• I visited my WP 2.9.2 site today to get a warning about my site having malware associated with it. Looking at the source, I see a script entry in the HTML body going to https://zettapetta.com/js.php

    Looking at the index.php file, I see that the first line has been hacked with an eval command and a lot of garbage that obviously comprises part of the hack. The timestamps of a lot of WP files have been changed, indicating that they were modified sometime yesterday afternoon.

    Anyone else seen this hack yet; is there a fix? I only found one or two mentions of this online, but all my plugins are up to date and I’m not sure how to ensure this won’t happen again after I do a restore from backup on the site.

    Thanks,
    Matt

Viewing 15 replies - 106 through 120 (of 187 total)
  • Response of Godaddy to my second e-mail:

    Dear Sir/Madam,

    Thank you for contacting Hosting Support.

    While the articles that you have provided have many interesting opinions, the issue is directly related to code security in general. There have been many other WordPress compromises at other providers. At this point in time our security teams have verified that it is not a server level issue.

    If you continue to experience delivery or access problems please let us know and we would be happy to assist you further. Please provide any error messages or screen shots to help us troubleshoot the issue that you are experiencing.

    Please contact us if you have any further issues.

    What!: “At this point in time our security teams have verified that it is not a server level issue.”

    What’s your opinion?

    calvin13

    OK, still awake. Wanting to see how this all unfolds.

    Many people were affected a few days ago. Most people should have fixed it by now and certainly upgraded to the latest version of WP. If not…fools.

    Many would have started from a clean slate. Now it’s happening again. Mmm.

    Is there anybody who is on shared hosting, who is new to shared hosting since the 1st outbreak? That would be a clincher for me.

    I never had any issues like this when I wasn’t using shared hosting.

    “At this point in time our security teams have verified that it is not a server level issue.”

    Denial isn’t just a river in Egypt.

    I don’t know what to do…

    change my hosting?

    Sure enough, this same BS happened to my Godaddy site again last night. I restored from backup. I’ve never had WordPress installed etc. Strong passwords, all different.

    I can see the one line in the apache log where a script was executed:
    74.54.—.— – – [11/May/2010:22:02:10 -0700] “GET https://www.——–.—/——.php HTTP/1.1” 200 429 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)”

    I censored out the bits that would identify me or the attacker but I can tell you: it was a .php script that doesn’t exist on my site, so somebody must have uploaded it, run it, then deleted it. My apache logs have no other access from that IP address. I do not see any exploit being done thru a script on my site. The attacker has to be breaking in some other way. But my passwords are all strong & I only log in thru encrypted SFTP.

    In any case I am taking my business elsewhere.

    Someone recommend me another shared hosting?

    I love my Dreamhost. Talked with them, seems to be fine; what they said is they are going to post something. It’s like they just heard about it today from me.

    I’m on Dreamhost VPS and I have mod_security and security for the users so that a user can only view his files. Without that I used to be able to log into any FTP and backtrack to other users’ files. But with it turned on for every user now, I can’t even go into my main FTP account and view others’ files. Does that help isolate hacks?
    “Enhanced Security” means your user’s home directory has its permissions set to 750 and its group is changed to adm.”

    When possible I set my file permissions as low as I can if it is a static site. Lower than 644; I don’t even let my own user write to files.

    While I don’t generally recommend GoDaddy hosting because of other problems from them, I still do have one site running on their shared servers (unfortunately).

    This site was hacked a little over a month ago running WP 2.9.2. I’m guessing at the moment when this outbreak was starting. Giving my host the benefit of the doubt and thinking that maybe I hadn’t locked down the site well enough, I completely cleaned out all files and restored the database from backup. I then installed fresh with completely new, stronger passwords. From that point, I set the file permissions on all files as strict as I could possibly get them to run WordPress on GoDaddy.

    That seemed to do the trick for about two weeks. Then, the hack occurred once again. On the morning of my birthday, no less.

    GoDaddy’s response: It’s not our fault. Upgrade your WordPress installation.

    That response alone should be enough to teach people to steer clear of GoDaddy.

    Fortunately, I can clean out a hacked site in about an hour. I’m not so sure the average user can handle that.

    I had an idea: the malicious file in my directory was “php.ini”–thank you sucuri! I deleted it and things went back to normal. But it keeps coming back. What I am trying now is to edit the file, delete all the code, and then I made php.ini a non-writable, non-executable file.

    We hear your frustration. Please read our blog post: https://community.godaddy.com/godaddy/whats-up-with-go-daddy-wordpress-php-exploits-and-malware/?isc=smwpfor

    If your site’s been affected, please fill out the form listed in the article.

    Alicia

    It seems that the problem is extending to other hosting providers:

    https://www.wpsecuritylock.com/breaking-news-wordpress-hacked-with-holasionweb-on-go-daddy/

    Thanks all for the info here…I created a site that was attacked with this thing just days after it was launched…twice! Cleared it out and re-installed and then it happened again this morning.

    Many thanks to [email protected] for the script, I have run that on my site and everything seems to be clean.

    Am curious about what poprunna said about re: the php.ini file. What is typically found in the php.ini file and how would I know if it was compromised? I’d like to try the same thing, putting it in non-writable/executable mode but first I’m wondering how I would know if there is something wrong with it already… any thoughts?

    GDHosting
    Alicia,
    I must say that is a fairly pathetic response. Sure some sites were running outdated software (not just wordpress) but the large majority are up to date 2.9.2 wordpress sites. Of the 62 sites I have cleaned for folks (not free) and moved to another hosting provider only 7 of them were not up to date.
    Why did I recommend they move or I would not clean them? Because of crap like the page you linked to. You (godaddy) have not taken responsibility for this continuing lack of secure servers and addressed the real problem. Why not be transparent and responsible as Network Solutions was? Within days, they admitted it was not a WordPress problem, but their own.

    I sincerely recommend anyone on godaddy to leave immediately as they are not sincere or honest.

    my .02

    Probably just a coincidence, but has anyone signed up for free content at seolinkvine.com? It’s just that I added one of my blogs and it got hacked. The user name supplied only had author privileges though.

  • The topic ‘2.9.2 site hacked’ is closed to new replies.
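
A defensive check for the symptoms reported in this thread (an eval on the first line of index.php, a php.ini that keeps coming back, changed file timestamps), added here as an example and not a script posted by any participant. The regex, the 200-byte length threshold and the sample tree built in `demo()` are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: the injected first line calls eval( right after the PHP open tag
# and is unusually long; the thread only says "an eval command and a lot of garbage".
EVAL_RE = re.compile(rb"<\?php\s*(/\*.*?\*/\s*)?eval\s*\(", re.I)
MIN_LEN = 200  # assumed threshold for "a lot of garbage"


def scan(root, since_epoch=0.0):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == "php.ini":
                # One poster found a php.ini they had not created.
                findings.append((rel, "php.ini present, review contents"))
                continue
            if not name.endswith(".php"):
                continue
            with open(path, "rb") as fh:
                first = fh.readline()
            if len(first) >= MIN_LEN and EVAL_RE.match(first):
                findings.append((rel, "eval() on first line"))
            elif os.path.getmtime(path) >= since_epoch > 0:
                # Only active when a cutoff (e.g. last known-good deploy) is given.
                findings.append((rel, "modified since cutoff"))
    return sorted(findings)


def demo():
    """Build a constructed sample tree (not real malware) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "wp-admin"))
        samples = {
            "index.php": b"<?php eval(placeholder('" + b"A" * 300 + b"')); ?>\n",
            "wp-load.php": b"<?php\n// clean file\n",
            "wp-admin/php.ini": b"; constructed sample\n",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return scan(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

Passing `since_epoch` set to the time of the last known-good restore also lists .php files whose modification time is newer than that, which covers the changed-timestamp symptom from the first post.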