Sites hacked


#1

Several of my sites have been hacked, with an injection of base64-encoded PHP that redirects incoming search traffic.

Don’t know how this got in, maybe an out-of-date WordPress installation, or maybe the recent hack? Anyway.

I’m going about restoring things, but I had a few questions, and would appreciate any feedback, as I’m not an expert on some of this stuff.

  1. My plan is to delete everything from Dreamhost’s servers, and rebuild from backups that I’m sure are clean of any malware – so far I’ve only found suspicious code in PHP files. Should I be looking anywhere else?

  2. I am trying to access my log files, but the permissions seem to have been changed to 755, and I can’t open them… how can I open & back up these files?

  3. I created a new FTP/shell user earlier today for all sites, but when I try to log in via SSH, I keep getting booted. Could this be related, or am I doing something wrong? Have checked and double-checked username and password – can log in via FTP but not the shell. (Using Coda on OS X.)

Needless to say, this sucks. I have 4 business websites that are effectively down, and I’m trying to get this sorted ASAP…

Any help would be greatly appreciated…

Thanks!
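
The poster asks where else to look besides PHP files. The following Python scanner is an added example (it is not the poster's own clean-up and not the cleaner script linked in a later reply): it walks a web root, reports the eval(base64_decode(...)) pattern together with the decoded payload so you can read what the injected code does, and also flags two places this kind of compromise usually touches, PHP files under wp-content/uploads and .htaccess files containing redirect directives. The sample tree, the payload and all paths below are constructed for the example.

```python
"""Scan a web root for injected PHP of the eval(base64_decode(...)) kind.

Added example, not the poster's cleaner.  Finds obfuscated eval() calls
and decodes the base64 argument for inspection, flags PHP under
wp-content/uploads (WordPress never writes PHP there) and .htaccess files
carrying redirect rules.  The sample tree below is constructed.
"""
import base64
import os
import re
import tempfile

# eval() fed by base64_decode / gzinflate / str_rot13 wrappers
EVAL_RE = re.compile(
    r'eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(',
    re.IGNORECASE)
# the base64 blob handed to base64_decode (40+ chars to skip short legit uses)
B64_ARG_RE = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]{40,})["\']')
UPLOADS_RE = re.compile(r'(^|/)wp-content/uploads/.*\.php$')
REDIRECT_RE = re.compile(r'RewriteRule|Redirect', re.IGNORECASE)


def decode_payload(blob: str) -> str:
    """Decode a base64 argument, tolerating whitespace and missing padding."""
    compact = re.sub(r'\s+', '', blob)
    try:
        return base64.b64decode(compact + '=' * (-len(compact) % 4)).decode('latin-1')
    except Exception:
        return ''


def scan_file(path: str, rel: str) -> list:
    """Return (relative path, indicator, decoded preview) tuples for one file."""
    findings = []
    with open(path, 'r', encoding='latin-1') as fh:   # latin-1: binary junk won't abort
        text = fh.read()
    if UPLOADS_RE.search(rel):
        findings.append((rel, 'php-in-uploads', ''))
    if os.path.basename(rel) == '.htaccess' and REDIRECT_RE.search(text):
        findings.append((rel, 'htaccess-redirect', ''))
    if EVAL_RE.search(text):
        m = B64_ARG_RE.search(text)
        preview = decode_payload(m.group(1))[:120] if m else ''
        findings.append((rel, 'eval-obfuscated', preview))
    return findings


def scan_tree(root: str) -> list:
    """Scan every .php and .htaccess file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.endswith('.php') or name == '.htaccess'):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            findings.extend(scan_file(full, rel))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample web root (assumption: not data from the thread)."""
    root = tempfile.mkdtemp(prefix='hacked-site-')
    payload = base64.b64encode(
        b'if (strpos($_SERVER["HTTP_REFERER"], "google") !== false) '
        b'{ header("Location: http://example.invalid/"); }').decode()
    files = {
        'index.php': '<?php define("WP_USE_THEMES", true); require("./wp-blog-header.php");',
        'wp-content/themes/mytheme/header.php':
            '<?php eval(base64_decode("%s")); ?>\n<html>' % payload,
        'wp-content/uploads/2012/02/image.php': '<?php echo 1;',
        '.htaccess':
            'RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} googlebot [NC]\n'
            'RewriteRule .* http://example.invalid/ [R,L]\n',
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w') as fh:
            fh.write(body)
    return root


if __name__ == '__main__':
    for rel, kind, preview in scan_tree(build_sample_tree()):
        print('%-45s %-18s %s' % (rel, kind, preview))
```

Run it against the backup you intend to restore as well as the live tree: a backup taken after the injection is not clean, and a single missed file is enough to reinfect everything. The decoded preview is what tells you whether the payload is a search-traffic redirect, a backdoor, or both.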


#2

Hi mate, I had a similar problem. All you will get is referred to a wiki help page.

But after trialling numerous “cleaner” scripts to remove the encoding, I finally got one to work. It takes about 15 mins for each website (depending on size; mine were relatively small) and don’t worry, it looks like nothing’s happening, but you know it’s finished when it lists all the files it’s searched and fixed. You upload it to your .com folder, then put it into the browser bar with the filename at the end and hit enter. I’ve uploaded it:
http://www.mediafire.com/?57g26da1ez83nv2

I’m not trying to spam you, I had the same problem just a few posts down.

Although that cleans out the code, I’ve still not found out how to tighten up my security. Let me know how you get on!


#3

Thanks for the link, could have saved me some time, but wasn’t too bad in the end.

I immediately took the sites down, and made new WordPress installations for each site.

I cleaned my WP theme folder and my uploads folder to remove the code (eval base64 bullsh*t) using a find and replace, and then dropped these folders back into the clean WordPress.

To verify this, I ran the script you sent me (was also checking out the various blog posts about this) and looks like everything is OK.

Still can’t access my logs directory, though, and can’t modify permissions on it either.


#4

Did you figure out how the attacker got in? Usually it’s an insecure theme or plugin, if that’s the case you may have left the door open.

You can’t access logs if you’re using FTP; you have to use SSH or SFTP.


#5

A sophisticated hacker will also create an account, use the database connection info to modify the database, give the new user admin privs, and get an authenticated cookie. So even if the hole is plugged, there may still be ways to get in.
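
An added example of the check this reply implies (not code from the thread): list every WordPress account that holds the administrator capability and compare it with the logins you actually recognise. The SQL is the part you would run against the live database (table prefix wp_ assumed); here it is executed against an in-memory SQLite copy of the two tables involved, populated with constructed rows, so the example runs offline.

```python
"""Audit WordPress users for accounts an attacker added or promoted.

Added example, not from the thread.  wp_users holds the accounts and
wp_usermeta holds each account's role as a serialized 'wp_capabilities'
value, so promoting a user to administrator is one row change there.
Runs against an in-memory SQLite copy (constructed data); the same SQL
works unchanged in MySQL with the default 'wp_' prefix.
"""
import sqlite3

ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: one legitimate admin, one editor, and one account
    registered recently and promoted to administrator via wp_usermeta."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
            user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
            (1, 'owner',  'owner@example.invalid', '2009-03-01 10:00:00'),
            (2, 'editor', 'ed@example.invalid',    '2010-07-12 08:30:00'),
            (3, 'wp_sys', 'x@mail.invalid',        '2012-02-13 04:52:40');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
            (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


def list_admins(conn) -> list:
    """All accounts carrying the administrator capability, oldest first."""
    return conn.execute(ADMIN_QUERY).fetchall()


def unexpected_admins(conn, known_admin_logins) -> list:
    """Administrators whose login is not on the list you recognise."""
    return [row for row in list_admins(conn) if row[1] not in known_admin_logins]


if __name__ == '__main__':
    db = build_sample_db()
    for uid, login, email, registered in unexpected_admins(db, {'owner'}):
        print('unexpected admin %s (id %d, %s) registered %s'
              % (login, uid, email, registered))
```

Removing a rogue account is not enough on its own: reset the remaining users' passwords and rotate the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY salts in wp-config.php. WordPress derives its login cookies from those values, so any cookie the attacker obtained stops validating once they change.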


#6

I’m seeing a lot of these hacks on Dreamhost sites right now, and I’d like someone to look into this being a system-wide issue. I used Google Webmaster Tools to look at the sites linking to mine after the hack, and ALL were Dreamhost sites, most look like blogs. My DB is trashed, I have to restore from a November backup as the auto-restore function in the Panel’s crap. Super frustrated here, this needs to be fixed.


#7

In almost all cases these hacks are occurring from outdated app software (such as WordPress), or insecurities introduced via third-party themes or plugins. Site security is the responsibility of the customer, not Dreamhost. Dreamhost does not know what you have installed, where you installed it, or what you added to it. See also: http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites


#9

I helped a friend who faced a similar problem with his site, some of his files (mostly PHP) had been infected.

In particular there was a file called common.php that needed removing. The .htaccess file was infected too - it contained some redirect instructions that were only seen by Google and a few other search engines.

We suspect that the breach happened through WordPress, but something else came to light: there’s a vulnerability in PHP, which affects versions 5.3.9 and 5.2.17. See: http://lenss.nl/2012/02/php-critical-bug-cve-2012-0830/

We can stop using PHP 5.2 for our sites (you can change this via the panel), however this gave us version 5.3.5, most likely this version is affected too. If so, all PHP sites on DH are vulnerable.
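
The .htaccess redirect this reply describes, one that only search engines ever see, is easy to miss by browsing the site yourself. As an added example (not the friend's file, and not code from the post), here is a small parser that reads a .htaccess, pairs each RewriteRule with the RewriteCond lines in front of it, and reports redirects whose conditions key on a search-engine user agent or referrer, or that send visitors to an external host. The .htaccess text is constructed: the standard WordPress block followed by an injected cloaked rule.

```python
"""Find search-engine-cloaked redirects in a .htaccess file.

Added example, not from the thread.  Injected rules of this kind gate a
RewriteRule on RewriteCond lines matching HTTP_USER_AGENT or HTTP_REFERER
against search-engine names, so normal visitors never see the redirect.
SAMPLE_HTACCESS below is constructed.
"""
import re

SEARCH_ENGINE_RE = re.compile(
    r'google|bing|yahoo|msn|ask|aol|altavista|yandex|baidu', re.IGNORECASE)
COND_RE = re.compile(r'^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)', re.IGNORECASE)
RULE_RE = re.compile(
    r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.IGNORECASE)
# Redirect/RedirectMatch take no conditions but are still worth listing
REDIRECT_RE = re.compile(r'^\s*Redirect(?:Match|Permanent|Temp)?\s', re.IGNORECASE)


def find_cloaked_redirects(htaccess_text: str) -> list:
    """One dict per suspicious rule: line, target, gating conditions,
    and whether those conditions key on a search engine."""
    findings = []
    pending = []   # RewriteCond lines seen since the last RewriteRule
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = COND_RE.match(line)
        if m:
            pending.append((m.group(1).upper(), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if m:
            target, flags = m.group(2), (m.group(3) or '')
            external = target.startswith(('http://', 'https://'))
            is_redirect = external or re.search(r'\bR(=\d+)?\b', flags) is not None
            cloaked = any(var in ('HTTP_USER_AGENT', 'HTTP_REFERER')
                          and SEARCH_ENGINE_RE.search(pat)
                          for var, pat in pending)
            # internal redirects with no cloaking are ordinary site config
            if is_redirect and (cloaked or external):
                findings.append({'line': lineno, 'target': target,
                                 'conditions': list(pending), 'cloaked': cloaked})
            pending = []
            continue
        if REDIRECT_RE.match(line):
            findings.append({'line': lineno, 'target': stripped.split()[-1],
                             'conditions': [], 'cloaked': False})
    return findings


# Constructed: WordPress's own block, then an injected cloaked redirect.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} googlebot [NC]
RewriteRule ^(.*)$ http://example.invalid/in.php?q=$1 [R=301,L]
"""

if __name__ == '__main__':
    for f in find_cloaked_redirects(SAMPLE_HTACCESS):
        print('line %d -> %s cloaked=%s conds=%s'
              % (f['line'], f['target'], f['cloaked'], f['conditions']))
```

From outside the server the same cloaking shows up by fetching a page with a search-engine user agent, for instance `curl -sI -A 'Googlebot/2.1' http://your-site/`, and comparing the response with a plain fetch; a 301/302 that only appears with the bot user agent is the redirect the search engines are seeing.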


#10

That specific bug only affects PHP 5.3.9 — it was introduced in that version by a faulty implementation of the new “max_input_vars” configuration variable. PHP versions prior to 5.3.9, including 5.2.17, are not affected.


#11

The post I linked to above claimed otherwise, and says that it affects version 5.2.17 too. But OK, if you say that the versions we have are not affected, I have no reason to doubt that.


#12

We have had multiple sites affected as well; it seems that most of our WordPress sites, as well as a few that use our custom CMS, have all been infected. We cannot for the life of us find how these files got infected, as all the files were changed this morning at 6:23 am. It has us really baffled and wondering if there is a way to scan the servers for spyware and malware, as that has to be the issue; from what we can see this cannot be achieved via SQL injection or by manipulating a single database. We have close to 100 websites that we run and edit for our clients, and SQL injection to multiple servers all in the same minute just doesn’t seem possible.
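
When every infected file carries the same timestamp, as this poster reports, the file modification times themselves are the first piece of evidence. The following is an added example (not from the thread): it walks an account's web directories, buckets PHP and .htaccess files by modification minute, and reports the minute with the most writes together with the sites it touched. That minute is the window to pull from the access, FTP and shell logs. The directory tree and its timestamps are constructed.

```python
"""Group modified files by minute to isolate a mass-injection burst.

Added example, not from the thread.  Bucketing mtimes across the whole
account shows which files and which sites were written in the same
minute, and so which time window to check in the server's logs.
The sample tree and its timestamps are constructed with os.utime.
"""
import os
import tempfile
import time
from collections import defaultdict


def mtime_buckets(root: str, exts=('.php', '.htaccess')) -> dict:
    """Map 'YYYY-MM-DD HH:MM' (UTC) -> sorted relative paths modified then."""
    buckets = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            minute = time.strftime('%Y-%m-%d %H:%M', time.gmtime(os.path.getmtime(full)))
            buckets[minute].append(os.path.relpath(full, root).replace(os.sep, '/'))
    return {k: sorted(v) for k, v in buckets.items()}


def largest_burst(buckets: dict):
    """The minute with the most writes, its files, and the top-level sites hit."""
    if not buckets:
        return None, [], []
    minute = max(buckets, key=lambda k: len(buckets[k]))
    sites = sorted({p.split('/', 1)[0] for p in buckets[minute]})
    return minute, buckets[minute], sites


def build_sample_tree() -> str:
    """Constructed: three sites with normal edits months apart, then one
    minute in which a file in every site is rewritten."""
    root = tempfile.mkdtemp(prefix='account-')
    burst = 1329200580   # 2012-02-14 06:23:00 UTC, a constructed timestamp
    plan = {
        'site-a.example/index.php': burst - 90 * 86400,
        'site-a.example/wp-content/themes/t/footer.php': burst + 7,
        'site-b.example/index.php': burst - 30 * 86400,
        'site-b.example/wp-config.php': burst - 29 * 86400,
        'site-b.example/wp-content/uploads/x.php': burst + 12,
        'site-c.example/index.php': burst + 3,
        'site-c.example/.htaccess': burst + 3,
    }
    for rel, ts in plan.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w') as fh:
            fh.write('<?php // placeholder\n')
        os.utime(full, (ts, ts))
    return root


if __name__ == '__main__':
    minute, files, sites = largest_burst(mtime_buckets(build_sample_tree()))
    print('burst at %s UTC: %d files across %s' % (minute, len(files), ', '.join(sites)))
    for f in files:
        print('  ' + f)
```

Treat mtimes as a lead rather than proof: an attacker who has write access can set them to anything with touch, so a file whose content is injected but whose timestamp looks old is still suspect, which is why the content scan and the timeline are run together.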


#13

Blocking access from BurstNET servers would be a good start:

deny from 46.17.
deny from 64.191.
deny from 66.96.
deny from 66.197.
deny from 77.88.
deny from 81.199.
deny from 82.61.
deny from 92.72.
deny from 94.229.
deny from 96.9.
deny from 137.82.
deny from 157.55.
deny from 173.212.
deny from 180.76.
deny from 184.82.
deny from 208.115.


#14

Same problem here. I’ve had a dozen sites hacked, about half of them running on Textpattern (some updated to the latest version, but some not) and the other half on MODx (all of them updated). So it does not look like it’s a problem with a particular piece of software, but a server wide issue.

The hack corrupts all php files and creates a .logs directory with a txt file inside listing a bunch of subdomains of rr.nu.

By now I have manually cleaned most of the sites, by deleting all corrupted files and uploading clean versions, and it seems to work (as long as you do not forget any “bad” file on the server; in that case, it corrupts everything again).

Right now I’m trying the script suggested by zildjian above in a MODx install. I would say it works all right, but the config file with the database connection has been wiped clean. After uploading a new one, everything seems to work (have to take a closer look yet).

The databases do not seem to have been tampered with, but after I finish cleaning I will change all the passwords for database users, just in case.

Should I be doing anything else, or will this be enough?


#15

Same here. I’m posting just to add more posts here because I’m not sure whether it’s our software or a backdoor in Dreamhost’s servers.

I cleaned it all on Monday when just one of my sites was hacked (I have more sites under the same user); it was very easy for me to recover a cleaner backup, and I found no encrypted base64 code at all when I searched for it after the recovery.

But today I’ve had all my sites attacked (one user). All my users are on the same server, but just one user’s sites have been attacked.

With that in mind I executed this to see past logins as specified here http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites :
$ last -i | grep myuser

The curious thing about that is that it returned not just my IPs, but the server’s own IP. Is it a common thing for the server to “log in” to itself? Maybe it was me mistakenly doing an SSH from the server and “logging in” again from it.

I have the same question. On Monday I cleaned it all and today I’ve been attacked again… The question is, how the hell are they hacking our sites? Where is the backdoor? This is the main problem to solve and I have no damn clue how they are doing it. I have my WordPress up to date.
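
The `last -i | grep myuser` check from the wiki page lists logins, but the interesting question is which of them came from somewhere you do not recognise. As an added example (not the wiki's procedure and not code from the post), this parses the output of `last -i`, assuming the util-linux column layout (user, tty, source IP, date), and splits the logins for one account into those from addresses you know, those from anywhere else, and those whose source is the server's own address, which the poster asks about. The log lines are constructed and use documentation address ranges.

```python
"""Triage `last -i` output for one shell/FTP user.

Added example, not from the thread.  Parses the util-linux `last -i`
layout (user, tty, source IP, day-of-week month day HH:MM ...) and
reports logins from unrecognised addresses separately from logins whose
source is the server itself.  SAMPLE_LAST below is constructed.
"""
import re
from collections import Counter

LAST_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+'
    r'(?P<when>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2})')


def parse_last(text: str) -> list:
    """One dict per login line; the 'wtmp begins' trailer and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def triage(text: str, user: str, known_ips: set, server_ip: str) -> dict:
    """Split one user's logins into unknown sources, server-local sources,
    and a per-source count."""
    rows = [r for r in parse_last(text) if r['user'] == user]
    return {
        'unknown': [r for r in rows
                    if r['host'] not in known_ips and r['host'] != server_ip],
        'from_server': [r for r in rows if r['host'] == server_ip],
        'per_ip': dict(Counter(r['host'] for r in rows)),
    }


# Constructed sample; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges, not real hosts.
SAMPLE_LAST = """\
myuser   pts/0        203.0.113.5      Mon Feb 13 10:02 - 10:30  (00:28)
myuser   pts/1        198.51.100.20    Mon Feb 13 22:41 - 22:43  (00:02)
myuser   pts/0        203.0.113.5      Tue Feb 14 06:21 - 06:25  (00:04)
myuser   pts/1        192.0.2.200      Tue Feb 14 06:20 - 06:22  (00:02)
otheruser pts/2       192.0.2.77       Tue Feb 14 06:22 - 06:24  (00:02)
myuser   pts/3        198.51.100.20    Tue Feb 14 06:23 - 06:23  (00:00)
myuser   pts/0        203.0.113.5      Tue Feb 14 09:15   still logged in

wtmp begins Wed Feb  1 00:00:01 2012
"""

if __name__ == '__main__':
    report = triage(SAMPLE_LAST, 'myuser',
                    known_ips={'203.0.113.5'}, server_ip='198.51.100.20')
    for r in report['unknown']:
        print('UNKNOWN  %(host)s  %(when)s  %(tty)s' % r)
    for r in report['from_server']:
        print('LOCAL    %(host)s  %(when)s  %(tty)s' % r)
    print('logins per source:', report['per_ip'])
```

A login from the server's own address means a session was opened from a process already running on that machine, so it is worth matching its time against your own shell history and against the minute the files changed before deciding whether it was you. Note that `last` only covers interactive logins recorded in wtmp; FTP and web requests are in separate logs and need their own check.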


#16

Almost all of my sites on Dreamhost have been attacked. Not just my own personal sites, but also client sites I have set up on separate accounts. This has never really happened before, which is why I’ve been a customer for so long. It’s curious that this coincides with their massive security breach. I contacted them and 7 days later I was told it was my fault and they are not responsible for my files. In any case I trusted them to safeguard my passwords and in that regard they obviously failed.

I’m now in the process of changing hosting since most sites were actually completely destroyed with the PHP inserts. It’s not anything as simple as “software version” or not updating plugins. This has to do with Dreamhost security. It’s only sad that they have not been that supportive of the restorative effort.


#17

I doubt that these problems have anything to do with the security breach Dreamhost reported involving a potential password leak. If it were related to that, then why haven’t my sites been affected? I helped a friend, who’s also on Dreamhost, whose sites had been infected; I looked at possible causes including a password leak. I can say with a high degree of certainty that a password leak was not the cause.


#18

What makes you think so? I cannot believe it’s a software-related issue; we are talking here of WordPress, Textpattern, MODx, custom CMSs… different scripts, different versions, all hacked at the same time? Not likely.


#19

There was no trace of unauthorized access on his server, and my sites were not affected at all, none of them. Had this been related to a password leak, there would most likely have been traces of access, and my sites would probably not all have escaped intact. Furthermore, a site of one of my clients, also hosted on Dreamhost and using Drupal, was also not affected. Everything points to specific issues with specific sites and their software.


#20

No disrespect intended, but I find it hardly convincing. In my case it was not specific sites with specific software that were affected, but a generic issue with all the sites at once, and widely different kinds of software. But, hey.