
07-11-2010, 04:07 PM
|
|
Newbie
|
|
Join Date: Apr 2010
Location: Bowling Green, KY
Posts: 14
|
|
Wordpress Sites being Hacked?
Hey...
I have been having issues with sites on my dedicated server being hacked through Wordpress...
Example - http://www.adamupdegraffmusic.com/
Any ideas, threads, forums on how to stop this from happening through Wordpress...
Please let me know! Thanks!
Wes
|

07-11-2010, 04:10 PM
|
|
Newbie
|
|
Join Date: Apr 2010
Location: Bowling Green, KY
Posts: 14
|
|
Also..
They are only changing or adding to the index.php page... No other files have been messed with. Any help please.
Wes
|

07-12-2010, 01:52 AM
|
|
I like ice cream
|
|
Join Date: Mar 2003
Location: California USA
Posts: 11,613
|
|
Are you sure it's through WordPress and not through a compromised FTP account?
Are you running the latest version of WordPress and plugins?
|

07-12-2010, 04:03 AM
|
|
Newbie
|
|
Join Date: Apr 2010
Location: Bowling Green, KY
Posts: 14
|
|
Hey,
These are the reports I am receiving... Could be through FTP though... But they are only changing index.php... Starting to get really annoying.
|

07-12-2010, 05:09 AM
|
|
Web Hosting Master
|
|
Join Date: Jul 2009
Posts: 1,492
|
|
If the index page has been replaced, it's mostly that the server is hacked and has malicious scripts on it which are replacing the index files of the websites. It's an old and common type of hacking method where the hackers upload the files under /tmp or /var/tmp using a hacked application of an account and then execute the files.
Change the FTP password of your account just in case AND ask the hosting provider to check the logs and whether the server has any malicious scripts running on it.
|

07-12-2010, 05:27 AM
|
|
Web Hosting Master
|
|
Join Date: Oct 2004
Location: Kerala, India
Posts: 4,617
|
|
I can see your server has got cPanel installed. You need to check the domlog files of the domain to see what activity has taken place. There can be a c99 attack also. If that is the case, they can crack the password of a website with a relatively loose password and place symlinks to the WordPress conf files and read the db name and password. Also they can upload files.
There is no modsecurity installed on your server. Take the following URL and you can see it's not blocking.
Code:
http://yourserver_IP/bin
You can add custom rules to modsec to prevent these kinds of attacks.
__________________
David | www.cliffsupport.com
Affordable Server Management Solutions sales AT cliffsupport DOT com
iWebManager | Access WHM from iPhone and Android
|

07-12-2010, 05:27 AM
|
|
Web Hosting Guru
|
|
Join Date: Jul 2006
Location: On top of the Servers
Posts: 316
|
|
Quote:
Originally Posted by madaboutlinux
If the index page has been replaced, it's mostly that the server is hacked and has malicious scripts on it which are replacing the index files of the websites.
|
Unfortunately, I don't agree with this. If the index pages of *only* a few websites have been injected with virus code, I would guess the particular account is compromised, and not the server itself, due to a vulnerable application on its website, or the PC of the OP was infected with a virus through which the attacker got the login info for this account.
Reset the password, upgrade all applications to the latest version free of security bugs, and never use the account password as any other password associated with the account. That should prevent any such issues in the future.
|

07-12-2010, 11:42 AM
|
|
Newbie
|
|
Join Date: Apr 2010
Location: Bowling Green, KY
Posts: 14
|
|
Hello,
Thanks for all the replies... Yeah, it does not seem like the entire server is hacked... Only a few accounts which are running WordPress. I ran a clamscan and did notice quite a few reports which I am removing now.
Thank you all!
Wes
|

07-13-2010, 03:05 AM
|
|
Web Hosting Master
|
|
Join Date: Mar 2009
Posts: 968
|
|
Hi,
I suggest you get your server secured right away. If it was hacked once and the security hole was not fixed, then there is a possibility that it will be hacked again.
I recommend you contact a server management company and get your server secured immediately. Also ask them why the server was hacked. They might be able to provide you with the exact reason after examining the log files.
|

07-13-2010, 04:41 PM
|
|
Aspiring Evangelist
|
|
Join Date: May 2006
Location: World Wide Web
Posts: 380
|
|
Quote:
Originally Posted by Steven
Are you sure it's through WordPress and not through a compromised FTP account?
Are you running the latest version of WordPress and plugins?
|
Spot on Steven.
@Pwperry:
We have seen many WordPress blogs running older versions when it hardly takes a click to upgrade these. We need to make use of the updates from the WordPress development RSS feeds and do it as soon as they release a new one. I mean, it is not hard at all.
FTP compromise is a different thing altogether. You could check the modified file timestamp and check it against the FTP logs for malicious activity. You're sure to find something if that is the case.
I suggest you hire an admin for an hour and get it fixed quickly before it spreads!
__________________
LogicSupport.com - Support That Makes Sense! 
Quality Server Management & Web Hosting Support
|

07-14-2010, 12:59 PM
|
|
WHT Addict
|
|
Join Date: Oct 2008
Location: Chicago, IL
Posts: 158
|
|
You can't always go by the file timestamp. Many of the recent backdoors (shells) we've been seeing include a feature that "touches" the file and sets the timestamp to the same thing as something already in that folder, or it sets all the files to something different.
I agree with Steven and logicsupport on the compromised FTP account. You might also have a backdoor (shell) script on your site that the hackers will use to re-infect your site after the FTP passwords have been changed.
The virus that steals the FTP passwords works by either finding the plain text file that many free FTP programs use to store their saved login credentials, or by "sniffing" the outgoing FTP traffic. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see and steal the password. It then sends the login information to a server which then infects the website(s).
First, change all FTP passwords as has been recommended already (TechBrein, madaboutlinux), then, if you're using a free FTP program or your clients are, suggest using WS_FTP by Ipswitch. It encrypts the stored password so it can't be used as easily.
Next, switch to SFTP. Unlike FTP, SFTP is encrypted so it can't be sniffed.
Then, be sure you've removed all backdoors. It's not so easy to spot them, just look for files that don't belong there.
Post back if you need further help...
|
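The timestamp-versus-FTP-log check discussed in the last two posts, as an added example that is not part of any post in the thread. It assumes the FTP server writes xferlog-format entries and a Linux filesystem where `st_ctime` is the inode change time (which a "touch" of the modification time resets to the present); the log lines, addresses and account name are constructed.

```python
import os
from datetime import datetime

def parse_xferlog(lines):
    """Return completed uploads from xferlog-format lines as dicts."""
    uploads = []
    for line in lines:
        f = line.split()
        if len(f) < 18 or f[-7] != "i" or f[-1] != "c":
            continue  # keep only incoming ("i") transfers that completed ("c")
        try:
            when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # not an xferlog line
        uploads.append({"when": when, "host": f[6],
                        "path": " ".join(f[8:-9]), "user": f[-5]})
    return uploads

def audit(path, log_lines, logged_as=None, window=120):
    """Compare a file's timestamps with FTP uploads of that file.

    logged_as: the path as it appears in the log (assumption: defaults to
    the filesystem path; chrooted FTP servers may log a relative path).
    """
    st = os.stat(path)
    mtime = datetime.fromtimestamp(st.st_mtime)
    ctime = datetime.fromtimestamp(st.st_ctime)
    uploads = [u for u in parse_xferlog(log_lines)
               if u["path"] == (logged_as or path)]
    def near(u):
        return min(abs((u["when"] - t).total_seconds())
                   for t in (mtime, ctime)) <= window
    return {
        # ctime well after mtime: mtime was set back, or the file was
        # chmod'ed/renamed later, so mtime alone is not trustworthy.
        "backdated": (ctime - mtime).total_seconds() > window,
        "uploads": uploads,
        "matching": [u for u in uploads if near(u)],
    }

# Constructed sample log (documentation addresses, made-up account name).
SAMPLE_LOG = [
    "Mon Jul 12 03:14:07 2010 1 203.0.113.7 4821 /home/example/public_html/index.php a _ i r example ftp 0 * c",
    "Mon Jul 12 03:15:40 2010 1 198.51.100.23 912 /home/example/public_html/style.css a _ o r example ftp 0 * c",
    "Mon Jul 12 03:16:02 2010 2 203.0.113.7 4821 /home/example/public_html/index.php a _ i r example ftp 0 * i",
]

if __name__ == "__main__":
    for u in parse_xferlog(SAMPLE_LOG):
        print(u["when"], u["host"], u["user"], u["path"])
```

A non-empty `matching` list points at an FTP login as the source of the change; an empty one with `backdated` false suggests the file was written by something running on the server instead.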