
Help - Wordpress Hacked + Link Injections

Discussion in 'Black Hat SEO' started by nvcowboy, Mar 30, 2010.

  1. nvcowboy

    nvcowboy Newbie

    I'm not sure where to post this but since it's a Wordpress hacked site thought I'd try BH SEO.

    I have a client who has been on my to-do list so yesterday I got around to him ... just a little job.

    When I logged in to his WP admin I didn't have all the permissions (like the plugin folder went missing) so I emailed him for admin login info. I figured his last developer just kept him away from pressing buttons but NO his site was hacked.

    There is a bunch of link injection after </html> and crap like:

    !-- [d9f3ced3fa52817051ba42875d72b264 --><!-- 6644852521 --><div style="overflow:auto; visibility:hidden; height: 1px; "><ul><li><a href="http://2309h34b34b34b.cc/sl">.</a></li></ul></div><!-- d9f3ced3fa52817051ba42875d72b264] -->


    <!-- [3b243090d63d2c4af370282108d3b64e --><!-- 0403784521 --><a url="javascript:document.getElementById('block63').style.display='block';" title="more"> </a>
    <!-- 3b243090d63d2c4af370282108d3b64e] -->
    <!-- [596d589dadc4dc5b633af9fca10d0701 --><!-- 4520865521 --><div id="block15" style="display:none"><ul><li><a href="http://www.alpha-1.nl/alpha-1-forum/faq.php?search_pill=1&zone=523">order micardis hct online</a></li><li><a

    This goes on for miles with all kinds of links and KW tags. I don't know what to do for this guy and this is not what I contracted for but he's screwed now. Also, no backups (this is just an average Joe who knows nada). Also, he's running WP 2.7.

    Any hackers out there who can advise me? I was going to run the WP exploit-scanner plugin but can't get around this login issue. I don't know if he's got php files that are infecting the site or what.

    Okay BH'ters help me out here. I do this kind of work so I can make money for my PPV accounts but this is ridiculous.:eek:

    Thanks, Cowboy

    P.S. If you want to see source code site is http://anonym.to?http://idowindowsnj.com
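Added example, not part of the original post: a small Python scanner for the pattern described above, that is, markup appended after `</html>`, wrapped in paired 32-hex-digit comment markers and hidden with CSS. The sample page, its marker ID and the `example.invalid` host are constructed for illustration.

```python
from html.parser import HTMLParser
import re

MARKER = re.compile(r"^\s*\[?([0-9a-f]{32})\]?\s*$", re.I)   # <!-- [id --> ... <!-- id] -->
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}

class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.after_html = False      # set once </html> has been seen
        self.stack = []              # (tag, hidden?) for each open element
        self.marker_ids, self.hidden_links, self.trailing_links = set(), [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # An element is hidden if its own style hides it or its parent is hidden.
        hidden = bool(HIDDEN.search(a.get("style") or "")) or bool(self.stack and self.stack[-1][1])
        if tag == "a" and a.get("href"):
            if hidden:
                self.hidden_links.append(a["href"])
            if self.after_html:
                self.trailing_links.append(a["href"])
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html = True
        # Pop back to the matching open tag, tolerating unclosed elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_comment(self, data):
        m = MARKER.match(data)
        if m:
            self.marker_ids.add(m.group(1).lower())

# Constructed sample modelled on the snippet in the post (placeholder host and ID).
SAMPLE = """<html><body><p>Window cleaning</p>
<div style="display:none" id="promo"><a href="/coupons">menu</a></div></body></html>
<!-- [0123456789abcdef0123456789abcdef --><!-- 6644852521 -->
<div style="overflow:auto; visibility:hidden; height: 1px; "><ul><li>
<a href="http://spam.example.invalid/sl">.</a></li></ul></div>
<!-- 0123456789abcdef0123456789abcdef] -->"""

def scan(html):
    p = InjectionScanner()
    p.feed(html); p.close()
    return {"marker_ids": sorted(p.marker_ids), "hidden_links": p.hidden_links,
            "links_after_html": p.trailing_links}
```

Hidden links alone are only a hint, since themes hide menus legitimately; links after `</html>` or paired hex markers are the stronger signal.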
     
  2. neuromancerx

    neuromancerx Registered Member

    1. Log in to phpMyAdmin, select your WordPress database
    2. find account you need new password for
    3. click edit
    4. fill the password with MD5 code generated from here md5encryption.com
     
  3. blackhit

    blackhit Super Moderator Staff Member Jr. VIP Premium Member

    The easiest way to get back in is resetting the PW in phpMyAdmin like said above.

    The instructions for that are here:

    Code:
    http://codex.wordpress.org/Resetting_Your_Password
    (scroll down the page).

    I used this method a couple of times when I locked myself out...:D
     
  4. robertodelgato

    robertodelgato Regular Member

    Whatever you do, immediately get a dump of the mysql database.

    If all else fails (and it probably will, if the site's been as compromised as it probably has) you can reinstall WP, immediately do an import on the sql dump, and you have 80% of what you had before. At least with regard to WP.

    They will be back, because they probably CHMOD'ed directories 7 levels deep (under tinymce, etc.) to 777 so they could get back in when they want.

    Back up the data, nuke it, put in strong passwords from a PW generator, rebuild from the import.

    There, just saved you 40 hours of headaches! :D
     
  5. makingfastcash22

    makingfastcash22 Senior Member

    Roberto what is the best way to protect your blogs from having this happen?

    Thanks
     
  6. ArticlesKing

    ArticlesKing Newbie

    The best way would be to make sure you keep your file permissions set to the most optimum protected levels.

    To the OP, I'd go with what Roberto said, get an SQL dump - delete all your existing files. (I am sure you have backups of all the custom edits on your blog - if not then your loss!)

    Do a fresh install of Wordpress (Stay away from Auto installers like Fantastico - manual installs are the best way to go) - import your dump in the new DB and you should be good to go.
    --

    Important tip - Always edit your files locally and then have these uploaded to your server. This way if things go wrong - you can just delete stuff and start from where you left it.
     
  7. sensitiv

    sensitiv Newbie

    I've had a similar hack a while ago.

    WP 2.7 is outdated, so there are some security gaps which are used for this kind of stuff.
    So updating would be my first step (after making backups of Code + Database).

    If you are lucky it's just an SQL code injection, but certainly carefully check all files (look at the change date of each file).

    I did remove those injected tags with phpMyAdmin, but there haven't been that many. Site is running fine now.

    But nobody really knows what those guys did, so be careful. If the site is small it's probably better to reinstall.
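Added example, not from any poster in this thread: a Python audit that combines two checks mentioned above, world-writable (777-style) directories left deep in the tree and PHP files with a recent change date. It assumes a POSIX filesystem; the demo tree, its file names and the 30-day cutoff are constructed.

```python
import os
import stat
import tempfile
import time

def audit(root, since):
    """Report world-writable paths and PHP files modified at or after `since` (epoch seconds)."""
    world_writable, recent_php = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                      # link permissions are meaningless
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:     # the "other" write bit, as in 777 or 666
                world_writable.append((rel, oct(stat.S_IMODE(st.st_mode))))
            is_php = name.lower().endswith((".php", ".phtml"))
            if stat.S_ISREG(st.st_mode) and is_php and st.st_mtime >= since:
                recent_php.append(rel)
    return {"world_writable": sorted(world_writable), "recent_php": sorted(recent_php)}

def demo():
    """Constructed tree: one deep 777 directory holding one freshly written PHP file."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        deep = os.path.join(root, "wp-includes", "js", "tinymce", "plugins", "x")
        os.makedirs(deep)
        for d, _, _ in os.walk(root):
            os.chmod(d, 0o755)                # normalise, independent of umask
        os.chmod(deep, 0o777)                 # the permission a cleanup should catch
        old = os.path.join(root, "wp-includes", "version.php")
        new = os.path.join(deep, "cache.php")
        for p in (old, new):
            with open(p, "w") as f:
                f.write("<?php\n")
            os.chmod(p, 0o644)
        os.utime(old, (now - 400 * 86400,) * 2)   # pretend it is over a year old
        return audit(root, since=now - 30 * 86400)

if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Modification times can be reset by whoever wrote the file, so an empty `recent_php` list does not clear a site; comparing files against a fresh copy of the same WordPress release is the stronger check.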
     
  8. makingfastcash22

    makingfastcash22 Senior Member

    I don't know what the optimum would be. Do you think that running the WP security plugin or the WP exploit scanner will show what needs to be fixed?
     
  9. ArticlesKing

    ArticlesKing Newbie

    Yes - they're better than not having any security in place. Especially when you're prone to attacks.

    Also - it's not necessarily only your WordPress files. Make sure you shift to a better web host.
     
  10. Biscut

    Biscut Regular Member

    There are a few things you can do. The easiest to start with is a few security plugins. I'm using the following on all of my blogs.

    Login Lockdown - After 3 failed login attempts it will lock out your blog for a set period of time. Mine are set for 5 minutes.
    Code:
    http://wordpress.org/extend/plugins/login-lockdown/
    WP Security Scan - Scans your blog for known security and permission vulnerabilities. It will also give you recommendations for file permission settings.
    Code:
    http://wordpress.org/extend/plugins/wp-security-scan/
    WP DB Backup - I have my database backed up every week and sent to me by email. I would rather lose 1 week's worth of posts than everything.
    Code:
    http://wordpress.org/extend/plugins/wp-db-backup/
    This won't keep everyone out but it will help you protect your blog from most. I'm sure there are a few people here who could hack almost anything if they wanted to and could provide more in-depth knowledge than I could. Like I said, this is a start.
     