Thread: New WordPress hack?
09-27-2012, 09:59 AM #1 (Aspiring Evangelist; joined Oct 2002; Tel-Aviv, Israel; 436 posts)
New WordPress hack?
Hi,
I have a fresh install of WordPress 3.4.2 with only one template, the default twentyeleven, that was hacked 2 times in the last week. They definitely hacked via the web; there were no FTP or SSH connections to the server. I searched the access log and couldn't find anything suspicious.
Is there a new WordPress hack running around?
Thanks
Guy
Uadm.com - Unix Administration, Security and Support.
http://www.uadm.com
"Unix is user friendly; it's just picky about who its friends are."
09-27-2012, 10:10 AM #2 (Temporarily Suspended; joined Mar 2012; Tampa, FL =); 1,954 posts)
Try streaming the logs offsite to ensure they can't wipe them, to catch them? Was this the only site affected on the server? It's just weird that a new site would randomly be targeted by a 0day twice. Would think that if there was a new exploit, major sites would have been hit by now.
09-27-2012, 10:15 AM #3 (Disabled; joined Aug 2012; 3,105 posts)
First thing I will suggest is to change your database and FTP passwords as soon as possible. Also, please check each and every file/folder of your website and make sure that there is no suspicious content. If you have managed services then consult your hosting provider about this issue. Please keep your local system up to date and regularly scan it using the latest anti-virus software.
Enhance PHP security via mod_security and a firewall like CSF.
09-27-2012, 10:15 AM #4 (Aspiring Evangelist; joined Oct 2002; Tel-Aviv, Israel; 436 posts)
A few sites have been defaced. This is a cPanel server so no cross-site access is possible, and the server wasn't rooted. I only mentioned this one site because, since it's only a basic install, it's easier to debug.
09-27-2012, 10:18 AM #5 (Aspiring Evangelist; joined Oct 2002; Tel-Aviv, Israel; 436 posts)
09-27-2012, 10:23 AM #6 (Disabled; joined Apr 2011; Fairfax, California; 1,226 posts)
This same thing happened to me. My michelstaake.me blog was hacked (I just deleted WordPress and switched to GetSimple CMS)...
I was not running a lot of plugins and only had one, very popular, theme installed.
09-27-2012, 10:25 AM #7 (Temporarily Suspended; joined Mar 2012; Tampa, FL =); 1,954 posts)
09-27-2012, 10:26 AM #8 (Temporarily Suspended; joined Mar 2012; Tampa, FL =); 1,954 posts)
09-27-2012, 10:30 AM #9 (Aspiring Evangelist; joined Oct 2002; Tel-Aviv, Israel; 436 posts)
09-27-2012, 10:40 AM #10 (Disabled; joined Aug 2012; 3,105 posts)
Maybe a clean WordPress installation will help; also strictly follow the suggestions I mentioned earlier. I would also suggest you check your database and make sure that there are no suspicious values inserted.
09-27-2012, 01:12 PM #11 (Web Hosting Master; joined May 2001; Dayton, Ohio; 4,977 posts)
We've noticed a lot of brute force attempts as of late on WP installs, so make sure to change all of your administrator passwords. You might also install a plugin to block brute force attempts and enforce stronger passwords.
09-27-2012, 08:38 PM #12 (Web Hosting Master; joined Aug 2006; 1,171 posts)
Check the URL with Google cache
http://stackoverflow.com/questions/1...-3-4-2-hacking
WebSitePanel / MspControl / SolidCP / Smartermail / Installation / Configuration / Troubleshooting / Migrations
Windows Server Management / Security / Hardening
I speak English and Spanish
09-28-2012, 10:21 AM #13 (Junior Guru; joined Apr 2003; 209 posts)
I will recommend running cxs, maldet and ClamAV through all accounts. Probably someone has a C99shell and was able to get access to your site from another account.
09-28-2012, 11:00 AM #14 (Temporarily Suspended; joined Mar 2012; Tampa, FL =); 1,954 posts)
09-28-2012, 11:43 AM #15 (Web Host Reviewer; joined Feb 2006; Kepler 62f; 16,703 posts)
I've diagnosed at least one odd 3.4.2 exploit in the past month. There was no obviously detectable error outside of WordPress itself. The one I did see is thwarted by nuking your "plugin-editor.php" and "theme-editor.php" files. I'm of the opinion that live editors are dangerous and unnecessary anyway. There's a number of files that should be removed, renamed, or firewalled in general anyway, and these are two of them.
|| Need a good host? || See my Suggested Hosts List || Editorial: EIG/Site5/Arvixe/Hostgator Alternatives ||
09-28-2012, 11:49 AM #16 (Temporarily Suspended; joined Mar 2012; Tampa, FL =); 1,954 posts)
Last edited by TravisT-[SSS]; 09-28-2012 at 11:56 AM.
09-28-2012, 12:27 PM #17 (Problem Solver; joined Mar 2003; California USA; 13,681 posts)
Are you implementing any kind of patching for this issue:
http://forums.cpanel.net/f185/how-pr...rs-202242.html
suPHP and permissions are not enough to prevent it.
Try running:
find /home/*/public_html -type l
Last edited by Steven; 09-28-2012 at 12:32 PM.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
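A fuller version of that check, added here as an example and not Steven's own script: it lists only the symlinks under each account's public_html whose target resolves outside that account's own home, which is the cross-account case the cPanel thread above is about. It assumes the cPanel layout /home/<user>/public_html and builds a throwaway demo tree (constructed sample data, including a fake wp-config.php) so it can be run without touching a live server.

```shell
#!/bin/sh
# Added example, not from the thread. Extends Steven's "find ... -type l":
# report symlinks under each account's public_html whose target resolves
# outside that account's own home, i.e. the cross-account symlink case.
# Assumes a cPanel-style layout <root>/<user>/public_html (root defaults to /home).

find_foreign_symlinks() {
    # Canonicalise the root so targets from readlink -f compare cleanly.
    root=$(readlink -f -- "${1:-/home}" 2>/dev/null) || root="${1:-/home}"
    find "$root"/*/public_html -type l 2>/dev/null | while IFS= read -r link; do
        # The owning account is the first path component below $root.
        rel="${link#"$root"/}"
        user="${rel%%/*}"
        home="$root/$user"
        # readlink -f follows the whole chain; fall back to the raw target
        # when the link dangles so it is still reported.
        target=$(readlink -f -- "$link" 2>/dev/null || readlink -- "$link")
        case "$target" in
            "$home"/*) ;;                          # stays inside the owner's home
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Constructed demo tree (sample data, not a real server): one harmless in-home
# link, one link into another account's wp-config.php, one link to a system file.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/public_html/img" "$d/bob/public_html"
    printf "<?php define('DB_PASSWORD', 'constructed-sample');\n" \
        > "$d/bob/public_html/wp-config.php"
    ln -s "$d/alice/public_html/img" "$d/alice/public_html/images"
    ln -s "$d/bob/public_html/wp-config.php" "$d/alice/public_html/bob.txt"
    ln -s /etc/hostname "$d/alice/public_html/sys.txt"
    printf '%s\n' "$d"
}

# Run against the demo tree with --demo, or against a real root: ./script /home
if [ "${1:-}" = "--demo" ]; then
    r=$(demo_tree)
    find_foreign_symlinks "$r"
    rm -rf "$r"
fi
```

On the demo tree only bob.txt and sys.txt are reported; the in-home images link is silent.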
09-28-2012, 12:34 PM #18 (Aspiring Evangelist; joined Oct 2002; Tel-Aviv, Israel; 436 posts)
09-28-2012, 12:39 PM #19 (Junior Guru; joined Apr 2003; 209 posts)
Indeed, that's the reason I suggested a c99shell traversing your directories.
http://www.raidten.com/followsymlink...vulnerability/
ModSecurity and phpsuexec are not enough to fix this vulnerability. mod_ruid2 should help.
09-28-2012, 12:45 PM #20 (Problem Solver; joined Mar 2003; California USA; 13,681 posts)
09-28-2012, 12:47 PM #21 (Problem Solver; joined Mar 2003; California USA; 13,681 posts)
09-28-2012, 12:54 PM #22 (Aspiring Evangelist; joined Oct 2002; Tel-Aviv, Israel; 436 posts)
Thanks, this link is very informative.
So I read about mod_ruid a little. Are there any concerns when setting it up on cPanel? I read that most users don't use suPHP with it; which should be used, mod_ruid with DSO or suPHP? To be honest, I'd still like to know which script is running at any given time on the server; I don't think it's possible with ruid, and the symlink patch seems to fix the major problem.
Last edited by rcs; 09-28-2012 at 01:03 PM.
09-28-2012, 02:11 PM #23 (Junior Guru; joined Apr 2003; 209 posts)
mod_ruid works the same way as phpsuexec but for HTML files, so HTML files are handled only by their owner. You will see more processes owned by each user and fewer processes owned by user nobody.
09-28-2012, 05:00 PM #24 (Aspiring Evangelist; joined Oct 2002; Tel-Aviv, Israel; 436 posts)
Apparently there is a WP 3.4.2 hack going around, a week old:
http://1337day.org/exploits/19447
But it's a cross-site request vuln, not a direct hack.
09-28-2012, 08:37 PM #25 (Web Hosting Master; joined Nov 2004; Australia; 1,737 posts)
Could well be a symlink hack. This allows a hacker to read the contents of your WordPress config file and see the database user and password.
Change the DB password and change the permissions on the .php files to 600 to prevent future incidents.
You also want to look at Steven's patch mentioned above.
Last edited by brianoz; 09-28-2012 at 08:46 PM.