|Wordpress hacked - 4294967295 number shows up|
Was using version 2.6.5, index.php was tampered
| 6:20 pm on Jan 18, 2009 (gmt 0)|
I'm starting this thread because I have found almost no information about this Wordpress hack attempt.
I discovered the footer of my blog was showing the number 4294967295. Upon inspection, the regular index.php from Wordpress had been tampered with, and this code was added:
ob_start("security_update"); //do not remove this line - important security update!
$update = '4294967295';
if (stristr($buffer, '</html') !== FALSE)
return eregi_replace('</html', $update.'<html', $buffer);
Wordpress 2.6.5 is supposedly a secure version. Needless to say, I updated to WP 2.7, changed all the passwords (cPanel, FTP, email, MySQL and WP users), etc.
Upon audit, it seems that the attacker uploaded the code via FTP (scary!) and I could find no other evidence of tampering. I checked the plugins and users inside the Wordpress database, .htaccess files, etc.
I'm still scared and it's hard to believe that the hacker only did this as a warning or first step towards the second part of the hack (no doubt inserting spammy links, redirecting traffic, etc.)
Do you have any pointers as to what to look for and where?
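Added example (not part of the original post or thread): one way to look for the same tampering elsewhere on the site is to scan every PHP file for the three fragments quoted above. The patterns come from the injected code in the post; the function names, the file extensions checked and the sample tree built in demo() are assumptions made for this illustration.

```python
import os
import re
import tempfile

# Patterns taken from the injected lines quoted in the post above.
INDICATORS = {
    "ob_start security_update callback": re.compile(
        r"ob_start\s*\(\s*['\"]security_update['\"]"),
    "4294967295 marker string": re.compile(r"['\"]4294967295['\"]"),
    "rewrite of closing </html tag": re.compile(r"eregi?_replace\s*\(\s*['\"]</html", re.I),
}

def scan_file(path):
    """Return [(line_number, indicator_name)] for each indicator hit in one file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, 1):
            hits += [(number, name) for name, rx in INDICATORS.items()
                     if rx.search(line)]
    return hits

def scan_tree(root, extensions=(".php", ".phtml", ".inc")):
    """Walk root; return {relative_path: hits} for script files with any hit."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if filename.lower().endswith(extensions):
                full = os.path.join(dirpath, filename)
                hits = scan_file(full)
                if hits:
                    report[os.path.relpath(full, root)] = hits
    return report

def demo():
    """Scan a constructed tree: a tampered index.php and a clean wp-load.php."""
    tampered = "\n".join([
        "<?php",
        'ob_start("security_update"); //do not remove this line',
        "$update = '4294967295';",
        "if (stristr($buffer, '</html') !== FALSE)",
        "return eregi_replace('</html', $update.'<html', $buffer);",
        "require('./wp-blog-header.php');",
    ])
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.php", tampered), ("wp-load.php", "<?php\n")):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__": print(demo())
```

Call scan_tree() on the WordPress document root. These patterns cover only the code quoted in this thread, so comparing the files against a fresh copy of the same WordPress release remains the broader check.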
| 2:01 am on Jan 19, 2009 (gmt 0)|
Check your server log files. Server logs differ by host and OS, so check with your host first. These will usually give you clues and information as to when things were changed and how.
For example, many attacks can be seen in your log that look like site.com/index.php?task=';DROP DATABASE users--
If you see that in your log you know it's a hack attempt, but you might find a system command that was run or FTP information about what happened.
| 5:27 am on Jan 19, 2009 (gmt 0)|
It sounds like you have done the right thing by updating everything and changing the passcodes. This happened to some Joomla users too, so it is not only a Wordpress thing. (reference: [forum.joomla.org...])
My guess is that this is not a malicious hack but rather someone with WAY too much time on their hands wanting to "prove themselves." Probably this particular number was selected because it is the largest number you can store with 32 bits.
| 12:25 pm on Jan 19, 2009 (gmt 0)|
Do you use SFTP instead of plain FTP, which is not secure enough?