Code injection problem

  • gkhairallah

    (@gkhairallah)


    13 years ago

    Hello experts,

    I have been having a problem with a hacked instance of WP 3.3.1, and for the past 3 days, and with all the help from existing forum articles regarding the topic, I couldn’t seem to find anything that helped my situation. So I hope that someone will be able to help me here, as I’m out of ideas.

    I am running WP 3.3.1, and a few days ago, all my links started redirecting to a russian site. I noticed that my .htaccess was getting replaced on a frequent basis with one which included redirects, and had redirects especially when coming from referring sites, i.e: google, facebook, and a bunch of other sites.
    The hack also seems to chmod .htaccess to 444 when it changes it. Also, it seems that the code injection is targeting any .htaccess file within my home directory, (even outside the wordpress blog), though I know that the injection is coming from the blog itself, as I just moved it to a new host with nothing else in it, and I got the same infection just as soon as I moved my blog over.

    So far I have replaced the core WordPress files with a clean copy, but the problem is still happening, so I’m suspecting that the problem is either in the plugins directory, themes, or in the database itself. I’m reluctant to mess with those without a specific plan, as I have a lot of data in the tables, and modifications in the theme which I don’t want to lose.

    The things that are worth noting in my instance, is that I have Google Friend Connect enabled for my commenting system, so, unfortunately,the users are obscure, and I’m reluctant to go and just delete all of them, just to test whether the problem is caused by a vulnerable account.

    I have already changed the authentication keys in wp-config.php.

    Another thing I noticed is that if I enable the .htaccess file which enables permalinks, then, links within the site go to the correct location, but if I remove the .htaccess file which has the permalinks, suddenly, my links get redirected to some russian site.
    So I know the code injection is still there and active. Unfortunately, I don’t have enough experience in PHP, or wordpress codex to know where exactly to look. I have tried looking in the link-templates.php, and some other files which I thought could be good candidates, but couldn’t see anything obvious.

    Would anyone be willing to give me some pointers regarding this issue? I’m willing to provide any information needed, I just wasn’t sure what exactly you would need to help with this.
    The website in question is: https://peggyunderpressure.com

    Your help is much appreciated!

Viewing 2 replies - 1 through 2 (of 2 total)
  • David Gard

    (@duck_boy)

    Sounds like someone has really done a number on your site!

    First thing I would do is change my password for the database and for access to PHPMyAdmin/CPanel (how ever you administer your hosting account).

    Next up, I’d recreate .htaccess as I wanted it and chmod 744 all of my files. This will not prevent the site from working, but it will prevent people for adding uploads/plugins for the time being, but that is a small price to pay I think.

    Now I’d go in to the database and check two entries in the wp_options table (siteurl and home) – these should obviously be the URL of your site, so if they are not then they need changing.

    If this stops the problems then great, try and chmod your plugins/uploads folders etc so that you can add them again if you desire, and fingers crossed all will be well.

    If not thoug, now it’s time for the annoying part – if you are sure the problem is not with your host or with the WP core files, then it must be with your custom files or plugins.

    First off I’d disable all the plugins and see if that helps. If so, re-enable them one at a time over a few days and see if anything happens. If so, you can know which is causing it.

    If that still didn’t help then I’m afraid you are going to have to scour your custom files looking for malicous code…

    Thread Starter gkhairallah

    (@gkhairallah)

    Hey Duck – boy, thanks for the reply!

    So, in response to your suggestions:
    The first thing I had actually done was to change all my passwords. I changed database, PHPMyAdmin, CPanel, as well and all my wordpress admin accounts.
    As I had mentioned, My commenting system is through Google Friend Connect, and unfortunately, last night, I discovered that GFC is being retired, well… today ! ?? but I was suspicious on whether one of those accounts (who only have a subscriber role), can be the ones compromising the site? not sure how I’d know. I was looking to see if I can just disable all those accounts, but the only option in WP is to delete them, which I didn’t rush to go and do ??

    Regarding the .htaccess. It’s been recreated, in fact, I have a sync job that runs now when it detects the .htaccess changed. (that’s my work around for now, until I resolve the problem). As for changing the site to 744. I noticed that all my files are already 744, my DIRS are 755 though. So you’re telling me to run a chmod 744 -R * on the root of my wordpress dir? is it easy to revert those back later? I would assume to revert back, I’d have to go back to the directories only, and change those to 755 , while leaving all the rest of the files at 744 (as they are right now anyway)

    wp_options table is unchanged at least as far as the siteurl and home fields go. I had checked this as I was migrating my to the new host.

    So, at least so far, it looks like I have already tried everything you suggested (minus the chmod). By the way, did I mention that the injected code is chmoding 444 .htaccess every time it changes it? it’s driving me bananas!

    Now regarding the plugins. I have tried a couple of things, and maybe you can tell me if my attempt is enough to rule those out.
    Just yesterday I moved hosts, and decided to move every manually, so that I can put the component back one at a time. Initially, I just installed a new clean version of WP, and kept the plugins/uploads/themes folder in a temporary directory outside the WP instance. yet the issue still happened. I had tried to change the themes, so that the active one is not the custom one, and the issue still happened. So.. would that rule out the fact that the plugins directory is where the problem lies?

    Now if it comes down to dealing having to dissect the code, is there something in particular I need to be looking for? I, more or less can understand the PHP code, though I’m not familiar with the wordpress codex, at least not to a point where I can tell a real one from a fake one. I’ve also found some weird obfuscated javascript before, and that’s very easy to find. But I suspect injected code is much harder, as it would look like normal code within one of the php files?
    I was hoping that the behavior I described (clicking on a link) would perhaps help you give me pointers as to which files may contain the injection.

    Also, you haven’t mentioned anything in that’s in SQL. you don’t think the injection can be in there at all? (by looking at the behavior, it doesn’t seem like it’s an SQL injection, but just thought I’d bring it up anyway) .

    Again, thank you very much for your willingness to assist.
    p.s: sorry for the long post.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Code injection problem’ is closed to new replies.