
PHP Server Side Scripting Forum

    
Wordpress hacked - 4294967295 number shows up
Was using version 2.6.5, index.php was tampered
stormy




msg:3828977
 6:20 pm on Jan 18, 2009 (gmt 0)

I'm starting this thread because I have found almost no information about this Wordpress hack attempt.

I discovered the footer of my blog was showing the number 4294967295. Upon inspection, the regular index.php from Wordpress had been tampered with, and this code was added:

ob_start("security_update"); //do not remove this line - important security update!
function security_update($buffer)
{
$update = '4294967295';
if (stristr($buffer, '</html') !== FALSE)
{
return eregi_replace('</html', $update.'<html', $buffer);
}
else
{
return $buffer.$update;
}
}

Wordpress 2.6.5 is supposedly a secure version. Needless to say, I updated to WP 2.7, changed all the passwords (cPanel, FTP, email, MySQL and WP users), etc.

Upon audit, it seems that the attacker uploaded the code via FTP (scary!) and I could find no other evidence of tampering. I checked the plugins and users inside the Wordpress database, .htaccess files, etc.

I'm still scared and it's hard to believe that the hacker only did this as a warning or first step towards the second part of the hack (no doubt inserting spammy links, redirecting traffic, etc.)

Do you have any pointers as to what to look for and where?
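
As an added example (not part of the original post or of any reply), one way to look for this kind of tampering across the whole install: the script below flags PHP files that call ob_start() with a callback function defined in the same file, which is the shape of the injected code quoted above. The function names, the condensed sample strings and the 2000-character body window are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# ob_start() with a quoted function name as its output callback
OB_START = re.compile(r"""ob_start\s*\(\s*(['"])([A-Za-z_]\w*)\1""")

# Constructed samples: the snippet from the post (condensed) and a benign ob_start() use
INJECTED = '''<?php
ob_start("security_update"); //do not remove this line - important security update!
function security_update($buffer)
{
$update = '4294967295';
if (stristr($buffer, '</html') !== FALSE)
{ return eregi_replace('</html', $update.'<html', $buffer); }
else { return $buffer.$update; }
}
'''
BENIGN = "<?php\nob_start('ob_gzhandler');\necho 'hello';\n"

def find_buffer_hooks(source):
    """Find ob_start() callbacks that are defined in the same PHP source."""
    findings = []
    for call in OB_START.finditer(source):
        name = call.group(2)
        # re.I because PHP function names are case-insensitive
        defn = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source, re.I)
        if defn is None:
            continue  # built-in or defined elsewhere, e.g. ob_gzhandler
        body = source[defn.end():defn.end() + 2000]  # rough window over the body
        findings.append({
            "callback": name,
            "line": source.count("\n", 0, call.start()) + 1,
            "touches_closing_tag": re.search(r"</(html|body)", body, re.I) is not None,
        })
    return findings

def scan_tree(root):
    """Map each .php file under root (relative path) to its findings, if any."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_buffer_hooks(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results

if __name__ == "__main__":
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, hits)
```

A hit is a lead to review by hand, not proof of compromise; comparing the flagged files against a fresh copy of the same WordPress release confirms whether they were changed.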

 

xKillswitchx




msg:3829199
 2:01 am on Jan 19, 2009 (gmt 0)

Check your server log files. Server logs differ by host and OS, so check with your host first. These will usually give you clues and information as to when things were changed and how.

For example, many attacks can be seen in your log that look like site.com/index.php?task=';DROP DATABASE users--

If you see that in your log you know it's a hack attempt, but you might find a system command that was run or FTP information about what happened.

techtheatre




msg:3829302
 5:27 am on Jan 19, 2009 (gmt 0)

It sounds like you have done the right thing by updating everything and changing the passcodes. This happened to some Joomla users too, so it is not only a Wordpress thing. (reference: [forum.joomla.org...])

My guess is that this is not a malicious hack but rather someone with WAY too much time on their hands wanting to "prove themselves." Probably this particular number was selected because it is the largest number you can store with 32 bits.

henry0




msg:3829455
 12:25 pm on Jan 19, 2009 (gmt 0)

Do you use SFTP instead of plain FTP, which is not secure enough?
