Geekzone: technology news, blogs, forums
412 posts

Ultimate Geek
+1 received by user: 64


Topic # 83136 11-May-2011 10:56

I'm wondering if anyone here has experience with hacked Wordpress sites?  I have 5 wordpress sites on the same hosting account (shared) and today when I woke up, each one of these sites is downloading malware to whoever visits the sites.

I have downloaded the core wordpress files and copied them over the existing ones, hoping that would fix the problem, but it hasn't.


Can anyone provide advice that might help clean up these infections but still leave the sites functional?  Having to start 5 wordpress sites from scratch (with all their individual customisations) would be such a chore.

I will provide an example site, but just to repeat:  this site has been infected!
http://www.nalastud.co.nz/   Watch the taskbar while it loads and you'll see what I mean.

Any tips please?

1351 posts

Uber Geek
+1 received by user: 15


  Reply # 467860 11-May-2011 11:01

This is why it is extremely important to keep popular CMSs up to date. Anyway, to help with your problem: I assume the person has added some script to the pages to force the download of malware. Firstly I would suggest taking them offline so as not to infect anyone. Then update Wordpress to the latest release and try to track where the script was placed.

I imagine the script would have been placed in a file shared between all files on the site such as a head or css file.

Have a look at the source code and see if that helps.



412 posts

Ultimate Geek
+1 received by user: 64


  Reply # 467865 11-May-2011 11:15

Really appreciate your quick reply Jbard.  I usually do upgrade Wordpress as soon as I'm given the option, but I guess it only took one exploit for it to spread like wildfire.

I have found the injected code in MANY php files that were edited two days ago.  The injected code looks like this:

php $somecrainsignvar="kfb2rpgv"; echo base64_decode(str_rot13('CUAwpzyjqQ5xLKEyCJ5yqlO...

(Sorry, I don't know the etiquette for pasting code here)
I thought by uploading the entire Wordpress package over everything it would have fixed it, but I've seen the clean files become infected again too. :(
1876 posts

Uber Geek
+1 received by user: 622

Trusted

  Reply # 467870 11-May-2011 11:20

Have you spoken to the hosting provider?
Maybe their php install has been modified to inject code?

Unlikely, but possible.

Since you reuploaded the files, can you see the injected code in them again?

Possible that you have a module/add-on that'd been compromised?

Tim








412 posts

Ultimate Geek
+1 received by user: 64


  Reply # 467873 11-May-2011 11:31

Yes I have spoken to the host (servage.net) but they are hopeless. Just the usual "make sure you change your password" and "there's nothing we can do, you'll have to reinstall everything from your backups" etc.

Another point I should mention is that it's not JUST wordpress sites that have been hacked. I have another PHP-based forum which now has the iframe injections. And because these are on different domains, I'm inclined to believe that the hacker gained access to my FTP account.

I have changed my FTP password now, and will likely lock separate FTP accounts to individual domains.

Interestingly, one site that I replaced the core Wordpress files for is now infection free, but two sites that I did the exact same thing to still show the malware. I wonder where it's hiding... driving me nuts.

1876 posts

Uber Geek
+1 received by user: 622

Trusted

  Reply # 467874 11-May-2011 11:33

So diff the source files you have fresh vs the ones you think are infected.
Check md5/sha1 sums etc.

You'll find it eventually.

The main concern is how it got there in the first place.








412 posts

Ultimate Geek
+1 received by user: 64


  Reply # 467880 11-May-2011 11:44

I have been copying (and overwriting) ALL the wordpress files, though. Shouldn't that be enough? I guess it means the hackers have created additional files that still remain and somehow get their code executed...

1876 posts

Uber Geek
+1 received by user: 622

Trusted

  Reply # 467883 11-May-2011 11:47

It depends. If you've got them consistently hitting you with an exploit, unless you replace every single file at once, you might find a single exploit infects every other file again.

Moving all files out of the webserver directory and ensuring they're fixed, then moving them back might be a better plan.

You also need to find the source of the exploit.  If you don't do this, it'll probably just keep happening. 








412 posts

Ultimate Geek
+1 received by user: 64


  Reply # 467886 11-May-2011 11:53

Is there any software you know of that will search within multiple files? For example if I downloaded every file off the server onto my computer, and searched them all for a portion of the string?

And yeah, I'm changing all my passwords and deleting as many security hazards as I can find...

1351 posts

Uber Geek
+1 received by user: 15


  Reply # 467887 11-May-2011 11:54

GeoffisPure: Is there any software you know of that will search within multiple files? For example if I downloaded every file off the server onto my computer, and searched them all for a portion of the string?

And yeah, I'm changing all my passwords and deleting as many security hazards as I can find...


Dreamweaver can do that. 

1876 posts

Uber Geek
+1 received by user: 622

Trusted

  Reply # 467889 11-May-2011 11:55

GeoffisPure: Is there any software you know of that will search within multiple files? For example if I downloaded every file off the server onto my computer, and searched them all for a portion of the string?

And yeah, I'm changing all my passwords and deleting as many security hazards as I can find...


grep?

I assume you're on windows.  http://gnuwin32.sourceforge.net/packages/grep.htm 
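A defender-side check that combines the two suggestions in this thread (diff/checksum the downloaded site against a fresh Wordpress copy, and grep every file for a piece of the injected string), written here as an added example and not code from any poster. It hashes both trees, reports core files that differ and files that have no counterpart in the fresh copy (plugins, themes, uploads), and searches every script file for the `echo base64_decode(str_rot13(` signature quoted earlier, so the plugin and theme folders get checked too. The sample trees, file names and the rot13 payload placeholder are constructed for the demo; Python is used so it runs the same on Windows and Linux.

```python
import hashlib
import os
import re
import tempfile

# Signature of the injection quoted in this thread: the file starts by assigning a
# variable, then runs echo base64_decode(str_rot13('...')) to emit the payload.
INJECT_RE = re.compile(rb"echo\s+base64_decode\s*\(\s*str_rot13\s*\(", re.I)

def tree_hashes(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return hashes

def scan_site(site_root, clean_root):
    """Return (modified, extra, hits): core files whose hash differs from the fresh copy,
    files absent from it (plugins, themes, uploads, attacker-added), and scripts with the signature."""
    site, clean = tree_hashes(site_root), tree_hashes(clean_root)
    modified = sorted(p for p in site if p in clean and site[p] != clean[p])
    extra = sorted(p for p in site if p not in clean)
    hits = []
    for rel in site:
        if rel.lower().endswith((".php", ".inc", ".html", ".htm", ".js")):
            with open(os.path.join(site_root, rel), "rb") as f:
                if INJECT_RE.search(f.read()):
                    hits.append(rel)
    return modified, extra, sorted(hits)

def demo():
    """Build constructed sample trees (not real site data) and scan them."""
    clean_php = b"<?php\nrequire './wp-blog-header.php';\n"
    # Prefix modelled on the truncated snippet in the thread; the payload is a placeholder.
    injected = b"<?php $v=\"kfb2rpgv\"; echo base64_decode(str_rot13('PLACEHOLDER')); ?>\n" + clean_php
    files = {"clean/index.php": clean_php, "clean/wp-login.php": clean_php,
             "site/index.php": injected,                   # core file, modified
             "site/wp-login.php": clean_php,               # core file, untouched
             "site/wp-content/plugins/x/x.php": injected,  # outside core, still infected
             "site/wp-content/themes/t/style.css": b"body{}\n"}
    tmp = tempfile.mkdtemp()
    for path, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(tmp, path)), exist_ok=True)
        with open(os.path.join(tmp, path), "wb") as f:
            f.write(data)
    return scan_site(os.path.join(tmp, "site"), os.path.join(tmp, "clean"))
```

Against a real site, point `scan_site` at the FTP download and at an unpacked fresh Wordpress archive; anything in `extra` that is not a plugin, theme or upload you recognise deserves a look even if it carries no signature.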






1 post

Wannabe Geek


  Reply # 468183 12-May-2011 09:57

Got the same problem with Servage. Found this thread when googling the problem.
This is the second time my files got malware in them. About a year ago all my index.php files were infected, not only wordpress. And they tried to blame it on me...

Moving away to a new host as we speak. Have been with Servage many years now, but now I'm tired of cleaning up my files because of their bad security.

16 posts

Geek


  Reply # 468522 12-May-2011 22:42

This is a fascinating thread - my Servage account was also hit sometime in the previous 24 hours, with what looks to be an identical exploit. Several PHP scripts had code inserted at the top of the page which starts "$somecrainsignvar=" and then proceeds to execute the redirect using "echo base64_decode(str_rot13(".

We operate our own in-house PHP code (no WordPress CMS) with a few simple scripts (Swift mailer & Radinks Java uploader) and all of our form inputs are scrubbed to remove injected code. All uploads are also quarantined in folders with .htaccess restrictions on all script executions. I too have been told to change passwords and reupload my files (very annoying) and check folder permissions but none of this means much if the hacker gained access through the Control Panel. 

Anyone got any good ideas on where the point of access might have been? 

Cheers, ChrisR. 



412 posts

Ultimate Geek
+1 received by user: 64


  Reply # 468523 12-May-2011 22:48

Hi Chris & Befs,
I have just finished restoring all my wordpress sites (and even non-wordpress sites) to their pre-malware conditions... fingers crossed!

This particular hacker/malware infector was quite thorough, and injected their PHP code in many (but not all) PHP files throughout my sites.

I may post a detailed clean-up instruction later, but where I was going wrong was assuming that it was only the core wordpress files that were edited. It wasn't. Once I cleaned up the plugins and theme folders too, my sites are now malware free. Fingers crossed, at least.

It definitely sounds like a problem with servage to me, though I've tried contacting them and they won't have a bar of it. The infections spread across multiple domain names, but within the same account. While it's possible they cracked my FTP password that could access all the sites (and I have changed my password accordingly), I think this is unlikely.

BDFL - Memuneh
59066 posts

Uber Geek
+1 received by user: 10341

Administrator
Trusted
Geekzone
Subscriber

  Reply # 468525 12-May-2011 22:50

Interesting, just did a quick search on this provider and it seems every few months there is an event like this...






412 posts

Ultimate Geek
+1 received by user: 64


  Reply # 468527 12-May-2011 22:59

I have just submitted the following support ticket to Servage. Can somebody please teach me the correct method of displaying quotes/code in forum posts?   Anyway, I'll let you know if any reply:


Good Evening,
Can I please draw your attention to the following forum page:
http://www.geekzone.co.nz/forums.asp?forumid=72&topicid=83136

On this page, you will see me explaining a problem I previously contacted you about  (code injection, which I've now fixed), but what I would like to draw your attention to is the fact that at least two other Servage customers have experienced the same problem in the past two days.

I find it hard to accept that somebody guessed my control panel or FTP passwords (but I've changed them anyway),  and want to urge servage to investigate what appears to be a widespread problem with security.

Thank you.
