
Possible attempt to hack???

Discussion in 'Blogging' started by krluk, Apr 4, 2010.

  1. krluk

    krluk Registered Member

    Joined:
    Mar 25, 2010
    Messages:
    84
    Likes Received:
    18
    Location:
    G@@gle attic
    I have just found this entry in the WP stat log.
    I have followed the link and ended up with:
    Sorry. We cannot find the location you are looking for.
    Also at the very top of the page it shows this: } catch(err) {}
    htxtp://www.xxxx.com/wp-admin/www.xxxx.com/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=file&folder=
    This is the IP
    77.66.214.80, from where the attempt was.
    Anyone know what this was?
    Thanks
     
  2. greenovni

    greenovni Regular Member

    Joined:
    Feb 8, 2008
    Messages:
    223
    Likes Received:
    153
    77.66.214.80. Same exact deal on my blog. Looks like an attempt to hack through TinyMCE, which I don't use.

    Funny that it is the same IP address.
     
  3. krluk

    krluk Registered Member

    Joined:
    Mar 25, 2010
    Messages:
    84
    Likes Received:
    18
    Location:
    G@@gle attic
    I hope that I'm wrong.... but you are in big trouble!
    Try to see your page source, look for links that should not be there.
    After I posted that here.... nothing happened. And 3 or 4 days ago I noticed something funny about my blog.
    In the source of the web page, I found one link pointing to some dating site, Turkish. :eek: As my site is about a different thing, this became suspicious.
    After that I dug into my blog and found that all .php and .css files were infected.
    Also the virus creates an entry in the database, rss_29138649827634912873649, something like this. The hack can be seen only by search engines. Normal visitors cannot see anything. Nor can the person who manages the site.
    In the last 2 days I have recovered about 90% of the site. Fresh install, new database, new template....
    Nobody knows how the virus got into the site. There are some guesses that it might be the supercache plugin, or the RSS feed; the WP team is working on that.
    But the problem is that if that account has more than one blog, all get the virus. Same for me, there were 5 blogs on that account, all got the virus.
    I have saved the hacked versions and I will take a look at them later.

    Update: Not sure, but if you have this entry, you are hacked: jquery.js
    Search all files in all folders, also hidden ones; search with FTP, ftpzilla, or whatever you use.
    I had that entry, and it was hidden. Some claim that it is created by the virus.
    What people know so far: the malicious code is in the database, and the code from the .php files triggers it.

    For further info: google for "pharma hack for wordpress". But this one is different, nothing about pharma, and it does not redirect your visitors or add any link to your SERP. It just creates a backlink to his site.
    I have no idea how long that code was there....
    Also, if you just try to disinfect, even if you delete WP and make a clean install with the same database, it reactivates after 20 days.
    I used to have WP 2.9.2, all plugins up to date.....
    If anyone has this, I can give a hand with how to restore. But all files must be deleted, including the database.
    Update: Look for this entry in all folders and subfolders: jquery.js
    Some claim that it is created by the virus.
    I have found that on my blogs it was hidden. Make sure you look for it with FTP; I used ftpzilla. In cPanel it didn't show.
     
    Last edited: May 2, 2010
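A defender's check for the two symptoms described in the post above (links that only a search-engine crawler is served, and a stray jquery.js dropped outside WordPress core, possibly in a hidden directory), as an added Python example that is not part of this thread. The User-Agent strings, the core jquery.js path and the sample pages are assumptions constructed for the example.

```python
import os
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
CORE_JQUERY = "wp-includes/js/jquery/jquery.js"  # assumption: WP 2.9-era core location

# Constructed sample pages: the crawler copy carries an injected link the browser copy lacks.
SAMPLE_BROWSER = '<html><body><p>My blog</p><a href="/about">About</a></body></html>'
SAMPLE_BOT = ('<html><body><p>My blog</p><a href="/about">About</a>'
              '<div style="display:none"><a href="http://dating-site.example/">x</a></div></body></html>')

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.update(v for k, v in attrs if k == "href" and v)

def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links

def crawler_only_links(browser_html, bot_html):
    """Links present only in the copy served to the crawler: the cloaked backlinks."""
    return sorted(extract_links(bot_html) - extract_links(browser_html))

def fetch(url, user_agent, timeout=15):
    """Fetch url with a chosen User-Agent; call once per UA and diff with crawler_only_links()."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def stray_jquery(relative_paths):
    """Flag every jquery.js outside the core path, plus any copy sitting under a dot-directory."""
    hits = []
    for rel in (p.replace(os.sep, "/") for p in relative_paths):
        if rel.split("/")[-1] == "jquery.js" and (rel != CORE_JQUERY or "/." in "/" + rel):
            hits.append(rel)
    return sorted(hits)

def scan_tree(root):
    """Walk an install on disk (os.walk does not skip dot-directories) and report stray copies."""
    paths = [os.path.relpath(os.path.join(d, f), root) for d, _, fs in os.walk(root) for f in fs]
    return stray_jquery(paths)
```

To run the cloaking check against a live site, diff `fetch(url, BROWSER_UA)` against `fetch(url, BOT_UA)` with `crawler_only_links()`; themes and plugins that legitimately bundle their own jquery.js will also be listed by `scan_tree()`, so treat its output as a review list rather than a verdict.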
  4. krluk

    krluk Registered Member

    Joined:
    Mar 25, 2010
    Messages:
    84
    Likes Received:
    18
    Location:
    G@@gle attic
    More info:

    http://wordpress.org/support/topic/385477
    This is the RSS error you get if infected with the same type as me:
    Where the red line is, is the redirect URL.
    http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix
    http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/
    http://boardreader.com/thread/SQL_attack_on_wpress_2_9_2_7e2jX89fp.html
    Moderator, please add hide referrer, I don't know how and am too tired..., sorry!

    http://blog.taragana.com/index.php/archive/detailed-post-mortem-of-a-website-hack-through-wordpress-how-to-protect-your-wordpress-blog-from-hacking/
     
    Last edited: May 2, 2010
  5. krluk

    krluk Registered Member

    Joined:
    Mar 25, 2010
    Messages:
    84
    Likes Received:
    18
    Location:
    G@@gle attic
    The IP should not be a big concern with this virus.
    In the past, Yandex used to eat a lot of my bandwidth. I blocked its IP class, but it returned with a new one, Russian also. It was ignoring robots.txt also.
    I have blocked the entire Russian IP class. But the hack occurred even with that restriction in place. My guess is that the hack was done with a US IP and a g@@gle footprint. But the virus deletes all records when the initial attack takes place. When the Russian IP visited the site, I think it was just testing and checking.
    The WP team states the virus first goes and performs a g@@gle search for keywords, from the result page picks up high PR, then attacks the sites.
    The victims are not only WP; there are also reports about Joomla sites and other platforms. I have also lost one Joomla site, on the same account as the WP.
    At the moment there is no real protection from this virus, just hope that we rebuild the site and it doesn't come back..... and harden WP.
    Some reported that if wp-config and wp-settings permissions are set to 640, it can't get into the website. But nothing is for sure.