• I visited my WP 2.9.2 site today to get a warning about my site having malware associated with it. Looking at the source, I see a script entry in the HTML body going to https://zettapetta.com/js.php

    Looking at the index.php file, I see that the first line has been hacked with an eval command and a lot of garbage that obviously comprises part of the hack. The timestamps of a lot of WP files have been changed, indicating that they were modified sometime yesterday afternoon.

    Anyone else seen this hack yet; is there a fix? I only found one or two mentions of this online, but all my plugins are up to date and I’m not sure how to ensure this won’t happen again after I do a restore from backup on the site.

    Thanks,
    Matt

Viewing 15 replies - 46 through 60 (of 187 total)
  • Maybe it’s time to do something about it, rather than repeatedly contributing to the FUD.

    Relevant link about this:

    //www.indesignstudioinfo.com/ls.php
    //zettapetta.com/js.php

    https://blog.sucuri.net/2010/05/new-attack-today-against-wordpress.html

    Link to the purported fix for it:

    https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

    [edit] which, by the way, appears to have been already posted in this thread several hours ago (and more than once). It would be interesting to read some more feedback on the results of that method.

    this is our conversation

    me: why do people do this
    friend: A “script” by an untrusted source could do significantly more damage (more hackers tricking you to run their shit).

    this is what my friend says:

    friend : this is a mess.
    Every plugin, every theme, every bit of php code has to be rebuilt / replaced.
    This is going to be time consuming.

    Do it from your last known good backup. It should take about 10 minutes.

    Or, again… you can try this repair first, and let us know how it works.

    https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

    my friend is going into the hosting account

    why, i have no idea.

    CLAYTONJames: I gave him the link you provided.

    just a thought on the side, has anyone been able to locate where these hackers live – or was this generated by a robot??? it must be possible.

    Moderator James Huff

    (@macmanx)

    helpme11, it’s okay to not post everything that your friend is doing. Feel free to just follow up when your friend has finished fixing your site.

    As for who is doing this and how it’s being done, there are several links in this thread that go to articles discussing the issue in depth.

    I just checked both of my WordPress sites. Luckily they weren’t infected. Perhaps these were targeted attacks on the big web hosts?

    I would just like to say that when I install WP I generate fresh keys, I change the prefix from wp_ to something like Efhje4k9Ubc_, I make both my database name and password something as equally nonsense, and I create an account for myself and delete the admin user. I have never ever been hacked. I’m not saying I can’t be but taking these steps will certainly throw off a hacker.

    I have a question for you:

    – different servers
    – different websites and platform

    … what FTP client do you use? I use FileZilla, that saves the FTP password without encryption… and you?

    Hi,

    All my sites on Hostmonster were infected yesterday with this virus,
    WordPress, Joomla and even individually written PHP sites.

    I tried this https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html , but still no fix

    Need help.

    Thanks,

    Bat

    To all the above….

    The SCRIPT THAT YOU PROVIDED Did not work for my site!!

    my friend had to take both my websites off line!! ouch!!

    and work with the FTP and then work with creating a new database in the
    hosting name and upgrading

    And now move the main folder to a new folder within the hosting site.

    i also noticed i get this: on my pc at the same time i got hacked.

    Warning: Unresponsive Script

    A script on this page may be busy, or it may have stopped responding. You can stop the script now or you can continue to see if the script will complete.

    Script: chrome://tavgp/content/avg/avgbapi.js:125

    (checkbox) Don’t ask me again

    Stop script (button) Continue (button)

    i feel so bad for people using wordpress who have no clue what to do when it comes to situations like this. (like myself)

    I have no clue what to do. and if i don’t know, i’m sure there are many others who are out there who also don’t know.

    So stay tuned cause i will find out what exactly my friend did, and post it here.

    All the above posts about running a script and it takes 10 minutes – i wish it was true (maybe in some cases, but for me it didn’t work), and how do you run a script? beats me!!

    So don’t worry.

    Just a thought again, since WordPress has automatic updates (which i think are awesome (i love just clicking a button to upgrade and done)), why don’t they have automatic fixers – someone should get on this…. Yes!!!

    I honestly would have given up my website (sold it) if I didn’t have a friend who knows how to fix things. So if i feel like this, i’m sure there are many who are thinking about giving up!! Well there is hope!!

    My site says: we are down for maintenance, but really it’s been hacked!!

    My friend said it will be up by Sunday.

    I lost revenue and massive amounts of traffic! today’s a sunny day.. so i guess i can go outside for air… so that’s a good thing with the site being down.

    and i won’t post anymore until my site is up and i get a full detailed summary of what to do! (what my friend did) sorry about posting so much.

    Heads Up . . . May 8, 2010 NS

    We received alerts of a new type of file inclusion on our customers’ websites, whereby a “.nts” file is added to folders of customers’ hosting accounts. Visitors to affected websites will receive a “website cannot be found” message and may be infected with malware. This “.nts” file addition is occurring mostly within the structure of customers’ WordPress installations, however the issue is not with WordPress. We ask that you please remove all files with the extension “.nts” in order to resolve this issue.

    At this point the bottom line is the grid is probably being infected regardless of who you’re hosted with.

    The fix posted by dd@sucuri in this thread seems to have worked like a charm for my affected site (I’ll link to the page with the fix here in case impatient people are skipping to the end of this thread).

    For the record, all of my WordPress sites have been running 2.9.2 since its release, and only one site was affected by this latest b.s.: the one hosted on a shared Linux server at GoDaddy. My friend’s BlueHost sites were fine and all the sites on my own server were fine. So GoDaddy’s statement that this was a problem affecting only people running outdated versions of WP is just ridiculous.
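
An added example, not code from any poster in this thread or from the linked cleanup script: a read-only scanner for the three indicators the thread names (an eval on the first line of a PHP file, script tags pointing at the two hosts quoted above, and ".nts" files). The sample tree, its file names and the function names are constructed for illustration, and treating a first-line eval as suspicious is an assumption drawn from the first post's description.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the thread: two script hosts, ".nts" files, first-line eval().
BAD_HOSTS = ("zettapetta.com", "indesignstudioinfo.com")
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)
FIRST_LINE_EVAL = re.compile(r"<\?php\s.*\beval\s*\(", re.I)
TEXT_EXTS = {".php", ".html", ".htm"}

# Constructed sample tree (placeholders, not real malware): path -> content.
SAMPLE = {
    "index.php": '<?php eval("constructed placeholder"); ?><?php\nrequire "wp-blog-header.php";\n',
    "wp-content/themes/demo/footer.php": '<?php wp_footer(); ?>\n<script src="https://zettapetta.com/js.php"></script>\n',
    "about.html": "<script src='//www.indesignstudioinfo.com/ls.php'></script>\n",
    "wp-includes/cache.nts": "constructed\n",
    "wp-load.php": "<?php\n// clean control file: eval( appears only on line 2\n",
}

def is_bad_host(host):
    """Match the listed hosts and their subdomains, not look-alike names."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in BAD_HOSTS)

def scan_tree(root):
    """Return sorted (relative_path, reason) findings; files are only read."""
    findings = set()
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name.lower().endswith(".nts"):
            findings.add((rel, "nts-file"))
        if path.suffix.lower() not in TEXT_EXTS:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        first_line = text.split("\n", 1)[0]
        if path.suffix.lower() == ".php" and FIRST_LINE_EVAL.search(first_line):
            findings.add((rel, "eval-on-first-line"))
        for host in SCRIPT_SRC.findall(text):
            if is_bad_host(host):
                findings.add((rel, "script-src:" + host.lower()))
    return sorted(findings)

def scan_sample():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(tmp)
```

Running `scan_tree` over a downloaded copy of the web root, and again after a restore from backup, shows whether any of these indicators remain; it reports only and changes nothing.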

  • The topic ‘2.9.2 site hacked’ is closed to new replies.