• They changed my wp-options siteurl to be an iframe pointing to networkads.net/grep

    The site was not loading correctly so I was able to find this in phpmyadmin.

    I have had a rash of hacks lately and talked to Network Solutions (my host) They tell me all of their wordpress sites are getting banged up, but their servers are clean.

    I use the Bad Behavior plugin with a honeypot key, and that makes me feel a little better. I also use the URL injection technique discussed here:
    https://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/

    Anyone else having problems?
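As an added example (not code from this thread, from WordPress, or from any of the posters), here is a small Python audit for the symptom described above: it checks the `siteurl` and `home` rows of `wp_options` and flags any value that is not a plain absolute http(s) URL, which is exactly how an injected `<iframe>` shows up. The sample rows and the `attacker.invalid` hostname are constructed for the example; in practice the rows would come from `SELECT option_name, option_value FROM wp_options` in phpMyAdmin or a database dump.

```python
"""Audit WordPress wp_options URL settings for injected markup.

Added example, not code from the original thread. It inspects the option
values that a hacked site in this thread had tampered with (siteurl, home)
and flags anything that is not a clean absolute http(s) URL.
Rows are (option_name, option_value) tuples.
"""
import re
from urllib.parse import urlparse

# Options that must hold nothing but a bare site URL.
URL_OPTIONS = ("siteurl", "home")
# Anything that looks like the start of an HTML tag, e.g. "<iframe".
MARKUP = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def check_url_option(value):
    """Return None if value is a clean absolute http(s) URL, else a reason string."""
    if MARKUP.search(value):
        return "contains HTML markup"
    if any(ch in value for ch in "\"'<>"):
        return "contains quote or angle-bracket characters"
    parts = urlparse(value.strip())
    if parts.scheme not in ("http", "https"):
        return f"unexpected scheme {parts.scheme!r}"
    if not parts.netloc:
        return "missing host"
    if parts.query or parts.fragment:
        return "unexpected query string or fragment"
    return None


def audit_options(rows):
    """Return [(option_name, reason), ...] for every URL option that fails the check."""
    findings = []
    for name, value in rows:
        if name not in URL_OPTIONS:
            continue
        reason = check_url_option(value)
        if reason:
            findings.append((name, reason))
    return findings


# Constructed sample rows: one tampered siteurl, one clean home, one unrelated option.
SAMPLE_ROWS = [
    ("siteurl", 'http://example.com<iframe src="http://attacker.invalid/x" width=0 height=0></iframe>'),
    ("home", "http://example.com"),
    ("blogname", "My site"),
]

if __name__ == "__main__":
    for name, reason in audit_options(SAMPLE_ROWS):
        print(f"{name}: {reason}")
```

The markup check runs before the URL parse on purpose: `urlparse` will happily accept a value with an `<iframe>` appended to the path, so a URL-shape check alone is not enough.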

Viewing 15 replies - 31 through 45 (of 150 total)
  • @dugbug

    This has happened several times the same site. Even after I delete all files from the server and upload a fresh install.

    Thread Starter dugbug

    (@dugbug)

    sucuri.net found the back door! It's a post to the simplepressforum plugin. Do any of you have this plugin?

    I'll get back with more info in a bit.

    Thread Starter dugbug

    (@dugbug)

    and by post I don’t mean a forum post, but an HTTP POST. You will never see it.

    Hi Folks,
    Dugbug, thanks for that news; I will pass that on to our folks as well. I work for Network Solutions, and there is some good info on the forums here; this is a helpful discussion. Our support team has been helping customers who have contacted us. Since WordPress gives you the freedom to modify and add plugins, it's very difficult for any hosting company to have controls and restrictions on every WordPress instance hosted. This is the same with any hosting provider.

    In the meantime, you should definitely be doing this:

    1) Change your WordPress administrative password immediately;

    2) Review the list of WordPress users who have access to your account and delete any users you do not recognize;

    3) Update your WordPress account to the most recent version;

    4) Run your security and malware system scans on all computers that are used to access your WordPress account.

    Thanks,

    Shashi

    I’ve used burkestar’s fix to get my site (https://www.runningisfunny.com) at least looking normal again, but although I can finally get to the WP log-in page, I still can’t get it to accept a password – despite resetting it in phpMyAdmin and getting a “lost password” e-mailed to me.

    I don’t even want to think about future hacks until I can at least get to my WordPress dashboard to let my readers know what’s up. Any suggestions?

    Thread Starter dugbug

    (@dugbug)

    Thanks Shashi

    Always good advice. I also use Network Solutions and the Network Solutions Safe Site monitor, so I don’t have to worry, right??
    (joking)

    I knew without finding the attack vector we would be cleaning, hardening, and reinstalling forever without knowing why.

    If it reappears after disabling the forum plugin, I'll post here again to say my apologies and cry into a beer.

    Hi Dugbug

    Keep us posted

    Shashi

    Thread Starter dugbug

    (@dugbug)

    Just an update… another Network Solutions user WITHOUT SimplePress forum just got the identical hack. The sucuri guy is helping more than one of us and is seeing that the only common vector in this seems to be Network Solutions.

    So hold off. DISABLE the simplepress forum as a precaution, but understand this is a bit stranger than first thought.

    Thread Starter dugbug

    (@dugbug)

    @sashilib,

    Can you contact dd [at] sucuri.net so you and he can talk about what you both know? I can only provide tools that are offered through nsHosting (like log files), but maybe you can give him the actual HTTP POST contents. It would go much faster.

    Will do. Thanks, let's connect; my contact info is here: https://about.networksolutions.com

    It looks like it is possible that the upgrade to WP 2.9.2 turned on XML-RPC support and it was exploited by script bots on other sites.

    Found this in the logs:
    208.74.66.xx – – [07/Apr/2010:23:51:21 -0400] “POST /xmlrpc.php HTTP/1.1” 200 497 “-” “SOAP::Lite/Perl/0.710.08”
    It looks like 208.74.66.xx is a host belonging to Centauri Communications in San Francisco. https://www.centauricom.com/

    My suggestion would be to double check in settings writing that XML-RPC is turned off and maybe as an extra precaution disable/move/delete xmlrpc.php.

    On a positive note, once informed Network Solutions quickly patched up the 2.9.2 config and restored the database to a backup from a couple days ago.
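As an added example (not code from this thread or from any of the posters), here is a Python script that parses Apache combined-format access log lines of the shape woodja quoted and reports, per client address, how many POSTs hit `xmlrpc.php`, with which User-Agents and response codes. That is the check a site owner would run after reading the above to see whether the endpoint is still being driven by scripts. The sample lines are constructed with documentation-range addresses; only the request path and the `SOAP::Lite/Perl` User-Agent string come from the log line on this page.

```python
"""Flag XML-RPC POST traffic in an Apache combined-format access log.

Added example, not code from the original thread. Reports, per client IP,
how many POST requests reached /xmlrpc.php, which User-Agents were used
and which status codes came back, so that XML-RPC activity can be checked
against the Settings > Writing switch and the presence of xmlrpc.php.
"""
import re
from collections import defaultdict

# Apache "combined" log format:
# host ident authuser [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def xmlrpc_posts(lines):
    """Return {ip: {"count": n, "agents": set, "statuses": set}} for POSTs to xmlrpc.php."""
    hits = defaultdict(lambda: {"count": 0, "agents": set(), "statuses": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if rec["method"] == "POST" and path.endswith("/xmlrpc.php"):
            entry = hits[rec["ip"]]
            entry["count"] += 1
            entry["agents"].add(rec["ua"])
            entry["statuses"].add(int(rec["status"]))
    return dict(hits)


# Constructed sample log lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Apr/2010:23:51:21 -0400] "POST /xmlrpc.php HTTP/1.1" 200 497 "-" "SOAP::Lite/Perl/0.710.08"',
    '203.0.113.7 - - [07/Apr/2010:23:51:23 -0400] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "SOAP::Lite/Perl/0.710.08"',
    '198.51.100.2 - - [07/Apr/2010:23:52:02 -0400] "GET /index.php HTTP/1.1" 200 8921 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Apr/2010:23:53:10 -0400] "POST /blog/xmlrpc.php?rsd HTTP/1.1" 403 221 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, info in sorted(xmlrpc_posts(SAMPLE_LOG).items()):
        print(f'{ip}: {info["count"]} POST(s) to xmlrpc.php, '
              f'status {sorted(info["statuses"])}, agents {sorted(info["agents"])}')
```

A 200 on a POST to `xmlrpc.php` means the request was processed, which is the case to investigate; a 403 or 404 means the endpoint was already blocked or removed, which is the state woodja's suggestion aims for. Run it against the real log with `xmlrpc_posts(open("access_log"))`.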

    My suggestion would be to double check in settings writing that XML-RPC is turned off and maybe as an extra precaution disable/move/delete xmlrpc.php.

    Thanks for that tip woodja. I was wondering about that file recently after reviewing my logs, which indicated an attempt to access that file.

    If the attack that your sites were affected by was a vector, then that would have been from the server side, would it not?

    Just to add a bit more information to the mix, because my site got hacked, too. Same thing — some HTML inserted into the siteurl field in the wp_options table, and I can’t get to my login page. I hadn’t upgraded to 2.9.2 yet, and the site’s not using SimplePress forum.

    So it’s not just 2.9.2 that is affected, if that helps at all.

    My site njnnetwork.com got hacked yesterday morning. After a series of non-productive tasks all day, Network Solutions admitted they have been hacked on many WordPress sites.

    As of 6 AM Friday morning they are still working on it and don’t have a prediction of when the sites will be working again.

    I cannot restore previous days backups. It’s hard to tell what I should do. I did turn off public access to the site since it was trying to infect anyone who hit the main page.

    Please ensure all sites' public_html (or your www) directories have 750 permissions, not the insecure 755.

    Change the password for your MySQL user and update wp-config. You can recreate the same user with an updated password.

  • The topic ‘SQL attack on wpress 2.9.2’ is closed to new replies.