Sites hacked
02-17-2012, 06:47 PM
Post: #1
Sites hacked
Several of my sites have been hacked, with an injection of base64-encoded PHP that redirects incoming search traffic.

Don’t know how this got in, maybe an out-of-date wordpress installation, or maybe the recent hack? Anyway.

I’m going about restoring things, but I had a few questions, and would appreciate any feedback, as I’m not an expert on some of this stuff.

1) My plan is to delete everything from dreamhost’s servers, and rebuild from backups that I’m sure are clean of any malware – so far I’ve only found suspicious code in php files. Should I be looking anywhere else?

2) I am trying to access my log files, but the permissions seem to have been changed to 755, and I can’t open them... how can I open & backup these files?

3) I created a new ftp/shell user earlier today for all sites, but when I try to log in via ssh, I keep getting booted. Could this be related, or am I doing something wrong? Have checked and double-checked username and pw – can log in via ftp but not the shell. (Using Coda on OS X.)

Needless to say, this sucks. I have 4 business websites that are effectively down, and I’m trying to get this sorted ASAP...

Any help would be greatly appreciated...

Thanks!
02-18-2012, 03:47 AM (This post was last modified: 02-18-2012 03:50 AM by zildjian.)
Post: #2
RE: Sites hacked
Hi mate, I had a similar problem. All you will get is referred to a wiki help page.

But after trialing numerous "cleaner" scripts to remove the encoding, I finally got one to work. It takes about 15 mins for each website (depending on size, mine were relatively small) and don't worry, it looks like nothing's happening, but you know it's finished when it lists all the files it's searched and fixed. You upload it to your .com folder, then put it into the browser bar with the filename at the end and hit enter. I've uploaded it:
http://www.mediafire.com/?57g26da1ez83nv2

I'm not trying to spam you, I had the same problem just a few posts down.

Although that cleans out the code, I've still not found out how to tighten up my security. Let me know how you get on!
02-18-2012, 07:43 PM (This post was last modified: 02-18-2012 07:44 PM by stephan_c.)
Post: #3
RE: Sites hacked
Thanks for the link, could have saved me some time, but wasn’t too bad in the end.

I immediately took the sites down, and made new wordpress installations for each site.

I cleaned my wp theme folder and my uploads folder to remove the code (eval base64 bullsh*t) using a find and replace, and then dropped these folders back into the clean wordpress.

To verify this, I ran the script you sent me (was also checking out the various blog posts about this) and it looks like everything is OK.

Still can’t access my logs directory, though, and can’t modify permissions on it either.
02-18-2012, 07:48 PM
Post: #4
RE: Sites hacked
Did you figure out how the attacker got in? Usually it's an insecure theme or plugin, if that's the case you may have left the door open.

You can't access logs if you're using FTP, you have to use SSH or SFTP.
02-18-2012, 10:39 PM
Post: #5
RE: Sites hacked
A sophisticated hacker will also create an account, use the database connection info to modify the database, give the new user admin privs, and get an authenticated cookie. So even if the hole is plugged, there may still be ways to get in.
02-20-2012, 02:55 PM
Post: #6
RE: Sites hacked
I'm seeing a lot of these hacks on Dreamhost sites right now, and I'd like someone to look into this being a system-wide issue. I used Google Webmaster Tools to look at the sites linking to mine after the hack, and ALL were Dreamhost sites, most look like blogs. My DB is trashed, I have to back up from November as the auto-restore function in the Panel is crap. Super frustrated here, this needs to be fixed.
02-20-2012, 03:16 PM
Post: #7
RE: Sites hacked
(02-20-2012 02:55 PM)jbnla Wrote: this needs to be fixed.

In almost all cases these hacks are occurring from outdated app software (such as wordpress), or insecurities introduced via 3rd-party themes or plugins. Site security is the responsibility of the customer, not dreamhost. Dreamhost does not know what you have installed or where you installed it, or what you added to it. See also: http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites
02-21-2012, 02:39 AM (This post was last modified: 02-21-2012 03:32 AM by zildjian.)
Post: #8
RE: Sites hacked
- edit
02-21-2012, 05:41 AM
Post: #9
RE: Sites hacked
I helped a friend who faced a similar problem with his site, some of his files (mostly PHP) had been infected.

In particular there was a file called common.php that needed removing. The .htaccess file was infected too - it contained some redirect instructions that were only seen by Google and a few other search engines.

We suspect that the breach happened through Wordpress, but something else came to light: there's a vulnerability in PHP, which affects version 5.3.9 and 5.2.17. See: http://lenss.nl/2012/02/php-critical-bug-cve-2012-0830/

We can stop using PHP 5.2 for our sites (you can change this via the panel), however this gave us version 5.3.5, most likely this version is affected too. If so, all PHP sites on DH are vulnerable.

Otto - 7is7.com | Dreamhost VPS Manager | Dreamhost Promo Codes
02-21-2012, 11:11 AM
Post: #10
RE: Sites hacked
That specific bug only affects PHP 5.3.9 — it was introduced in that version by a faulty implementation of the new "max_input_vars" configuration variable. PHP versions prior to 5.3.9, including 5.2.17, are not affected.