• Resolved chowell18

    (@chowell18)


    Just a note to everyone on the forums that my fresh WP 2.7 upgrade was hacked over the weekend. Prior to the site going down, there was a very heavy amount of spam comments… not sure if that was the culprit or not.

    The mischief left the site showing a PHP setting type page w/ user options to upload files to the FTP, etc. Not exactly safe…

    Had to restore** from a previous version to recover the site – re-uploading the files did not work. **Server-level restore (from backup).

    Lesson to everyone – BACKUP your blog or you could lost everything!

    If anyone else has experienced this, I would certainly like to know how to avoid it. For the time being, I have implemented stronger commenting restrictions, changed logins, etc.

Viewing 11 replies - 31 through 41 (of 41 total)
  • Sorry whooami,

    I wasn’t trying to add to your work load ??

    Happy Holidays!

    you too!!

    Thread Starter chowell18

    (@chowell18)

    Thanks for all the help in identifying the “real” problem. I have basically gone through each folder to check if the 2.7 files were there. If other files were present, they got deleted. We’ll see what happens from here.

    I do know one thing… it will surely be nice to get back in Google’s good graces w/ all those shady links off the site now.

    Thanks everyone who commented/contributed.
    (Btw… If you can edit the title, please do so. I honestly do not want to give WP a bad name or rep.)

    If other files were present, they got deleted

    good move.

    chowell18, I experienced a similar hack few months ago when I was running a very old version of WP. Those spam links are probably stored in your database. You will have to go to PHPAdmin, goto right database/table, open each article, remove spam links and then save the article. If you have a clean database backup to restore from then that will make your job easier. But, probably 2.3.3 database will not work with 2.7. So, your options are:

    (1) Stay at WP 2.7 and clean up each article by going to PHPAdmin as described above.
    (2) Go back to WP 2.3.3, restore from clean database backup, upgrade to WP 2.7 once again.

    the spam links were in the footer. they were NOT inside content. Thus, not in the database.

    Thread Starter chowell18

    (@chowell18)

    One thing I did find was a PHP function call in several theme footers.

    The call was for “_wp_footer”, which looks all fine and normal except for the leading underscore which is not normally there.

    I removed these occurences, but I was not able to find where the actual “function” resides. In other words, the footer was requesting something to happen from _wp_footer, but where was it getting its instructions?

    Anyone have a starting point and/or place to look? Or even a way to find it? Note: searching for that string only brought up results in the theme files.

    I’d really like to get this thing entirely wiped off my site, so I appreciate any advice/tips.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    ?????? Advisor and Activist

    You could re-upload all the 2.7 core files (do a delete and upload) just to be safe.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    One thing I did find was a PHP function call in several theme footers.

    Look for “base64” and “eval” in any files at all. You may find it in a couple of WP files, that’s fine. But what you really want to look for is anywhere where it might be there along with a heaping ton of gibberish looking code. Random letters. This is the usual way of hiding code.

    Thread Starter chowell18

    (@chowell18)

    Saw the “base” and “eval” and a bunch of the gibberish in the “Freedomwall” theme footer.php that I had uploaded at one time (it is no longer online).

    The junk code was within a <php> tag and nothing else was in the file, so would it be a correct assumption to say that is part of the source at least?

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    Possibly, yes. I’d remove the theme entirely.

    Themes that attempt to hide code from you are bad. Never use them. Some “premium” theme authors attempt to do this sort of thing to enforce their silly rules (which I consider to be linkspam), but sometimes bad sites insert malicious code into these themes in this way. That code could be a backdoor.

    If you cannot see the code, then it is not trustworthy and should be deleted. Any theme that has code like this should be considered a virus and shot on sight, and then badmouthed in forums to warn users away from it. If you find one of these in the official WordPress theme directory, then report it and it will be removed.

    There’s a plugin that checks themes for this sort of things and reports issues like this: https://builtbackwards.com/projects/tac/ Might be worth using.

Viewing 11 replies - 31 through 41 (of 41 total)
  • The topic ‘WP 2.7 Can Be Hacked… FYI’ is closed to new replies.