Sites hacked
02-23-2012, 10:55 PM
Post: #31
RE: Sites hacked
(02-23-2012 10:34 PM)Achilles Wrote:  Thanks for this :) Besides running the script, is there anything else I need to do? All my sites (2 different users) have been affected.
Double check all your .htaccess files and make sure there is no foreign code in there. Then change every server user password and WordPress user password, as well as your database password (don't forget to update your wp-config file with the new password). Also, while you're in the wp-config file, go ahead and get new keys. Go here http://api.wordpress.org/secret-key/1.1/ and copy the new keys it displays. Then paste them over the same code that is in your wp-config file. You will see 8 keys; the last 4 are salts and you don't have to have them because WordPress will automatically generate them for you. So just copy over all 8 with the 4 you are given. This will reset all cookies and everyone will have to log back in. This also keeps the hacker out if he had logged in or cached your cookie for later. Hope you get through this. It isn't fun, and this is the price we pay for cheap shared hosting with minimal security.
02-23-2012, 10:59 PM
Post: #32
RE: Sites hacked
Just to throw this out there, I have phpBB running on one of my sites (but it has been in maintenance mode for the past few months because I got hit with over a gig of spam posts in a week). It was the latest version at the time (3.05). I upgraded to 3.10 and ten minutes later the domain was infected again.

So I did it all over again.

It looks like I've gotten rid of it, but I'd really like to know where it's originating.
02-23-2012, 11:04 PM
Post: #33
RE: Sites hacked
(02-23-2012 10:55 PM)Arrowoods Wrote:  Double check all your .htaccess files and make sure there is no foreign code in there. Then change every server user password and WordPress user password, as well as your database password (don't forget to update your wp-config file with the new password). Also, while you're in the wp-config file, go ahead and get new keys. Go here http://api.wordpress.org/secret-key/1.1/ and copy the new keys it displays. Then paste them over the same code that is in your wp-config file. You will see 8 keys; the last 4 are salts and you don't have to have them because WordPress will automatically generate them for you. So just copy over all 8 with the 4 you are given. This will reset all cookies and everyone will have to log back in. This also keeps the hacker out if he had logged in or cached your cookie for later. Hope you get through this. It isn't fun, and this is the price we pay for cheap shared hosting with minimal security.

WOW - thanks man. Is there any site that has this as a step by step, as I am new to WordPress? Thank you so much for your info though - I haven't slept in 2 days dealing with this :(
02-23-2012, 11:19 PM
Post: #34
RE: Sites hacked
Open up your wp-config file in an editor and look for the code below.
________________________________________________________
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'yourdatabase_com');

/** MySQL database username */
define('DB_USER', 'yourdatabaseusername');

/** MySQL database password */
define('DB_PASSWORD', 'your NEWpassword');

/** MySQL hostname */
define('DB_HOST', 'mysql.yourdomainname.com');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'J|ZZt0mk5%C|tY`zbO+6;0TU_%.o,^&60|rZwybhMPC*Tf-N%Mu2_ xLJ#z}/t%s');
define('SECURE_AUTH_KEY', 'w^l|sgb14;a+S`*|0NO|=p^,Aa}r$-+e|pd4gD%@|y:&!U]?<@0T6s4aa|(|YGVi');
define('LOGGED_IN_KEY', 'Y[LND^4OFQ}K);=dy8^V-I#>LdG,mx77Juz1QK,W{AJEOf=S(v4Q3R;i7s1FfFak');
define('NONCE_KEY', 'X0A?GN6CY!r|*|xpd+3G79vyeDUl=tySV3V]Ve1d.Tl?:|m[gj^v[!^|]l(pAjaH');
define('AUTH_SALT', ';{Iu)stU+%Z#+Ip-7[I-B9o`]@8ZbG}}*E/4Ck|4r9vqh&zcKE}=Nbr+.EOc-Wim');
define('SECURE_AUTH_SALT', 'BJMCz/o|uAke}*(l2=+_iNsFz?*j4G1qTung&l3t#N_Bg@PXX1 -&tzF)K@K!sSk');
define('LOGGED_IN_SALT', '[!IHu*2>Xp]/ %*o?KE fH!BNjEvvY<@^Im%)TGETVfnMSpew:yZ(h6JC+@F`P76');
define('NONCE_SALT', 'L4>u$+{LG(+9+3?KcB_$Gxrz?y(~WinkR|9pIKUFvnuKQf|SDxz7Tm_ArzAADN@O@ ');



/**#@-*/
_______________________________________________________
I found the link to the new keys with salts added: https://api.wordpress.org/secret-key/1.1/salt/ Go there to get your keys.
Everything in red is what you change. To change your database password, you do that through the DreamHost control panel. Click manage users, then find the user name in the list and hit edit, then change password. You can email me at arrowoods at gmail if you need any help. I know how frustrating it is when you're new and DreamHost is no help.
All of this is pointless unless you have run the cleaner script and then done a reinstall of WordPress from the admin update panel. Even if it is up to date, just hit the reinstall button. Also, if you have a bunch of unused plugins, trash them. If you have multiple domains for the same user then you have to do this to every site and get them all cleaned or this crap will come back. This is the reason why I am leaving DreamHost, because I have 4 different hosting providers and DreamHost is the only one who can't seem to keep these guys out.
Quote this message in a reply
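
The key check and replacement described in the post above, as a script. This is an added example, not part of the original post or of WordPress: it reports which of the eight constants are missing, still set to the placeholder from wp-config-sample.php, or duplicated, then writes a new block. Assumptions: the function names are hypothetical, the sample config is constructed, and values are generated locally with Python's `secrets` module instead of being fetched from the api.wordpress.org service the post links to.

```python
import re
import secrets
import string

KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # text in wp-config-sample.php
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;")
# Printable characters minus quote and backslash: no PHP escaping needed.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   + string.punctuation if c not in "'\\")

def audit_keys(config_text):
    """Map each key/salt constant that needs attention to the reason."""
    found = {n: v for n, v in DEFINE_RE.findall(config_text) if n in KEY_NAMES}
    problems = {}
    for name in KEY_NAMES:
        if name not in found:
            problems[name] = "missing"
        elif found[name] == PLACEHOLDER:
            problems[name] = "placeholder"
        elif list(found.values()).count(found[name]) > 1:
            problems[name] = "duplicate"
    return problems

def rotate_keys(config_text):
    """Return config_text with all eight constants replaced by new values."""
    fresh = ["define('%s', '%s');" % (
        name, "".join(secrets.choice(ALPHABET) for _ in range(64)))
        for name in KEY_NAMES]
    lines = [l for l in config_text.splitlines()
             if not any(n in KEY_NAMES for n, _ in DEFINE_RE.findall(l))]
    # New block goes before the /**#@-*/ marker, else after the last DB_ define.
    marker = [i for i, l in enumerate(lines) if l.strip() == "/**#@-*/"]
    db = [i + 1 for i, l in enumerate(lines) if "define('DB_" in l]
    if not marker and not db:
        raise ValueError("no insertion point found in wp-config text")
    at = marker[0] if marker else db[-1]
    return "\n".join(lines[:at] + fresh + lines[at:]) + "\n"

# Constructed sample: one placeholder key, the other seven absent.
SAMPLE = """<?php
define('DB_NAME', 'yourdatabase_com');
define('DB_PASSWORD', 'your NEWpassword');
define('AUTH_KEY', 'put your unique phrase here');
require_once(ABSPATH . 'wp-settings.php');
"""

if __name__ == "__main__":
    print(audit_keys(SAMPLE), rotate_keys(SAMPLE), sep="\n")
```

Run `audit_keys` on every site's config under the same hosting user, since the post's point is that one uncleaned site brings the problem back.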
02-23-2012, 11:38 PM
Post: #35
RE: Sites hacked
(02-23-2012 11:19 PM)Arrowoods Wrote:  Open up your wp-config file in an editor and look for the code below.
________________________________________________________
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'yourdatabase_com');

/** MySQL database username */
define('DB_USER', 'yourdatabaseusername');

/** MySQL database password */
define('DB_PASSWORD', 'your NEWpassword');

/** MySQL hostname */
define('DB_HOST', 'mysql.yourdomainname.com');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'J|ZZt0mk5%C|tY`zbO+6;0TU_%.o,^&60|rZwybhMPC*Tf-N%Mu2_ xLJ#z}/t%s');
define('SECURE_AUTH_KEY', 'w^l|sgb14;a+S`*|0NO|=p^,Aa}r$-+e|pd4gD%@|y:&!U]?<@0T6s4aa|(|YGVi');
define('LOGGED_IN_KEY', 'Y[LND^4OFQ}K);=dy8^V-I#>LdG,mx77Juz1QK,W{AJEOf=S(v4Q3R;i7s1FfFak');
define('NONCE_KEY', 'X0A?GN6CY!r|*|xpd+3G79vyeDUl=tySV3V]Ve1d.Tl?:|m[gj^v[!^|]l(pAjaH');
define('AUTH_SALT', ';{Iu)stU+%Z#+Ip-7[I-B9o`]@8ZbG}}*E/4Ck|4r9vqh&zcKE}=Nbr+.EOc-Wim');
define('SECURE_AUTH_SALT', 'BJMCz/o|uAke}*(l2=+_iNsFz?*j4G1qTung&l3t#N_Bg@PXX1 -&tzF)K@K!sSk');
define('LOGGED_IN_SALT', '[!IHu*2>Xp]/ %*o?KE fH!BNjEvvY<@^Im%)TGETVfnMSpew:yZ(h6JC+@F`P76');
define('NONCE_SALT', 'L4>u$+{LG(+9+3?KcB_$Gxrz?y(~WinkR|9pIKUFvnuKQf|SDxz7Tm_ArzAADN@O@ ');



/**#@-*/
_______________________________________________________
I found the link to the new keys with salts added: https://api.wordpress.org/secret-key/1.1/salt/ Go there to get your keys.
Everything in red is what you change. To change your database password, you do that through the DreamHost control panel. Click manage users, then find the user name in the list and hit edit, then change password. You can email me at arrowoods at gmail if you need any help. I know how frustrating it is when you're new and DreamHost is no help.
All of this is pointless unless you have run the cleaner script and then done a reinstall of WordPress from the admin update panel. Even if it is up to date, just hit the reinstall button. Also, if you have a bunch of unused plugins, trash them. If you have multiple domains for the same user then you have to do this to every site and get them all cleaned or this crap will come back. This is the reason why I am leaving DreamHost, because I have 4 different hosting providers and DreamHost is the only one who can't seem to keep these guys out.

You're amazing - thank you once again. Let me just clear some things by you.

Q1: The .htaccess file reads as follows:


# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Does this look normal to you? Is there anything I should be looking for?

Q2: My wp-config file looks as you have said but without any of the keys, is this normal?

OK, so let me put in order the things I should do:

1) Check .htaccess file
2) Run Script
3) Login to wp admin panel and re-install WordPress
4) Get new keys
5) Place keys in wp-config file
6) Do this for every site affected
7) Change all passwords

Does this seem right?
02-23-2012, 11:55 PM
Post: #36
RE: Sites hacked
(02-23-2012 11:38 PM)Achilles Wrote:  1) Check .htaccess file
2) Run Script
3) Login to wp admin panel and re-install WordPress
4) Get new keys
5) Place keys in wp-config file
6) Do this for every site affected
7) Change all passwords

Does this seem right?

Yes, your .htaccess file is right. Here is the order I would do it in.

First, if your WordPress dashboard looks all crazy and you can't even get to the script you have uploaded, scroll down and look through all the mess and click on updates, then scroll through the mess and hit the reinstall WordPress button. This will get you back to being able to see what you are doing. If you can get to the script then don't worry about this step.
Then do this order:

1. Upload the cleaner script. Then navigate to it through your browser (http://www.yourdomain.com/cleaner-cli_2.4.php) and hit return (enter).
2. It may take a while, just wait for it. When it finishes, check your site and make sure everything is working OK.
3. Then check your .htaccess files. This hack didn't affect those, but you never know and it is better to be safe.
4. Reinstall WordPress from the update dashboard.
5. Change WordPress passwords (pick good long ones).
6. Go to DreamHost and change your user password (pick good long ones).
7. Open your wp-config file and update it with the new password.
8. Click the link in the wp-config file to get new keys, copy and paste over the ones you have. Hit save.
9. UPDATE ALL plugins and trash all your unused plugins AND unused themes.
10. Step and repeat for all your sites.
11. Sit back and wait for it to happen again.

Hope this helps. Just know you are in the same boat with what looks to be hundreds of people right now. Thanks, you Russians.
Quote this message in a reply
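
An added example (not written by anyone in the thread) of the .htaccess check in step 3: it walks a directory tree and lists every directive that is not part of the stock WordPress block posted earlier in the thread, with its line number, so a rule pushed far down a file by blank padding still shows up. `foreign_lines` and `scan_tree` are hypothetical names and the sample file is constructed; a flagged line means "review this", since a site may carry legitimate custom rules.

```python
import os

# Stock WordPress rewrite block, as posted in the thread.
STOCK_TEXT = r"""<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
"""
STOCK = set(STOCK_TEXT.split("\n")) - {""}


def foreign_lines(htaccess_text):
    """Return (line_number, directive) for every directive not in STOCK."""
    findings = []
    for number, raw in enumerate(htaccess_text.splitlines(), 1):
        line = " ".join(raw.split())  # collapse padding used to hide rules
        if line and not line.startswith("#") and line not in STOCK:
            findings.append((number, line))
    return findings


def scan_tree(root):
    """Check every .htaccess under root; map path -> foreign directives."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(folder, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as handle:
                found = foreign_lines(handle.read())
            if found:
                report[path] = found
    return report


# Constructed sample: the stock block, 200 blank lines, then one added
# redirect rule pointing at a placeholder host.
SAMPLE = ("# BEGIN WordPress\n" + STOCK_TEXT + "# END WordPress\n"
          + "\n" * 200
          + "   RewriteRule ^(.*)$ http://placeholder.invalid/ [R=302,L]\n")

if __name__ == "__main__":
    for number, line in foreign_lines(SAMPLE):
        print("line %d: %s" % (number, line))
```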
02-24-2012, 12:01 AM (This post was last modified: 02-24-2012 12:03 AM by Achilles.)
Post: #37
RE: Sites hacked
(02-23-2012 11:55 PM)Arrowoods Wrote:  Yes, your .htaccess file is right. Here is the order I would do it in.

First, if your WordPress dashboard looks all crazy and you can't even get to the script you have uploaded, scroll down and look through all the mess and click on updates, then scroll through the mess and hit the reinstall WordPress button. This will get you back to being able to see what you are doing. If you can get to the script then don't worry about this step.
Then do this order:

1. Upload the cleaner script. Then navigate to it through your browser (http://www.yourdomain.com/cleaner-cli_2.4.php) and hit return (enter).
2. It may take a while, just wait for it. When it finishes, check your site and make sure everything is working OK.
3. Then check your .htaccess files. This hack didn't affect those, but you never know and it is better to be safe.
4. Reinstall WordPress from the update dashboard.
5. Change WordPress passwords (pick good long ones).
6. Go to DreamHost and change your user password (pick good long ones).
7. Open your wp-config file and update it with the new password.
8. Click the link in the wp-config file to get new keys, copy and paste over the ones you have. Hit save.
9. UPDATE ALL plugins and trash all your unused plugins AND unused themes.
10. Step and repeat for all your sites.
11. Sit back and wait for it to happen again.

Hope this helps. Just know you are in the same boat with what looks to be hundreds of people right now. Thanks, you Russians.


Thank you for this - this does help a lot! Weird thing is that the malware has also infected non-wordpress sites I have but it doesn't seem to be doing any damage - ran the script on those as well.

Up until now, Dreamhost has been very helpful with any issue I had - but from yesterday (day 1 of infestation) they have not even answered my support tickets - nothing. What the fu*k Dreamhost?

Anyway - thank you for everything :)

BTW - the first instance of this particular malware started infecting DH sites in Sept 2011, so no hope for a cure anytime soon.
02-24-2012, 09:51 AM
Post: #38
RE: Sites hacked
http://discussion.dreamhost.com/thread-1...#pid150173

02-24-2012, 12:21 PM
Post: #39
RE: Sites hacked
My sites also were hacked- at least the main one was- but not being a full-time web builder I didn't know about it until I started getting complaints about redirects from PHP pages from my readers.

The specific complaints arose from phpBB- visitors using Internet Explorer were getting forwarded through Russian websites to malware pages that crashed their browsers or attempted to install viruses.

When I submitted my trouble ticket to DreamHost, I got back the form letter some of you also got, basically blaming the trouble on me, saying security was solely my responsibility, but that I could try, with no guarantees, restoring from DreamHost backups (if they have them).

All my PHP code on my main site has been compromised, and all at more or less the same time on February 17th- the same as most if not all of you. When I requested access logs, I was sent a second copy of the same form letter- NOT HELPFUL.

This thread, plus information I have acquired elsewhere, proves the following:

* Dreamhost has a SEVERE backdoor security issue- as was proved when we all had our passwords grabbed in January, remember that?- which is not being addressed.

* Dreamhost is NOT being up-front with users about this, in direct contrast to their openness on virtually every other issue.

* Dreamhost is handling complaints on this issue, and other issues of hacking, malware sites and domain security reported by non-Dreamhost users, in the worst possible way.

I've been a Dreamhost customer since December 1998. I've loved the service for most of that time, and I've been an enthusiastic proponent. This issue is burning through my loyalty VERY RAPIDLY, and without some assurance that this problem will not recur as soon as the damage is repaired, I'm going to have to move everything elsewhere- and I DON'T WANT TO DO THAT.
02-24-2012, 12:44 PM (This post was last modified: 02-24-2012 01:11 PM by artgeek.)
Post: #40
RE: Sites hacked
I have been cleaning up hacked sites all morning.

A note:

Wordpress sites created with the Dreamhost One-click were all hacked.

Sites created manually were not hacked.

So, a likely culprit is one of the plug-ins or themes installed with the one-click copy of WP.

(I wish DH would drastically reduce the number of themes and plug-ins they pre-install, or at least allow for a lean installation for this very reason).

---

I'll also add that, like others in this thread, I have been waiting for some panel backup/restores on some slower-moving WP sites that were hacked. Hours later the restores haven't happened (no message from DH either).