My Site's Been Hacked...!

37 replies
OK,

So a couple of weeks ago I applied to the NeverBlue CPA network.

They have a manual approval process. Didn't think much about it.

Until they called me late last night to tell me my application had been declined.

I asked why...

"Because your site has been hacked, Sir"

WTF?

Sure enough, my personal blog (firstnamelastname.com) has been defaced by a charming chap by the name of Sn!peR BaghdaD

The cheeky son-of-a-gun was at least thoughtful enough to leave his email address, in case I want to know "What A Hell We Doing HeR..."

Now, I'm fairly sure he wouldn't have brute forced my password...it's too complex for that...

...so I can only assume there's a security hole in WordPress 2.7

It's a straight out of the box install, with no plugins.

Just a heads up, if you're also running WP2.7...perhaps there are some security patches available...or maybe you should consider upgrading to 2.8

Luckily, my blog had no content of any real value...I hastily threw some content up there to help with my CPA applications...so I can wipe it clean without too much effort.

But, how about you? If you don't already, be sure to take regular backups of your blogs.

You never know when they might become a hacker target!

Steve
#hacked #site
  • Profile picture of the author Kirahster
    Wow that is horrible. I think I read another thread a month or so ago where the same thing happened and I am pretty sure it was someone from Iraq.

    I can think of a lot of ways whereby this guys time and energy could be a lot better spent!
    Signature
    {{ DiscussionBoard.errors[981536].message }}
  • That's a drag. That happened to me once and I was completely shocked to find it out. I told my webmaster and he felt shocked, too. Some people just have too much time on their hands!

    Astounding Writing Coach
    Signature
    Astounding Writing Coach
    Why do personal development, self-help, natural wellness and hypnosis small business owners regularly hire me for my engaging, intuitive, creative content writing skills? Because that's what I passionately do best.
    {{ DiscussionBoard.errors[981592].message }}
  • Profile picture of the author Mike Hersh
    I hope you'll find out what was the hack to save us all....

    I'm using Wordpress 2.7 to.

    Mike G
    {{ DiscussionBoard.errors[981657].message }}
    • Profile picture of the author WareTime
      Originally Posted by Mike Hersh View Post

      I hope you'll find out what was the hack to save us all....

      I'm using Wordpress 2.7 to.

      Mike G

      Why are you / is anyone / running WP 2.7 in July of 2009. 2.8.2 is out and a click away.

      Oh, all your favorite plugins break in 2.8. Welcome to the wonderful world of open source cms'.

      I'm so happy I'm free of the WP monkey off my back. My sites are ranking better too, even though everyone raves how Google loves WP sites.
      Signature

      {{ DiscussionBoard.errors[1001627].message }}
  • Profile picture of the author peter gibson
    Man that is messed up. I'm upgrading tonight after reading this. Thanks for the heads up.
    {{ DiscussionBoard.errors[981668].message }}
  • Profile picture of the author Steven Fullman
    Originally Posted by Franco Mocke View Post

    Why would a hacker want to hack into a wordpress blog?
    I don't know.

    Shall I email him and find out for you?

    Signature

    Not promoting right now

    {{ DiscussionBoard.errors[981681].message }}
    • Profile picture of the author rosetrees
      I had a similar problem a few weeks ago. Just a message from the hacker. Turned out that it was only the index.php files that had been replaced. I did a fresh install of WP on a new subdomain, installed my theme, ftped the index.php files to my hacked site and it was good as new. The content was untouched
      {{ DiscussionBoard.errors[981696].message }}
      • Profile picture of the author kevin campbelle
        There are a number of ways that a wordpress blog can be hacked. James (aka TheRichJerksNet) has a product called Wordpress Secured which is good, and he and others also has given general information in a few threads about some of the things you can do to protect your blog.

        If you do a search for wordpress hack in the main forum you will see a number of threads where it is discussed. To make it easier for you here is the search.

        http://www.warriorforum.com/search.php?searchid=1640381


        Kevin.
        {{ DiscussionBoard.errors[981849].message }}
  • Profile picture of the author Michael Motley
    Thats why i bought an external backup drive this weekend. 1TB drive for only 119. I backed up my entire pc, and then backed up my sites. The sites themselves really dont take up that much room
    {{ DiscussionBoard.errors[981814].message }}
  • Profile picture of the author dsmpublishing
    A friend of mine had her blog taken over around xmas time and her blog was suddenly full of porn and gambling content that it just wouldnt let her delete. Such a shame when it happens to you and i must admit im always backing everything up and carrying out virus checks as im concerned its going to happen to me.

    glad you have it sorted out


    sam
    X
    {{ DiscussionBoard.errors[981863].message }}
  • Profile picture of the author Michael Mayo
    Because he/she/it can so, it's an ego trip and a way for them to get a rush.
    Originally Posted by Franco Mocke View Post

    Why would a hacker want to hack into a wordpress blog?
    Steve, If you haven't already done so, run a virus scan on your system.
    Just a couple months back there was a pain in the arse Trojan key logger
    that once on your system would capture and use your FTP log in info to
    hack your sites.

    I went through it and it isn't fun as every time I fixed the sites involved it
    would wait a couple of days and then strike again and the cycle would
    have continued had we not discovered the the source was via FTP.

    To stop it you need to change your FTP passwords with out it knowing.
    It is a key logger so the only way is to do something like type a bunch of
    random letters in a text doc like this:

    dhsjekdivuendjslekdupqlwmendhsyetrncxc

    then select random areas of the text to copy and past to change your FTP pass words.

    Key loggers can't read copy and paste plus after you have done this then
    write down your new pass words on a piece of paper and delete the text
    file so even if it did follow what you did it won't be able to recreate it.

    Hope that Helps,
    Have a Great Day!
    Michael
    {{ DiscussionBoard.errors[981886].message }}
  • Profile picture of the author Peter Bestel
    Yep, experienced this a few weeks ago too. Seems to target WP sites but not a Wordpress security flaw but as Michael and David (Kiosk2) said, it's a keylogger that gets to your site via your FTP.

    Highly recommend Roboform and Craig Desorcy's Blog Lock Down. (Not aff link)

    Mind you, if your PC is badly infected you may have to resort to a reformat. I hope you don't.

    Peter
    {{ DiscussionBoard.errors[982048].message }}
  • Profile picture of the author lharding
    Got to say, these virus attacks are pretty scary! I no longer use a PC, went over to the Mac and since not had any problems in this area. I guess Macs aren't popular enough for the hackers to justify writing a virus (or maybe it's too hard). I run Windows in a Virtual Machine on the mac if I have to have windows, so worst case, I just delete the Virtual Machine and create a new one from a copy I keep (which I guess is similar to the reformat suggestion, only takes a couple of mins though). If you don't like Mac, I believe Sun have released a FREE virtual machine which can run on Linux, which may do the same thing.

    Just a thought!
    Cheers, Lee.
    Signature
    Lee Harding
    The Architect
    {{ DiscussionBoard.errors[982129].message }}
    • Profile picture of the author rlrlphs
      OH I'm so sad to hear that your site was being hacked by someone else. Yes, there should be a security in WP2.7 in order for you site will not be hacked.
      {{ DiscussionBoard.errors[982193].message }}
      • Profile picture of the author Keithp
        I had the same thing happen to 3 of my sites last month.

        Drove me %$%^ batty! I didn't notice it until I got an email from a vistor telling me Kerpasky AntiVirus blocked his browser from viewing one of my sites.

        Turns out to have been a keylogging virus on my machine grabbed ftp usernames and passwords and the SOB went and added code to each of the index pages.

        I wiped my pc clean, reinstalled os, re-set EVERY password I have and then got my ISP to block the IP of the group that hacked my sites ( BTW they were from Amsterdam).

        I would love to meet the hacker(s) face to face to explain my extreme displeasure!
        Signature
        The "Net Lead Effect"
        LeadPro- THE Lead Generation Software
        YourCreditWin - Consumer Credit Repair Software
        {{ DiscussionBoard.errors[982232].message }}
  • Profile picture of the author josephmorris90
    Originally Posted by Franco Mocke View Post

    Why would a hacker want to hack into a wordpress blog?
    Probably because they found a public exploit and decided to google "Wordpress (whatever version)" or something that mostly every wordpress blog has and just enter the exploit on that wordpress blog and deface it.

