Sites hacked
02-25-2012, 03:41 PM
Post: #61
RE: Sites hacked
(02-25-2012 02:48 PM)robinburks Wrote:  I did, however, find something interesting when going through my site file by file today. I had some weird Wordpress installs in folders called "diet" and "slimming" that I did not put there myself. Considering I'm the only user on the account, I'm assuming the hacker did that, too?

Besides the fact that third-party software might be vulnerable also keep in mind that your own computer might have been compromised by a trojan that logs your keystrokes or otherwise steals your credentials.

http://wewatchyourwebsite.com/wordpress/...ck-plugin/

Quote: I don't think it's too much to request that a host track down and attempt to block hackers and plug security holes, however.

DreamHost already does this for the software and systems for which they are responsible. Feel free to seek assistance from those who offer it that have the expertise you need in doing the same with your web site.

Customer since 2000 | openvein.org | Please don't feed the trolls.
02-25-2012, 03:45 PM (This post was last modified: 02-25-2012 03:46 PM by robinburks.)
Post: #62
RE: Sites hacked
I've scanned my computer with SpyBot, Malwarebytes, as well as my normal virus scanner (Microsoft Security Essentials). They didn't find anything. If there are suggestions for other tools, let me know. But as this has not happened on other web hosts I work with, I don't think that's the issue.
02-25-2012, 06:18 PM (This post was last modified: 02-25-2012 06:19 PM by kelly7552.)
Post: #63
RE: Sites hacked
(02-25-2012 03:37 PM)robinburks Wrote:  I'm just using Wordpress on three of my sites (and they have all been updated with minimal updated plugins). But all of my sites .htaccess got hacked, including the non-Wordpress sites. This happened about a month ago, as well and I thought the issue was resolved, but I noticed it again yesterday.

The weird Wordpress folders turned up all over my sites and they seemed to be full installs of Wordpress. I didn't install them, obviously. They appeared on both Wordpress and non-Wordpress sites alike. That is definitely a new one to me. The suspicious php files I expected but complete WP installs? With plugins and themes and everything that normally comes with a Dreamhost WP install.

Robin,

Are they on the same account at DreamHost? If they are, go to panel and check each user associated with each website and make sure EACH user has enhanced security enabled. If it's not enabled, then each domain can see the files of the other domain. So one hack and they are all compromised. You have to change the password on panel (good idea), ftp, and EACH of the WordPress databases. wp-config has the passwords for each database in your website directory and that was probably compromised. Use the programs at the beginning of this thread to look for compromised php files. Your WordPress database may be compromised.

Hackers have been looking for uninstalled themes in the last month that use timthumb.php, even UNUSED themes. Once the hacker finds a way in (they insert code into the PHP files which act as a file server), then all your files are suspect and all associated domains are suspect unless you used enhanced security.

Generally, they will modify htaccess and delete the access and error logs to cover their tracks.

If you can get a database backed up from a couple of days ago it may not be compromised. You might do better with a full re-install of WordPress from scratch to make sure you're not starting out compromised.

The issue is NOT limited to DreamHost; this particular bug was inadvertently propagated by DreamHost (some of the excess themes downloaded appear to have the timthumb exposure), but plenty of bugs have affected other shared host sites.

-bill
02-25-2012, 06:28 PM (This post was last modified: 02-25-2012 06:29 PM by robinburks.)
Post: #64
RE: Sites hacked
Since I've deleted all of the weird files and gone through everything with a fine-tooth comb, I have not had any recurrences of my .htaccess being hacked in over two hours (which is a record this weekend). I'm keeping an eye on everything, obviously, and have changed all passwords, etc. I had already deleted unused themes (I never keep them on the server - I'm anal about only keeping the files that I actually need up).

I only had one instance of timthumb and it was the most recent version, but I also deleted it - just in case. I can live without it.

My real issue now is the complete lack of support Dreamhost has provided. No one ever responded to my support ticket, which I submitted nearly two days ago. That's completely unacceptable to me. The other hosts I work with have never taken that long to respond. But then again, I've never had any of my sites (Wordpress and other) hacked on any other hosts. Fortunately, I got a lot of useful information from this thread!
02-25-2012, 06:38 PM
Post: #65
RE: Sites hacked
(02-25-2012 06:28 PM)robinburks Wrote:  Since I've deleted all of the weird files and gone through everything with a fine-tooth comb, I have not had any re-occurrences of my .htaccess being hacked in over two hours (which is a record this weekend). I'm keeping an eye on everything, obviously, and have changed all passwords, etc. I had already deleted unused themes (I never keep them on the server - I'm anal about only keeping the files that I actually need up).

I only had one instance of timthumb and it was the most recent version, but I also deleted it - just in case. I can live without it.

Robin,

I'd highly suggest File Monitor Plus as a plugin; it will tell you when ANY file is modified, added or deleted. The fact that .htaccess is being hacked means that you're probably still compromised. One thing to do immediately, after you install File Monitor, is change the file permission on .htaccess to 444 (chmod 444 .htaccess) and see what happens; the hacker, if they are still operating through a PHP hack, will not be able to modify .htaccess easily.

Watch file monitor like a hawk.

-Bill
02-25-2012, 09:41 PM
Post: #66
RE: Sites hacked
(02-25-2012 02:48 PM)Atropos7 Wrote:  I doubt DreamHost would have done anything without informing you. I cleaned up several backdoors and upgraded some software that fixed a vulnerability and there are still hits in the web server logs trying to exploit them days later, as if they are checked on by bots.

Visiting your site and looking at the HTML source code sent is not going to show everything because the attackers will try to hide things. One thing you must do is check web server logs for unusual hits. For example, web browsers usually request images and stylesheets so if a visitor doesn't request them when visiting an app then something is fishy. Especially if the request is a POST (the backdoors I've seen so far all use POST) or the file is not meant to be downloaded.

Also it may help to set up an incremental backup system to your own computer using rsync. It can show you what files have changed since the last run so you can get a more immediate heads up when an otherwise static file (like PHP source) has been modified - plus if you do it right you can immediately restore the clean version.

If I back up all of my wife's pictures and backup our MySQL databases, purge every-freakin'-thing on the server and reinstall WP from scratch (not using the oneclick install), is that likely to completely eliminate these bastards from our site entirely? Or do I need to do something else?
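Atropos7's log-check heuristic quoted above (a client that requests PHP but never fetches images or stylesheets, especially via POST), as an added example that is not from the thread: a small Python filter over Apache combined-format access-log lines. The sample log, its addresses and its paths are constructed for the demo.

```python
import re
from collections import defaultdict

# Apache "combined" access-log format; only the leading fields are needed here.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
STATIC_EXT = ('.css', '.js', '.png', '.jpg', '.jpeg', '.gif', '.ico')

# Constructed sample lines (RFC 5737 test addresses, invented paths), not a real log.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2012:14:01:03 -0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2012:14:01:04 -0800] "GET /wp-content/themes/t/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2012:14:01:04 -0800] "GET /wp-content/uploads/a.jpg HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Feb/2012:14:07:41 -0800] "POST /diet/wp-content/uploads/x.php HTTP/1.1" 200 44 "-" "-"
198.51.100.23 - - [25/Feb/2012:14:07:42 -0800] "POST /diet/wp-content/uploads/x.php HTTP/1.1" 200 44 "-" "-"
198.51.100.23 - - [25/Feb/2012:14:09:10 -0800] "GET /slimming/wp-content/themes/t/timthumb.php?src=a HTTP/1.1" 200 31 "-" "-"
"""

def parse(log_text):
    """Group (method, path-without-query) per client IP, in log order."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # skip lines in another format rather than crash
            by_ip[m['ip']].append((m['method'], m['path'].split('?', 1)[0]))
    return by_ip

def suspicious_hits(log_text):
    """Flag PHP requests that do not look like a browser rendering a page:
    any POST to a .php file, and any .php GET from a client that never
    fetched a stylesheet or image during the log window."""
    flagged = []
    for ip, hits in parse(log_text).items():
        fetched_assets = any(p.lower().endswith(STATIC_EXT) for _, p in hits)
        for method, path in hits:
            if not path.lower().endswith('.php'):
                continue
            if method == 'POST' or not fetched_assets:
                flagged.append((ip, method, path))
    return flagged

if __name__ == '__main__':
    for ip, method, path in suspicious_hits(SAMPLE_LOG):
        print(f'{ip:16} {method:5} {path}')
```

Logins and comment forms also POST to .php, so treat the output as a review list rather than a verdict; the telling pattern in this thread's case is a POST to a file under an upload or rogue-install directory from a client that fetched nothing else.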
02-25-2012, 11:03 PM (This post was last modified: 02-25-2012 11:21 PM by kelly7552.)
Post: #67
RE: Sites hacked
(02-25-2012 09:41 PM)sirjake Wrote:  If I back up all of my wife's pictures and backup our MySQL databases, purge every-freakin'-thing on the server and reinstall WP from scratch (not using the oneclick install), is that likely to completely eliminate these bastards from our site entirely? Or do I need to do something else?

before you install:

Change the password for mysql database
change your ftp password just to be safe
if you used the same ftp password as panel password, change that also

Here's a list after you reinstall:

In panel on wordpress:

1. go to your user and edit it to enable enhanced security

In wordpress as admin:

1. Delete every other theme than the one you use
2. eliminate all unused plugins
3. install login lockdown as a plugin (this will foil people guessing your password)
4. Don't use a user named 'admin'; use your first name as an admin
5. Install wp-backup and take regular backups
6. install file monitor plus plugin and have it monitor all your files

ftp the .htaccess file from
/home/myuser/mydomain/.htaccess
You usually have to 'show hidden files' to see it. I've collected these tidbits from all over the web:

You should add the following commands (changing mywebsite to your own website's name):

# Start of .htaccess

# prevents people from seeing ht access

<Files .htaccess>
order allow,deny
deny from all
</Files>

# stop missing error log messages

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

# protect wp-config.php

<Files wp-config.php>
order allow,deny
deny from all
</Files>

# disable directory browsing
Options All -Indexes

# eliminate hotlinks

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mywebsite\.org/.*$ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]

# eliminate script injections

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

# have a uniform url (http://www.domain)

# set the canonical url
RewriteEngine On
RewriteCond %{HTTP_HOST} ^mywebsite\.org$ [NC]
RewriteRule ^(.*)$ http://www.mywebsite.org/$1 [R=301,L]

# takes away xmlrpc threat

<IfModule mod_alias.c>
RedirectMatch 403 /(.*)/xmlrpc\.php$
</IfModule>

# from http://wpsnipp.com/index.php/security/bl...n-exploit/

RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

#end of .htaccess

next,

Change the permissions to owner read-only for wp-config.php; in the directory that has your blog, type 'chmod 400 wp-config.php'.
Also change .htaccess in your website directory to 444:
chmod 444 .htaccess

finally,

here's an article about moving database passwords out of the actual website: protect-your-wordpress-wp-config-so-you-dont-get-hacked

-Bill
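The File Monitor Plus advice in post #65 and the chmod 444 / chmod 400 advice in the post above, as an added example that is not from the thread or from the plugin: a Python baseline-and-diff that reports added, deleted and modified files and checks that .htaccess and wp-config.php carry no write bits. The demo() scenario, its file names and contents are constructed; it assumes a POSIX filesystem.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

# Files the thread says to lock down: .htaccess to 444 and wp-config.php to 400.
SENSITIVE = ('.htaccess', 'wp-config.php')

def _files(root):
    # Yield (relative path, full path) for every file under root, hidden ones included.
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full

def snapshot(root):
    """Baseline: SHA-256 digest of every file, keyed by relative path."""
    return {rel: hashlib.sha256(Path(full).read_bytes()).hexdigest()
            for rel, full in _files(root)}

def diff_snapshots(old, new):
    """What changed since the baseline: the three events File Monitor reports."""
    return {
        'added': sorted(set(new) - set(old)),
        'deleted': sorted(set(old) - set(new)),
        'modified': sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def writable_sensitive(root):
    """Sensitive files that still carry any write bit (owner, group or other)."""
    return sorted(rel for rel, full in _files(root)
                  if os.path.basename(rel) in SENSITIVE
                  and stat.S_IMODE(os.stat(full).st_mode) & 0o222)

def demo():
    """Constructed scenario in a temp dir: baseline, tighten, simulate a compromise, diff."""
    root = tempfile.mkdtemp()
    def put(rel, text):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    for rel in ('.htaccess', 'wp-config.php', 'index.php', 'footer.php'):
        put(rel, f'# constructed placeholder for {rel}\n')
    baseline = snapshot(root)
    loose = writable_sensitive(root)                      # both still writable
    os.chmod(os.path.join(root, '.htaccess'), 0o444)      # chmod 444 .htaccess
    os.chmod(os.path.join(root, 'wp-config.php'), 0o400)  # chmod 400 wp-config.php
    tightened = writable_sensitive(root)                  # nothing left writable
    put('diet/wp-settings.php', '# rogue copy dropped by an intruder (simulated)\n')
    put('index.php', '# original content replaced (simulated)\n')
    os.remove(os.path.join(root, 'footer.php'))           # a file deleted
    return loose, tightened, diff_snapshots(baseline, snapshot(root))
```

Run snapshot() once on a known-clean tree and keep the result off the server; a later diff_snapshots() against a fresh snapshot gives the same added/modified/deleted view the plugin would, without trusting code that lives on the possibly compromised host.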
02-25-2012, 11:29 PM
Post: #68
RE: Sites hacked
Another step one can do is to disable certain PHP functions. I've noticed the backdoors seem to rely on the base64_decode function of PHP so my phprc file contains
Code:
disable_functions="base64_decode"
Only valid reason to use that function I can think of is for decoding attachments in email messages, so this might affect post-by-email features. It's not foolproof of course - I've seen malicious code that has implemented its own decode functions.

Customer since 2000 | openvein.org | Please don't feed the trolls.
02-25-2012, 11:34 PM
Post: #69
RE: Sites hacked
(02-25-2012 11:29 PM)Atropos7 Wrote:  Another step one can do is to disable certain PHP functions. I've noticed the backdoors seem to rely on the base64_decode function of PHP so my phprc file contains
Code:
disable_functions="base64_decode"
Only valid reason to use that function I can think of is for decoding attachments in email messages, so this might affect post-by-email features. It's not foolproof of course - I've seen malicious code that has implemented its own decode functions.

Does the phprc file go in /home/user/ or /home/user/website?

-Bill
02-25-2012, 11:51 PM
Post: #70
RE: Sites hacked
Neither. See DreamHost Wiki - PHP.ini - PHP 5.3

Customer since 2000 | openvein.org | Please don't feed the trolls.