Wordpress hacked - 4294967295 number shows up

Was using version 2.6.5, index.php was tampered

     
6:20 pm on Jan 18, 2009 (gmt 0)

Full Member

10+ Year Member

joined:Dec 9, 2002
posts: 234
votes: 0


I'm starting this thread because I have found almost no information about this Wordpress hack attempt.

I discovered the footer of my blog was showing the number 4294967295. Upon inspection, the regular index.php from Wordpress had been tampered with, and this code was added:

    ob_start("security_update"); //do not remove this line - important security update!
    function security_update($buffer)
    {
        $update = '4294967295';
        if (stristr($buffer, '</html') !== FALSE)
        {
            return eregi_replace('</html', $update.'<html', $buffer);
        }
        else
        {
            return $buffer.$update;
        }
    }

Wordpress 2.6.5 is supposedly a secure version. Needless to say, I updated to WP 2.7, changed all the passwords (cPanel, FTP, email, MySQL and WP users), etc.

Upon audit, it seems that the attacker uploaded the code via FTP (scary!) and I could find no other evidence of tampering. I checked the plugins and users inside the Wordpress database, .htaccess files, etc.

I'm still scared and it's hard to believe that the hacker only did this as a warning or first step towards the second part of the hack (no doubt inserting spammy links, redirecting traffic, etc.)

Do you have any pointers as to what to look for and where?
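
A starting point for the "what to look for and where" question, as an added example that is not part of the original posts: a Python scan of a site's PHP files for the ob_start callback pattern and the footer number quoted above. The function names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# ob_start() called with a quoted callback name, the shape of the injected line.
OB_START = re.compile(r"""ob_start\s*\(\s*["']([A-Za-z_]\w*)["']""")
MARKER = "4294967295"  # number shown in the footer; sample value from the post

def scan_php_file(path):
    """Return (line, description) findings for one PHP file."""
    text = Path(path).read_text(errors="replace")
    findings = []
    for match in OB_START.finditer(text):
        name = match.group(1)
        line = text.count("\n", 0, match.start()) + 1
        # A callback defined in the same file matches the injected code's layout.
        local = re.search(r"function\s+%s\s*\(" % re.escape(name), text)
        note = " defined in same file" if local else ""
        findings.append((line, "ob_start callback %r%s" % (name, note)))
    if MARKER in text:
        line = text.count("\n", 0, text.index(MARKER)) + 1
        findings.append((line, "marker %s present" % MARKER))
    return findings

def scan_tree(root):
    """Scan every *.php file under root; return {relative path: findings}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        found = scan_php_file(path)
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report

def build_sample_tree(root):
    """Constructed sample data: a tampered index.php and a clean file."""
    root = Path(root)
    (root / "index.php").write_text(
        '<?php\nob_start("security_update");\n'
        "function security_update($buffer)\n{\n$update = '4294967295';\n"
        "return $buffer.$update;\n}\n")
    (root / "clean.php").write_text("<?php\necho 'hello';\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, found in scan_tree(tmp).items():
            for line, what in found:
                print("%s:%d: %s" % (name, line, what))
```

Matches are leads for manual review rather than proof of tampering, since ob_start with a callback is also a legitimate PHP feature.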

2:01 am on Jan 19, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 7, 2007
posts:46
votes: 0


Check your server log files. Server logs differ by host and OS, so check with your host first. These will usually give you clues and information as to when things were changed and how.

For example, many attacks can be seen in your log that look like site.com/index.php?task=';DROP DATABASE users--

If you see that in your log you know it's a hack attempt, but you might find a system command that was run or FTP information about what happened.

5:27 am on Jan 19, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:May 12, 2007
posts:91
votes: 0


It sounds like you have done the right thing by updating everything and changing the passcodes. This happened to some Joomla users too, so it is not only a Wordpress thing. (reference: [forum.joomla.org...])

My guess is that this is not a malicious hack but rather someone with WAY too much time on their hands wanting to "prove themselves." Probably this particular number was selected because it is the largest number you can store with 32 bits.

12:25 pm on Jan 19, 2009 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts: 4415
votes: 8


Do you use SFTP instead of plain FTP, which is not secure enough?