Sites hacked

Well the hacker does have a point. Palestine needs to be freed from the occupation.

A "save the rainforest" parasite would be pretty entertaining.



So fuck wordpress, I'll uninstall all instances of it. I'm sure on some old ones I don't use there's "admin" as the username.

Now, assuming that's how they got in, I'll avoid doing that again, but now a bit concerned about my custom php/db stuff.

The site that was hacked had some custom php scripts I'd made: one was a mailing list that threw their info into mysql, and an order form that also put the info into a db table and generated an email to my phone. I wasn't really thinking someone could get access to my shit from injecting stuff into the form. Maybe I got lazy and forgot mysql_real_escape_string or something.
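The order-form insert the post describes, written the risky way beside the hardened way. This is an added example, not the OP's code; the table and column names (orders: name, email, item, qty), the database name and the environment variables are assumptions.

```php
<?php
// Added example (not the OP's code): the order-form insert, risky and hardened.
// Table/column names (orders: name, email, item, qty) and env vars are assumptions.
declare(strict_types=1);

// The pattern the thread worries about: form fields pasted into the SQL string.
// The moment one escaping call is forgotten, a quote character in any field rewrites the query.
function insert_order_unsafe(mysqli $db, array $post): bool
{
    $sql = "INSERT INTO orders (name, email, item, qty) VALUES ('{$post['name']}', "
         . "'{$post['email']}', '{$post['item']}', {$post['qty']})";
    return (bool) $db->query($sql);
}

// Hardened version: placeholders keep data out of the SQL text entirely, so there is
// nothing to forget; the input is also validated before it reaches the database.
function insert_order(PDO $db, array $post): int
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $qty   = filter_var($post['qty'] ?? '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($email === false || $qty === false) {
        throw new InvalidArgumentException('invalid order fields');
    }
    $stmt = $db->prepare(
        'INSERT INTO orders (name, email, item, qty) VALUES (:name, :email, :item, :qty)'
    );
    $stmt->execute([
        ':name'  => mb_substr(trim((string) ($post['name'] ?? '')), 0, 100),
        ':email' => $email,
        ':item'  => mb_substr(trim((string) ($post['item'] ?? '')), 0, 100),
        ':qty'   => $qty,
    ]);
    return (int) $db->lastInsertId();
}

// A database and user used only by this form, never the WordPress credentials.
$db = new PDO(
    'mysql:host=localhost;dbname=orders_app;charset=utf8mb4',
    'orders_user',
    (string) getenv('ORDERS_DB_PASS'),
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
$id = insert_order($db, $_POST);
// The phone notification: fixed subject and body only, no raw form fields in mail headers.
mail((string) getenv('ORDER_NOTIFY_TO'), 'New order #' . $id, "Order $id stored.");
```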
 
cross site scripting bro. anything and everything is vulnerable. It's probably not going to be that hard to find it. I sure the hell wouldn't want to scrap everything. You need to look at the patterns. Search and Replace should be your friend. If you wrote your own php scripts you should be able to find the problem. That is if you want to spend some time digging. I don't know how much shit you have on this server, but I think you might spend less time finding and fixing the problem than redoing everything.
 
As long as you didn't use the same database username, password, and/or same mysql database as your Wordpress's settings - there is no real way they can touch the other database or even know about it - unless they had cPanel access. You didn't use the exact same database or mysql settings as your Wordpress did you, they are on separate databases right?!?!
 
I got caught out on a few sites before xmas. I'd left an old copy of revolution slider installed (attached to an inactive theme).

1. Php mailer script installed. Wrecked the email reputation.
2. Fashion directory installed selling fake shit
3. Bunch of others just had malware and back doors added.

Pain in the ass. Learned a lot from it.
 
Just because a plugin is disabled within your Wordpress backend, doesn't mean it cannot be run by someone. People think "disabling" it within Wordpress means disabling its ability to run - that's incorrect. Unless you have removed execution using chmod, I can manually go to http://www.YourSite.com/wp-content/plugins/old-ass-disabled-plugin/file1234.php and run it manually or post directly to it. You have to make sure even your disabled plugins are up to date, or just completely delete them from within your plugin folder.

If a file is on your server, in the public_html directory, and has the chmod command to be executed, it can be executed - period.

TBF - You'd have to be a bit of a mong to use the default directory structure of any common framework, and an even bigger idiot if you hadn't set permissions on files & directories within your web server. To not do so would be akin to Sellotaping your car keys to the window every time you go shopping or park your car anywhere.

Regardless OP - don't confuse an attack on your DB / CMS as intrusion on your server, and equally don't think 'securing your WP site' is in any way securing your server. Start from the ground up - the actual server, then any framework after. You may just be better off nuking the lot - take it offline for a short while, restore a decent backup to a new instance minus the trouble - it's an easy & straight-forward process as you're probably aware.
 
I've seen this one before with a WP site on shared (or low-end VPS, don't remember) hosting. The attack vector turned out to be a twitter plugin.

Another similar one was due to the admin user having the user id (0 or 1) in the mysql db.
 
Same shit happened to me recently, huge time suck. My fault ultimately as I didn't update things like I should have. Fortunately I spread my sites over 4 hosts.

Now I keep everything updated and more importantly, delete what I don't use. As others have stated, deactivation isn't enough. Delete the files for themes and plugins you don't use. Also be sure to not use the admin user. Lastly, back your shit up - you never know. Backup buddy works well. Most hosts are willing to help, may want to ask your host for assistance in making sure it's locked up.
 
Back up regularly. I back up weekly or every time after a notable amount of work was done. Then when you do get hacked, it pretty much happens to everyone using WP at one point or another, you just move to another server or wipe the current one. It's usually far more time consuming to try and repair it and then you still might not have peace of mind for whatever else may have been left behind.
 
Do you use Filezilla? Have you checked your work computer for a virus? Filezilla stores FTP usernames and passwords in plaintext and it's a popular target for viruses. The bots get the bookmark file from Filezilla and then access your sites on your server.

Adding to this, do you use FTP (which sends plaintext user/pass)? Switch to SFTP or at least tunnel through a VPS. Also, if you ever work from cafes on free wifi this is pretty important.
 
Probably a coincidence but some of my sites on stablehost got brute force attacks, user enumeration scans and other shit going on yesterday.


Check your access logs bros.
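A way to act on the "check your access logs" advice for the two things this post names, login brute force and ?author= user enumeration. Added example, not from the thread; the log lines are constructed and the thresholds are assumptions to tune for your own traffic.

```php
<?php
// Added example (not from the thread): scan a combined-format access log for
// wp-login.php brute force and ?author=N user enumeration. Thresholds are assumptions.
declare(strict_types=1);
const LOGIN_POST_THRESHOLD = 20;   // POSTs to wp-login.php from one IP before flagging
const AUTHOR_PROBE_THRESHOLD = 3;  // distinct ?author= ids requested from one IP

function scan_access_log(iterable $lines): array
{
    $logins  = []; // ip => number of POSTs to wp-login.php
    $authors = []; // ip => set of author ids probed via ?author=
    $re = '#^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})#';
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // not a combined-format line
        }
        [, $ip, $method, $path] = $m;
        if ($method === 'POST' && str_starts_with($path, '/wp-login.php')) {
            $logins[$ip] = ($logins[$ip] ?? 0) + 1;
        }
        if (preg_match('#[?&]author=(\d+)#', $path, $a)) {
            $authors[$ip][$a[1]] = true;
        }
    }
    $findings = [];
    foreach ($logins as $ip => $n) {
        if ($n >= LOGIN_POST_THRESHOLD) {
            $findings[] = "$ip: $n POSTs to wp-login.php (brute force?)";
        }
    }
    foreach ($authors as $ip => $ids) {
        if (count($ids) >= AUTHOR_PROBE_THRESHOLD) {
            $findings[] = "$ip: walked ?author= ids " . implode(',', array_keys($ids)) . ' (user enumeration)';
        }
    }
    return $findings;
}

// Constructed sample: one IP hammering the login form, another walking author ids, one normal hit.
$sample = [];
for ($i = 0; $i < 25; $i++) {
    $sample[] = '203.0.113.7 - - [04/Jan/2015:10:00:' . sprintf('%02d', $i) . ' +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"';
}
foreach ([1, 2, 3] as $id) {
    $sample[] = "198.51.100.9 - - [04/Jan/2015:10:05:00 +0000] \"GET /?author=$id HTTP/1.1\" 301 0 \"-\" \"Mozilla/5.0\"";
}
$sample[] = '192.0.2.5 - - [04/Jan/2015:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"';
echo implode(PHP_EOL, scan_access_log($sample)), PHP_EOL;
```

Feed it a real log with `file('access.log', FILE_IGNORE_NEW_LINES)` instead of the constructed array; the two flagged IPs above are the sample's 203.0.113.7 and 198.51.100.9.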
 
I'm getting this feeling everyone is missing the boat on Bluehost? Most shared hosting is not locked down super tight, and often no matter what you do to secure your cms, they're still getting through at the control panel.

I used to have these problems frequently until I switched to dedicated servers.
 
It's just the cheapest bluehost type acct, I've had it for 7+ years so there's a clusterfuck of files not being used. Never realized old abandoned WP installs become a vulnerability.

I just use the upload option when you go to the file manager rather than an FTP program.

I always set up new databases unrelated to the WP ones with a unique admin acct for custom php stuff.
 
SRS? You just leave old abandoned PHP files & DBs lying around online for anyone to have a go at?!!! Not even updating your SQL server?

I'm an atheist (actually anti-theist) but... ON GOD'S GREEN EARTH WHY WOULD YOU DO THAT?!!

To whomever this tag belongs I doff my cap: 'revoke * from shindig'
 
Aside from the WP exploits how the hell do they find them? Like the different domains don't link to each other in any way. Just randomly crawling strings until they get somewhere? In that case the access logs should have a shitload of traffic (haven't checked yet).

Every time I register a domain at BH, I get spammed by Indians slinging web design, is BH selling the info to 3rd parties or are newly registered domains listed somewhere? Wonder if this fucker just patrols "the" list trying to find newly installed WP.
 
They're all shared accounts on Bluehost, correct? That would be how.

Someone probably just signed up for a shared account, ended up on the same box as your domains, and you have insecure file / directory permissions so they were able to modify one (or more) of your files, add a shell, and voila -- full access to your domain.
 
Shit's going to stay hacked until you found out how they got in.

First scan: Sucuri SiteCheck - Free Website Malware Scanner

Then, get something to look for exploits or rootkits. It's shared so you probably don't have much access and it shouldn't be that bad.

Look for what you've already found, <?php shit, and use Wordfence - WordPress Security Plugin to ensure your wordpress core files aren't modified too.

And to answer your question yes, I've installed WP's and within minutes they're trying to exploit mail. It's what they're built to do.
 
Not only them. Lots of shitty registrars and hosters are doing this.

 
Step 1) use WPengine
Step 2) that's it.

I've never had a single site hacked since I switched to them, and if I did I could just call them and they will take care of it. Well worth the extra cash for Wordpress sites.