WordPress Forum

    
New Wordpress Hack?
rogerd (WebmasterWorld Administrator)
Msg#: 4440971 posted 1:22 am on Apr 15, 2012 (gmt 0)

A blog I admin triggered a "Trojan.Malscript.html" warning when I loaded its home page with Norton running. I immediately checked Google Webmaster Tools and a number of web-scanners like AVG and others. They all gave the site a clean bill of health. It was still causing Norton to go off, so I looked at the source code.

I found a link to a javascript file hosted on an Australian "organicfoodmarkets" domain. Digging into the theme files, I found that some had been modified to include a line of code that included "gzinflate(base64_decode" followed by a long string. This was translated into the bogus script load code when the page was displayed.

The odd thing was that the files had apparently been modified over a month earlier, and GWT, along with everyone else, didn't catch it. Another machine running TrendMicro let me load the page without objection.

I think this was most likely a server side hack, i.e., via compromised FTP or WordPress login, vs. some kind of code vulnerability.

So, it's a good idea to keep your eye on file dates and, of course, exercise normal security precautions for logins and passwords. Had it not been for Norton, this might have persisted a lot longer without my knowing it. Checking your files for the base64 code above would disclose an identical exploit, though if the hacker has FTP access any number of nasty things could be done.

 

lorax (WebmasterWorld Administrator)
Msg#: 4440971 posted 2:02 am on Apr 15, 2012 (gmt 0)

Thanks for the info rogerd. I haven't come across this personally but will be looking out for it now.

incrediBILL (WebmasterWorld Administrator)
Msg#: 4440971 posted 2:17 am on Apr 15, 2012 (gmt 0)

"I think this was most likely a server side hack, i.e., via compromised FTP or Wordpress login, vs. some kind of code vulnerability."


My guess is it probably got in via WordPress, as it's always responsible for some vulnerability somewhere, or even via your hosted control panel, as there have been some recent vulnerabilities in those as well.

However, if you're on shared hosting, they could've gotten in on any account, escalated privileges, and performed that little trick server-wide.

rogerd (WebmasterWorld Administrator)
Msg#: 4440971 posted 5:16 pm on Apr 16, 2012 (gmt 0)

The intrusion seems to be confined to a single domain on that VPS. I had some work done on the site a few days before the files changed, and I'm guessing that there was some vulnerability on the coder's end. Even if he wasn't the source, he may have been hacked himself, had his login compromised, etc.

I deleted the coder's credentials once the work was complete and stable, but the intrusion (whether related or not) happened before that deletion.

Could be a coincidence, of course, and I don't rule out other possible hacks.

syedmuddassar
Msg#: 4440971 posted 11:07 am on May 2, 2012 (gmt 0)

I have a website; I was using WordPress, but now I have no website because my website was hacked...

lexipixel (WebmasterWorld Senior Member)
Msg#: 4440971 posted 6:37 am on May 3, 2012 (gmt 0)

Some more info about base64_decode hacks here:
[webmasterworld.com...]

The one I found on a shared hosting server had a "double secret" key file hidden with a non-obvious file extension -- any time the corrupted file was deleted, the second file would replicate it.

Grep is your friend...
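As an added example (not code from this thread, nor anything shipped with WordPress), the script below automates what rogerd and lexipixel describe doing by hand: it greps a WordPress tree for the gzinflate(base64_decode(...)) signature rogerd found in his theme files, decodes each payload offline with base64 plus raw DEFLATE so you can see what it would emit without ever handing it to PHP's eval(), flags files whose extension says "not PHP" but which contain a PHP open tag (the disguised second file lexipixel mentions), and lists anything modified within the last N days, since the file dates were rogerd's only other clue. The site tree, the file names and ages, and the http://example.invalid/x.js script URL are constructed fixtures for the demo, not the domain or files from the thread.

```python
"""Scan a WordPress tree for gzinflate(base64_decode(...)) injections, decode
payloads WITHOUT executing them, and flag recently modified or disguised files.
Added example with a constructed fixture; nothing here comes from the thread."""
import base64
import os
import re
import tempfile
import time
import zlib

# Signature rogerd found in his theme files: base64 -> raw DEFLATE -> eval().
INJECT_RE = re.compile(
    r"gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]"
)
# A PHP open tag inside a file whose extension claims it is not PHP: how a
# "double secret" replicator hides behind a non-obvious extension.
PHP_TAG_RE = re.compile(rb"<\?php|<\?=")
PHP_EXTS = {".php", ".phtml", ".inc"}


def decode_payload(b64: str) -> str:
    """Reverse gzinflate(base64_decode(x)) in Python: base64, then raw DEFLATE.
    wbits=-15 matches PHP's gzinflate(), whose input has no zlib/gzip header."""
    raw = base64.b64decode(b64)
    return zlib.decompress(raw, -15).decode("utf-8", errors="replace")


def scan_tree(root: str, newer_than_days: float = 30.0, now=None) -> list:
    """Walk root and return a list of findings (file, kind, decoded payload)."""
    now = time.time() if now is None else now
    cutoff = now - newer_than_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            text = data.decode("utf-8", errors="replace")
            for m in INJECT_RE.finditer(text):
                try:
                    decoded = decode_payload(m.group(1))
                except (ValueError, zlib.error):
                    decoded = "<undecodable>"
                findings.append({"file": rel, "kind": "gzinflate_base64", "decoded": decoded})
            if os.path.splitext(name)[1].lower() not in PHP_EXTS and PHP_TAG_RE.search(data):
                findings.append({"file": rel, "kind": "php_in_non_php_ext", "decoded": ""})
            if os.path.getmtime(path) > cutoff:
                findings.append({"file": rel, "kind": "recently_modified", "decoded": ""})
    return findings


def build_sample_site(root: str, now: float) -> None:
    """Constructed fixture, not real malware: an injected theme file (10 days
    old), a PHP stub hiding as favicon.ico (2 days old) and a clean, 200-day-old
    stylesheet. The script URL is a placeholder, not the one from the thread."""
    theme = os.path.join(root, "wp-content", "themes", "sample")
    os.makedirs(theme)
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as gzdeflate() emits
    payload = b"echo '<script src=\"http://example.invalid/x.js\"></script>';"
    b64 = base64.b64encode(co.compress(payload) + co.flush()).decode()
    samples = {
        "header.php": (f"<?php eval(gzinflate(base64_decode('{b64}'))); ?>\n<!DOCTYPE html>\n", 10),
        "favicon.ico": ("<?php /* stand-in for a hidden replicator file */ ?>", 2),
        "style.css": ("body { margin: 0 }\n", 200),
    }
    for name, (content, age_days) in samples.items():
        path = os.path.join(theme, name)
        with open(path, "w") as fh:
            fh.write(content)
        t = now - age_days * 86400
        os.utime(path, (t, t))  # backdate so the mtime check has something to say


def run_demo(newer_than_days: float = 30.0) -> list:
    """Build the fixture in a temp dir, scan it, and return the findings."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root, now)
        return scan_tree(root, newer_than_days, now)


if __name__ == "__main__":
    for f in run_demo():
        extra = f"  -> {f['decoded']!r}" if f["decoded"] else ""
        print(f"{f['kind']:20} {f['file']}{extra}")
```

On a real site, point scan_tree at the document root and diff any flagged theme or plugin file against a clean copy from the original distribution; the content check is what catches the hidden replicator that a grep for the extension alone would miss. A clean scan does not prove the site is clean: as rogerd notes, if the attacker has FTP or admin access, anything could have been changed, so rotating every credential is part of the cleanup, not an optional step.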

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved