
WP Blog Being Hack -.-"

Discussion in 'BlackHat Lounge' started by jiajilah, Dec 22, 2010.

  1. jiajilah

    jiajilah Junior Member

    Joined:
    Jun 6, 2008
    Messages:
    138
    Likes Received:
    122
    All my pages, including the login page, have these fxxking links attached to the footer...
    Upgraded to the latest version, changed theme, deactivated plugins, but still there!
    Any idea how to remove these?

    Code:
    <style>#ysux {position:absolute;overflow:auto;height:0;width:0;}</style><font id="ysux"><li><a href="http://hashizaka.com/w/tag/7日/?rhf=zmu_christmas_photo_gifts.html">Christmas Photo Gifts</a></li>
    <li><a href="http://www.ridgelist.com/classifieds/?pdv=oqe_christmas_pagan_holiday.html">Christmas Pagan Holiday</a></li>
    <li><a href="http://beta.hbgin.com/?iwc=oga_plants_christmas_cactus.html">Plants Christmas Cactus</a></li>
    <li><a href="http://bobbyandmarsha.projectbam.com/?mzq=qvp_this_christmas_cd.html">This Christmas Cd</a></li>
    If you are someone who uses this kind of blackhat method, you suck...
     
  2. jiajilah

    jiajilah Junior Member

    Joined:
    Jun 6, 2008
    Messages:
    138
    Likes Received:
    122
    wp config got whacked...
     
  3. angelas111

    angelas111 Jr. VIP Jr. VIP Premium Member

    Joined:
    Jan 4, 2009
    Messages:
    1,569
    Likes Received:
    1,016
    Location:
    ohio
    you need to access your files via ftp. check your index.php file for funny looking code and remove it. also check in your wp-content, wp-admin folders for "added" index.php files too. this happened to me recently.
     
  4. popcrdom29

    popcrdom29 Jr. VIP Jr. VIP Premium Member

    Joined:
    May 20, 2008
    Messages:
    807
    Likes Received:
    518
    Sorry this happened to you but you should contact your hosting company immediately. If they are a reputable company then they will help you. But sorry to say that you will most likely have to start all over unless you had everything backed up.

    Also, I don't know how they were able to hack your site but you should change your passwords for everything else you have access to. Maybe there was a keylogger or something malicious on your computer and this person stole your passwords.
     
  5. jiajilah

    jiajilah Junior Member

    Joined:
    Jun 6, 2008
    Messages:
    138
    Likes Received:
    122
    They injected base64_decode code into the wp config file, creating the footer with links on the blog.
    Removed that and problem solved.

    For those using wp who have tens of wp blogs, be sure you read this.

    http://codex.wordpress.org/Hardening_WordPress
     
  6. The Scarlet Pimp

    The Scarlet Pimp Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 2, 2008
    Messages:
    788
    Likes Received:
    3,120
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
    add this to your htaccess file...

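    ### Block Hacker Attacks
    # Requires mod_rewrite; WordPress's own permalink block normally sets this too.
    RewriteEngine On
    # The conditions below inspect only the URL query string of each request.
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # [F] answers a matching request with 403 Forbidden.
    RewriteRule ^(.*)$ index.php [F,L]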
     
  7. jiajilah

    jiajilah Junior Member

    Joined:
    Jun 6, 2008
    Messages:
    138
    Likes Received:
    122
    What does it do buddy?
    Does it conflict with wp permalink structure?
    Does it block all base64_encode? (I have a plugin that uses base64_encode)
    Thanks for helping.
     
  8. The Scarlet Pimp

    The Scarlet Pimp Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 2, 2008
    Messages:
    788
    Likes Received:
    3,120
    Occupation:
    Chair moistener.
    Location:
    Cyberspace

    1. it stops injection attacks from various sources (base_64, javascript, globals, etc.) and redirects the hacker to your main index page.

    2. the code shouldn't interfere with existing base_64 scripts. just to be safe, check it on your server to make sure there's no conflict. if there is, then disable it.

    note: you may want to consider translating the base_64 in your plugins.

    3. it has nothing to do with permalinks structure.
     
  9. jiajilah

    jiajilah Junior Member

    Joined:
    Jun 6, 2008
    Messages:
    138
    Likes Received:
    122
    okay, big thanks!
     
  10. satih

    satih Newbie

    Joined:
    Sep 9, 2009
    Messages:
    14
    Likes Received:
    1
    export the minimum from your wp db, reinstall fresh wp and restore your db, you probably have shell in one or more files.. check logs for access to your blog to find who accessed what files.
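
A defender-side file check for what posts 3, 5 and 10 describe (decoded-and-executed base64 code in wp-config.php, the zero-size CSS box that hides the links, stray PHP files), as an added example that is not part of the thread. The rule names, the uploads heuristic and the sample tree are assumptions constructed for illustration, and every hit still needs manual review.

```python
import re
import tempfile
from pathlib import Path

# Heuristic rules, assumed for this example; hits need manual review.
RULES = {
    # Decoded payload executed at runtime (the wp-config.php injection).
    "eval-decoded-payload": re.compile(
        rb"\b(?:eval|assert)\s*\(\s*@?(?:\w+\s*\(\s*)*base64_decode\s*\(", re.I),
    # Zero-size box that hides the spam links from visitors.
    "hidden-link-css": re.compile(rb"height\s*:\s*0\s*;\s*width\s*:\s*0\s*;", re.I),
}
SCANNED = {".php", ".js", ".html", ".htm"}


def scan(root):
    """Return sorted (relative path, line number, rule) hits under root."""
    root, hits = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCANNED:
            continue
        rel = path.relative_to(root).as_posix()
        # PHP has no business in the uploads directory on a stock install.
        if rel.startswith("wp-content/uploads/") and path.suffix.lower() == ".php":
            hits.append((rel, 0, "php-in-uploads"))
        for num, line in enumerate(path.read_bytes().splitlines(), 1):
            hits += [(rel, num, name) for name, rx in RULES.items() if rx.search(line)]
    return sorted(hits)


def build_sample(root):
    """Write a small constructed tree: one clean file, three suspicious ones."""
    files = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-config.php": "<?php\neval(base64_decode('ZWNobyAnc2FtcGxlJzs='));\n",
        "wp-content/themes/x/footer.php": "<style>#a{height:0;width:0;}</style>\n",
        "wp-content/uploads/2010/12/img.php": "<?php // constructed\n",
    }
    for rel, text in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, num, rule in scan(tmp):
            print(f"{rel}:{num}: {rule}")
```

A plain `base64_decode()` call that is not wrapped in `eval`/`assert` is deliberately not flagged, since legitimate plugins use it.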