WordPress Sites Hacked

by ecdavis 13 replies
I hope no one else has had this happen, but over the past several days, I've had my wordpress sites hacked. Fortunately, with the help of several Warriors (see: http://www.warriorforum.com/main-int...tml#post600921) I managed to bring my sites back up.

However, I discovered that one of my sites was either hacked again, or that I'd missed some of the malicious code. I wanted to post what I'd just found in case it could be of help to anyone.

First, I discovered this .html file in the root directory of my wordpress site:

_vti_inf.html file

Along with that, I found six additional folders added to the root directory: _private, _vti_bin, _vti_cnf, _vti_log, _vti_pvt, _vti_txt. My tech skills are only ordinary, but it appears that the hacker was using frontpage extensions to redirect my site to another target site.

I then checked my .htaccess file and found that it had been tampered with. Here is the code I found added:

# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

AuthName www.yourdomainname.com
AuthUserFile /home/xxxxxxxx/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/xxxxxxxx/public_html/_vti_pvt/service.grp

I also found a second .htaccess file named .htaccess_back.

Apparently, as mentioned above, the intent of the code is to redirect the visitor away from the correct domain to some other domain. In this case, the redirect was to a Russian sex site.

As the intent of the main warrior discussion forum is to talk about making money, and since having our sites hacked seriously impedes that intention, I've posted this just in case it may be of help to anyone.

Evan
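A check a site owner could run over a web root to inventory the FrontPage artifacts and .htaccess directives this post describes, so the list can be compared against what was actually deployed (added example, not from the thread; the sample web root it builds is constructed, and the set of directives it flags is my choice):

```python
import os
import re
import tempfile

# Artifacts named in the post: FrontPage Server Extension folders and file
# in the web root, a stray .htaccess backup, and .htaccess directives that
# point at _vti_pvt or redirect visitors.
FRONTPAGE_DIRS = {"_private", "_vti_bin", "_vti_cnf", "_vti_log", "_vti_pvt", "_vti_txt"}
FRONTPAGE_FILES = {"_vti_inf.html", ".htaccess_back"}
DIRECTIVE = re.compile(r"^\s*(AuthName|AuthUserFile|AuthGroupFile|Redirect\w*|RewriteRule)\b", re.I)


def scan_webroot(root):
    """Return FrontPage-style folders, files and notable .htaccess lines under root."""
    findings = {"dirs": [], "files": [], "htaccess": []}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isdir(path) and name in FRONTPAGE_DIRS:
            findings["dirs"].append(name)
        elif os.path.isfile(path) and name in FRONTPAGE_FILES:
            findings["files"].append(name)
    htaccess = os.path.join(root, ".htaccess")
    if os.path.isfile(htaccess):
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if DIRECTIVE.match(line):
                    findings["htaccess"].append((lineno, line.strip()))
    return findings


def build_sample_webroot():
    """Constructed sample web root reproducing the post's layout (not a real site)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for d in ("wp-content", "_vti_pvt", "_vti_bin"):
        os.mkdir(os.path.join(root, d))
    open(os.path.join(root, "_vti_inf.html"), "w").close()
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("# -FrontPage-\n"
                 "IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*\n"
                 "AuthName www.yourdomainname.com\n"
                 "AuthUserFile /home/xxxxxxxx/public_html/_vti_pvt/service.pwd\n"
                 "AuthGroupFile /home/xxxxxxxx/public_html/_vti_pvt/service.grp\n")
    return root


if __name__ == "__main__":
    for kind, items in scan_webroot(build_sample_webroot()).items():
        print(kind, items)
```

Point `scan_webroot` at a real public_html and diff the result against the files you installed yourself; anything left over is what to ask the host about.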
  • Barbara Eyre
    ummmmm, that code is frequently in .htaccess files and nothing is ever wrong with the sites. In fact, I'm currently in a client's htaccess file doing some redirects and all that code is in there .... and there is nothing wrong with the site. Plus, those files you mentioned, those are default folders that have appeared with every hosting account I've created over the years (regardless the hosting company) ....

    So, I don't think you have found your problem. Unless, every single site I've worked on for the last 3 years has been hacked from the day of the site's creation ...
    • ecdavis
      Barbara,

      Thank you for your reply. You are right, I may not have found the problem, and my tech skills are minimal. However, in this case, I happen to know exactly what I put and did not put in the root directory, and I know that I did not put a _vti_.html file in the root. I also know that I did not put the following code in my .htaccess:

      AuthName www.yourdomainname.com
      AuthUserFile /home/xxxxxxxx/public_html/_vti_pvt/service.pwd
      AuthGroupFile /home/xxxxxxxx/public_html/_vti_pvt/service.grp

      And I did not put the six additional folders in the root directory. I am aware that the code and directories are often standard. In this case, these additions appear to have been used to redirect my domain to a Russian sex site. The redirection was quite real. In any case, I'm mentioning it here should others be experiencing unwanted site redirection.

      Evan
  • n7 Studios
    With that level of access, I'd say you need to check your folder security and permissions.

    And as for a really daft question - you have changed your usernames, passwords etc. since the attack?
  • ecdavis
    There's no such thing as a daft question. Thank you for asking and taking the time to reply. Happily, I have changed user names, passwords, and checked folder permissions.

    Evan
  • Roey Pimentel
    I heard someone else got "hacked" but it turned out to be a plug-in problem. May not be your issue (I don't know a lot about code) but it was worth a mention. Maybe try uninstalling and then reinstalling your plug-ins one at a time...

    Peace,

    Roey.

    Either way, hope you get the problem fixed.
    -r*
    • Barbara Eyre
      Sorry, I didn't make myself clear.

      Those files are already there when your hosting account was created. I've never created them myself either ... and never use them.

      Same with the codes in the htaccess folder. They are automatically created.

      No matter the hosting company or the type of website, or whether I created the website or it was existing .... all my websites and those of my clients have those folders and that code in the htaccess folder. So, I highly doubt it has anything to do with your security issue.

      Plugins might be a good place to start ...
      • ecdavis
        Originally Posted by Barbara Eyre

        Sorry, I didn't make myself clear.

        Those files are already there when your hosting account was created. I've never created them myself either ... and never use them.

        Same with the codes in the htaccess folder. They are automatically created.

        No matter the hosting company or the type of website, or whether I created the website or it was existing .... all my websites and those of my clients have those folders and that code in the htaccess folder. So, I highly doubt it has anything to do with your security issue.

        Plugins might be a good place to start ...
        Right, but I have my sites on a reseller account, so I was the one who actually created the hosting accounts for my domains. I never activated frontpage extensions. I also installed a simple, custom .htaccess for my domains, as well that did not include the code cited above. You may be right, that the frontpage stuff had nothing to do with the security problems, but now that I have removed it, the redirection has stopped. At least, it appears to have stopped.

        Best,
        Evan
      • Eric Lorence
        Originally Posted by Barbara Eyre

        Sorry, I didn't make myself clear.

        Those files are already there when your hosting account was created. I've never created them myself either ... and never use them.

        Same with the codes in the htaccess folder. They are automatically created.

        No matter the hosting company or the type of website, or whether I created the website or it was existing .... all my websites and those of my clients have those folders and that code in the htaccess folder. So, I highly doubt it has anything to do with your security issue.

        Plugins might be a good place to start ...
        I have yet to see these .htaccess codes used regularly, and find those folders on sites rarely.

        I don't believe these are common at all, but they could be used with certain hosts.

        The only default I've seen in public root folders are cgi-bin

        I would say your suspicions are warranted, and would have your host support check it out to be on the safe side.
  • ecdavis
    Thank you, Roey. Actually, a few plugins did bite the dust because of a related hacking.
    I think the problem is solved for the time being. There does appear to be a fair amount of discussion about how frontpage extensions can be hacked.

    Evan
  • Kim Standerline
    They can be notoriously vulnerable

    I've had wordpress sites hacked as well in the past

    Kim

    Originally Posted by shehan

    First time I heard a wordpress site is hacked!
  • TheRichJerksNet
    This is the reason you secure your wordpress blog so you do not have issues later on down the line..

    You can see my WordPress Secured WSO in my signature... My product works and has been very popular..

    James
  • ecdavis
    Thank you, everybody for your thoughts and comments.

    Jeff, when I set up my packages, I left the frontpage extensions unchecked because I do not use frontpage. When I found my site being redirected to the Russian site, I took a look at the files in root, and the front page extensions jumped out at me. I was actually quite shocked to see them there. A little bit like finding your home invaded.

    James, thanks for the referral to your WSO. I'll take a look at it. I'm currently running two security plugins.

    Eric, thank you for your comments. I have seen the frontpage extensions included with hosting and cgi is always there as a default. However, since I started using reseller accounts, I always scrapped the frontpage extensions.

    Anyway, as I mentioned up top, I hope this information may be useful. I appreciate everyone who's responded.

    Evan