ALL php files hacked = cracked account?
03-26-2012, 10:02 PM
Post: #11
RE: ALL php files hacked = cracked account?
The same thing happened to my sites, around the same time as mentioned here. I have backups of most of the files altered, but what specific vulnerability occurred with WordPress that I can fix?
03-30-2012, 09:30 PM
Post: #12
RE: ALL php files hacked = cracked account?
I don't know if this is any help, but my Drupal sites (and my son's WordPress on the same host) were hacked recently.

(03-26-2012 10:02 PM)The_Dominion Wrote:  The same thing happened to my sites, around the same time as mentioned here. I have backups of most of the files altered, but what specific vulnerability occurred with WordPress that I can fix?

I think it was my failure to update an insecure version of Drupal at the time I was first notified. Maybe this could be the same for WordPress?
03-30-2012, 10:48 PM
Post: #13
RE: ALL php files hacked = cracked account?
(03-26-2012 10:02 PM)The_Dominion Wrote:  ...what specific vulnerability occurred with Word Press that I can fix?

There is no specific "one size fits all" vulnerability. Whether it was the application core, a module, or a theme that was used as the point of entry, the crux of the matter from case to case is that one or more parts of the system employed was open to exploitation, and you'll need to use the resources available to you to fix it.

03-31-2012, 05:39 AM
Post: #14
RE: ALL php files hacked = cracked account?
(03-30-2012 10:48 PM)sXi Wrote:  There is no specific "one size fits all" vulnerability. Whether it was the application core, a module, or a theme that was used as the point of entry, the crux of the matter from case to case is that one or more parts of the system employed was open to exploitation, and you'll need to use the resources available to you to fix it.

I use neither WordPress nor Drupal. I use Zikula. In my case I found three different problems: an old directory of files I had archived when I upgraded the site, a piece of an old phpBB thing I had played with, and just a sloppy permission on a directory for media uploading. I made it worse by having multiple domains under the same user, which made it harder to find the problem(s) and clean up.

Threads here and the search and replace functions in BBEdit helped me find and fix the issues. Good luck.
03-31-2012, 07:20 AM
Post: #15
RE: ALL php files hacked = cracked account?
(03-26-2012 10:02 PM)The_Dominion Wrote:  The same thing happened to my sites, around the same time as mentioned here. I have backups of most of the files altered, but what specific vulnerability occurred with Word Press that I can fix?

sXi is correct; however, the elephant in the room for WordPress is uninstalled themes. As has been documented, last July the author of a plugin called timthumb had his own site hacked through his own plugin. He was able to 'fix' the vulnerability, but the original un-updated timthumb was part of the 100 themes installed as an easy-install option by DH. One thing to understand is that uninstalled PHP has the same power to corrupt your site as installed PHP; it makes no difference, so having 100 uninstalled themes probably increased everyone's vulnerability a hundredfold.

Once a hack is found, much like a burglar, a hacker installs a file manager into the PHP program, then has a field day modifying files in your account with traps and back doors. If you have many domains and one user, the hack can invade the other files, because by default they were connected to each other.

We WordPress users kind of think we are 'on it' when we update WordPress and our installed themes and plugins, but how many of us knew that we needed to update our uninstalled themes and plugins? I certainly didn't.

The problem with timthumb was increased, in my opinion, by noisy bloggers who blogged about DreamHost's timthumb vulnerability last November. This may have been the final straw: since the beginning of February, lots of scripts searching for 'timthumb' have been trolling through every DreamHost account. In mid-March DreamHost installed a mod_security fix to eliminate the ability of these scripts to hack accounts, but we consistently see other scripts trolling for exactly what package (WordPress, Drupal, php, etc.) you have installed, then trying to find their vulnerabilities.

This process against hackers and trolls is winnable with education on our part. For us WordPress dweebs, cleaning up our WP installs by deleting unused themes and plugins, and making sure the themes and plugins we are using are well supported, goes a long way toward making life for a troll unexciting.

For more info see the wiki: Hardening WordPress.

-Bill
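The checks the two posts above call for (Bill's point that timthumb copies inside never-activated themes are still reachable, and the earlier post's archived directories, leftover phpBB code and sloppy upload-directory permissions) can be scripted against a hosting account. The script below is an added example, not code from this thread, from DreamHost or from the timthumb project. It assumes a WordPress layout of wp-content/themes/<name>, assumes timthumb records its version with a define('VERSION', ...) line, and takes the active theme names, the expected code directories and the minimum acceptable timthumb version as caller-supplied parameters rather than asserting a cutoff. The sample account tree it builds is constructed.

```python
"""Audit a shared-hosting account for the issues raised in the posts above:
timthumb copies in themes that were never activated, leftover PHP outside the
directories you mean to serve, and group/world-writable directories.
Added example, not code from this thread; the sample tree is constructed."""
import os
import re
import stat
import tempfile

TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}
# timthumb records its version as  define ('VERSION', '2.8.10');  (format assumed)
VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)")


def version_tuple(v):
    """'2.8.10' -> (2, 8, 10), so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def find_timthumb(root, min_version):
    """Every timthumb copy under root, active theme or not: (relative path,
    version or None, outdated) with the cutoff supplied by the caller."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() not in TIMTHUMB_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                m = VERSION_RE.search(fh.read())
            version = m.group(1) if m else None
            outdated = version is None or version_tuple(version) < version_tuple(min_version)
            hits.append((os.path.relpath(path, root), version, outdated))
    return sorted(hits)


def inactive_themes(root, active):
    """Theme directories under any wp-content/themes not in `active`.  PHP inside
    them is still reachable by URL, so they are attack surface until deleted."""
    found = []
    for dirpath, dirs, _ in os.walk(root):
        parent, base = os.path.split(dirpath)
        if base == "themes" and os.path.basename(parent) == "wp-content":
            found += [os.path.relpath(os.path.join(dirpath, d), root)
                      for d in dirs if d not in active]
    return sorted(found)


def stray_php(root, expected):
    """PHP files outside the directory prefixes you expect to serve code from:
    archived copies and old experiments (the phpBB leftover above) land here."""
    stray = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if not any(rel.startswith(p.rstrip("/") + "/") for p in expected):
                    stray.append(rel)
    return sorted(stray)


def loose_dirs(root):
    """Directories writable by group or world, the 'sloppy permission' case."""
    loose = []
    for dirpath, dirs, _ in os.walk(root):
        for d in dirs:
            full = os.path.join(dirpath, d)
            if os.stat(full).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                loose.append(os.path.relpath(full, root))
    return sorted(loose)


def build_fixture():
    """Constructed account: an active theme with a newer timthumb, a stale theme
    with an old thumb.php, leftover phpBB code and a world-writable media dir."""
    root = tempfile.mkdtemp(prefix="acct-")
    layout = {
        "site-a/wp-content/themes/active-theme/timthumb.php": "<?php define ('VERSION', '2.8.10'); ?>",
        "site-a/wp-content/themes/stale-theme/thumb.php": "<?php define ('VERSION', '1.32'); ?>",
        "site-b/old-phpbb/includes/functions.php": "<?php // leftover ?>",
        "site-b/media/.keep": "",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    for dirpath, dirs, _ in os.walk(root):          # normalise modes, then loosen one dir
        for d in dirs:
            os.chmod(os.path.join(dirpath, d), 0o755)
    os.chmod(os.path.join(root, "site-b", "media"), 0o777)
    return root


if __name__ == "__main__":
    root = build_fixture()
    print("timthumb copies:", find_timthumb(root, "2.0"))
    print("inactive themes:", inactive_themes(root, {"active-theme"}))
    print("stray php:", stray_php(root, ["site-a/wp-content"]))
    print("loose dirs:", loose_dirs(root))
```

Run it against the real account root instead of the fixture, with the active theme names taken from each site's WordPress settings. Anything find_timthumb reports as outdated, anything in inactive_themes, and anything in stray_php is code that can be executed by a URL but that nobody is updating; delete it rather than leaving it "uninstalled".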
04-01-2012, 11:24 PM (This post was last modified: 04-01-2012 11:26 PM by bobbb.)
Post: #16
RE: ALL php files hacked = cracked account?
I had the same thing happen to me, but I am on GoDaddy shared hosting, which I guess is the same as the situation where you own or control your own server. Of course I got a canned reply from GD, to which I complained. They never admit anything.

Here is what I found. Yes, a base64_decode( is involved, but not in all PHP scripts. I found only certain names that are standard, like index.php, footer.php, and template.php. I host about 11 other domains on my account. From my "root" directory down, all the above files were hit. As I told GD, I use no third-party applications and no user parameters in PHP that need to be cleaned. I have no client interfaces anywhere for uploads or logins or anything of that nature. It is all static.

It was easy for me to fix, but they will be back, I'm sure.

Told GD this: "If your server (it is not mine) gets compromised such that a hacker can access all virtual accounts hosted on the shared host, then it falls into your area of responsibility. I cannot control the other shared accounts. It is up to you to harden it such that it cannot occur."

All the files had the same timestamps, or very close. From this I discount FTP entry. That would take too long.

They read these PHP files and, as soon as they hit the PHP ending mark "?>", they wrote their code. I have a copy. They check for certain bots like Google, Yahoo, Bing, etc. and don't execute their code. The code is made to look like analytics-type code, and their native language is not English.
The only way I can see that they can do this is to "own" the root of the whole server. How? I don't know. Try telling that to GoDaddy.

From my history backup files I see that it occurred March 25 at 12:51 (MST, I believe) and again March 31 at 02:41 MST. On the second intrusion the decode info changed. I checked my logs for those time periods and see nothing.

Now they send your users to this base64_decode( URL, where they try to inject malware. This staging area must supply different places to go for the malware, because sometimes it does not work, since that site may have been fixed or disappeared. The few that I saw or checked had all been created recently. Must be throwaways. Same type of contacts.

I also noticed that on the scripts that were modified, the permissions were also changed to group rw.

I do nothing in PHP except a standard include "xxxxx.php" for the same code.

I had it easy compared to some of the posts I see here.
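The indicators bobbb lists (a block written after the file's closing "?>", a user-agent check that skips Google, Yahoo and Bing, an eval of a base64_decode() blob, files hit within seconds of each other, and modes changed to group rw) are enough to write a scanner for an account. The following is an added example, not code from the thread or from GoDaddy. The infected sample files it builds are constructed; their payload only redirects to the reserved domain example.invalid, and the bot-check pattern is an assumed form of what bobbb describes rather than a copy of the real injected code.

```python
"""Scan a web root for the injection bobbb describes above: a block appended
after the file's closing '?>' that skips search-engine bots and runs
eval(base64_decode(...)), then group hits by modification time and mode.
Added example, not code from the thread; the infected sample files are
constructed and their payload only redirects to a reserved test domain."""
import base64
import os
import re
import stat
import tempfile
import time

BOT_RE = re.compile(r"google|yahoo|bing|bot", re.I)
B64_ARG_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def analyse(text):
    """Look at the last <?...?> block in a PHP file.  Return None if it is not
    an eval(base64_decode()) block; otherwise whether it has a bot check and
    the decoded payload, so an analyst can see where visitors are sent."""
    blocks = re.findall(r"<\?.*?\?>", text, re.S)
    if not blocks:
        return None
    tail = blocks[-1]
    if "eval(" not in tail or "base64_decode(" not in tail:
        return None
    payload = None
    m = B64_ARG_RE.search(tail)
    if m:
        try:
            payload = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:
            pass
    return {"bot_check": "HTTP_USER_AGENT" in tail and bool(BOT_RE.search(tail)),
            "payload": payload}


def scan(root):
    """Every .php file under root carrying the payload, with its mtime and
    whether its mode was loosened to group-writable, sorted by mtime."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hit = analyse(fh.read())
            if hit is None:
                continue
            st = os.stat(path)
            hit.update(path=os.path.relpath(path, root), mtime=int(st.st_mtime),
                       group_writable=bool(st.st_mode & stat.S_IWGRP))
            findings.append(hit)
    return sorted(findings, key=lambda f: (f["mtime"], f["path"]))


def mtime_clusters(findings, window=300):
    """Group sorted findings whose mtimes fall within `window` seconds of the
    previous hit.  One tight cluster per intrusion is what a scripted mass
    write leaves behind; hand edits over FTP would be spread out."""
    clusters = []
    for f in findings:
        if clusters and f["mtime"] - clusters[-1][-1]["mtime"] <= window:
            clusters[-1].append(f)
        else:
            clusters.append([f])
    return [[f["path"] for f in c] for c in clusters]


CLEAN = "<?php echo 'hello'; ?>\n<p>static page</p>\n<?php include 'foot.php'; ?>\n"
REDIRECT = 'header("Location: http://example.invalid/");'   # constructed, harmless
PAYLOAD = ("<?php if(!preg_match('/(google|yahoo|bing|bot)/i',$_SERVER['HTTP_USER_AGENT']))"
           "{eval(base64_decode('%s'));} ?>" % base64.b64encode(REDIRECT.encode()).decode())


def build_fixture():
    """Constructed site: three files hit in one pass, one clean file, and one
    hit hours later (the second intrusion); hit files are chmod'ed g+w."""
    root = tempfile.mkdtemp(prefix="site-")
    t0 = int(time.time()) - 86400
    files = {                                   # relpath: (content, seconds after t0)
        "index.php": (CLEAN + PAYLOAD, 0),
        "footer.php": (CLEAN + PAYLOAD, 7),
        "blog/template.php": (CLEAN + PAYLOAD, 12),
        "blog/about.php": (CLEAN, 9),
        "blog/index.php": (CLEAN + PAYLOAD, 6 * 3600),
    }
    for rel, (body, off) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o664 if body != CLEAN else 0o644)
        os.utime(path, (t0 + off, t0 + off))
    return root


if __name__ == "__main__":
    hits = scan(build_fixture())
    for h in hits:
        print(h["path"], h["mtime"], "g+w" if h["group_writable"] else "", h["payload"])
    print(mtime_clusters(hits))
```

Decoding the blob rather than just flagging it matters: the decoded string is what tells you where visitors were being sent, and the cluster boundaries give you the two timestamps to search for in the access and FTP logs, exactly the window bobbb looked at. Remember that restoring the files is not enough on its own; whatever wrote them still has the same access until the entry point is found.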