    Once an exploit is discovered and released for all of the people that just want to wreck stuff, it is a waste land and causes a lot of hard work for webmasters to get their websites back up running and up to date.
    {{ DiscussionBoard.errors[982238].message }}
  • Profile picture of the author Steven Fullman
    Just to let you know...

    I've done some digging, and found a 'defacement' forum that this guy's a member of.

    They hold contests, such as "This Week's Best Defacer"...bless 'em.

    Turns out he cracked into mine last Wednesday...Lol...

    Anyway, unfortunately, mine wasn't rated as a 'special defacement'

    But, I don't think this is the work of a virus...

    Keep safe, folks...there are over 20,000 other hacked sites listed on this particular forum...

    Signature

    Not promoting right now

    {{ DiscussionBoard.errors[982276].message }}
    • Profile picture of the author peter gibson
      Originally Posted by Steven Fullman View Post

      Just to let you know...

      I've done some digging, and found a 'defacement' forum that this guy's a member of.

      They hold contests, such as "This Week's Best Defacer"...bless 'em.

      Turns out he cracked into mine last Wednesday...Lol...

      Anyway, unfortunately, mine wasn't rated as a 'special defacement'

      But, I don't think this is the work of a virus...

      Keep safe, folks...there are over 20,000 other hacked sites listed on this particular forum...

      This thing only ever happens when Jack Bauer is on vacation you know.

      I'm just sayin'. :p
      {{ DiscussionBoard.errors[982834].message }}
  • Profile picture of the author josephmorris90
    At least you had a bit of glory Steven :p

    But yeah, as you are pointing out, once that exploit is released into the public, such as a hacking community/forum, the exploit is on a website for everyone to view, there will be tons of people that will think "hey, I can just enter this code and I will be able to get into this dudes site"...sadly.

    It is also hard to stay ahead of the hackers because unless you check the exploit and know what you are doing and can fix it, there will be hundreds of people googling "wordpress 2.7" (or whatever may be in a standard wordpress footer or on the standard wordpress site alone) and start entering that exploit they saw into a bunch of the sites that turn up in google.

    It sucks, the only thing you can really do is keep upgrading to the latest version for everything, or else you are at risk. (Even upgrading can be risky because new exploits may be found and the programmers may have not caught it before they released the newest version)
    {{ DiscussionBoard.errors[982296].message }}
  • Profile picture of the author John Henderson
    Wow. Check out their other targets -- "gsl.dlgjz.gov.cn", "swdc.govt.nz", "healthnwfp.gov.pk", "wj.cdta.gov.cn" -- they look like a couple of Chinese government sites, the website of the South Wairarapa District Council in New Zealand and what looks like a Pakistani government site possibly connected to the health ministry/World Food Programme.

    How sad.
    {{ DiscussionBoard.errors[982352].message }}
  • Profile picture of the author blackhattube
    hi steve,

    Wordpress does have the bugs, I too have suffered iframe attacks in the past. Actually this happens because of virus/trojan residing in your PC which steals your FTP username and password. Follow these steps to protect your site, you will never face the problem again:

    You can restrict access to wp-admin by adding following code in .htaccess
    order deny,allow
    allow from 000.00.00.1 # This is your static IP
    deny from all

    You can also place blank index.html file in wordpress admin and plugins folder, this way attackers cannot see which plugins are you using.
    {{ DiscussionBoard.errors[982506].message }}
    • Profile picture of the author BrandonMc
      All in all it's not that difficult to hack a blog. everyone here should do a simple test and test there own blog. Pull up http:/ /www.yur-blog.com/wp-content/plugins --- If you see a directory listing, then your a target.

      That's just one simple example. no virus or malware required.

      This one is an easy fix - Log into cPanel (or whatever) and goto Index Manager. There you set your blog to 'no index'.. But just as you keep your anti virus program updated, there are plenty of other precautions to security that should be addressed.. The a-fore mentioned TheRichJerksNet product and Blog Lock Down are both recommended. After all, there is only one person to blame if your sites security gets compromised.



      (edit)
      Yeah, and what BlueFart said - beat me to the punch he did
      {{ DiscussionBoard.errors[982761].message }}
    • Profile picture of the author TheRichJerksNet
      Originally Posted by BlueFarttube View Post

      hi steve,

      Wordpress does have the bugs, I too have suffered iframe attacks in the past. Actually this happens because of virus/trojan residing in your PC which steals your FTP username and password. Follow these steps to protect your site, you will never face the problem again:

      You can restrict access to wp-admin by adding following code in .htaccess
      order deny,allow
      allow from 000.00.00.1 # This is your static IP
      deny from all

      You can also place blank index.html file in wordpress admin and plugins folder, this way attackers cannot see which plugins are you using.
      Sorry dude but that is not any security and the fact is any hacker can fake his ip and make the .htaccess think he is you.. Also since many ISP now use DHCP it makes that suggestion useless because many have a changing ip...

      James
      {{ DiscussionBoard.errors[982804].message }}
  • Profile picture of the author TheRichJerksNet
    Originally Posted by Steven Fullman View Post

    OK,

    So a couple of weeks ago I applied to the NeverBlue CPA network.

    They have a manual approval process. Didn't think much about it.

    Until they called me late last night to tell me my application had been declined.

    I asked why...

    "Because your site has been hacked, Sir"

    WTF?

    Sure enough, my personal blog (firstnamelastname.com) has been defaced by a charming chap by the name of Sn!peR BaghdaD

    The cheeky son-of-a-gun was at least thoughtful enough to leave his email address, in case I want to know "What A Hell We Doing HeR..."

    Now, I'm fairly sure he wouldn't have brute forced my password...it's too complex for that...

    ...so I can only assume there's a security hole in WordPress 2.7

    It's a straight out of the box install, with no plugins.

    Just a heads up, if you're also running WP2.7...perhaps there are some security patches available...or maybe you should consider upgrading to 2.8

    Luckily, my blog had no content of any real value...I hastily threw some content up there to help with my CPA applications...so I can wipe it clean without too much effort.

    But, how about you? If you don't already, be sure to take regular backups of your blogs.

    You never know when they might become a hacker target!

    Steve

    Hey Steve,
    Wow, sorry for the trouble dude.. But how many times have I told you to make sure your blog is secured ....

    James
    {{ DiscussionBoard.errors[982790].message }}
    • Profile picture of the author Steven Fullman
      Originally Posted by TheRichJerksNet View Post

      Hey Steve,
      Wow, sorry for the trouble dude.. But how many times have I told you to make sure your blog is secured ....

      James
      One too few, obviously

      Seriously, thanks for your help, James.

      Steve
      Signature

      Not promoting right now

      {{ DiscussionBoard.errors[983177].message }}
  • Profile picture of the author engr.adeel
    you should have to backup all the files. Also wordpress 2.7 is some how best in this regard.
    {{ DiscussionBoard.errors[982809].message }}
  • Profile picture of the author TheRichJerksNet
    Originally Posted by Franco Mocke View Post

    Why would a hacker want to hack into a wordpress blog?
    This is why .....

    The past five years has seen the popularity of blogs grow in their use and as a means of making money. That's the meat that computer hackers look to sink their teeth into. A recent report by the Congressional Research Service stated that the financial impact of computer hackers amounts to $226 billion annually. Another report calculated that hackers could be taking up to six cents of every Internet dollar of revenue.


    Hackers recently discovered that WordPress Blogs featured an easy path for them to cause their trouble. Many WordPress Blog owners have had their blogs hijacked in a variety of ways. They've found ads on their WordPress Blogs that they didn't place there. Others have discovered that when someone clicks a search engine link to be taken to their WordPress Blog they're instead taken to a totally different page full of ads that are often obscene and featuring computer viruses.


    James
    {{ DiscussionBoard.errors[982821].message }}
  • Profile picture of the author AmericanWoman888
    That's a terrible thing to deal with. I lost about 10 sites 6 weeks ago. I had backups for a few of them but not all.

    I hope you are able to recover from it quickly.

    Mine was a keystroke logging software that gathered my passwords - or so they say.

    AW888
    Signature

    ***Test***

    {{ DiscussionBoard.errors[982864].message }}
    • Profile picture of the author WendellC
      I know how you feel. Truly...

      http://www.warriorforum.com/main-int...acked-club.htm

      Is there some kind of Wordpress Security Tester so we can check if our own WP blogs are secure? Would be nice...

      Wendell
      Signature

      List your no opt-in product here for free: No Opt In Required

      {{ DiscussionBoard.errors[983084].message }}
      • Profile picture of the author WendellC
        Originally Posted by clickguy View Post

        I know how you feel. Truly...

        http://www.warriorforum.com/main-int...acked-club.htm

        Is there some kind of Wordpress Security Tester so we can check if our own WP blogs are secure? Would be nice...

        Wendell
        I just found this cool bit of WP security advice from Warrior freetraff's site:

        http://www.freetrafficsystem.com/wor...r-blog-owners/

        I'm checking all my WP sites for this security loophole now.

        Nice!

        Wendell
        Signature

        List your no opt-in product here for free: No Opt In Required

        {{ DiscussionBoard.errors[1037079].message }}
        • Profile picture of the author TheRichJerksNet
          Originally Posted by clickguy View Post

          I just found this cool bit of WP security advice from Warrior freetraff's site:

          WordPress Security - Urgent Update for Blog Owners | Free Traffic System

          I'm checking all my WP sites for this security loophole now.

          Nice!

          Wendell
          Did you ever think some of those "testing" sites was created by hackers.. ? The best way is to secure your site and stop depending upon other tools to do it for you....

          If you want to protect what you have then you need to start doing the manual work it takes to secure it. People really amaze me, they are so quick to grab this plugin or that new cool plugin and not once ever thinking that maybe it is not as cool as you think and maybe it might cost you...

          James
          {{ DiscussionBoard.errors[1037132].message }}
          • Profile picture of the author WendellC
            Originally Posted by TheRichJerksNet View Post

            Did you ever think some of those "testing" sites was created by hackers.. ? The best way is to secure your site and stop depending upon other tools to do it for you....

            If you want to protect what you have then you need to start doing the manual work it takes to secure it. People really amaze me, they are so quick to grab this plugin or that new cool plugin and not once ever thinking that maybe it is not as cool as you think and maybe it might cost you...

            James
            James -

            I'm not sure if you looked at the information on the link I posted.

            It's recommending a manual way of going into cPanel and simply preventing people from accessing your WP plugins directory.

            Do you disagree with his particular manual recommendation?

            Wendell
            Signature

            List your no opt-in product here for free: No Opt In Required

            {{ DiscussionBoard.errors[1037205].message }}
            • Profile picture of the author TheRichJerksNet
              Originally Posted by clickguy View Post

              James -

              I'm not sure if you looked at the information on the link I posted.

              It's recommending a manual way of going into cPanel and simply preventing people from accessing your WP plugins directory.

              Do you disagree with his particular manual recommendation?

              Wendell
              That does NOT protect your blog.. Do I agree with the advertised product (our script) on that post ? NO because again it does NOT protect your blog.

              People need to understand that it is NOT your cpanel, it is NOT your directory, it is NOT your theme, it is NOT your plugins that is the problem here.

              The problem is WP itself being open source code and anybody has access to that code. Unless you actually take steps to modify that code than 99% of those self proclaimed security expert tools will do you no good at all.

              I had a very long thread and discussion on this very topic a few months back but some did not find it to be useful for newbies that do not know any better so the thread was removed.

              I do not feel like repeating myself over and over on this subject because frankly I see no use in it because there are too many self proclaimed experts out there that people want to follow.

              You see instead of following the recommended resource above by another WF user, you rather go out and find cheap or free means to secure your business. It was JayExtreme or Steven Fullman that told me months ago "If they do not want to listen then let them be hacked" I can not remember which one told me that but it was very good advice....

              James

              Disclaimer: I am not saying themes or plugins do not have hacking code in them. Fact is some do and that is all the more reason why people should not be so quick to just install this or that.
              {{ DiscussionBoard.errors[1037289].message }}
  • Profile picture of the author ezeey
    Thanks for the heads up, That is redonk, I would have hacked his email and gotten his IP
    {{ DiscussionBoard.errors[1005329].message }}
  • {{ DiscussionBoard.errors[1037181].message }}

Trending Topics