Hacked again.

Details please…

How was it determined to be hacked? (actually I can see that now…)

How strong is your password?

Do you have any other software installed?

Any interesting entries in your apache logs?

Odds are, WordPress is not at fault. What other scripts do you have running? are you on a shared host that does not have open_basedir or safe_mode restrictions on? Have you set unnecessary file permissions like 777 on essential files?

Also who is your host and what have they got to report about the hack? they should be at least willing to help you investigate to find out what they exploited exactly.

Move servers.
https://www.jember.us/showthread.php?s=66a971af692cda1fc3efb9309e390f52&t=61
^^ Those are on the same server as yours, the entire thing is probably under their control and they want to look l33t.

I just got hacked, too. This afternoon. I have 1.5.3.1, am in the process of preparing to upgrade to 1.5.2.

What happened: It looks as tho there was an outage at ipowerweb.com, my hosting service. Everything went down, including their home page. (This also happened during thepower outage in L.A.). Site came up again quickly, within about 10-15 minutse. When my blogs came back up, it looked a bit odd. (rather than header appearing at top, flush, no top margin, it hung down a bit). In about an hour’s time, I had the chance to go to the control panel. Where I got error messages.

Warning: Cannot modify header information – headers already sent by (output started at /home/i2020hin/public_html/wp/wp-includes/wp-db.php:359) in /home/i2020hin/public_html/wp/wp-admin/admin.php on line 10

Same error message, for line 11, 12, 13

It wasn’t until I viewed source that I saw the problem. There is some marquee tag at the top. It begins like this:

<marquee width=1 height=1> and is followed by boatloads of links to spam locations. We’re talking drugs that have letters at begin and end, similar to xerox. Drugs with names of three syllables, beginning with an f sound, but spelled with a p and an h.

The length of the inserted code is about 133,000+ characters.

So that’s what it looks like, and I’m trying to do a fresh install of 1.5.2 in hopes that it goes away. I’ll keep you posted.

Contact their host and give them at least a little grief by having their account terminated although their host doesn’t look that reputable but you can still try.

Also does Jelsoft have any policies about using a vBulletin license to discuss illegal activities? If so contact them and have their vBulletin license revoked as well.

I guess in a loose sense “The Software may not be used for anything that would represent or is associated with an Intellectual Property violation, including, but not limited to, engaging in any activity that infringes or misappropriates the intellectual property rights of others, including copyrights, trademarks, service marks, trade secrets, software piracy, and patents held by individuals, corporations, or other entities.” would apply to hacking and I’m sure Jelsoft wouldn’t appreciate it anyway so they may terminate the license.

Upgrade to 1.5.2 complete. Marquee hack is still taking place. After further investigation, I think it was something that happened to the server. The server vDeck control panel software also has the marquee thing in it. And every single static page has the marquee thing down at the bottom of the page. That, and the hold time for technical support is taking for ever and ever, which means that they must be scrambling like crazy to deal with this (I hope).

p.s. sorry for barging in on this thread with my own situation.

AuntAlias: sounds like something server wide, with a header being inserted through Apache somehow. That sort of thing should be rectified petty much immediately and really shouldn’t happen at a quality host in the first place so I highly recommend looking for another host.

Confirmed by host: it was on that particular server. Not server-farm wide. But my host. Arrgh. Well, I’m off to do what I originally planned to do for the evening. And I still have to wait for them to do whatever to get rid of it. Thanks or your comment, jasone.

I don’t know if anyone is still reading this thread because I haven’t posted again since starting it. It turns out the hackers changed the passwords for my Cpanel and my FTP accounts, so I cannot log in to do anything. It takes my host (Netrillium.net) days to respond to anything, and they don’t have a phone number posted on their website in the spot next to “Phone number:” so I can’t call them. I’m not sure what I’m going to do to fix my site, but I did install a more powerful firewall, and I doubt any hacker will be able to get through. I’m still angry this happened. I might just shut down my site. I don’t have the motivation or time to entirely write another layout for my site, and I haven’t found a pre-made one that I like. Yay. If anyone does read this, write a response, and maybe we can still figure something out.

obvious question:

if you were hacked at the server level and now can not log into your site, my primary question is about the server logs: what was the point of entry?

your host will be able to determine this, or give you access to the logs to figure out the path used.

The real security breech will be found by tracing the footsteps of the exploit.

I’m wondering if it’s your hosts cp, or wordpress, perhaps a plugin, who knows… without seeing where it began, it could really be anything.

Its the hosts cPanel, the point of entrance was a /tmp exploit in cPanel. Read the hackers website and forums, they’re a bunch of script kiddies.

My host reset the passwords for my Cpanel and FTP account, but now I have a new problem. The hacker also changed the password for my WP login, so I used PHPMyAdmin to reset it. Unfortunately, for some reason now my 37report.com/wp-login.php file won’t work. When I try to access it, it redirects me to 37report.com/wp-admin and says the file is not available. Does anyone know why this might be?

Also, I am deleting files that the hacker left behind. In the folder “.trash” there is a file called “.trash_restore” and the file itself says:
“=/home/report/
index.php=/home/report/index.php”
Could I use this file to restore my old index file? Or should I delete it? Is there any way to easily restore everything the way it was?