My WordPress script was vulnerable?
-
My site provider sent me a notice saying “your WordPress script was vulnerable” and anyone could add/edit/delete any file within my web space using the script. They said that someone uploaded a file named mail.cgi to my site and started sending spam out using that script.
Can anyone tell me how this may have happened and, more importantly, how to avoid it from occurring again? I really don’t want to lose my site because of abuse by a third party unknown to me.
-
There are a number of versions of WordPress, both earlier and current. It would be difficult to guess what’s happening without knowing what version you’re running, as well as how your web hosting space is set up. If you can provide details, it would help someone to help you.
And who is this host ?
I’m using SSLcatacomb Networks from mymarkdown.com for hosting. I was using WP 1.5 when this happened. I have just upgraded to 2.0.
Okay, I replied with my hosting information. I totally deleted all WordPress files. I have no users registered. I used a different password after installing WordPress 2.0. Now, I’ve been hacked. Check it out:
Now I’m thinking that you guys will say it was some sort of vulnerability with the host I’m using and they’ll say it was a vulnerability with the WordPress script. So, I’m wondering what would be the smart thing for me to do at this point?
I had the same problem this past weekend. I would like to know where the vulnerability is, too. No problems with WP yet, just to my html pages which were deleted and replaced with a new index.html file.
Yeah, my WP stuff seems to be intact and I was considering upgrading from 2.0 to 2.01, but what’s to stop this hacker from destroying my frontpage again? I had never had a problem with WP before and then my host provider said someone had gained access to a WP script to send out tons of spam email to people. So, they deleted the offending file and suggested I look into the matter further, which I did.
I upgraded WP from 1.5 to 2.0 and thought the problem was solved. Now, my site has been hacked again, either through the host provider or WP. Now, my host provider hasn’t changed the setup since I’ve been with them and Lord knows how many upgrades WP has been through (as we’ve all read the long list of problems with this last upgrade), so I’m inclined to believe the problem lies somewhere with WP.
What do they say when you don’t like the program on TV? “Change the channel!” Well, that’s easier said than done with all the stuff I’ve put on my WP. I’ve been putting my faith in this program for a long time and have appreciated all the support help I’ve received.
I just hope that someone has a fix for this current one, because I don’t want to invest more years of my times making posts that will eventually end up being hacked away.
Yes, there are backup plugins, but the problem with plugins is that they can’t keep up with the version changes that WP is going through.
So, what to do?
Your Web host is probably the only one who can help you. By examining your logs, your host should be able to track down the problem, unless the hackers covered their tracks very well. But even if they did, your host can tell if your logs were reset.
While WP has no known vulnerabilities, there could be something in a plugin that allowed a script kiddie to deface your site, but I’m guessing it was something else on your server. If you have FrontPage extensions, there is a vulnerability. Not sure how it all works, but there is information on site defacement via FP extensions if you do a search.
It’s against the law to deface a site but the script kiddies do it because they can. If you do some research, you can even find scripts with instruction on how to deface a site. I have one (a php defacement script) that was used in an attempt to deface my WP blog. It wasn’t successful but they tried several times.
Anyway, I’d contact my host and hope they have the skills required to track down the problem. If it is a WP problem, then I’m sure the developers would like to know. Your host will need to supply the evidence that it is a WP problem, not just say it is – that will not help anyone and it will not give the developers what they need in order to fix any possible problem.
Good luck!
My html was not written using FrontPage, but rather just an editor that didn’t add any additional tags.
Good deal, Jim. But your SERVER may have FrontPage EXTENSIONS installed. Not you, or your desktop, but the server.
It is frequently alleged that they can be a security risk.
I have requested more detailed information from my server and will update this thread as it becomes available. BTW, I do not have FP Extensions installed. I used to use FP as a sort of manual weblog, years ago, but that was with a different server and I verified with my current one, through CPanel, that FP extensions are disabled.
jimatwork, the use of FP extensions is not the only way a script kiddie can deface a site. Do the research; there are many server-side applications that they can and do use: PHP, CGI, etc. The fact that your html page was replaced says they got in somehow or were able to replace that file with a script. Let us hope they didn’t actually get into your server, since they could do serious damage if they did.
Contact your host and have them analyze the log files for your site if you don’t know how to do it yourself or don’t know what to look for. That is the best advice anyone can give you.
This is the reply I got from my host:
- Hello,
Did you delete the database?
The database could have been modified so that they can get back in at any time.
Did you delete ALL files within your web space? Files can be modified and hidden in directories so that they can get back in at any time.
Did you keep all files within your web space up-to-date on a daily basis?
Old vulnerable scripts like https://www.bbiverson.com/gallery/ ? Since your domain is now on hacker scoreboards, updating daily probably isn’t good enough. You should check for updates to your scripts several times per day. All log files can be accessed using cpanel. Please hire a webmaster if you need help in keeping your scripts within your web space secure and up-to-date.
Best regards,
Web Hosting Services
They’re asking me to delete my database? That’s the same as deleting WordPress!
I looked under CPanel and there are three references to logs: Raw Access Logs, Raw Log Manager, and Error Log. None of them have anything timestamped farther back than 24 hours ago. Here is a link to my Raw Access Log:
Is that the log my host is referencing, because I don’t see any other in CPanel? If the infraction occurred prior to 24 hours ago, how can I determine what caused it and how to avoid it in the future?
I think your host is talking bollocks and while a tiny bit of their info could be seen as possibly correct given that it’s their hosting environment, it’s scripts in that environment that are being used and that they have control over that environment then asking you to sort it all out shows that they haven’t a clue between them.
Move hosts today. Seriously – move to a better host.
———
Without knowing specifically what databases you have, check the users for each app. Delete all but you. Change all your passwords to long complex strings such as 8Jik:mNiP(d/GDF53]
CHMOD every file to 644
Every directory to 755
That will go some way to help.
But the best advice is to move and do it now. There are many threads about good hosts but https://www.asmallorange.com and https://laughingsquid.com get no complaints in these forums.
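The permission reset the post above recommends, written out as a small script with the follow-up checks a defender would run after an incident like the mail.cgi upload described earlier in the thread. This is an added example, not code from the thread or from WordPress; the web-root path is an assumed placeholder passed as the first argument.

```shell
#!/bin/sh
# Added example: apply the 644/755 layout, then list what to review next.

# Reset permissions: regular files to 644, directories to 755.
harden_perms() {
    root="$1"
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type d -exec chmod 755 {} +
}

# Report anything still deviating from 644/755 (prints nothing when clean).
perm_deviations() {
    root="$1"
    find "$root" -type f ! -perm 644
    find "$root" -type d ! -perm 755
}

# WordPress ships no CGI or Perl scripts, so any *.cgi / *.pl under the web
# root (like the mail.cgi the host found) is something to inspect. Also list
# files changed within the last N days (default 7), the window in which an
# intruder's edits and drop-ins are most likely to show up.
review_candidates() {
    root="$1"; days="${2:-7}"
    find "$root" -type f \( -name '*.cgi' -o -name '*.pl' \)
    find "$root" -type f -mtime "-$days"
}

# Usage: sh harden.sh /path/to/web/root   (placeholder path)
if [ "${1:-}" ]; then
    harden_perms "$1"
    echo "--- still off 644/755 (expect none):"; perm_deviations "$1"
    echo "--- scripts and recently changed files to review:"; review_candidates "$1" 7
fi
```

Review the listed files by hand before deleting anything, and take a backup first, as the next reply advises.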
If the infraction occurred prior to 24 hours ago, how can I determine what caused it and how to avoid it in the future?
I don’t think anyone here can help you, at least not without seeing what’s in your directories. I doubt your database was compromised. If you can’t change hosts (which I would highly recommend) then go in and delete the html file that’s showing right now and look for anything else suspicious and remove it. Back everything up first. Check your logs daily and wait and see what happens. Oh, I would remove the gallery program since there’s no photos in it anyway.
You could also backup your database, then remove the wp tables in MySQL, remove everything related to WP and any other program you have installed yourself, including images, from your directories, then do a clean install. You can dump your database content back in after the new install and reload any images you might want. If you need help doing that, email me at glo (at) wild-mind.net and I’ll tell you how. If you have changed the look of your blog, save the theme you changed to your hard drive, if you don’t already have it on your computer (hopefully you do).
Good luck!
Okay, I found this warning by doing a search for Linux_Drox https://secunia.com/advisories/17410/ – so, your database may have been compromised. Before inserting any database backups into a clean install, the content should be examined.