  1. #1
    @zoopedup radman's Avatar
    Join Date
    Oct 2002
    Location
    South Africa
    Posts
    263

    My WordPress blog keeps getting hacked

    Hi

    I need some help - my WordPress blog keeps getting hacked.

    Hackers are accessing my index.php file in the website root (not the template files) and inserting this script (malware)

    <script type="text/javascript" src="http://<snip/>:8080/Newsgroup.js"></script><script type="text/javascript" src="http://<snip/>:8080/Newsgroup.js"></script>

    I have upgraded WordPress, upgraded all the plugins, deleted inactive plugins, changed my admin username, installed suPHP on my server & configured my blog to use it and I made some changes to php.ini to restrict scripts from doing things they’re not supposed to...

    But the line of code keeps coming back into my index.php... it's really affecting my organic search traffic...

    Any ideas? I'm stumped..
    Last edited by Mittineague; Jul 28, 2010 at 15:18. Reason: removing mal URL

  2. #2
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,191
    When you say "upgraded" do you mean a complete uninstall/reinstall or the one-click auto? If the latter try a complete reinstall.

    And DON'T forget to back up your database first, check the entries, then restore to a good backup if it was contaminated.

    Also, check and double check your folder/file permission settings.

    If you haven't talked to your host, it might be a good idea to do so, it could be coming from your "group".

  3. #3
    SitePoint Member
    Join Date
    Jul 2010
    Location
    Germany
    Posts
    5
    You should also change your FTP password and check your local computer for malware. If you have FTP logs, check if index.php was uploaded by FTP.

  4. #4
    SitePoint Enthusiast
    Join Date
    May 2010
    Location
    Netherlands
    Posts
    31
    Quote: Originally posted by CoderJosh
    You should also change your FTP password and check your local computer for malware. If you have FTP logs, check if index.php was uploaded by FTP.
    Very true. In most cases of 'code injection' a stolen FTP password gathered through spyware/malware is the cause.

  5. #5
    @zoopedup radman's Avatar
    Join Date
    Oct 2002
    Location
    South Africa
    Posts
    263
    I have now changed my FTP password as well - thanks.

    I have a Macbook so the chance of a Malware/Virus issue is unlikely, right?

    Will do a complete reinstall of WP 3.0

    Thanks for the advice

  6. #6
    SitePoint Enthusiast
    Join Date
    Jul 2010
    Location
    Dublin, Ireland
    Posts
    33
    Before you update the index.php, take a note of its last modified date.

    Perhaps you can use this to track an IP address from the server's access log.

    Never know - the hacker could be stupid enough to use a direct IP you could track from whois.com

    Also, you may want to check your ISP hosting control panel. Change that PW and check to see if there are any scheduled CRON jobs. If they had access to the CP, a CRON job could be updating your file CHMODs.

    Cheerz,
    Wil.

    PS: Macs are just as vulnerable to viruses and malware as PCs are. It's just that PCs being the dominant % of the market get more attention from the virus writers and media. Check yer Mac just in case.

  7. #7
    SitePoint Enthusiast
    Join Date
    Nov 2009
    Posts
    37
    You might want to scan your server for malware (eg backdoor) scripts too.
    phpSiteMinder - website backup and file integrity monitoring.
    Been hacked? phpSiteScanner can help you clean your site up.

  8. #8
    @zoopedup radman's Avatar
    Join Date
    Oct 2002
    Location
    South Africa
    Posts
    263
    So far so good, haven't been compromised again

    Thanks for everyone's input

  9. #9
    @zoopedup radman's Avatar
    Join Date
    Oct 2002
    Location
    South Africa
    Posts
    263
    I got hacked again. FML.

    Can anyone recommend a good virus/malware scanner for Mac? Freeware or paid software.

  10. #10
    Community Advisor silver trophy

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,551
    Have you checked the last modification time of the altered file against http and ftp logs? What's the chmod value for the altered file?
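
Added example (not part of any post in the thread): one way to make the comparison suggested in posts #6 and #10, listing the access-log requests that fall within a few minutes of the altered file's modification time. It assumes the Apache/Nginx combined log format and a timestamp that has not been reset; the function name, log lines and timestamp are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumes the Apache/Nginx "combined" access log layout.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def requests_near(log_lines, modified_at, window_minutes=5):
    """Return parsed requests within the window around modified_at.

    POST requests are listed first, as the entries to read first.
    """
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        when = datetime.strptime(m["when"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(when - modified_at) <= window:
            hits.append({"ip": m["ip"], "when": when, "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    return sorted(hits, key=lambda h: (h["method"] != "POST", h["when"]))

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Aug/2010:13:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Aug/2010:14:58:40 +0000] "GET /index.php HTTP/1.1" 200 5310 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Aug/2010:15:00:03 +0000] "POST /wp-content/uploads/example.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.7 - - [01/Aug/2010:16:30:00 +0000] "GET /feed/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]
# Constructed modification time of the altered file, in UTC.
SAMPLE_MTIME = datetime(2010, 8, 1, 15, 0, 4, tzinfo=timezone.utc)
```

On a live server, pass the file's `os.stat(...).st_mtime` converted to a timezone-aware `datetime`, and run the same window over the FTP log with a pattern for that log's format.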

  11. #11
    SitePoint Enthusiast
    Join Date
    Nov 2009
    Posts
    37
    Avast antivirus has a Mac version. I use Avast on my Windows machine, and have previously used their Mac version. You can use it free for a month I believe.

    http://www.avast.com/free-antivirus-download

    It may also be that the hackers have left a backdoor script on your server, or it may be a vulnerability in WordPress, or if you're on a shared server, it may not be your site at all that they are using to get in, but are then attacking your site from the compromised site due to insecure file permissions.
    phpSiteMinder - website backup and file integrity monitoring.
    Been hacked? phpSiteScanner can help you clean your site up.

  12. #12
    SitePoint Member
    Join Date
    Aug 2010
    Posts
    2
    In your config.php file, update all of your keys.

  13. #13
    SitePoint Member
    Join Date
    Aug 2010
    Posts
    1
    Please everyone, don't recommend FTP. It is evil. Please use SFTP, it is secure and if your host won't set this up, find a new host.

    If you have problems setting it up, I have some tutorials, so PM me. I am new to this forum and don't want to start putting links to my stuff yet.

    It is free and contains several videos on setting up your website securely.

  14. #14
    SitePoint Wizard silver trophy Crazybanana's Avatar
    Join Date
    Mar 2003
    Location
    In tha fruit cellar
    Posts
    1,379
    How about your plugins? The plugin directory is the favorite place to hide files and scripts.

    I would get new plugins as well. Look through the server in any directory for suspicious files and folders, as these kinds of things can embed themselves in existing files, and disguise themselves as images or scripts etc... Being on a Mac doesn't mean you are secure. There are viruses, worms and rootkits for Mac as well as Windows; there are also cross-platform viruses and other things to take into consideration.

    I would first clean up and have a look at all files and folders on my server, then replace them with new ones, and not a backup with some embedded malicious code - then I would have a look at my puter and clean it up as well.
    Who's to doom when the judge himself is dragged before the bar


  15. #15
    SitePoint Enthusiast
    Join Date
    Oct 2009
    Posts
    58
    Are you with a reliable host? I strongly suggest you contact them and tell them about the problem.

  16. #16
    SitePoint Enthusiast
    Join Date
    May 2010
    Posts
    25
    You can't rely on datetime stamps as the hackers are using backdoor shell scripts that provide them with the ability to "touch" the files with a certain date and therefore make all the files the same datetime or to set them to a specific datetime.

    You undoubtedly have a backdoor shell script on your site. This gives the hackers remote control of your site without needing any passwords, or leaving any clues in log files other than the access.log which many people don't look at anyway.

    Some strings you can look for in .php files are:

    touch
    chmod
    base64_decode
    passthru
    shell
    exec
    cmd
    command

    Sorry I can't be more specific, but those are the most common strings we find in the hacker's backdoors.

    The typical scenario is that the hackers gain access to a website via stolen FTP password, then place various backdoors on the site to provide them with access even after the FTP password has been changed. They also frequently change file and folder permissions to 777 which are another area very few people check - until after they've been hacked.

  17. #17
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,191
    I've been hacking Donncha's Exploit Scanner plugin recently.

    It comes with an array of the Core file hashes, which it can check against to determine if any have changed. If any have changed it then searches them for some of the common "hack strings" (i.e. WeWatch's list). It also searches the database.

    IMHO an excellent strategy, but it doesn't go far enough for my needs. So my hacks add a CRON, email notification, automatic replacement of the hacked file, inclusion of all blog files in addition to Core files, and checking for extra or missing files.

    Once I'm done testing I plan to send it on to Donncha, whether or not he'll want to use any of it.

    But you could try the plugin as it is now. Every step you take to improve security can only help.
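
The check described in posts #16 and #17, as an added example that is not part of the thread and is not the Exploit Scanner plugin's code: it compares a site directory with hashes taken from a known-good copy, reports changed, extra and missing files, searches only the changed or extra .php files for the strings listed in post #16, and lists world-writable files. The function names and the use of SHA-256 are assumptions.

```python
import hashlib
import os
import stat

# Strings post #16 lists as common in PHP backdoors.
SUSPECT_STRINGS = [b"touch", b"chmod", b"base64_decode", b"passthru",
                   b"shell", b"exec", b"cmd", b"command"]

def sha256_file(path):
    """Hash a file in chunks so large uploads do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root)] = sha256_file(full)
    return hashes

def audit(root, baseline):
    """Compare root with a known-good baseline and inspect what differs."""
    current = snapshot(root)
    report = {
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "extra": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
        "suspect": {},
        "world_writable": [],
    }
    # Only changed or unexpected PHP files are searched, so the broad
    # string list does not flag untouched, legitimate code.
    for rel in report["changed"] + report["extra"]:
        if rel.lower().endswith(".php"):
            with open(os.path.join(root, rel), "rb") as fh:
                data = fh.read()
            hits = [s.decode() for s in SUSPECT_STRINGS if s in data]
            if hits:
                report["suspect"][rel] = hits
    for rel in sorted(current):
        if os.stat(os.path.join(root, rel)).st_mode & stat.S_IWOTH:
            report["world_writable"].append(rel)
    return report
```

Build the baseline with `snapshot()` on a freshly unpacked copy of the same WordPress version and plugins, then run `audit()` against the live document root; the string matches are prompts for manual review, not verdicts.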

  18. #18
    SitePoint Member linux7802's Avatar
    Join Date
    Dec 2009
    Posts
    15
    I would recommend you refer to the following URL to secure WordPress sites.

    http://codex.wordpress.org/Hardening_WordPress

    And if you still face problems, then ask your hosting provider to virus scan your hosting account content.

