WARNING - Major attacks on Wordpress sites

Hello,
Just wanted to warn you all that there is a major threat to WordPress sites that have outdated versions of WordPress or plugins installed.

We've just seen over a dozen sites attacked in 2 days across servers, theme providers, and different versions of WordPress.

Check your files to see if you have base64 code inserted into the beginning of PHP files.

It seems that you can be attacked even if you have the latest version of WordPress installed; old plugins can let them in.

Not pleasant, but it has been useful to us: rather than trying to fix a whole pile of crappy sites we've just killed them off and left a much smaller group of good sites to work on.

You have to look for a silver lining eh?
 
I did a search for "phone cases" on Bing UK and phone-cases.co.uk looks a bit... broken :rolleyes:
 
They normally just swap the theme index file when they get in, so if you have backups it's usually not so bad.

Late last year my USA shared host had the entire server hacked. I had around 80 autoblogs on it which all got hacked; I had to send support all my themes so they could replace the index files and all was sorted.

To help protect yourself, stay away from free themes (a lot of nasty code goes into many of them) and only use trusted plug-ins. And of course always back up your sites :)
 
No, on these attacks it is not just one file being affected.

What they are doing is adding base64 code to the front of EVERY PHP file they can.

It is very sophisticated: it checks to see if you are a Googlebot, Yahoo bot, etc., a Mac user, IE7 user, etc., and has a number of possible agendas.

It is being reported as a major organised crime attack to push the fake antivirus software; it also seems to add trojans to the site, etc.

What we've seen is that the sites will open okay in Chrome and Firefox, not at all in IE.

Check via your FTP: look for any files with very recent dates (6th & 15th of March seem common), download these into a quarantined folder and check them, looking for eval base64 at the beginning of the files.

If it has the code at the beginning, you've been hit.
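The check described in the post above, as an added example (this is not code from the thread, from WordPress or from any plugin): walk a site tree, look for an eval() wrapped around a base64 payload within the first few kilobytes of each PHP file, and decode the payload to see whether it branches on the User-Agent header the way the post describes. The sample site it builds in a temporary directory is constructed for the demo; the regular expressions and the "first 4096 bytes" window are my assumptions about how the injection looks, not something the thread states.

```python
"""Scan a WordPress tree for an eval(base64_decode(...)) prologue and decode
it. Added example, not code from the thread, WordPress or any plugin."""
import base64
import os
import re
import tempfile

# eval() wrapped around a base64 payload, optionally via gzinflate & co.
# (assumed shape of the injection; adjust if your samples differ)
INJECT_RE = re.compile(
    rb"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*"
    rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]"
)
# User-agent strings a cloaking payload typically branches on
SUSPECT_UA_RE = re.compile(rb"googlebot|yahoo|slurp|bingbot|msie|macintosh", re.I)


def find_prologue(data: bytes, window: int = 4096):
    """Return the base64 payload if the prologue sits in the first `window`
    bytes, else None. Only the head is checked because the attack prepends
    its code. A bare base64_decode() call with no eval() does not match."""
    m = INJECT_RE.search(data[:window])
    return m.group(1) if m else None


def describe_payload(b64: bytes):
    """Decode the payload and report whether it cloaks on User-Agent."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"decoded": False, "ua_check": False, "hits": []}
    hits = sorted({h.decode().lower() for h in SUSPECT_UA_RE.findall(raw)})
    return {"decoded": True, "ua_check": b"HTTP_USER_AGENT" in raw, "hits": hits}


def scan_tree(root: str, newer_than: float = 0.0):
    """List (relative path, mtime, verdict) for every .php file under root
    modified after `newer_than` (epoch seconds) or carrying the prologue.
    verdict is None for files that were listed only because of their date."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            mtime = os.stat(path).st_mtime
            with open(path, "rb") as fh:
                payload = find_prologue(fh.read())
            if payload is None and mtime < newer_than:
                continue
            verdict = describe_payload(payload) if payload is not None else None
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            found.append((rel, mtime, verdict))
    return found


def _write(path: str, data: bytes):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_site(root: str):
    """Constructed sample: a clean core file, a plugin that legitimately calls
    base64_decode() (no eval), and a theme header carrying the prologue."""
    _write(os.path.join(root, "index.php"), b"<?php\nrequire 'wp-blog-header.php';\n")
    _write(os.path.join(root, "wp-content/plugins/cache/cache.php"),
           b"<?php\nfunction cache_decode($s) { return base64_decode($s); }\n")
    payload = (b"if(stripos($_SERVER['HTTP_USER_AGENT'],'googlebot')!==false"
               b"||stripos($_SERVER['HTTP_USER_AGENT'],'MSIE')!==false)"
               b"{echo '<iframe src=\"http://malware.invalid/\" width=0 height=0></iframe>';}")
    _write(os.path.join(root, "wp-content/themes/demo/header.php"),
           b'<?php eval(base64_decode("' + base64.b64encode(payload) + b'")); ?>\n'
           b"<?php\n// original theme header follows\n")


def demo():
    """Build the sample site and return only the files carrying a payload."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    build_sample_site(root)
    return [(p, v) for p, _m, v in scan_tree(root) if v is not None]


if __name__ == "__main__":
    for path, verdict in demo():
        print(path, verdict)
```

Against a real site, run `scan_tree` over the web root with `newer_than` set to the suspicious date so that recently touched files are listed even when the regex misses them; anything the regex does catch should be copied into a quarantine folder and the decoded payload read before the file is restored from backup.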
 
Making sure your WP files have the correct permissions is essential. I did a plugin install for a client a while back and was astonished at the permissions that the files had, with many having executable or world-writable permissions.

PHP files, once uploaded, should never be writable by the server; at most they should be 0644 (rw-r--r--) if owned by the user and 0640 (rw-r-----) if owned by the webserver. The installation method and default umask will control this. Config files should be reset to this maximum access level after install.

Attacks like these search for vulnerabilities such as non-hardened servers & incorrect file permissions.
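An audit for the limits the post above gives (0644 for user-owned PHP files, 0640 for web-server-owned ones), as an added example that is not code from the thread or from WordPress. It reports every PHP file carrying bits beyond its limit and, with `fix=True`, strips those bits and nothing else. The three sample files and their sloppy modes are constructed for the demo; the `web_uid` parameter (the uid of the web server account, looked up from `os.stat`) is my own interface, not something the post describes.

```python
"""Audit (and optionally fix) permission bits on PHP files against 0644 for
user-owned files and 0640 for web-server-owned files. Added example, not code
from the thread or from WordPress."""
import os
import stat
import tempfile

MAX_MODE_USER_OWNED = 0o644   # rw-r--r--
MAX_MODE_WEB_OWNED = 0o640    # rw-r-----


def mode_findings(mode: int, owned_by_webserver: bool = False):
    """Return the list of bits set in `mode` (st_mode, any format bits are
    masked off) that exceed the allowed maximum; [] means the file is fine."""
    limit = MAX_MODE_WEB_OWNED if owned_by_webserver else MAX_MODE_USER_OWNED
    extra = mode & 0o7777 & ~limit
    findings = []
    if extra & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable")
    if extra & stat.S_IWGRP:
        findings.append("group-writable")
    if extra & stat.S_IWOTH:
        findings.append("world-writable")
    if extra & stat.S_IROTH:
        findings.append("world-readable (web-server-owned file should be 0640)")
    if extra & (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX):
        findings.append("setuid/setgid/sticky")
    return findings


def audit(root: str, web_uid=None, fix: bool = False):
    """Walk root; return {relative path: findings} for every .php file that
    exceeds its limit. With fix=True, chmod the file down to the limit (bits
    are only ever removed, never added). web_uid is the uid of the web server
    account; files it owns are held to 0640, all others to 0644."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            web_owned = web_uid is not None and st.st_uid == web_uid
            findings = mode_findings(st.st_mode, web_owned)
            if not findings:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            report[rel] = findings
            if fix:
                limit = MAX_MODE_WEB_OWNED if web_owned else MAX_MODE_USER_OWNED
                os.chmod(path, stat.S_IMODE(st.st_mode) & limit)
    return report


def demo(fix: bool = True):
    """Constructed sample: three files installed with the sloppy modes the
    post describes, then audited and tightened. Returns (before, after)."""
    root = tempfile.mkdtemp(prefix="wpperm-")
    samples = {"wp-config.php": 0o666,                 # world-writable config
               "wp-content/plugins/p/p.php": 0o755,    # executable plugin file
               "wp-includes/load.php": 0o644}          # already correct
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"<?php\n")
        os.chmod(path, mode)
    before = audit(root, fix=fix)
    after = audit(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run it with `fix=False` first and read the report; directories are deliberately left alone, since they need the execute bit to be traversable and have their own rules.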
 
I only have a few WP sites, and all that techy stuff above is over my head. I don't know how to do backups (not interested in how to either), so if they get hit, they get deleted, simple :)
 
Hate to say it, but this is why I gave up with CMS scripts altogether. Often you don't need the bloatware anyway. Keep it simple.
 
Hate to say it, but this is why I gave up with CMS scripts altogether. Often you don't need the bloatware anyway. Keep it simple.

I agree with not always needing a CMS, but there are many professional-level CMS systems that have much more sophisticated security than WordPress does. WP is an ultra-basic CMS and its very structure makes it vulnerable. I have about 4 WP sites, which run just fine on the latest version, but I don't use it for client work unless they ask for it.
 
I had some hacked that had been on the old WordPress, with plugins in need of an update for around 2 months. It is important, as soon as you see the update options, to do it there and then. Luckily my hacks were not that bad, just a page added to the site with the hacker's name.
 
Would recommend installing the Ultimate Security and Bulletproof Security plugins along with Block Bad Queries.
 
Aegean said:
I agree with not always needing a CMS, but there are many professional-level CMS systems that have much more sophisticated security than WordPress does. WP is an ultra-basic CMS and its very structure makes it vulnerable. I have about 4 WP sites, which run just fine on the latest version, but I don't use it for client work unless they ask for it.

Agreed. I take the stance: stay away from very common public scripts as these are regularly targeted for malware hacking etc. Also, forever having to apply security patches and updates is a constant headache avoided if you roll your own :)
 
I've got loads of mentions of base64_decode in one of my plugins, w3-total-cache. I assume these aren't malicious?
 
I've got loads of mentions of base64_decode in one of my plugins, w3-total-cache. I assume these aren't malicious?

Hard to tell; some plugins do have it in. Have you got a load of code at the top of your other PHP files?

It's obviously imperative to keep all plugins and WordPress installs up to scratch, which can be a big headache if you have lots of sites. So I guess the answer is that if you're going to have lots of sites, don't have lots of CMS sites.

With regards to BulletProof Security: I did have a very hardened .htaccess file on some of these that was practically the code from BPS with a few extra bits thrown in, and they still got hacked.

I think if you have vulnerable files then no security plugin will help. It's like having the best car alarm & security on the market but leaving the car unlocked and the keys in the ignition.

Anyway, I hope no one else has had problems. It's supposedly an organised crime gang that's doing this to upload trojans and the fake antivirus software, you know the kind of stuff.
 
If you do have lots of sites then you might want to check out www.managewp.com. It's pricey but makes managing updates of everything real easy and quick.

I've got 400 wordpress installations being managed on it.

Cheers
Stephen.
 
I keep getting malware/virus error notifications like this:

# Regular expression match = [decode regex: 1]:

where several header, footer and other .php files seem to be infected.

# (compressed file: plupload.silverlight.dll) MS Windows Binary/Executable [application/x-winexec]:

Something about something being wrong with a Silverlight file?

# ClamAV detected virus = [PHP.Shell-51]:

bit-64 encryption?

Anyone familiar with this and know how to solve it?
 
One of my sites just got hacked and its being cleaned up and sorted out for me right now.

Luckily I'd already signed up for Sucuri; here's my link.

Its well worth the money!!
 
Another useful plugin is the exploit scanner.

In its control panel it gives you the checksum for your WordPress core files, and on their homepage the checksum for whichever WP version is the latest.

So you can see if any core wordpress files have been altered. Even changing a letter from a capital to a lower case would give a totally different string, so you can see quickly and easily whether or not your core files have been fiddled with.
 
Just a note to watch out: I installed a plugin named "Ultimate Security Checker" to toughen up a WordPress install, and about a week later the site had malware. I have just cleaned the site and found (I think) that the security plugin contained malware (or at least became infected). Here is the clean-up report:

"Site is now clean and malware-free. The following files were compromised and fixed:

CLEARED: Cleared malware from file: ./wp-content/plugins/ultimate-security-checker/securitycheck.class.php"

Hope that helps!

Cheers
 