    Best security program for windows is Best Anti-Virus Software & Internet Security - Kaspersky Lab

    James
  • Profile picture of the author archer29
    I use malwarebytes and the free AVG version and they work pretty well, but a few days ago I picked up that nasty Winpc defender trojan. If you're getting redirected through your browser it's time for a registry clean up. The free one from Avast is supposed to work well. I always visit the forums before I download free programs to make sure they aren't just fake cleaners that add more viruses, and these seem to be trustworthy.

    Also, I've heard good things about superantispyware (also free) as an additional scanner and I also use Spybot Search and Destroy.

    There are just way too many trojans, worms and viruses out there for one scanner to pick up all of them so multiple protection is a good idea. It's too bad we need so much security these days.
  • Profile picture of the author ecdavis
    Archer,

    Thank you for the tips. I'll check into those for the browser hijacking problem. Right now, it appears that I either have serious file corruption or a serious piece of malware. I will attempt to do a system repair from the original discs, but if that doesn't resolve the problems, then I'll have to essentially wipe the hard drive and do a complete system reinstall. Not looking forward to that.

    Evan
  • Profile picture of the author Floyd Fisher
    Originally Posted by ecdavis View Post

    Hi. A few weeks ago I posted a thread regarding a number of my resellerzoom wordpress sites being hacked. I received much good advice about how to make wordpress sites more resistant. However, I've since had my sites hacked again in the same manner, and I don't know how to secure my domains. Would anyone be able to recommend a professional in the field who might be able to figure out and close the hole in my domains?

    On a side note, I find that when I click on search engine links to sites, I am often redirected to some other site. The sites I am redirected to appear to be random sites of vaguely related subject matter. So, for example, if I click on a site having to do with insomnia, I might find that I am routed to some other sleep related site. Earlier, when checking a few squidoo sites and hubs, I found myself redirected to other sites related to Internet marketing. Anyone have any idea what is going on? This happens only some of the time and not every time I click on a search engine link.

    Thanks,
    Evan
    I suspect the two are related. Here's some real help:

    http://security.symantec.com/sscv6/h...TZPZRNQJQFRDZU

    Use the scanners, tell us what hit you, and we will send you removal instructions.

    -Floyd
  • Profile picture of the author ecdavis
    Floyd,

    Thank you. I just ran the Symantec scan, and it revealed the following:

    C:\RECYCLER\S-1-5-21-3415653900-2338166854-4184464200-1006\Dc547.4DH is infected with Backdoor.Graybird
    C:\RECYCLER\S-1-5-21-3415653900-2338166854-4184464200-1006\Dc554.4HU is infected with Trojan Horse
    C:\RECYCLER\S-1-5-21-3415653900-2338166854-4184464200-1006\Dc556.4I1 is infected with Trojan Horse
    C:\RECYCLER\S-1-5-21-3415653900-2338166854-4184464200-1006\Dc566.4JM is infected with Trojan Horse
    C:\RECYCLER\S-1-5-21-3415653900-2338166854-4184464200-1006\Dc568.4JP is infected with Trojan Horse
    Evan
  • Profile picture of the author ecdavis
    Zone Alarm picked up sprtlisten.exe trying to make an Internet connection. The message said that "sprtlisten.exe is trying to act like a server." I have tried to look sprtlisten.exe up but really can't find very much. Anyone have any idea what this is or means?

    Thanks,
    Evan
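The "trying to act like a server" alert above means a process opened a listening socket. The following PowerShell snippet is an added example, not from this thread: it lists every listening TCP endpoint with the owning process, its executable path and its Authenticode signature status, so an unfamiliar listener can be identified before anything is deleted. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt, so that every process's path is readable.

```powershell
# Added example: inventory listening TCP sockets and check who owns them.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

$listeners = Get-NetTCPConnection -State Listen |
    Select-Object -Property LocalAddress, LocalPort, OwningProcess -Unique

$report = foreach ($l in $listeners) {
    # PID 4 (System) and protected processes may return no path; handle that.
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $path = if ($proc) { $proc.Path } else { $null }

    # 'Valid' means a signed binary whose hash still matches the signature.
    # 'NotSigned', 'HashMismatch' or 'UnknownError' deserves a closer look,
    # e.g. checking the file's vendor, install date and the service that starts it.
    $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }

    [PSCustomObject]@{
        Process   = if ($proc) { $proc.ProcessName } else { '<no process>' }
        PID       = $l.OwningProcess
        Listen    = "$($l.LocalAddress):$($l.LocalPort)"
        Path      = $path
        Signature = $sig
    }
}

# Unsigned or unknown listeners first, so they stand out in the table.
$report | Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Process |
    Format-Table -AutoSize
```

A signed binary from a known vendor listening only on 127.0.0.1 is usually a helper service; an unsigned executable listening on all interfaces is the case worth investigating further, and the Path column is where to start.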
  • Profile picture of the author TheRichJerksNet
    Evan,
    I am not a windows user really but google seems to have been asked this question a good bit... 2,000 some searches this month..

    sprtlisten.exe what is it - Google Search

    James
  • Profile picture of the author ecdavis
    Yes, there are many searches but surprisingly little information on exactly what it is. I do know that when I start up, sprtlisten.exe wants to connect as a server, but I don't really know what that means.

    Evan
    • Profile picture of the author TheRichJerksNet
      Originally Posted by ecdavis View Post

      Yes, there are many searches but surprisingly little information on exactly what it is. I do know that when I start up, sprtlisten.exe wants to connect as a server, but I don't really know what that means.

      Evan
      Looks to me like something that you need to get rid of... If it is wanting to connect then it is possibly sending information someplace. One of the many reasons why I am glad I am a Mac user...

      James
    • Profile picture of the author Tom B
      Originally Posted by ecdavis View Post

      Yes, there are many searches but surprisingly little information on exactly what it is. I do know that when I start up, sprtlisten.exe wants to connect as a server, but I don't really know what that means.

      Evan
      Evan, don't start deleting things unless you know what they are.

      Do a google on sprtlisten.exe and it comes up as a program from Support Soft.
  • Profile picture of the author ecdavis
    Thomas,

    I'm not deleting anything, but I don't know what sprtlisten is or what supportsoft is. A question I have is whether or not that particular .exe could be corrupted to serve as a means to send information back to some other server. Right now, it looks as if I'll have the hard drive completely reformatted. Every time I run a virus/malware scan and find and delete stuff, it just gets funkier and funkier. It is as if the malware, or whatever it is, is trying to fight back. Little does it know that it is soon to be scattered into component 1s and 0s.

    Evan
    • Profile picture of the author ecdavis
      For anyone still following this thread, here is a follow-up:

      First, I just want to thank everyone who took the time to post! You all helped provide me, a relative non-techy, with the pieces needed to resolve this puzzle. In the end, it appears that there was some sort of trojan, virus, or malware on my computer sending information back to some other server, and this now appears to have been the hacker's primary means of access to my sites. (I say primary because even though I think the host server is safe, I'm not yet 100% sure.)

      The process of trying to rid my computer of "infection" turned up a number of worms and trojans and other unidentifiable applications. Attempts to remove these were only partially successful and left the computer only quasi functional. As a preventive measure, I installed the free version of the Zone Alarm firewall in order to see exactly what was trying to connect to the Internet to and from my PC. As mentioned above in earlier posts, the only unidentifiable applications were the sprtlisten.exe and a supportsoft application. If you google these terms, you'll find that although there are many references to them, there is really very little precise information about them.

      So, were sprtlisten.exe and supportsoft the culprits? I can't say absolutely. What I can tell you, though, is that in order to resolve the problem of infection, I reformatted the hard drive and did a complete reinstall of the operating system and original software and drivers that shipped with the computer. I now have a nearly brand new squeaky clean system. Following that, I downloaded Trend Micro and scanned the system, then installed Zone Alarm. After the reinstall and TM and ZA installations, I have determined that the sprtlisten.exe and supportsoft applications are no longer on the computer.

      And, my wordpress sites have so far remained clean. Are sprtlisten and supportsoft guilty? Again, I can't say for sure, though it's my opinion that this is the case. If it turns out later that the sites are again hacked in the same way, I'll post a follow-up. I am very sure that at this point my computer is safe.

      To summarize, in order to solve the problem of my sites being hacked due to local infection on my PC, I reformatted the hard drive and did a complete reinstall from the installation discs provided by the manufacturer. I then downloaded and installed Trend Micro (with firewall turned off) and the Zone Alarm firewall (run only one firewall at a time). To safeguard the sites in the future, I will make some changes--or in this case, redo changes--to the wordpress database and make changes to the wp-admin folder.

      Evan