• I had 2 instances of 2.8.3 running on separate databases, and both were hacked before I got the chance to upgrade. I upgraded, deleted all WordPress, plugin, and theme files, downloaded fresh zips of all, uploaded those, checked my permalinks structure (nothing out of the ordinary there), searched both databases for the “eval” and “base_” crud that supposedly causes it (nothing came up except for the blog post about it by lorelle @ https://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/. Should that be in my databases??), and even had my hosting company look through my .htaccess file to ensure that anything that was there was supposed to be. Still getting the icky redirects and spyware warnings.

    Well, one of the installs of WP was just for design purposes and had virtually no content in it, so I went ahead and deleted all of its files AND its database. Started with a fresh clean database and a fresh clean 2.8.4 install of WordPress. Redownloaded and installed fresh versions of the plugins I use (FatFreeCart, Cleaner Gallery, and Lightbox 2), as well as the theme (Fixed Blix). The only files from the old install that I reuploaded were a handful of theme template files, which I meticulously went through with my own eyes beforehand (footer.php was NOT one of them).

    This fresh, clean install of 2.8.4 is STILL REDIRECTING randomly!!!!

    I’ve put in a help desk ticket with my host to make sure that my entire account didn’t get affected somehow, but I’m expecting them to tell me to ask here anyway, since it originated with 3rd party software. Help?

    ETA: Also wanted to mention that I’ve tested the new install by repeatedly hitting “reload” and clicking around on it via a Mac iBook using Opera, so I highly doubt it’s my machine that’s infected. I’ve checked my browser cache, and it’s clear. I’m no expert, though, so I guess it’s possible?

Viewing 9 replies - 16 through 24 (of 24 total)
  • Thread Starter justbishop

    (@justbishop)

    Yeah, my husband is working on cleaning up my mess as I type (OK, so he’s feeding the baby while some sort of scan runs, lol!)

    Thanks to all for the help thus far. This is really frustrating!

    Thread Starter justbishop

    (@justbishop)

    Anyone happen to visit and find anything?

    Interesting: Koobface does muck with DNS, but only on Windows boxes.

    When you’re cleaned up, I’d change your DNS to OpenDNS in your home router and your PCs and Macs. It’s very easy. That won’t prevent another Koobface infection, but will help with other DNS malware.

    And, in my not so humble opinion, $5 a month shared hosting is junk; you’re just waiting for a server hack. Do yourself a favor and get better hosting. Even GoDaddy hosting must be better.

    You’ve got a 500 server error now. Did you edit the .htaccess with your Mac? Check to see that you saved it with Unix line endings out of your Mac text editor.

    I’ve not read enough about Koobface to know how much damage it does or what else it might drop on the machine, but I know that just one machine infected on a local network is potentially able to poison the DNS for other machines though – even ‘uninfected’ Macs.
    https://isc.sans.org/diary.html?storyid=5434

    Let us know how you get on.

    They’re different malware critters. If you’re using OpenDNS as opposed to local, and (mostly) don’t run in Windows admin mode and don’t password software install under OS X, you’re pretty safe.

    Thread Starter justbishop

    (@justbishop)

    Yeah, I saw the 500 and posted a ticket to my host’s help desk. They said that it was a weird entry in my .htaccess (I didn’t put it there!), which they fixed, and now everything’s peachy. No redirects all day. IDK what technology gods have smiled upon me today, but wherever they are, I thank them!

    I’ll tell my husband about the OpenDNS thingie. He deals with that sort of thing. I know how to code, FTP, and open a browser, lol!

    Thanks so much for everything guys, and please post back if anyone figures out anything else!

    May not be related to your issue, but the Koobface virus does steal passwords for servers from popular FTP programs:

    FTP server and client software:
    • Total Commander
    • cuteFTP
    • Ipswitch
    • SmartFTP
    • Coffeecup Software
    • FTP commander (Pro, Deluxe)
    • FlashFXP
    • FileZilla

    In our case, my mother-in-law was infected by Koobface and the virus got a hold of our website FTP credentials and installed itself on our web servers.

    So if you are/were infected with Koobface make sure to change your passwords for FTP immediately. And if your laptop is still infected, I would uninstall these FTP programs and refrain from logging into your website until the virus is completely removed.

    Thanks,

    Jesse

    Thread Starter justbishop

    (@justbishop)

    Thanks for the info! Not having any issues since my host looked at my .htaccess the second time and found something to fix, so crossing my fingers that it’s all over.

  • The topic ‘Clean 2.8.4 Hacked :(’ is closed to new replies.