Sites hacked
03-02-2012, 07:09 AM
Post: #161
RE: Sites hacked
Hi all,

My DH WP install was hacked as well.

One of my WP installs was affected by malware from .rr.nu. See link below for details of the hack:

http://blog.sucuri.net/2012/02/malware-c...rr-nu.html

Here is the code (from pastebin):

http://pastebin.com/wKkNk7n6

How can I clean information_schema? Do themes affect this DB?

Working through the 16 pages of this thread now ...
03-02-2012, 08:08 AM
Post: #162
RE: Sites hacked
This is a nightmare for me. The info is helpful, but I might as well be reading Chinese on most of this. Anyone out there know someone reasonable and trustworthy to help me work through this crap?
03-02-2012, 08:54 AM
Post: #163
RE: Sites hacked
After spending the last two days cleaning sites, I've switched hosts, moving to a VPS on cloud storage. The support is infinitely better, the system more secure. As soon as the DNS changes propagate, I'm outie.
03-02-2012, 10:08 AM
Post: #164
RE: Sites hacked
Hi folks,
I've been called on to fix quite a number of hacked DreamHost WordPress blogs and I'd like to toss in a few real-world observations.

1. Of the sites I've worked on and cleared of malware all were due to outdated WordPress blogs, templates, or plugins.

2. While it's somewhat apparent Dreamhost is being targeted, at least in my experience the errors have been at the "user" level, and not been due to an exploit within Dreamhost's servers (that is, just as likely to have happened had they been hosted elsewhere).

That said, if you maintain the latest version of WordPress and keep your plugins and theme updated, it's likely you won't be hacked in future (or, much less likely, I should say).

A few pointers:

1. Check for the old Timthumb vulnerability first.
Add the "Timthumb Vulnerability Scanner"
If you come up clean then go ahead and delete it.

2. Delete all inactive themes and plugins (NOW!).
Don't get me going on this one...

3. Create a new administrative username (not "admin"), then change your existing "admin" username to Contributor or something else.

4. Change your FTP password.

5. Run a malware scan on your PC.

6. Use http://unmaskparasites.com
to double check your site for malware.
His non-commercial blog has some decent recommendations as well.

7. Install security plugins like "BulletProof Security"
I did a video on how to install BPS here:
http://youtu.be/kGpCE_eiLNg

Then install "User Locker" or another current excess-login blocking plugin as well.

Best of luck folks,
Jim Walker
The Hack Repair Guy
03-02-2012, 11:07 AM
Post: #165
RE: Sites hacked
Quote: That said, if you maintain the latest version of WordPress and keep your plugins and theme updated, it's likely you won't be hacked in future (or, much less likely, I should say).

I had non-wordpress accounts penetrated. I have my WP installs as one-click and automatic updates. I run almost no plugins for WP.


Quote: If the wiki is accurate, then this has already been disabled by default four years ago: http://wiki.dreamhost.com/Allow_url_fopen

You can run a phpinfo yourself and see it's on for local. That page says it was disabled UNTIL 2008... which means it's now enabled by default. It's best imho to disable it. Better to use curl anyway. allow_url_include is disabled though.

I'm happy that with 5.3 DH allows me a custom php.ini, as I prefer to disable certain functions like exec, system, filesystem, passthru, show_source, shell_exec, escapeshellarg, escapeshellcmd, popen, and proc_open. 5.3 is also running the suhosin patch, which is helpful. I spent all day yesterday beefing up my security. I should be good for a while. But I'm still working to fix 2-3 sites which are offline due to compatibility problems and needed updates.

Support Forums | MyBB Central
03-02-2012, 12:51 PM
Post: #166
RE: Sites hacked
(02-22-2012 08:24 AM) sXi Wrote: Blocking access from BurstNET servers would be a good start:

deny from 46.17.
deny from 64.191.
deny from 66.96.
deny from 66.197.
deny from 77.88.
deny from 81.199.
deny from 82.61.
deny from 92.72.
deny from 94.229.
deny from 96.9.
deny from 137.82.
deny from 157.55.
deny from 173.212.
deny from 180.76.
deny from 184.82.
deny from 208.115.

Could you please describe in more detail the process that I would go through to block the above sites? I'm quite new to this and don't follow you.

thank you
03-02-2012, 12:57 PM
Post: #167
RE: Sites hacked
(03-02-2012 12:51 PM) johnyct9760 Wrote: Could you please describe in more detail the process that I would go through to block the above sites? I'm quite new to this and don't follow you.

thank you

Johny,

I've written a description of exactly this on repairitblog.org. Look under the heading 'hardening dreamhost' and you'll find a .htaccess overview, a description of good .htaccess commands, and a discussion of banning individual users and ranges of users.

Let me know if you have any questions; you can comment on the repairit blog or PM me here if you want.

Bill
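As an added example (not from the thread or from the repairit blog), here is a way to try the quoted "deny from" list against sample access-log lines before putting it in .htaccess, so you can see which visitors it would block. It assumes the prefixes are whole-octet partial addresses, as in the quoted list; only four of the prefixes are included, and the log lines are constructed.

```python
import ipaddress
import re

# Four of the "deny from" prefixes quoted in the thread (sXi's list);
# the same parser handles the full list.
HTACCESS_DENY = """\
deny from 46.17.
deny from 66.96.
deny from 157.55.
deny from 184.82.
"""

def parse_deny_prefixes(text):
    """Turn Apache-style 'deny from A.B.' partial addresses into networks.

    A partial address covers whole octets: 'A.B.' is A.B.0.0/16, 'A.' is
    A.0.0.0/8, and a full address is a /32.
    """
    nets = []
    for line in text.splitlines():
        m = re.match(r"\s*deny\s+from\s+(\S+)\s*$", line, re.I)
        if not m:
            continue
        octets = [o for o in m.group(1).split(".") if o]
        padded = octets + ["0"] * (4 - len(octets))
        nets.append(ipaddress.ip_network(
            ".".join(padded) + "/" + str(8 * len(octets))))
    return nets

def is_denied(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

# Constructed sample access-log lines (Apache combined format, trimmed).
SAMPLE_LOG = """\
46.17.1.20 - - [02/Mar/2012:11:02:03 -0800] "POST /wp-login.php HTTP/1.1" 200 1324
203.0.113.7 - - [02/Mar/2012:11:02:05 -0800] "GET /index.php HTTP/1.1" 200 5120
157.55.33.8 - - [02/Mar/2012:11:02:09 -0800] "GET /robots.txt HTTP/1.1" 200 67
"""

def check_log(log_text, nets):
    """Return (ip, blocked?) per log line so the list can be reviewed before
    it goes live: a prefix that covers a crawler or your own office blocks
    those visitors too."""
    return [(line.split(" ", 1)[0], is_denied(line.split(" ", 1)[0], nets))
            for line in log_text.splitlines()]

if __name__ == "__main__":
    nets = parse_deny_prefixes(HTACCESS_DENY)
    for ip, blocked in check_log(SAMPLE_LOG, nets):
        print(f"{ip:16} {'BLOCKED' if blocked else 'allowed'}")
```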
03-02-2012, 01:17 PM (This post was last modified: 03-02-2012 01:18 PM by tonton_mtl.)
Post: #168
RE: Sites hacked
Hi!

I'm pretty sure that Dreamhost has had a problem with its database server for the last 3 hours… I'm on the "didgeridoo:youssef" MySQL server.

1. My websites can't access their databases:
Critical Error
Error message: Cannot connect to the database.
From class: MySQL

2. I can't connect to any phpMyAdmin either:
phpMyAdmin -
#2013 – Lost connection to MySQL server at ‘reading initial communication packet’, system error: 111

3. I can't create a new database from the Dreamhost Panel; I get the following error:
"INTERNAL ERROR CREATING DB: connect_admin failed for didgeridoo:youssef. Please let support know!"

So, I'm not sure if we have been hacked, because most of the websites that are down are WordPress (latest version, no 1-click install).

I haven't found anybody with the same problem searching on Twitter or Google... Do you think there is anything else I can test to be sure?

PS: I opened a DH support ticket a few hours ago and still no answer. I also commented on this morning's issue with the "port-au-prince" server, describing my problem, on the DH Status Blog. Oscar answered: "The admin team however is working on your mysql server", so maybe it's a clue...
03-02-2012, 03:34 PM
Post: #169
RE: Sites hacked
Add me to the list of people who got hit with 'eval(base64_decode...' hack.
About 6 out of 10 WP sites got hit in different accounts, different users.

All of my WP installs and plugins were up to date. The only items that were not up to date were some of the extra themes DH included with the one-click installs.

I want to thank the early posters in this thread. (It would be nice if folks stayed on subject and didn't bicker about who's 'fault' this is. I'm not ready to point fingers, I just needed to get things fixed.)

I followed the steps outlined in this post and things seem to be clean now:
http://discussion.dreamhost.com/thread-1...#pid150261

I was also using these site scanners:
http://sitecheck.sucuri.net/scanner/
http://unmaskparasites.com/

Both of which reported the virus, and now both are reporting clean results after following the steps above.
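An added example, not from the thread, that covers two things raised in it: Jim Walker's first pointer (look for old timthumb copies in themes) and the 'eval(base64_decode...' injection this and other posters found. It is a read-only audit of a WordPress document root that reports findings without deleting anything; the install it scans is constructed in a temporary directory, and the file names and patterns are assumptions based on what the thread describes.

```python
import os
import re
import tempfile

# Decode-then-eval chains typical of the injected code described in this
# thread; the chain is what to look for, not any one exact string.
INJECTION_PATTERNS = [
    re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\("),
]
# File names under which the timthumb script is usually shipped in themes.
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}

def audit_docroot(root):
    """Walk a WordPress install; return a list of findings (no changes made)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in TIMTHUMB_NAMES:
                findings.append({"kind": "timthumb", "path": path, "line": 0})
            if not name.endswith(".php"):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if any(p.search(line) for p in INJECTION_PATTERNS):
                        findings.append({"kind": "eval-injection",
                                         "path": path, "line": lineno})
                        break  # one hit is enough to flag the file
    return findings

def build_sample_site():
    """Constructed install: one clean file, one injected theme file and one
    bundled timthumb copy, so the audit can be run offline."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    theme = os.path.join(root, "wp-content", "themes", "oldtheme")
    os.makedirs(theme)
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\ndefine('DB_NAME', 'placeholder');\n")
    with open(os.path.join(theme, "timthumb.php"), "w") as fh:
        fh.write("<?php\n// constructed stand-in for a bundled timthumb copy\n")
    with open(os.path.join(theme, "footer.php"), "w") as fh:  # 'Y29u...' is base64 of "constructed"
        fh.write("<?php /* constructed */ eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>\n")
    return root

if __name__ == "__main__":
    for f in audit_docroot(build_sample_site()):
        print(f"{f['kind']:15} {f['path']}:{f['line']}")
```

Run it against a real document root by passing that path to audit_docroot instead of build_sample_site(); every flagged file still needs a human look before anything is removed.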
03-02-2012, 04:04 PM
Post: #170
RE: Sites hacked
(03-02-2012 05:00 AM) LakeRat Wrote: It's oddly worded, but the wiki says it was enabled 4 years ago.

True. I read it too quickly.