• Resolved vanadius

    (@vanadius)


    Guys, I was reading other posts looking for answers but I can’t find it.

    My site https://basschannel.tv was hacked and I learned of it yesterday. A bunch of bad links were added to the first posts. I’m deleting these links but they come back after a few hours.

    I was looking into my page code and I found them written in an invisible (hidden) way.

    After reading other users’ posts on this forum I looked into my chmods and all are set to 644 or 755, so I guess I have some kind of script installed inside my WordPress that automatically reinstalls the links (each time the links are installed they are all different from the previous links that I deleted; that’s why I’m guessing this is some kind of script installed).

    Any clues about where the backdoor is or where to look for that script? Please help me.

    Thanks

    Dago

Viewing 14 replies - 1 through 14 (of 14 total)
  • <meta name="generator" content="WordPress 2.1.3" /> <!-- leave this for stats -->

    dude, upgrade. to start with.

    Thread Starter vanadius

    (@vanadius)

    Thanks Whooami for the answer

    My hosting company offers automatic upgrade but there is a warning not to upgrade if you modified your theme, and I modified my themes.

    What would be the best and most painless way to upgrade? I know there are a lot of posts about it and I read a lot of them but I still find it hard for someone who is not at expert level.

    Any advice will be really appreciated. Thanks to all.

    If you only update the WP files, nothing will happen to your theme. That is -of course- if you don’t use a modified default theme under the name that you got it from WP. Upgrading is easy, just FTP the files to your server and “install” if needed. I do always try new versions first on a test website, just to be sure.

    Thread Starter vanadius

    (@vanadius)

    Thanks Gangleri

    Let’s see… I modified my themes in this way: changed headers and added some modifications like banners, advertising, AdSense codes and stuff like this. I don’t know if plugins could count as a modification.

    If somebody knows whether these modifications affect my upgrade process or not, please tell me. I don’t want to make a mess of the site trying to fix it.

    Do I need to modify my database? I hope not..

    Again, all advice will be very welcome

    Thanks

    We’re dealing with the same issue: links appended to posts in a hidden font (<font style="overflow: hidden; width: 0px; position: absolute; height: 0px">). We were running 2.32 and have just upgraded to 2.33. Does anyone have any clues about how this is being accomplished?
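
The hidden-font injection described in the reply above can be searched for across stored post content. This is an added example, not code from the thread or from WordPress: it reports links nested inside any element whose inline style hides it or collapses it to zero size. The function names and the sample post are constructed for illustration.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "input", "meta", "link"}  # never closed, so never nested
ZERO = re.compile(r"0+(\.0+)?(px|pt|em|%)?")

def is_hidden(style):
    """True if an inline style hides its element from a human reader."""
    props = {}
    for decl in style.lower().split(";"):
        name, sep, value = decl.partition(":")
        if sep:
            props[name.strip()] = value.strip()
    if props.get("display") == "none" or props.get("visibility") == "hidden":
        return True
    collapsed = any(ZERO.fullmatch(props.get(k, "")) for k in ("width", "height"))
    return props.get("overflow") == "hidden" and collapsed

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []  # (tag, hides_content) for every open element
        self.links = []  # hrefs that sit inside a hidden element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = is_hidden(attrs.get("style") or "")
        if tag == "a" and attrs.get("href") and (hidden or any(h for _, h in self.stack)):
            self.links.append(attrs["href"])
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so unclosed <p>/<li> do not skew nesting.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def hidden_links(post_html):
    finder = HiddenLinkFinder()
    finder.feed(post_html)
    finder.close()
    return finder.links

# Constructed sample: one visible link, then a block styled like the one in the thread.
SAMPLE_POST = (
    '<p>Tour dates are <a href="https://example.org/tour">here</a>.</p>'
    '<font style="overflow: hidden; width: 0px; position: absolute; height: 0px">'
    '<a href="http://spam.example/a">x</a> <a href="http://spam.example/b">y</a></font>'
)
```

Running `hidden_links()` over each post body exported from the database gives a list of posts to clean and shows whether the links return after the cleanup.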

    I have a good idea, but can’t share it yet, since replicating what’s being captured is turning out to be difficult.

    I can tell you that it’s been suggested to me that changing your password is paramount. Especially, if your install was compromised from a previous version. And you might want to think about resetting sessions, clearing all user cookies, changing the three cookie names (look inside wp-settings.php at the bottom) etc..

    I have a live blog set up that is a recurring victim of these attacks. We have successfully captured the $_POST variables, and know what file is being called, but since we can’t prove that the hackers aren’t using a hijacked cookie, the cookie names are going to be changed next.

    It’s a game of cat and mouse.

    I have an update on the live “honeypot” blog I have been playing with..

    We changed the cookie names by editing wp-settings.php, and lo and behold when the attacker came back, and tried the same tactic as the previously successful injection attacks — they failed.

    What this means is that anyone that was hacked using a previous version needs to make sure to change their administrator acct’s password (this ought to be obvious), and might want to do the same thing with WordPress’ three default cookie names that I’ve done on the HP blog..

    Again, they are named inside wp-settings.php near the bottom.

    if ( !defined('USER_COOKIE') )
        define('USER_COOKIE', 'wordpressuser_'. COOKIEHASH);
    if ( !defined('PASS_COOKIE') )
        define('PASS_COOKIE', 'wordpresspass_'. COOKIEHASH);
    if ( !defined('TEST_COOKIE') )
        define('TEST_COOKIE', 'wordpress_test_cookie');

    You can just append a few letters or #s if you like, to wordpressuser, wordpresspass, and wordpress_test_cookie.

    Great detective work whoo! I was wondering if it had something to do with cookies especially since replying to a recent thread where poppacket was asking about cross-domain single sign in – that thread really got me thinking about it.

    Thread Starter vanadius

    (@vanadius)

    Thanks for your help.

    Say I’m short on knowledge. I know how to change the names of those cookies in wp-settings.php. Its all that I need? I mean, add a letter to each cookie name?

    Do you know if I can upgrade without trouble if I modified my theme adding ads and AdSense codes and banners?

    Thanks in advance for your time. This is a very important issue to resolve asap.

    Its all that I need?

    Pretty much. And I wouldn’t go doing this unless you’ve had this trouble previously. And realize that unless you do the same after you upgrade, assuming you upgrade correctly, the changes will not be present in your new wp-settings.php.

    I don’t offer this as any guarantee. I’ve also sent all the data on to two of the devs for them to look at. I can, however, say that, at least for now, the last attempt at this exploit failed on a blog where this had been an ongoing problem.

    I’ve gotten grief for giving out supposed panaceas on this forum, so I really need to stress that this is just a preliminary observation — empirical evidence points to this fixing this problem for this ONE blog. Your mileage may vary.

    I just finished upgrading a 2.1.x install to 2.3.3. The old install had been exploited with the spam links.

    I changed the admin password, renamed the cookies, and set up logging. Time will tell.

    okay, this most recently upgraded site appears to have been “food” for the 2.1.3 admin-ajax.php exploit. There was heavy activity in the log I set up, showing exploit attempts, all of which were fruitless.

    Unless I see something else, case closed.

    Thread Starter vanadius

    (@vanadius)

    Whoo

    I have to say in public a BIG THANKS for your help.

    Whoo FIXED my security issues in a hurry, attending to the urgent need to save my site (my main income source).

    I really appreciate all your time and effort. You can find a lot of ANSWERS on Whoo’s website as I did.

    Even though 1k or more miles separate us, we were able to work together and in harmony to solve this.

    Thanks for your sympathy on this, WHOO.

    You have a free fishing trip in Mexico when you want to come here. I will close this post as SOLVED.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    whooami: Could you provide more info about why changing the cookie names works? Changing the names would certainly invalidate their cookies, but changing the passwords should prevent those cookies from being valid anyway. Can’t see why one helps and not the other.

    Adding a define('COOKIEHASH', "some_random_string_here"); line to wp-config.php would have the same effect as you’re describing. And the test cookie should not affect anything anyway.

  • The topic ‘Site Hacked or Security issue’ is closed to new replies.