WARNING - Major attacks on Wordpress sites

Discussion in 'Wordpress' started by dashu1, Mar 17, 2012.

Thread Status:
Not open for further replies.
  1. dashu1 United Kingdom

    dashu1 Well-Known Member

    Joined:
    Nov 2008
    Posts:
    1,110
    Likes Received:
    14
    Hello,
    just wanted to warn you all that there is a major threat to wordpress sites that have outdated versions of wordpress or plugins installed.

    We've just seen over a dozen sites attacked in 2 days across servers, theme providers, and different versions of wordpress.

    Check your files to see if you have a base64 code inserted into the beginning of php files.

    It seems that you can be attacked even if you have the latest version of wordpress installed, old plugins can let them in.

    Not pleasant, but has been useful to us, rather than trying to fix a whole pile of crappy sites we've just killed them off and left a much smaller group of good sites to work on.

    You have to look for a silver lining eh?
     
  3. Systreg

    Systreg Well-Known Member

    Joined:
    Oct 2008
    Posts:
    6,586
    Likes Received:
    96
    What happens in these attacks?
     
  4. boxerdog

    boxerdog Well-Known Member

    Joined:
    Jul 2007
    Posts:
    3,663
    Likes Received:
    33
    I did a search for "phone cases" on bing uk and phone-cases.co.uk looks a bit...........broken :rolleyes:
     
  5. optiweb

    optiweb Active Member

    Joined:
    Feb 2012
    Posts:
    70
    Likes Received:
    2
    They normally just swap the theme index file when they get in, so if you have backups it's usually not so bad.

    Late last year my USA shared host had the entire server hacked - I had around 80 autoblogs on it which all got hacked - I had to send support all my themes so they could replace the index files and all was sorted.

    To help protect yourself stay away from free themes - a lot of nasty code goes into many of them - and only use trusted plug-ins. And of course always backup your sites :)
     
  6. dashu1 United Kingdom

    dashu1 Well-Known Member

    Joined:
    Nov 2008
    Posts:
    1,110
    Likes Received:
    14
    No, on these attacks it is not just 1 file being affected.

    What they are doing is adding base64 code to the front of EVERY php file they can.

    It is very sophisticated, it checks to see if you are a googlebot, yahoobot, etc, a mac user, ie7 user, etc, and has a number of possible agendas.

    It is being reported as a major organised crime attack to push the fake virus software, also seems to add trojans to the site, etc.

    What we've seen is the sites will open okay in chrome and firefox, not at all in IE.

    Check via your ftp - look for any files with very recent dates - 6th & 15th of March seem common - download these into a quarantined folder and check them, look for eval base64 at the beginning of the files.

    If it has the code at the beginning you've been hit.
     
  7. tifosi United Kingdom

    tifosi Well-Known Member

    Joined:
    Oct 2004
    Posts:
    3,128
    Likes Received:
    45
    Making sure your wp files have the correct permissions is essential. I did a plugin install for a client a while back and was astonished at the permissions that the files had, with many having executable or world writable permissions.

    PHP files once uploaded should never be writable by the server; at most they should be 0644 (rw-r--r--) if owned by the user and 0640 (rw-r-----) if owned by the webserver. The installation method and default umask will control this. Config files should be reset to this maximum access level after install.

    Attacks like these search for vulnerabilities such as non-hardened servers & incorrect file permissions.
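    The checks described in the two posts above (an eval/base64 prefix at the start of recently modified php files, and PHP files that are writable or executable) as one added scanner. This is example code written for this thread, not from any poster or plugin; the sample site it builds is constructed, with a harmless placeholder in place of a real payload.

    ```python
    import os, re, stat, tempfile, time
    from pathlib import Path

    # The indicator the thread describes: eval() wrapped around base64_decode() in
    # the first bytes of a PHP file. Only the head is read, so big trees scan fast.
    INJECTED_PREFIX = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)

    def scan_php_file(path, recent_days=14):
        """Return the list of findings for one PHP file; an empty list means clean."""
        findings = []
        st = os.stat(path)
        with open(path, "rb") as fh:
            head = fh.read(2048)
        if INJECTED_PREFIX.search(head):
            findings.append("eval(base64_decode()) near start of file")
        # Policy from the thread: PHP source is at most 0644 (0640 if web-server
        # owned), so group/world write bits or any execute bit are out of policy.
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("group/world writable (mode %04o)" % mode)
        if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings.append("execute bit set (mode %04o)" % mode)
        if time.time() - st.st_mtime < recent_days * 86400:
            findings.append("modified within the last %d days" % recent_days)
        return findings

    def scan_tree(root, recent_days=14):
        """Walk root and map each PHP file that has findings to its findings."""
        root = Path(root)
        report = {}
        for path in root.rglob("*.php"):
            found = scan_php_file(path, recent_days)
            if found:
                report[path.relative_to(root).as_posix()] = found
        return report

    def build_sample_site():
        """Constructed tree: a clean, old theme file and a fresh, writable, injected plugin file."""
        root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
        clean = root / "wp-content" / "themes" / "demo" / "functions.php"
        clean.parent.mkdir(parents=True)
        clean.write_bytes(b"<?php\n// theme helpers\nfunction demo_x() { return 1; }\n")
        os.chmod(clean, 0o644)
        os.utime(clean, (time.time() - 90 * 86400,) * 2)
        bad = root / "wp-content" / "plugins" / "demo" / "index.php"
        bad.parent.mkdir(parents=True)
        # 'UExBQ0VIT0xERVI=' is only base64 of the word PLACEHOLDER, nothing runs.
        bad.write_bytes(b"<?php eval(base64_decode('UExBQ0VIT0xERVI=')); ?>\n<?php\n")
        os.chmod(bad, 0o666)
        return root
    ```

    Point scan_tree at a downloaded copy of a site rather than the live tree, which matches the quarantine-then-inspect approach in the thread.
    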
     
  8. Systreg

    Systreg Well-Known Member

    Joined:
    Oct 2008
    Posts:
    6,586
    Likes Received:
    96
    I only have a few WP sites, and all that techy stuff above is over my head, I don't know how to do backups (not interested in how to either), so if they get hit, they get deleted, simple :)
     
  9. AssetDomains United Kingdom

    AssetDomains Well-Known Member

    Joined:
    Feb 2010
    Posts:
    2,951
    Likes Received:
    52
  10. murph

    murph Well-Known Member

    Joined:
    Dec 2005
    Posts:
    1,075
    Likes Received:
    8
    Hate to say it, but this is why I gave up with CMS scripts altogether. Often you don't need the bloatware anyway. Keep it simple.
     
  11. Aegean

    Aegean Active Member

    Joined:
    Feb 2011
    Posts:
    752
    Likes Received:
    16
    I agree with not always needing a CMS, but there are many professional level CMS systems that have much more sophisticated security than wordpress does. WP is an ultra basic CMS and its very structure makes it vulnerable. I have about 4 WP sites, which run just fine on the latest version, but I don't use it for client work unless they ask for it.
     
  12. MASSEY

    MASSEY Active Member

    Joined:
    Jul 2010
    Posts:
    95
    Likes Received:
    4
    I had some hacked that had been on the old wordpress and with plugins in need of update for around 2 months. It is important as soon as you see the update options to do it there and then. Luckily my hacks were not that bad, just a page added to the site with the guy's hacker name.
     
    Last edited: Mar 18, 2012
  13. Blossom

    Blossom Well-Known Member

    Joined:
    Oct 2010
    Posts:
    1,395
    Likes Received:
    55
    Would recommend installing the Ultimate Security and Bulletproof Security plugins along with Block Bad Queries.
     
  14. murph

    murph Well-Known Member

    Joined:
    Dec 2005
    Posts:
    1,075
    Likes Received:
    8
    Agreed. I take the stance: stay away from very common public scripts as these are regularly targeted for malware hacking etc. Also, forever having to apply security patches and updates is a constant headache avoided if you roll your own :)
     
  15. stender United Kingdom

    stender Well-Known Member

    Joined:
    Nov 2005
    Posts:
    2,489
    Likes Received:
    30
    I've got loads of mentions of base64_decode in one of my plugins, w3-total-cache. I assume these aren't malicious?
     
  16. dashu1 United Kingdom

    dashu1 Well-Known Member

    Joined:
    Nov 2008
    Posts:
    1,110
    Likes Received:
    14
    Hard to tell, some plugins do have it in - have you got a load of code at the top of your other php files?

    It's obviously imperative to keep all plugins and wordpress installs up to scratch, which can be a big headache if you have lots of sites - so I guess the answer is that if you're going to have lots of sites - don't have lots of CMS sites.

    With regards to bulletproof security - I did have a very hardened htaccess file on some of these that was practically the code from BPS with a few extra bits thrown in, and they still got hacked.

    I think if you have vulnerable files then no security plugin will help - like having the best car alarm & security on the market but leaving the car unlocked and the keys in the ignition.

    Anyway, I hope no one else has had problems, it's supposedly an organised crime gang that's doing this to upload trojans and the fake antivirus software, you know the kind of stuff.
     
  17. Brassneck United Kingdom

    Brassneck Well-Known Member

    Joined:
    Apr 2005
    Posts:
    3,097
    Likes Received:
    29
    If you do have lots of sites then you might want to check out www.managewp.com. It's pricey but makes managing updates of everything real easy and quick.

    I've got 400 wordpress installations being managed on it.

    Cheers
    Stephen.
     
  18. retired_member33

    retired_member33 Retired Member

    Joined:
    Apr 2010
    Posts:
    1,464
    Likes Received:
    13
    I keep getting malware/virus error notifications like this:

    # Regular expression match = [decode regex: 1]:

    Where several Header, Footer and other .php files seem to be infected

    # (compressed file: plupload.silverlight.dll) MS Windows Binary/Executable [application/x-winexec]:

    Something about something being wrong with a Silverlight file?

    # ClamAV detected virus = [PHP.Shell-51]:

    bit-64 encryption?

    Anyone familiar with this and know how to solve it?
     
  19. JMOT

    JMOT Well-Known Member

    Joined:
    Feb 2007
    Posts:
    1,012
    Likes Received:
    23
    One of my sites just got hacked and it's being cleaned up and sorted out for me right now.

    Luckily I'd already signed up for Sucuri, here's my link

    It's well worth the money!!
     
  20. dashu1 United Kingdom

    dashu1 Well-Known Member

    Joined:
    Nov 2008
    Posts:
    1,110
    Likes Received:
    14
    Another useful plugin is the exploit scanner.

    In its control panel it gives you the checksum for your wordpress core files, and on their homepage the checksum for WP-whatever version is the latest.

    So you can see if any core wordpress files have been altered. Even changing a letter from a capital to a lower case would give a totally different string, so you can see quickly and easily whether or not your core files have been fiddled with.
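    The core-file checksum comparison described above, as an added example written for this thread rather than the plugin's own code. It assumes a manifest of per-file SHA-256 hashes (the plugin's real checksum format is not given in the thread) and builds a constructed tree that shows the three things a comparison catches: the single-letter case change the post mentions, a deleted core file, and a file dropped into a core directory.

    ```python
    import hashlib, tempfile
    from pathlib import Path

    def sha256_file(path):
        """Hex SHA-256 of a file, read in chunks so large files are fine."""
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def verify_core(root, manifest, core_dirs=("wp-admin", "wp-includes")):
        """Compare a WordPress tree against a manifest {relative path: sha256}.
        Returns the files that changed, that are gone, and PHP files found in the
        core directories that the manifest does not list (candidate dropped files)."""
        root = Path(root)
        result = {"modified": [], "missing": [], "unexpected": []}
        for rel, expected in manifest.items():
            p = root / rel
            if not p.is_file():
                result["missing"].append(rel)
            elif sha256_file(p) != expected:
                result["modified"].append(rel)
        for d in core_dirs:
            for p in (root / d).rglob("*.php"):
                rel = p.relative_to(root).as_posix()
                if rel not in manifest:
                    result["unexpected"].append(rel)
        return result

    def build_sample():
        """Constructed throwaway tree plus its clean manifest, then three kinds of
        tampering: a one-letter case change, a deleted file and a dropped file."""
        root = Path(tempfile.mkdtemp(prefix="wp-core-"))
        pristine = {
            "wp-includes/version.php": b"<?php\n$wp_version = 'x.y.z';\n",
            "wp-admin/index.php": b"<?php\n// admin front page\n",
            "wp-includes/pluggable.php": b"<?php\n// pluggable functions\n",
        }
        manifest = {}
        for rel, data in pristine.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
            manifest[rel] = hashlib.sha256(data).hexdigest()
        (root / "wp-includes/pluggable.php").write_bytes(b"<?php\n// Pluggable functions\n")
        (root / "wp-admin/index.php").unlink()
        (root / "wp-includes/dropped.php").write_bytes(b"<?php\n// not in the manifest\n")
        return root, manifest
    ```
    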
     
  21. steww United Kingdom

    steww Active Member

    Joined:
    Aug 2009
    Posts:
    105
    Likes Received:
    1
    Just a note to watch out, I installed a plugin named "Ultimate Security Checker" to toughen up a wordpress install, about a week later the site had malware, have just cleaned the site and found (I think) that the security plugin contained malware (or at least became infected), here is the clean up report:

    "Site is now clean and malware-free. The following files were compromised and fixed:

    CLEARED: Cleared malware from file: ./wp-content/plugins/ultimate-security-checker/securitycheck.class.php"

    Hope that helps!

    Cheers
     