
My blogs are being hacked; can't work out how to fix it

Discussion in 'Blogging' started by Abstroose, Mar 4, 2012.

  1. Abstroose

    I have about 30 WordPress blogs on a server, all being redirected to some Russian site. I figured it was the .htaccess file and found the malicious code. I corrected all .htaccess files, for them to be hacked again later on. I realised that the permissions to my wp-config.php files were all set to 666 (publicly editable), so I corrected these.

    I've just woken up this morning to find all .htaccess files corrupt again. Anyone have any ideas?
     
  2. xinoanet

    What are the permissions to the .htaccess?
     
  3. Abstroose

    .htaccess is 444, wp-config.php is 644.
     
  4. regmant

    Try reinstalling WP, as they may have hacked some core files allowing them access despite you changing the permissions on htaccess.
     
  5. software248

    Which hosting company are you using?

    Thanks
     
  6. davids355

    Did you change FTP credentials? Maybe they had access to that and thus could reset perms.

    Other than that, change WP login etc. If still problems then maybe check file system for rogue scripts?
     
  7. cocaco

    Change your password and fix your websites from a different computer; maybe you got malware on your computer.

    If you host your sites on shared hosting, ask your hoster to check it, and if you use a dedicated server, check if the hacker installed a shell or something like that on your server.
     
  8. kvmcable

    Look at the file timestamp of when they edited it and then look at the ftp and apache logs for that same timestamp. That will tell you how they're doing it. Most likely, because they're changing the .htaccess file, they're getting in through ftp. If you find they're logging in with ftp then change the ftp passwords and scan your computer. Either you have a trojan or you used a real simple ftp password that was easy to brute force. I get emails daily from my server protection software of hackers brute forcing ftp. If your hosting service doesn't have good protection in place the hackers can use a dictionary attack and walk right into ftp. Make sure you never use a dictionary word for an ftp password, another good strategy.

    Good luck
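
The timestamp correlation described in the post above, as an added example that is not part of the original thread. The function name, the sample log lines and the two-minute window are assumptions; the FTP lines follow the common xferlog layout, the web lines follow Apache's combined format, and both logs are assumed to be in UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines; hosts, paths and times are made up for the example.
XFERLOG = """\
Sun Mar  4 03:12:41 2012 1 203.0.113.7 412 /home/user/public_html/blog1/.htaccess a _ i r user ftp 0 * c
Sun Mar  4 09:30:02 2012 2 198.51.100.20 20480 /home/user/public_html/blog1/wp-content/uploads/a.jpg b _ i r user ftp 0 * c
"""
ACCESS_LOG = """\
198.51.100.9 - - [04/Mar/2012:03:12:39 +0000] "POST /blog1/wp-content/themes/t/functions.php HTTP/1.1" 200 31 "-" "-"
192.0.2.55 - - [04/Mar/2012:03:40:00 +0000] "GET /blog1/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# xferlog: time, transfer-secs, host, size, file, type, flag, direction, mode, user, ...
XFER_RE = re.compile(
    r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \d+ (\S+) \d+ (\S+) \S \S (\S) \S (\S+)")
# combined log: client, ident, user, [time], "METHOD path ..."
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


def events_near(mtime, xferlog, access_log, window_s=120):
    """Return (source, time, client, detail) for FTP uploads and HTTP POSTs near mtime."""
    window = timedelta(seconds=window_s)
    hits = []
    for line in xferlog.splitlines():
        m = XFER_RE.match(line)
        if m and m.group(4) == "i":  # i = incoming, i.e. a file written to the server
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            ts = ts.replace(tzinfo=timezone.utc)  # assumption: server logs in UTC
            if abs(ts - mtime) <= window:
                hits.append(("ftp", ts, m.group(2), f"{m.group(5)} uploaded {m.group(3)}"))
    for line in access_log.splitlines():
        m = APACHE_RE.match(line)
        if m and m.group(3) == "POST":  # writes via a web script usually arrive as POST
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            if abs(ts - mtime) <= window:
                hits.append(("http", ts, m.group(1), f"POST {m.group(4)}"))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    # On a real host, take this from os.stat(".htaccess").st_mtime instead.
    changed = datetime(2012, 3, 4, 3, 12, 41, tzinfo=timezone.utc)
    for source, ts, client, detail in events_near(changed, XFERLOG, ACCESS_LOG):
        print(source, ts.isoformat(), client, detail)
```

A modification time can be reset by whoever wrote the file, so an empty result does not clear either channel; compare the change time (ctime) as well where the host exposes it.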
     
  9. Clemenza

    Check your functions.php and wp-config.php. There may be malicious code at the top of each.
     
  10. Abstroose

    They're on shared hosting with Site5.

    Thanks for the suggestions so far. I'm quite sure it's automated because some of the blogs are empty, and they're all getting done at once. There'd be no benefit whatsoever setting up a redirect for some of the blogs.
     
  11. SCORPIAN

    Change yr pw regularly
     
  12. davids355

    Did you get this sorted?
     
  13. ibmethatswhoib

    Same thing happened to me. http://www.blackhatworld.com/blackhat-seo/black-hat-seo/406849-being-hacked-f-kj-k-jk.html

    What I did was make sure my databases are backed up, back up your uploads/pictures. Then I just deleted everything cuz mine were all infected with that code all over my php files. Then just reinstall and connect with your database.

    *Make sure you change your database username or password! I think that's how they automated it to infect my sites. Also change your ftp and login if you really want to be sure it's all good.
     
  14. darkfury

    Did you check your apache log files to ensure it was via the htaccess and config they exploited your site?
     
  15. LakeForest

    Do what was mentioned above, blacklist IPs that connected right before you notice things going fishy.

    Make sure your host is reputable

    and...

    DISABLE ANONYMOUS FTP
     
  16. darkfury

    I'd be more inclined to identify the source before arsing around.
     
  17. sirgold

    If you haven't gotten this sorted, download (if you haven't a local mirror already) the php files onto your computer and search for any occurrence of the strings "base64_decode" and "eval(base64_decode". Chances are a part of the vector attack is there.

    It might be an issue with your specific hosting, so that there's little you can do. You mentioned it's shared so maybe a reverse lookup to see if the other domains suffer the same .htaccess malicious rewriting and they redirect to the offending sites might help you rule out this possibility.

    Last thing that comes to mind is to make a dump of your SQL tables to see if something fishy (maybe the string .htaccess out of context) is present. A good way to check if the issue is with your SQL code is to install a brand new WP instance on a test domain after importing the sql you previously exported from one of the other affected sites.

    HTH
     
  18. trustedfire9

    Install a scan plugin for WP:
    http://wpantivirus.com/
    I have Acunetix web scanner consultant edition and other scan tools. If you want, PM me with one site URL and I will make a full scan.
     
  19. markhenry121

    Install WordPress again and also change the password for your site.
     
  20. IKbentim

    Chmod everything 600