Urgent Wordpress hack help!

Hi all, my site was hacked this evening and I'm trying to re-upload all Wordpress software. However, as soon as I upload the wp-admin and wp-includes folders, the modified date for all the php files in those folders reverts back to the time they were hacked and not the time I uploaded the files.

Also, once new files are uploaded, when I go back to my admin login page it takes me there but via a redirect, with the URL having an extension to it that shouldn't be there.

I'm not that good with this stuff, hacks in the past have just required re-installing all files and plugins but this time round there seems to be a bigger problem.

Any help appreciated asap! :(:(
 
Was it hacked or was it a virus?

If it was a virus do a search on Google for it and someone will have a detailed guide how to remove it and get your site back online.

Or speak to your host and ask if they can restore your server to a time before the hack/virus.
 
I'm not sure, all my php files were modified at the same time this evening and visitors started getting malware warnings.

Usually I just re-install but this time I'm getting the above problem.
 
Um, it's hosted with webfusion, not sure off top of my head.

I've just checked the source code for the blog home page and the nasty extra code that was there is gone, but I'm concerned a lot of my php files still revert to time of hack.

Any help would be appreciated big time!!
 
I've noticed this code is still in the bottom of my blog code when you view source:

<!--stats_footer_test--><script src="http://stats.wordpress.com/e-201037.js" type="text/javascript"></script>
<script type="text/javascript">
st_go({blog:'5341917',v:'ext',post:'0'});
var load_cmc = function(){linktracker_init(5341917,0,2);};
if ( typeof addLoadEvent != 'undefined' ) addLoadEvent(load_cmc);
else load_cmc();
</script>

I have no idea how to remove this though. As stated above half my files revert back to hack time and date when uploaded from fresh.

Really at a loss here so hope you can help... :)
 
Well, no idea what was going on but checking this morning and all my files have now reverted back to the correct modified time i.e. when I re-uploaded them, and not the time of the hack.

No idea what happened there but seems everything is back to normal now!?
 
Ensure you've changed all your passwords (FTP, WP, etc.) and don't use the same password for each.
 
Check if you're running any vulnerable plugins / versions:

http://www.exploit-db.com/search/?a...type=0&filter_port=&filter_osvdb=&filter_cve=

These are public, but the person that did this might have a private entry point..

You can't trust that server anymore, hope you have all the files backed up, time for a fresh start.

Ah sql javascript inject, looks like you are using "Wordpress Events Manager Extended Plugin"

http://www.exploit-db.com/exploits/14923/

http://wordpress.org/extend/plugins/events-manager-extended/ - there is not a new version

[+] ExploiT [1] : If you are allowed to leave a comment:
[+] ExploiT [2] : If you are allowed to book an event:

Disable those features.
 
The code I posted above was from the blog's home page. Someone on another forum suggested that code is part of the tracking code for the WordPress stats plugin and should be there though, so I'm a bit confused to be honest!
 
That above JS code doesn't look malicious. It's on the WordPress domain for starters:

http://stats.wordpress.com


When you say hacked, is the only symptom that the file modified dates have changed?
Cool!

Well, usually when my blog is hacked (if that is the right word?) I first find out either from someone emailing to say they got a virus warning from the site, or notice because my dashboard is all messed up.

This time, the dashboard was fine, but the featured content gallery on my front page stopped working and again I got emails and tweets from people saying a virus warning was coming up again.

The source code was also full of extra code at the top of the page and all the .php files had the same modified date stamp.

As of right now though, there are fresh copies of all files uploaded, the featured content gallery is working again, there appears to be no extra code in the source and finally nobody has reported any problems today.
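
The thread above judges whether the re-uploaded files are clean by their modified dates. File timestamps can be set to any value, so a content comparison against a freshly downloaded copy of the same WordPress release is a more reliable check. The following is an added example, not code from any poster in this thread; the directory names and file contents in `demo()` are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map each file's path relative to root to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, live_root):
    """Return (modified, missing, extra) relative paths, each sorted."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    modified = sorted(p for p in clean if p in live and clean[p] != live[p])
    missing = sorted(p for p in clean if p not in live)
    extra = sorted(p for p in live if p not in clean)
    return modified, missing, extra


def demo():
    """Constructed sample: a two-file 'clean' tree and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-includes" / "version.php").write_text("<?php $v = 1;\n")
            (root / "wp-admin").mkdir()
            (root / "wp-admin" / "index.php").write_text("<?php // admin\n")
        # Tampering: appended code, plus a file the release never shipped.
        with open(live / "wp-admin" / "index.php", "a") as f:
            f.write("/* injected */\n")
        (live / "wp-includes" / "x.php").write_text("<?php // dropped\n")
        # Reset mtime to show that timestamps do not affect the result.
        os.utime(live / "wp-admin" / "index.php", (0, 0))
        return compare_trees(clean, live)


if __name__ == "__main__":
    print(demo())
```

In real use, `compare_trees` would be pointed at an unpacked official release and a downloaded copy of the site's `wp-admin` and `wp-includes` folders; any path in `modified` or `extra` deserves a manual look.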
 