• Hey Guys, me and a few others run a music news website and over the past week we have been attacked. Our wordpress installation has been hijacked with …PHP eval(base64_decode(‘JGNvZGVsb’)); ? being included in all of our PHP files and many <script=”https://xxxxxx/guidit.php”> being added after the </head> on our pages. After some research I've found out it's a Gamburl virus. We are running the latest stable version of WordPress (2.9.2)

    We’ve done everything, changed FTP and login passwords, restored the site with clean files, started over with a fresh wordpress install and database and have even changed hosting company completely but no matter what we do the virus/hackers just keep coming back.

    I have the following installed;

    Microsoft Security Essentials
    SUPER Anti Spyware
    MalwareBytes
    Ashampoo Firewall

    MSE has always picked up the virus as soon as I try entering the site and find out it's infected; it's good at that. It has always quarantined and deleted the trojan. I've done several scans with SUPER and MalwareBytes too.

    This morning was the 5th time we've been hacked, I just don't understand how they are getting in so easily.

    1) Changed FTP and wordpress user passwords
    2) Clean wordpress install with clean theme files
    3) Changed the database prefix from “_wp” to something else
    4) Disabled comment forms as was told SQL injections can be performed this way
    5) Secured the login form with LoginLockDown plugin
    6) Installed ‘Exploit Scanner’, ‘WordPress Firewall’, WP Security, Anti Virus plugins.

    Followed the steps on here

    It just seems our site is being targeted time and time again by hackers that really do not want to see us online, possibly a rival site. What can I do to stop them hacking us? They seem to be doing it like a breeze. I was told to look at other systems and not use WordPress anymore but I’d rather not get rid of WP as myself and most of the writers really like it.

    Any help will be appreciated.

Viewing 15 replies - 1 through 15 (of 20 total)
  • The constant factor then would be the computers that you are using locally to do uploads etc. I’d guess that one of them has been compromised.

    Thread Starter kargo

    (@kargo)

    Thanks for the reply. I do daily scans with Microsoft Security Essentials and it doesn't pick up anything. The only other person who has FTP access does too, but again it doesn't pick anything up.

    Just a thought, but do you keep using the same theme? Plugins you download from the site and use again? Try to think which files are NOT clean when you started anew.

    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    Can you post up the site url?

    Try checking the footer.php file of the theme you’re using for obfuscated code via ftp (ie, don’t view it through the WP editor).

    Are you using any plugins which are not available from www.remarpro.com?

    Thread Starter kargo

    (@kargo)

    Hey, I've completely wiped the wordpress just to protect the visitors of the site because we do get a lot of visits.

    Well first, the infection happened with another theme, ComfyPro to be precise. So then we did a clean reinstall of wordpress and changed to a custom one and it returned. Whenever we are infected, I don't just replace the files I think are infected, I completely remove wordpress and the database and start new, but after a day or two they strike again.

    All of the plugins we download are from www.remarpro.com. The plugins we were using on the last clean install which we thought was secure enough were

    – WP Security Scan
    – AntiVirus
    – Login Lockdown
    – Exploit Scanner
    – WP Firewall
    – Custom Field Template
    – WP to Twitter

    We’re starting to think that these hackers may be from a rival site as they dont seem to be giving up.

    Something must be left among your files or in the database. If that’s out of the question, you might have a hacked site on your shared server.

    We’re starting to think that these hackers may be from a rival site as they dont seem to be giving up.

    It shouldn’t be that easy…

    Shakhawat

    (@shakhawat_jaheed)

    I was hacked with those codes too. I suggest you clean up your PC from viruses first, and also your partners'. Or re-install windows.

    Possibly you are hacked by c99madshell v. 2.0 madnet edition. Backup your posts/comments from the wordpress export option. DO NOT BACKUP YOUR DATABASE, because sometimes the database contains the virus. Read this topic to get more info.

    Change the cpanel/ftp pass.
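Added example, not from the thread or from any WordPress project: a small Python scanner for the two indicators the posters describe, the eval(base64_decode('...')) line prepended to PHP files and a <script src> tag pulling from a host that is not yours. It covers the earlier advice to check theme files such as footer.php over FTP rather than through the WP editor (run it over a downloaded copy of the whole tree) and the warning just above that the database itself can carry the injected script (run scan_text over a mysqldump or WordPress export). The allowed host example.org, the sample files, the SQL fragment and the decoded payload (a harmless echo, not the thread's JGNvZGVsb… blob) are all constructed for the demonstration.

```python
"""Scan a downloaded WordPress tree (and a DB dump) for the two injection indicators from the thread."""
import base64
import binascii
import os
import re
import tempfile
from typing import Dict, List

# Indicator 1: obfuscated PHP prepended to .php files, e.g. eval(base64_decode('...'));
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)", re.IGNORECASE)
# Indicator 2: a <script src="http(s)://..."> tag loading code from another host
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.IGNORECASE)

# Assumption: hosts whose scripts the site legitimately loads (your own domain, your CDN).
# Every other host found in a <script src> is reported.
ALLOWED_HOSTS = {"example.org"}


def decode_payload(b64: str) -> str:
    """Decode the base64 blob inside eval(base64_decode(...)) so a reviewer can read it.

    PHP's base64_decode tolerates missing padding, so pad before decoding.
    """
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        return base64.b64decode(padded).decode("utf-8", errors="replace")
    except binascii.Error:
        return "<undecodable>"


def scan_text(text: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> List[dict]:
    """Return the findings for one blob of text (a file's contents or a database dump)."""
    findings = []
    for m in EVAL_B64_RE.finditer(text):
        findings.append({"kind": "eval_base64", "payload": m.group(1),
                         "decoded": decode_payload(m.group(1))})
    for m in SCRIPT_SRC_RE.finditer(text):
        url = m.group(1)
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
        if host not in allowed_hosts:
            findings.append({"kind": "foreign_script", "url": url})
    return findings


def scan_tree(root: str, allowed_hosts=frozenset(ALLOWED_HOSTS),
              exts=(".php", ".html", ".htm", ".js")) -> Dict[str, List[dict]]:
    """Walk a downloaded site tree; map each file that has findings to its list of findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                found = scan_text(fh.read(), allowed_hosts)
            if found:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return report


# --- constructed sample data (not taken from the thread) ---------------------------
INJECTED_PHP = 'echo "constructed payload";'  # what the attacker's eval() would run here


def build_sample_site() -> str:
    """Write a tiny WordPress-like tree: a clean index.php, wp-config.php with the eval
    line prepended, and a theme header carrying a foreign script tag. Returns its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    blob = base64.b64encode(INJECTED_PHP.encode()).decode()
    files = {
        "index.php": "<?php\nrequire 'wp-blog-header.php';\n",
        "wp-config.php": f"<?php eval(base64_decode('{blob}')); ?>\n"
                         "<?php\ndefine('DB_NAME', 'wp');\n",
        "wp-content/themes/custom/footer.php": "</body></html>\n",
        "wp-content/themes/custom/header.php":
            '<head><title>site</title></head>\n'
            '<script src="https://xxxxxx/guidit.php"></script>\n'
            '<script src="https://example.org/wp-includes/js/jquery.js"></script>\n',
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


# A constructed fragment of a mysqldump of wp_posts with a script tag stored in post_content.
SAMPLE_DB_DUMP = (
    "INSERT INTO `wp_posts` VALUES (12, 'New single reviewed', "
    "'<p>Great track.</p><script src=\"https://xxxxxx/guidit.php\"></script>');\n"
)


if __name__ == "__main__":
    site = build_sample_site()
    for rel, found in sorted(scan_tree(site).items()):
        for f in found:
            print(rel, f)
    for f in scan_text(SAMPLE_DB_DUMP):
        print("wp_posts dump", f)
```

Pull the whole tree down over SFTP first and scan the local copy: the WP theme editor reads the file through PHP on the compromised server, and the script tag only matches on a src= attribute, so a tag mangled the way the first post shows it would need the pattern widened. A clean scan of the files says nothing about how the attacker got in; as the replies note, reinfection after a full reinstall and password change points at the FTP credentials or the uploading workstation rather than at the theme.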

    @kargo: who is your host? Have you talked to them?

    I guess those of us on shared-hosting services are supposed to be responsible for application-layer security now?

    Sheesh

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I guess those of us on shared-hosting services are supposed to be responsible for application-layer security now?

    Yes. It’s not easy, but there are hosting services that do get it right. My preference is for a VPS but that doesn’t mean shared hosting can’t work safely.

    If you can’t find a shared-hosting that knows what they are doing, then seriously consider moving to a managed blog service like WordPress.COM.

    If you can’t find a shared-hosting that knows what they are doing, then seriously consider moving to a managed blog service like WordPress.COM.

    I need complete commercial and creative flexibility and freedom; we are selling advertising the old-school way. It is a long-term project. Full time.

    I will probably need to go to dedicated hosting of some kind; the issue there, though, is cost and diligently managing the burn rate of my investment capital. I am financing this project and I don't have a money tree in the back yard. The only hope at this point is NS "gets it together" and provides the kind of security customers/end users deserve. If they can't secure their shared hosting they shouldn't even be in the business. Actually this is a wake-up call for all of us.
    There are lots of loose ends that need to be addressed here. Irresponsible blogging is also emerging as a threat now. WordPress probably should have full-time reps teaching and educating these Hosting Services getting into the WordPress game "how to do it right". The WordPress product brand suffers and takes a credibility hit from this kind of stuff happening.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    At the risk of totally going off the OP (and maybe this should be in wptavern space) but here goes.

    WordPress probably should have full time reps teaching and educating these Hosting Services getting into the WordPress game “how to do it right”.

    That’s a nice sentiment, but this is a volunteer open source effort. You, me, and the rest of the volunteers really are it.

    Some hosts get it and some don’t. Commercial Darwinism can’t happen soon enough.

    The WordPress product brand suffers and takes a credibility hit from this kind stuff happening.

    I think the “brand” suffers from the lack of understanding of roles and responsibility. www.remarpro.com is just another collection of PHP scripts running on a server. The server portion can be (maybe) addressed by www.remarpro.com but that’s moving into a space that is outside of the applications space.

    That’s best served by plugins (also maybe) or another script to report on the posture of the server you are running on.

    Just my opinion.

    Well as far as Commercial Darwinism I don’t think of everything as “competition”. You can succeed outside of that realm of duality.

    Anyway, open source is good stuff as long as we don't "self destruct" from out-of-control complexity in the process. Anyway, the common thread here is people are getting hacked from the inside, on hosting servers that reside in the top ten largest providers. We can harden and apply top-notch security all we want, but if the host doesn't have it together, forget it. Then there is the issue of FTP vs SFTP. End users need to know how to securely use this stuff, like FileZilla for example. And at this point I can imagine some shared-hosting bloggers might not even know all that much about their own personal computer security. No offense intended, but if you're not even running a basic firewall/antivirus program and you're using plain FTP or something, ouch!

    I could go on and on and on but I won't.

    I will suggest a different approach to your problem:
    How many people have administration privileges on your site? Are all of them trustworthy? Are they cautious enough to secure their passwords? Are they able to keep their computers "clean"? Next time you re-install wordpress, do it from a clean-formatted PC and keep the administrator role only for yourself. If you can, switch to ubuntu/linux for enhanced security.

    Thread Starter kargo

    (@kargo)

    OK, since I was hacked for the 5th time I have kept WordPress removed from my server. I would really appreciate it if you guys could guide me through what to do. I've tried out some other CMSs, as I was told to move away from WordPress, but I just keep coming back; none of the others do it for me. I really do not want to have to stop using WordPress as it does everything I need and more.

    So, currently I have a clean server. Here is the theme I intend to upload; if anyone could scan it and give me the all clear before I get started it would be much appreciated. https://www.sendspace.com/file/1fopvz

    Thanks

  • The topic ‘Hacked 5 times! :(’ is closed to new replies.