We got hacked

wordpress

#1

Anyone here get hacked by Spykidz? What I’ve found on the web is that he/she/they run a script that exploits a hole in AWSTATS. Do we run that on dreamhost? The thing defaced all my index pages. I’m running postnuke on my site, so that’s a lot of defacing. Still waiting back from support.
Any advice on plugging the hole would be great. Thanks.


#2

What version of Awstats are you running? There was a big exploit going around a few months ago. Had you updated to the most current release?


If you want useful replies, ask smart questions.


#3

I’m not running AWstats. I think they might have exploited my phpbb. I was just looking at the forums there and I think I had the version before they fixed the highlight bug. We’ll find out tonight. He’s hit 3 nights in a row. I clean up, he hacks.
Oh well, thanks for the help. If pulling phpbb temporarily doesn’t stop him, I may be crawling back for more advice.


#4

I got hit by the same thing last night at 22:44.
All index.* files wiped out (haven’t seen evidence of further damage…)

I do not use awstats.

If anybody has any insights to this, please post.

Thanks


#5

This worries me a little bit. I think this is a very old problem, and usually when the hosting company upgrades awstats to a newer version this should not happen.
I happened to have the same problem at 1and1.com this morning and just moved my websites to dreamhosts.com (hoping that dreamhost doesn’t have this problem). I think we need to notify dreamhost admin to correct this problem on their server asap!


#6

I was told by Dreamhost that the issue was they exploited my site using XMLRPC that I have in my files… Sure, I have this on a couple of installations of Invision Powerboard, and my Wordpress install, but not on a separate site that does not run XMLRPC calls anywhere…

I think they are not sure yet where they are getting in… Every one of my sites has been hacked and I have fixed one… and it was hacked again overnight. I think they are hammering the dreamhost servers because of a common exploit.

My suggestion to Dreamhost… if XMLRPC IS the issue… why not do a global replacement of the updated file that fixes this… don’t wait for US to all do it… force the update on security to be safe…

If it is something else… do a global patch. I don’t think relying on each customer to solve it independently is the right way to go… which is the reply I got. I was told to go get the new XMLRPC.php file and replace it… then they would restore my sites… but like I said, some sites don’t have that…


#7

Just wondering, would multiple domains hosted under one user account be the cause of the hacking of sites without that particular file? Maybe replacing it really would fix the problem.

~Chell


#8

I found a copy of the script used to get my phpbb (if that was the actual exploit). I assume it’s similar to any of the php exploits he might be doing on you guys. Here is the link.
http://www.phpbb.com/phpBB/viewtopic.php?t=304256&highlight=spykids
I actually have tons of intel on spykids - all just googled - if greater minds than I have any idea what to do with it. I have an email address he allegedly uses too. Really easy to find, since he put it on one of the pages on my site he “hacked”; not sure why, though.


#9

Thanks for posting.

I searched my domains and found xmlrpc.php in an installation of PostNuke. A quick search on the PostNuke site yielded the following (useful for PostNuke users):

http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2699
and…
http://news.postnuke.com/index.php?name=News&file=article&sid=2713

“It is recommended that all admins deactivate and remove the ‘xmlrpc’ module within administration-modules and additionally remove /xmlrpc.php and the /modules/xmlrpc folder completely from the filesystem.”


#10

I found this… that quite a ways back this was a known issue… but apparently not well known.
http://www.securityfocus.com/bid/14088/solution

Do you run the version of wordpress suggested here? I am guessing that is where they got in on my site. My invision powerboard did not have an XMLRPC call available that I know of… and I see inactive domains on my account where the index.php file was hacked, yet they can’t get to those sites… Looks like they exploited the entire box.


#11

Just in case anyone wants to know what that Perl script does.

It finds a list of all files beginning with “index.” and overwrites them with the attackers name.

Then it searches the Apache configuration file for all the hostnames Apache is serving.

Then it submits each hostname to a web site that is apparently facilitating a way for the attackers to keep score.

The Perl script posted in that thread may not be the same that was used on DreamHost servers, as the defacement text is different than what the “scoreboard” site is mirroring. But they do appear to deface hundreds of sites in a single day.

:cool: Perl / MySQL / HTML+CSS


#12

Following Current Versions…

WP 1.5.2
Awstats 6.4
Phpbb 2.17

Upgrade to those and also check your account for exploit files, change your user passwords and mysql passwords.


Wordpress Gallery2 Integration Community
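An added example, not part of any post in this thread, of the checks #9, #11 and #12 describe: list every xmlrpc.php copy under an account, list index.* files (the files the Perl script in #11 overwrites) and any other files changed inside a time window, and flag PHP files containing constructs typical of dropped web shells. All paths are taken as arguments; the web-shell pattern list and the sample tree used in the usage are assumptions for illustration, not something posted in the thread. It needs a find that supports -mmin, which GNU and BSD find both do.

```shell
#!/bin/sh
# Added example, not from the thread: triage a web root after a defacement.
# All paths are arguments; nothing here is DreamHost-specific.
# Requires find with -mmin (GNU and BSD find both have it).

# Every xmlrpc.php under ROOT (#9 advises removing PostNuke's copy; other
# apps of the era shipped one too).
find_xmlrpc() {
  find "$1" -type f -name 'xmlrpc.php' | LC_ALL=C sort
}

# index.* files changed in the last MINUTES minutes. The Perl script in #11
# overwrites exactly these, so a burst of index.* mtimes at one moment
# (22:44 in #4) marks the defaced set.
recent_index_files() {
  find "$1" -type f -name 'index.*' -mmin -"$2" | LC_ALL=C sort
}

# Any file changed in the last MINUTES minutes, to catch dropped backdoors
# and modified application files, not just the index pages.
recent_files() {
  find "$1" -type f -mmin -"$2" | LC_ALL=C sort
}

# PHP files containing constructs typical of web shells. The pattern list is
# an assumption for this example; expect some false positives in real code.
suspicious_php() {
  find "$1" -type f -name '*.php' \
    -exec grep -lE 'eval\(base64_decode|eval\(gzinflate|passthru\(|shell_exec\(|system\(\$_(GET|POST|REQUEST)' {} + \
    | LC_ALL=C sort
}

run_audit() {
  root=$1
  minutes=${2:-1440}   # default window: the last 24 hours
  echo "== xmlrpc.php copies =="; find_xmlrpc "$root"
  echo "== index.* changed in last $minutes min =="; recent_index_files "$root" "$minutes"
  echo "== all files changed in last $minutes min =="; recent_files "$root" "$minutes"
  echo "== PHP files with web-shell patterns =="; suspicious_php "$root"
}

# Usage: sh audit.sh /home/username/example.com 1440
if [ "$#" -ge 1 ]; then
  run_audit "$@"
fi
```

Run it against each domain directory under the account, not only the site you noticed was defaced: #6 and #10 report index.php files rewritten on domains that were not even active. Removing xmlrpc.php (as #9 quotes PostNuke recommending) closes one door; the recent-files list is what tells you whether something else was left behind.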


#13

For anyone using egroupware, they have a temporary fix for this at egroupware.org


#14

Doh! I thought the latest WP is 1.5.1.3. I just upgraded a few days ago. Grr.

mail [at] mahalie [dot] com


#15

Haven’t managed to get my PostNuke sites up and running yet. On my non-PHP sites I was able to simply replace index pages and it was all fixed.

On my PostNuke sites I removed all instances of xmlrpc (from the root and from the modules sub-directory). I do not have any bulletin boards on the site I’m currently working on (though I have 3 or 4 affected websites and have only been able to look at one so far). Any word from Dreamhost on the problem? I sent them an email a couple of days ago and was told to upgrade to the latest version of PostNuke and that would fix it. It absolutely did NOT. I suspect this is a server issue and I’m hoping they get it resolved. Couldn’t they just overwrite the sites with whatever version was there before the hack? Just curious…

~Laura


#16

Dreamhost told me that it was probably an exploit on Movable Type. I can’t be sure, I’ve tracked down at least two other places that had security holes I should have upgraded the patches for a while ago.


#17

This happened to me on 8/16 (as the index page shows last edited) and I have just noticed it this morning.

I had both MT and WP on my server when I thought I wanted to do a blog, but never really did anything with it. I should have removed them both.

All my index pages are messed up. I have phpnuke running, and I don’t have a copy of my website. I’m not sure what to do, as the support guys have over 500 unopened tickets to deal with (is everyone on vacation or what?). I deleted the WP folder, but the MT folder has some subfolder it won’t let me delete so MT is not fully deleted yet.

I also had a gallery on my site, which seems to have all the images missing…sigh

Any ideas of what I can do? Can’t dreamhost do a restore on my site or something? What did the rest of you do to fix this?


#18

See http://wiki.dreamhost.com/index.php/Backups and see if you can restore the files, probably from weekly.1 or so.

:cool: Perl / MySQL / HTML+CSS


#19

Thanks for your reply. I’m not sure how to “cd” into anything. Do I have to go into DOS mode for that?


#20

I was afraid of that :wink:

  1. Are you using an FTP client?
  2. If “Yes”, are you using regular FTP or secure FTP?
  3. If “No”, contact support, ask to backup the images directory from weekly.1 for you
  4. If “regular FTP”, change your remote folder to “/.snapshot”
  5. If “secure FTP”, change your remote folder to “/home/.something/username/.snapshot”

For both #4 and #5, you will need to TYPE .snapshot - it will not appear in a directory listing so there will be nothing to click on.

:cool: Perl / MySQL / HTML+CSS
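An added example, not from any poster, of the restore #18 through #20 describe done over a shell instead of an FTP client: compare the files in a backup snapshot against the live site, report which are unchanged, changed, or missing, and copy the snapshot copies back only when asked. The snapshot path (the thread's .snapshot/weekly.1) and the live root are arguments; the layout of the sample trees in the usage is constructed for illustration. It generalizes slightly beyond the thread: the default pattern is index.*, the files everyone here lost, but passing '*' restores a whole directory such as the missing gallery images in #17.

```shell
#!/bin/sh
# Added example, not from the thread: compare a live site against a backup
# snapshot and restore files the attacker overwrote or removed.
# SNAPDIR is a read-only copy such as .snapshot/weekly.1 (#18-#20); the path
# is the caller's to supply, nothing here is DreamHost-specific.
# LIVEDIR is the live web root. PATTERN is a find -name glob, default
# 'index.*'. Without MODE=apply the function only reports.
#
# Walking the snapshot rather than the live tree is deliberate: an index.php
# that was wiped (#4) has nothing left under LIVEDIR to find.
restore_from_snapshot() {
  snap=$1
  live=$2
  pattern=${3:-'index.*'}
  mode=${4:-report}
  find "$snap" -type f -name "$pattern" | LC_ALL=C sort | while IFS= read -r s; do
    rel=${s#"$snap"/}
    f=$live/$rel
    if [ ! -e "$f" ]; then
      echo "MISSING  $rel"
    elif cmp -s "$s" "$f"; then
      echo "OK       $rel"
      continue
    else
      echo "CHANGED  $rel"
    fi
    if [ "$mode" = apply ]; then
      mkdir -p "$(dirname "$f")"
      cp "$s" "$f"
    fi
  done
}

# Usage (report first, then apply):
#   restore_from_snapshot ~/.snapshot/weekly.1/example.com ~/example.com
#   restore_from_snapshot ~/.snapshot/weekly.1/example.com ~/example.com 'index.*' apply
#   restore_from_snapshot ~/.snapshot/weekly.1/example.com/gallery ~/example.com/gallery '*' apply
if [ "$#" -ge 2 ]; then
  restore_from_snapshot "$@"
fi
```

Run the report first and read the CHANGED list: a changed file that is not an index page is a candidate for a file the attacker dropped or modified, and a snapshot old enough to be clean may also be old enough to lose legitimate edits. Restoring puts back the same application files that were exploitable in the first place; as #3 and #6 found, cleaning up without upgrading or removing the vulnerable app just gets the site defaced again the next night.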