
Hacked

Discussion in 'Wordpress' started by Admin, Jun 7, 2013.

Thread Status:
Not open for further replies.
  1. Admin

    Admin Administrator Staff Member

    Joined:
    Jun 2004
    Posts:
    11,120
    Likes Received:
    464
    I just had 18 Wordpress sites obliterated by an Algerian hacker.

    They all had Wordfence security plugin etc. so maybe it was a Server level hack rather than Wordpress itself but just alerting you, do your backups

    Admin
     
  3. GreyWing

    GreyWing Well-Known Member

    Joined:
    Aug 2006
    Posts:
    4,033
    Likes Received:
    56
    Sorry to hear that mate, any idea yet how it was done? Nothing worse than not being able to find the problem and having to put them back up knowing they are insecure, but ultimately nothing else can be done at this moment.
     
  4. Admin

    Admin Administrator Staff Member

    Joined:
    Jun 2004
    Posts:
    11,120
    Likes Received:
    464
    Yeah it's a pain, digging through Apache logs now.

    Whenever this happens I always delete the entire account and start again

    Admin
     
  5. Admin

    Admin Administrator Staff Member

    Joined:
    Jun 2004
    Posts:
    11,120
    Likes Received:
    464
    Somehow they changed my Wordpress admin password and were able to login.

    Block this IP from your servers:
    41.200.135.29
     
  6. Skinner

    Skinner Well-Known Member

    Joined:
    Jul 2008
    Posts:
    4,616
    Likes Received:
    140
    I've just run a scan over my WP installs on 1 account, and found an infected blog.

    It's linking to imamasim dot com, and they inserted lots of links for gambling into my content. Only 1 blog on the account infected (but will have to clean install them all), and wouldn't you know it's the only one not set to auto update to the latest wp. They have changed the admin password here too, and added some other files.

    Looks like a long ass weekend, the breach happened on the 4th June around 17:50.
     
  7. Admin

    Admin Administrator Staff Member

    Joined:
    Jun 2004
    Posts:
    11,120
    Likes Received:
    464
    Try to find the IP and block it from your server.

    Install Wordfence plugin and tick all the firewall settings. You can get an alert any time someone logs into the Admin. You can also block invalid usernames.

    Change "Admin" username to something else.

    Sorry you have the same trouble, I have 80 sites still to check :-(
     
  8. Skinner

    Skinner Well-Known Member

    Joined:
    Jul 2008
    Posts:
    4,616
    Likes Received:
    140
    I have about 30-35 to check but only have shell on 1 more account, so lotta manual checks. I'm hoping I remembered to turn on auto updates; I'll add Wordfence into the new installs.

    WP has a login blocker by default now too.

    Good luck, let's hope we are the only ones.
     
  9. retired_member36

    retired_member36 Retired Member

    Joined:
    Jun 2011
    Posts:
    891
    Likes Received:
    17
    Sorry to hear that admin but thanks for giving us the heads up, on with backing them all up now and checking to make sure nothing has been tampered with.

    Has anyone tried this plugin before?
    http://wordpress.org/plugins/limit-login-attempts/

    That would probs be a very good way of securing the admin login if you were on a static ip.
     
  10. mat

    mat Well-Known Member

    Joined:
    Apr 2007
    Posts:
    3,861
    Likes Received:
    111
    Heart Internet now have some captcha type page that comes up if there have been multiple login attempts to wordpress.
     
  11. Admin

    Admin Administrator Staff Member

    Joined:
    Jun 2004
    Posts:
    11,120
    Likes Received:
    464
    My hackers even have a Facebook page where they advertise the sites they just hacked, 10,000 Likes :rolleyes:

    Admin
     
  12. mat

    mat Well-Known Member

    Joined:
    Apr 2007
    Posts:
    3,861
    Likes Received:
    111
    When it happened to me I stalked down the hacker who did it and talked to him on messenger. Was only a kid living in the Middle East. He actually said sorry to me :p They do it for bragging rights like a game.
     
  13. seemly

    seemly Well-Known Member

    Joined:
    Feb 2011
    Posts:
    1,607
    Likes Received:
    493
    The likes are probably from the 10k Facebook accounts they hacked too.
     
  14. Admin

    Admin Administrator Staff Member

    Joined:
    Jun 2004
    Posts:
    11,120
    Likes Received:
    464
    Probably!

    But I do find it incredible that a public company like Facebook hosts this. They have all sorts of bad stuff on their pages, guns, shootings, etc.

    Admin
     
  15. dashu1 United Kingdom

    dashu1 Well-Known Member

    Joined:
    Nov 2008
    Posts:
    1,113
    Likes Received:
    14
    I don't know if this will be of any use whatsoever, it would only help if they get in via your login I think, but if you add the following to your htaccess file:

    <Files wp-login.php>
    order deny,allow
    allow from 127.0.0.1
    allow from 127.0.0.2
    deny from all
    </Files>

    then it's impossible for them to get to the login page.

    You can if you have a static IP address put it in the code above, or change it each time you want to log in if you have a dynamic IP address.

    Worth a try I suppose.
     
  16. Admin

    Admin Administrator Staff Member

    Joined:
    Jun 2004
    Posts:
    11,120
    Likes Received:
    464
    Good idea, thanks

    Admin
     
  17. Admin

    Admin Administrator Staff Member

    Joined:
    Jun 2004
    Posts:
    11,120
    Likes Received:
    464
    Will see how this goes.

    Admin
     
  18. GreyWing

    GreyWing Well-Known Member

    Joined:
    Aug 2006
    Posts:
    4,033
    Likes Received:
    56
    Cheers for that, I looked up something similar and a great idea for joomla users is to drop a .htaccess file inside the /administrator/ directory.

    Containing..............

    Order Deny,Allow
    Deny from all
    Allow from **.***.**.**

    // * = Your IP's

    Looks to work great and cuts out a huge amount of the methods used by hackers.
     
  19. Admin

    Admin Administrator Staff Member

    Joined:
    Jun 2004
    Posts:
    11,120
    Likes Received:
    464
    The method used to get WP Admin password is via SQL injection.

    Badly coded plugins are the cause.

    They use the plugin to reveal the authcode for a password reset, once they have the password reset link (including a valid authcode) they change it to whatever suits them.

    If they cannot get to the wp-login.php page then this method won't work.

    YouTube has videos on this if you want to see more.

    Protect your WP sites now, I am seeing sites with attacks from 15 different countries all trying to get Admin access.

    Admin
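
For anyone digging through Apache logs after an incident like the one described in this thread, the following is an added example (not code posted by any forum member) that flags client IPs which opened a WordPress password-reset link and then logged in. It assumes the Apache combined log format and treats a 302 response to a POST on wp-login.php as a successful login; the log lines, IP addresses and reset key are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache common/combined access-log line: client IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)
RESET_ACTIONS = {"rp", "resetpass"}  # wp-login.php actions that consume a reset key

# Constructed sample lines (documentation IP ranges, placeholder key).
SAMPLE = [
    '203.0.113.7 - - [04/Jun/2013:17:48:02 +0100] "GET /wp-login.php?action=rp&key=CONSTRUCTEDKEY&login=admin HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Jun/2013:17:48:40 +0100] "POST /wp-login.php?action=resetpass&key=CONSTRUCTEDKEY&login=admin HTTP/1.1" 200 1980 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Jun/2013:17:50:11 +0100] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '198.51.100.20 - - [04/Jun/2013:18:02:00 +0100] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '198.51.100.33 - - [04/Jun/2013:18:05:00 +0100] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
]

def find_reset_then_login(lines):
    """Return {ip: [(kind, timestamp), ...]} for clients that requested a
    password-reset URL and later had a POST to wp-login.php answered with 302.
    Lines are expected in chronological order, as Apache writes them."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        url = urlsplit(m["uri"])
        if not url.path.endswith("/wp-login.php"):
            continue
        action = parse_qs(url.query).get("action", [""])[0]
        if action in RESET_ACTIONS:
            events[m["ip"]].append(("reset", m["ts"]))
        elif m["method"] == "POST" and not action and m["status"] == "302":
            if any(kind == "reset" for kind, _ in events[m["ip"]]):
                events[m["ip"]].append(("login", m["ts"]))
    return {ip: ev for ip, ev in events.items()
            if any(kind == "login" for kind, _ in ev)}

if __name__ == "__main__":
    for ip, ev in find_reset_then_login(SAMPLE).items():
        print(ip, ev)
```

A hit only means the reset flow was used from that address, which a legitimate owner also does; compare the timestamps against when the password is known to have changed.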
     
  20. dashu1 United Kingdom

    dashu1 Well-Known Member

    Joined:
    Nov 2008
    Posts:
    1,113
    Likes Received:
    14
    Hi,
    have you got bullet proof security installed?

    It handles a lot of the sql injection stuff and denies access to a lot of files as well.
     
  21. Admin

    Admin Administrator Staff Member

    Joined:
    Jun 2004
    Posts:
    11,120
    Likes Received:
    464
    Been looking at that today, thanks

    Admin
     