
WordPress Blogs Hacked

Discussion in 'Blogging' started by BlackBeret, Nov 21, 2008.

  1. BlackBeret

    BlackBeret Regular Member

    Joined:
    Jul 12, 2008
    Messages:
    257
    Likes Received:
    61
    Location:
    Transexual, Transylvania
    A couple of my blogs got hacked. They entered the following code in a couple of places:

    Code:
    RewriteEngine On
    Options +FollowSymlinks
    RewriteBase /

    # Conditions: the visitor's referer matches any of these search-engine names
    RewriteCond %{HTTP_REFERER} .*google.* [OR]
    RewriteCond %{HTTP_REFERER} .*ask.* [OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
    RewriteCond %{HTTP_REFERER} .*excite.* [OR]
    RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
    RewriteCond %{HTTP_REFERER} .*msn.* [OR]
    RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
    RewriteCond %{HTTP_REFERER} .*aol.* [OR]
    RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
    RewriteCond %{HTTP_REFERER} .*goto.* [OR]
    RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
    RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
    RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
    RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
    RewriteCond %{HTTP_REFERER} .*search.* [OR]
    RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
    RewriteCond %{HTTP_REFERER} .*dogpile.*
    # Rule: any request from such a visitor is 301-redirected to the attacker's page
    RewriteRule ^(.*)$ http://xxxxxxxxxxxxxx.com/v-web/index2.html [R=301,L]

    # Error responses are pointed at the same external page
    ErrorDocument 401 http://xxxxxxxxxxxxxx.com/v-web/index2.html
    ErrorDocument 403 http://xxxxxxxxxxxxxxx.com/v-web/index2.html
    ErrorDocument 404 http://xxxxxxxxxxxxxxxx.com/v-web/index2.html
    ErrorDocument 500 http://xxxxxxxxxxxxxxxxx.com/v-web/index2.html
    
    The xxxxxxxxxxxxxxxxxxx is their domain name that I removed.

    Most of the codes were in the wp-content folder and subfolders (plugins, themes).

    I can't figure out what they are trying to do. It looks like they are trying to make a bunch of MFA sites with SE results. Or maybe redirect all the search engine traffic my site might have gotten to their site?

    Any ideas?
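    A defender-side check for the pattern in the post above, added here as an example and not code from the original thread: it walks a WordPress tree, reads every .htaccess, and flags RewriteCond lines on %{HTTP_REFERER} that feed a RewriteRule redirecting off-site, plus ErrorDocument lines pointing at an external URL. Legitimate referer rules (hotlink protection, which redirects nowhere external) are not flagged. The hostnames attacker-placeholder.example and myblog.example are constructed placeholders.

```python
"""Flag search-engine referer cloaking in .htaccess files under a WordPress tree.

Added example, not code from the original post. The sample blocks below are
constructed; the attacker domain is a placeholder.
"""
import os
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Search-engine names that appeared in the injected conditions in the thread.
SE_REFERER_TOKENS = ("google", "yahoo", "msn", "ask", "aol", "lycos",
                     "altavista", "dogpile", "metacrawler", "search")

RE_COND_REFERER = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RE_RULE = re.compile(r"^\s*RewriteRule\b", re.I)
RE_RULE_EXTERNAL = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://[^\s\[]+)", re.I)
RE_ERRORDOC_EXTERNAL = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(https?://\S+)", re.I)


@dataclass
class Finding:
    path: str
    line_no: int
    reason: str
    text: str


def _is_own_host(url, site_hosts):
    """True when the URL's host is one of the site's own hostnames."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in site_hosts)


def scan_htaccess_text(text, path="<inline>", site_hosts=()):
    """Return a list of Finding for one .htaccess body.

    Apache applies RewriteCond lines only to the next RewriteRule, so the
    pending referer conditions are cleared whenever a RewriteRule is seen.
    """
    findings = []
    pending_referer_conds = []
    for no, line in enumerate(text.splitlines(), 1):
        m = RE_COND_REFERER.match(line)
        if m:
            pending_referer_conds.append(m.group(1))
            continue
        if RE_RULE.match(line):
            m = RE_RULE_EXTERNAL.match(line)
            if m and pending_referer_conds and not _is_own_host(m.group(1), site_hosts):
                se_hits = sorted({tok for cond in pending_referer_conds
                                  for tok in SE_REFERER_TOKENS if tok in cond.lower()})
                reason = (f"{len(pending_referer_conds)} HTTP_REFERER condition(s) "
                          f"redirect off-site to {urlparse(m.group(1)).hostname}")
                if se_hits:
                    reason += f" (search-engine referers: {', '.join(se_hits)})"
                findings.append(Finding(path, no, reason, line.strip()))
            pending_referer_conds = []
            continue
        m = RE_ERRORDOC_EXTERNAL.match(line)
        if m and not _is_own_host(m.group(2), site_hosts):
            findings.append(Finding(path, no, f"ErrorDocument {m.group(1)} points off-site",
                                    line.strip()))
    return findings


def scan_tree(root, site_hosts=()):
    """Walk a WordPress install and scan every .htaccess (wp-content, plugins, themes...)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            p = os.path.join(dirpath, ".htaccess")
            with open(p, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_htaccess_text(fh.read(), p, site_hosts))
    return findings


# Constructed samples: an injected block modelled on the thread's (placeholder
# attacker domain), and a benign hotlink-protection block that must not be flagged.
INJECTED_SAMPLE = """RewriteEngine On
Options +FollowSymlinks
RewriteBase /
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://attacker-placeholder.example/v-web/index2.html [R=301,L]
ErrorDocument 404 http://attacker-placeholder.example/v-web/index2.html
"""

BENIGN_SAMPLE = """RewriteEngine On
# hotlink protection: only our own pages may embed images
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\\.)?myblog.example/ [NC]
RewriteRule \\.(jpe?g|png|gif)$ - [F,NC]
ErrorDocument 404 /404.php
"""

if __name__ == "__main__":
    for f in scan_htaccess_text(INJECTED_SAMPLE, "sample/.htaccess", ("myblog.example",)):
        print(f"{f.path}:{f.line_no}: {f.reason}\n    {f.text}")
```

    Run scan_tree("/path/to/wordpress", ("yourdomain.example",)) against a live install; the RewriteRule target host is the one worth cross-checking against the ErrorDocument hosts, since in the thread both pointed at the same external site.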
     
  2. oldenstylehats

    oldenstylehats Elite Member Premium Member

    Joined:
    Apr 10, 2008
    Messages:
    1,893
    Likes Received:
    1,196
    Is it these guys?
    Code:
    a3r0fl1ghttra1n1ng.c0m
     
  3. BlackBeret

    BlackBeret Regular Member

    Joined:
    Jul 12, 2008
    Messages:
    257
    Likes Received:
    61
    Location:
    Transexual, Transylvania
    Nice job Kreskin.

    And how would you know that?
     
  4. linkmaster03

    linkmaster03 Newbie

    Joined:
    Nov 12, 2008
    Messages:
    9
    Likes Received:
    0
    It looks like it is telling spiders to rank his page instead of yours. Not sure though.
     
  5. BlackBeret

    BlackBeret Regular Member

    Joined:
    Jul 12, 2008
    Messages:
    257
    Likes Received:
    61
    Location:
    Transexual, Transylvania
    I just did a search in google for the following line:
    Code:
    .com/v-web/index2.html
    
    trying to find more information and BlackHatWorld came up number one.

    I thought stuff inside the code tags wasn't searchable by the search engines. Somebody might want to take a look at the board settings if it isn't supposed to be searchable.
     
  6. oldenstylehats

    oldenstylehats Elite Member Premium Member

    Joined:
    Apr 10, 2008
    Messages:
    1,893
    Likes Received:
    1,196
    Haha. It's been a long time since I've seen someone use the name Kreskin in writing, but the Randal avatar sort of explains it.

    Someone I know had an issue with the same thing, that's how I knew. Whoever is doing it started doing it a while ago.
     
  7. rayes

    rayes Newbie

    Joined:
    Mar 24, 2008
    Messages:
    21
    Likes Received:
    0
    How do you find such things in your blog's code? Are you using software to scan the code?
     
  8. Krutoy

    Krutoy BANNED BANNED

    Joined:
    Sep 16, 2008
    Messages:
    50
    Likes Received:
    34
    Maybe after he saw weird things happen in his blog he started to check the files.
    You can use "Notepad++"; it's good software to search in many docs.
     
  9. BlackBeret

    BlackBeret Regular Member

    Joined:
    Jul 12, 2008
    Messages:
    257
    Likes Received:
    61
    Location:
    Transexual, Transylvania
    I was looking in the File Manager in my cPanel for something else and I noticed all these extra files. I started opening them to see what they were and you see what I found.

    Another time I found someone had hacked by viewing my stats in cPanel. There were a lot of people landing on a page that I didn't make. Turned out to be a PayPal phishing scam, but I've had a couple of bank phishing scams also. Any time you see a landing page with the name of a bank in it in your stats it's probably a phish. It got so bad my host shut down a couple of my sites. Neither of us could figure out where they got in.
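    The two signals in the post above (extra files that were never part of the install, and traffic in the stats landing on pages the owner did not make) can be combined into one check. The following is an added example, not code from the original post: it diffs a clean-install file manifest against the live tree, counts successful requests per path from the access log, and flags the unexpected files that are receiving traffic or carry bank/login style names. BASELINE, CURRENT and LOG_LINES are constructed sample data; in practice the baseline comes from an untouched copy of the same WordPress release and CURRENT from walking the live site.

```python
"""Cross-check files that were not part of the WordPress install against the
access log, to surface planted landing pages (e.g. phishing kits) receiving traffic.

Added example, not from the original post. All data below is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Apache combined log format:
# host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Words that, in a path you did not create, usually mean a phishing page.
PHISH_WORDS = ("bank", "paypal", "login", "signin", "verify", "account", "secure")


@dataclass
class Suspect:
    path: str
    hits: int
    flags: tuple


def parse_log_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def served_paths(log_lines):
    """Count successful (2xx) requests per path, query string stripped."""
    counts = Counter()
    for line in log_lines:
        rec = parse_log_line(line)
        if rec and rec["status"].startswith("2"):
            counts[rec["path"].split("?", 1)[0]] += 1
    return counts


def unexpected_files(baseline, current):
    """Relative paths present now that were not in the clean install manifest."""
    return sorted(set(current) - set(baseline))


def suspicious_landing_pages(baseline, current, log_lines):
    """Return Suspect entries for unexpected files, most-visited first."""
    hits = served_paths(log_lines)
    suspects = []
    for rel in unexpected_files(baseline, current):
        url_path = "/" + rel
        flags = []
        if any(w in rel.lower() for w in PHISH_WORDS):
            flags.append("phish-keyword")
        if rel.endswith((".html", ".htm")):
            flags.append("static-html-in-wp-tree")
        if rel.endswith(".htaccess"):
            flags.append("htaccess")
        suspects.append(Suspect(url_path, hits.get(url_path, 0), tuple(flags)))
    return sorted(suspects, key=lambda s: (-s.hits, s.path))


# Constructed manifests: a few files from a clean install, and the live tree
# with two files the owner never created.
BASELINE = {
    "index.php", "wp-login.php", "xmlrpc.php",
    "wp-content/themes/mytheme/header.php",
    "wp-content/themes/mytheme/style.css",
    "wp-content/plugins/akismet/akismet.php",
}
CURRENT = BASELINE | {
    "wp-content/uploads/examplebank/login.html",
    "wp-content/plugins/akismet/.htaccess",
}
# Constructed access-log lines (documentation-range IPs).
LOG_LINES = [
    '203.0.113.5 - - [21/Nov/2008:10:12:01 +0000] "GET /2008/11/a-post/ HTTP/1.1" 200 5123 "http://www.google.com/search?q=a" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Nov/2008:10:13:44 +0000] "GET /wp-content/uploads/examplebank/login.html HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [21/Nov/2008:10:13:50 +0000] "GET /wp-content/uploads/examplebank/login.html?id=9 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Nov/2008:10:14:02 +0000] "GET /wp-content/themes/mytheme/style.css HTTP/1.1" 200 811 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Nov/2008:10:14:30 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for s in suspicious_landing_pages(BASELINE, CURRENT, LOG_LINES):
        print(f"{s.hits:4d}  {s.path}  {','.join(s.flags)}")
```

    An unexpected file with zero hits (here the planted .htaccess) is still reported, since config files are never requested directly but still change how the site behaves.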
     
  10. bl4ck1ce

    bl4ck1ce Regular Member

    Joined:
    Oct 28, 2008
    Messages:
    234
    Likes Received:
    77
    Occupation:
    Web Design & Marketing
    Location:
    British Columbia, Canada
    My blogs were hacked about a week ago; I found out the night before I had a flight scheduled so wasn't able to do anything about it.. wasn't for SE targeting, they plastered Xanax ads all over my site in the header, footer, sidebar, etc. They also replaced my adsense pub-id with theirs! Since I was about to go on vacation, I had a friend clean up my code for me since we share the server my sites are on.. I got excited when he called to tell me they had put their adsense ID in, but that quickly faded when he told me he forgot to save the hacked version of the site and had lost the hacker's info...

    Good luck getting your blogs fixed and secured, I'm still trying to figure out how they got in. Several core PHP files in the wordpress install and some plugins were changed, but that still doesn't tell me how they did it.
     
  11. soctal

    soctal Regular Member

    Joined:
    Jul 28, 2008
    Messages:
    243
    Likes Received:
    76
    I was on another forum the other day and the mod suggested this site. I don't know if it would help; it's a little beyond me. Good luck.

    Code:
    http://php-ids.org/

     
    • Thanks Thanks x 2
  12. NikhilG

    NikhilG Guest

    damn... my blog got hacked too.. Completely wiped out.. nothing left..
    thank god, i had a backup available...

    *** Nick goes to unzip the backup ***

    *** WTF?? Backup was not complete...!! And, he counts his losses ***

    I lost my theme modifications, images inside posts, and what not.. thank god at least the database backup was complete or I was ruined....!! :D
     
  13. chucklechuck

    chucklechuck Registered Member

    Joined:
    Dec 2, 2008
    Messages:
    93
    Likes Received:
    52
    Search results now show your post saying that the info inside Code: tags is searchable by search engines. Made me laugh!
    
    Appreciate the link above as my site constantly seems to be attacked in some form or another
     
  14. cooooookies

    cooooookies Senior Member

    Joined:
    Oct 6, 2008
    Messages:
    1,008
    Likes Received:
    216
    This is very scary. Does anyone want to investigate instead of only telling dramatic stories?

    Which WP version and which plugins did you use?

    Just to mention that... you also know... there are some (even popular) plugins which do nasty things.
     
  15. bl4ck1ce

    bl4ck1ce Regular Member

    Joined:
    Oct 28, 2008
    Messages:
    234
    Likes Received:
    77
    Occupation:
    Web Design & Marketing
    Location:
    British Columbia, Canada
    WP 2.0.3 (haven't updated that site in a while!), and a friend who was looking at it for me while I was on vacation said the error was a security hole in the xmlrpc.php file.. I'm still not sure how that allowed the theme files to be edited, but I'm not much of a hacker (nor do I care to be).

    edit: theme is Greenery v2, but I don't think the theme had anything to do with it because another blog on the same server was hacked and was running a totally different theme... and a different wp version as well.. (also out of date)

    I'm going to be taking some steps to secure the site, and will roll those out to all of my other blogs as well.. starting with upgrading them all to WP 2.7...
     
    Last edited: Dec 12, 2008
  16. emgxxg

    emgxxg Registered Member

    Joined:
    Nov 3, 2008
    Messages:
    93
    Likes Received:
    523
    bl4ck1ce, honestly you need to upgrade pronto. Wordpress has made significant changes since then.

    Another thing (this goes for everyone): see if you have the following code in your theme's header.php and remove it. It serves no real purpose.. actually it does.. it tells people what version of WordPress you are using, and if they care, they'd know the vulnerabilities that your blog is exposed to.
    Code:
    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
    
    btw. just change it in the 'Main Theme' and leave it elsewhere. Sorry about pointing it out, I have seen people just change all of 'em at one go with dreamweaver.

    Cheers!!
     
  17. emgxxg

    emgxxg Registered Member

    Joined:
    Nov 3, 2008
    Messages:
    93
    Likes Received:
    523
    Didn't realize you had specified the theme; I downloaded it and checked it. It does include the meta tag in the header.php on line 10 that I recommended for removal, hence it is responsible to a certain extent for the hacking. Just remove that piece of code.

    Also, as I mentioned in the last post about also checking the footer.php, that obviously does not apply to the meta tag but rather to this part of the code:

    PHP:
    <?php bloginfo('version'); ?>
    Hope this helps!!

    Cheers!!
     
    • Thanks Thanks x 1