Hannahro11
asked on
Several Wordpress Blogs Hacked with Outbound Comments HTML Links
Hello,
We need someone to help us fix a Wordpress hack Job where all of the Wordpress sites on our own server have appeared to be hacked by the same breech. This hack is pretty insidious in that it installs hidden outbound links in the stylesheet. Once we hit "approve" to comments it bleeds the blog dry of all page rank (SEO terminology). We do not know how this hole occurred, and we want to fix it on our server. I have attached an example of the hack as it appears in the area compromised. This has occurred on all the blogs in this jail on our server.
The attached file, 'hacked text at bottom of posts.txt', is a sample of what's appended to the post when you view the source - not viewable on the webpage via a browser.
The scond text (php-hack) I've manually replaced all of the php files in the blog and the theme - there had been a block of encrypted stuff at the top of many php scripts, the main php scripts for the theme and the main wp style sheet - attached is a sample of that, too; php-hack.txt
Again, let us know if you can help. php-hack.txt
blog-hack-1.txt
We need someone to help us fix a Wordpress hack Job where all of the Wordpress sites on our own server have appeared to be hacked by the same breech. This hack is pretty insidious in that it installs hidden outbound links in the stylesheet. Once we hit "approve" to comments it bleeds the blog dry of all page rank (SEO terminology). We do not know how this hole occurred, and we want to fix it on our server. I have attached an example of the hack as it appears in the area compromised. This has occurred on all the blogs in this jail on our server.
The attached file, 'hacked text at bottom of posts.txt', is a sample of what's appended to the post when you view the source - not viewable on the webpage via a browser.
The scond text (php-hack) I've manually replaced all of the php files in the blog and the theme - there had been a block of encrypted stuff at the top of many php scripts, the main php scripts for the theme and the main wp style sheet - attached is a sample of that, too; php-hack.txt
Again, let us know if you can help. php-hack.txt
blog-hack-1.txt
Last Comment
ASKER
It is our own server.
ASKER
You are right, this means that the Shell may have been compromised without Cpanel. Or each blog was compromised individually. Strange. What to do. (smile)
My expertise in this sort of ends with WordPress. I've seen these types of hacks before which is why I commented.
You should probably hit Request Attention above and ask the Moderators to resend alerts.
You should probably hit Request Attention above and ask the Moderators to resend alerts.
I took a look at the encoded php file you sent and this what the unencoded version looks like.
/*eoltijfbzgjhmixzqarebwip
Do you still have a copy of that file b88.php? If so can you attach I here? I believe that maybe how they intended on gaining access after the fact, just want to confirm.
/*eoltijfbzgjhmixzqarebwip
Do you still have a copy of that file b88.php? If so can you attach I here? I believe that maybe how they intended on gaining access after the fact, just want to confirm.
ASKER
I am checking with the sever admin and will get right back. Thank you very much for the right question, by the way.
What did they have to say?
ASKER
Hi Russell, he is still looking at it. Sorry long night. (smile)
Is there more encrypted files? Also what version of wordpress is being used? Any specific plugging being used?
ASKER
Yes, I finally got the encrypted files. Attached.
a bit more background...
I had painstakingly removed the encoded stuff from all the php files, so I grabbed a header from a file on a different blog in my network.
the b88.php file exists on this other blog, not on the blog that I attached files for previously.
not sure what to make of that...
but here is the b88.php file
In the same folder there was a mysterious c120.php file and sure enough, when I look at it, it's encoded as well...
so both files are zipped up and attached.
I'll see if I can find one of the old infected files from the original blog (our most pofitable site), I might have kept a copy somewhere.. Also. we are new to Experts-exchange and are sort of interested in who you are (Russell Venable) as we have issues come up all the time.
encoded-header-1.txt encoded-header-1.txt encoded-header-1.txt c120.txt
b88.txt
a bit more background...
I had painstakingly removed the encoded stuff from all the php files, so I grabbed a header from a file on a different blog in my network.
the b88.php file exists on this other blog, not on the blog that I attached files for previously.
not sure what to make of that...
but here is the b88.php file
In the same folder there was a mysterious c120.php file and sure enough, when I look at it, it's encoded as well...
so both files are zipped up and attached.
I'll see if I can find one of the old infected files from the original blog (our most pofitable site), I might have kept a copy somewhere.. Also. we are new to Experts-exchange and are sort of interested in who you are (Russell Venable) as we have issues come up all the time.
encoded-header-1.txt encoded-header-1.txt encoded-header-1.txt c120.txt
b88.txt
Welcome to EE! My Profile pretty much sums it up. I am not sure exactly what you want to know. I will take a look at the files and see what I can come up with.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Hello Russell,
Pretty blown away by this. I will take this to my administrators now and see what they both say. I will get back to you as soon as I have their response. Thanks a lot my friend. Be right back.
Pretty blown away by this. I will take this to my administrators now and see what they both say. I will get back to you as soon as I have their response. Thanks a lot my friend. Be right back.
ASKER
Hi Russell.
I think we are uncomfortable talking about this here. Can you email me at <removed> so we can move forward with your line of reasoning?
Thank you.
My name is also Russell
I think we are uncomfortable talking about this here. Can you email me at <removed> so we can move forward with your line of reasoning?
Thank you.
My name is also Russell
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
I plan on it :)
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Security
Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection. Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.
32K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
Typically what bad guys do is compromise the server via an FTP or shell account and then setup a script that seeks out WordPress (because it is so common) and alters the files there to redirect or display different content.
Is this your own server or is it hosted?