

All wordpress databases hacked on server




Posted by Kain, 02-13-2013, 07:36 AM
All wordpress sites on my server have had their databases hacked last night. The hack was:
1. changing the title to: +ADw-/title+AD4-Hacked By Tunisian Scammers+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-
2. changing the charset to utf-7 in the options table
3. adding a text widget to the sidebar of sites that have the sidebar activated, to replace the site with the text Hacked By Tunisian Scammers via javascript.
I've seen a lot of sites with this hack on Google. Has anyone ever heard of it and know how to prevent it? All other databases are fine so I'm guessing it's a wordpress problem.
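An added example (not code from any post in this thread): a script that screens a mysqldump of wp_options for the three database changes described above, so each site's backup can be checked before it is restored. The sample dumps are constructed, and wp_option() assumes the row layout that mysqldump's INSERT statements use.

```shell
#!/bin/sh
# Added example: screen a mysqldump of wp_options for the three database changes
# described in the post above. Prints one line per indicator; nothing if clean.

# Pull one option_value out of a mysqldump "INSERT INTO `wp_options`" row,
# honouring mysqldump's backslash escapes (\' \" \\) inside the value.
wp_option() {
    grep -Eo "'$2','([^'\\\\]|\\\\.)*'" "$1" | head -n 1 \
        | sed "s/^'$2','//; s/'\$//"
}

scan_wp_options_dump() {
    # blog_charset switched away from UTF-8: under utf-7, +ADw- renders as <
    charset=$(wp_option "$1" blog_charset)
    case "$(printf '%s' "$charset" | tr 'a-z' 'A-Z')" in
        UTF-8) ;;
        *) echo "CHARSET_CHANGED blog_charset=${charset:-(missing)}" ;;
    esac
    # UTF-7 shift sequences (+A...-) planted in the site title or tagline
    for name in blogname blogdescription; do
        value=$(wp_option "$1" "$name")
        case "$value" in
            *+A[A-Za-z0-9]*-*) echo "UTF7_ESCAPE $name=$value" ;;
        esac
    done
    # a script tag inside the serialised text widgets
    if wp_option "$1" widget_text | grep -qi '<script'; then
        echo "SCRIPT_IN_WIDGET widget_text"
    fi
}

# Constructed sample dumps (not real data): $1 = output path, $2 = defaced|clean.
write_sample_dump() {
    if [ "$2" = defaced ]; then cat > "$1" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'blogname','+ADw-/title+AD4-Hacked By Tunisian Scammers+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-','yes'),(2,'blog_charset','utf-7','yes'),(3,'widget_text','a:1:{i:2;a:1:{s:4:\"text\";s:34:\"<script>/* constructed */</script>\";}}','yes');
EOF
    else cat > "$1" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'blogname','My Site','yes'),(2,'blog_charset','UTF-8','yes'),(3,'widget_text','a:1:{s:12:\"_multiwidget\";i:1;}','yes');
EOF
    fi
}

# Stand-alone: scan the dump given as $1 (from mysqldump), else the defaced sample.
if [ -n "${1:-}" ]; then scan_wp_options_dump "$1"
else sample=$(mktemp); write_sample_dump "$sample" defaced; scan_wp_options_dump "$sample"; fi
```

Run it once per database dump; a clean site prints nothing, so a non-empty result marks a site whose options table needs restoring from a backup taken before the defacement.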

Posted by BlackxxJapan, 02-13-2013, 07:41 AM
Were you updated to the latest version of WordPress? Were your plugins updated?

Posted by Kain, 02-13-2013, 07:44 AM
It was multiple sites (around 20) with different versions and plugins.

Posted by LeaTrueman, 02-13-2013, 08:00 AM
Hello, can you please check the wordpress versions of all those sites? Are they on the latest version, 3.5? Also please check all sites' .htaccess files and confirm whether there is any infected code in them. Also please check index.php of all wordpress sites and confirm whether there is any malicious code. Usually this code will be appended in base64_encoded format. Also please check if your host is running suPHP and, if yes, please confirm the permissions of files/folders. All files should be 644 and folders 755.

Posted by GigaPros - Tapas, 02-13-2013, 08:17 AM
We have seen this happening to some of our clients. And in all those cases the customers installed either a free theme or a free plugin that had an embedded backdoor. Once the backdoor was removed, we did not see any more defacements with those wordpress sites.

Posted by Kain, 02-13-2013, 08:34 AM
hi. It was a database hack only, so no problems with files or .htaccess. There were a couple of older versions but 3.5.1 (latest stable release) was hacked also. We are using suphp and all file and folder permissions seem to be correct. I'm wondering, is there anything at the server security level we should be looking at? I've pasted the permissions for one hacked site's folder below (without the user name):
    drwxr-x--- 7 username nobody 4096 Aug 13 2011 ./
    drwx--x--x 25 username username 4096 Jul 22 2012 ../
    drwxr-xr-x 2 username username 4096 Aug 13 2011 cgi-bin/
    -rw-r--r-- 1 username username 236 Aug 13 2011 .htaccess
    -rw-r--r-- 1 username username 397 Aug 13 2011 index.php
    -rw-r--r-- 1 username username 16899 Aug 13 2011 license.txt
    -rw-r--r-- 1 username username 9202 Aug 13 2011 readme.html
    drwxr-xr-x 5 username username 4096 Jul 12 2011 wordpress/
    -rw-r--r-- 1 username username 4343 Aug 13 2011 wp-activate.php
    drwxr-xr-x 9 username username 4096 Aug 13 2011 wp-admin/
    -rw-r--r-- 1 username username 40243 Aug 13 2011 wp-app.php
    -rw-r--r-- 1 username username 226 Aug 13 2011 wp-atom.php
    -rw-r--r-- 1 username username 274 Aug 13 2011 wp-blog-header.php
    -rw-r--r-- 1 username username 3931 Aug 13 2011 wp-comments-post.php
    -rw-r--r-- 1 username username 244 Aug 13 2011 wp-commentsrss2.php
    -rw-rw-rw- 1 username username 3459 Aug 13 2011 wp-config.php
    -rw-r--r-- 1 username username 3177 Aug 13 2011 wp-config-sample.php
    drwxr-xr-x 6 username username 4096 Aug 14 2011 wp-content/
    -rw-r--r-- 1 username username 1255 Aug 13 2011 wp-cron.php
    -rw-r--r-- 1 username username 246 Aug 13 2011 wp-feed.php
    drwxr-xr-x 8 username username 4096 Aug 13 2011 wp-includes/
    -rw-r--r-- 1 username username 1997 Aug 13 2011 wp-links-opml.php
    -rw-r--r-- 1 username username 2525 Aug 13 2011 wp-load.php
    -rw-r--r-- 1 username username 27601 Aug 13 2011 wp-login.php
    -rw-r--r-- 1 username username 7774 Aug 13 2011 wp-mail.php
    -rw-r--r-- 1 username username 494 Aug 13 2011 wp-pass.php
    -rw-r--r-- 1 username username 224 Aug 13 2011 wp-rdf.php
    -rw-r--r-- 1 username username 334 Aug 13 2011 wp-register.php
    -rw-r--r-- 1 username username 226 Aug 13 2011 wp-rss2.php
    -rw-r--r-- 1 username username 224 Aug 13 2011 wp-rss.php
    -rw-r--r-- 1 username username 9839 Aug 13 2011 wp-settings.php
    -rw-r--r-- 1 username username 18646 Aug 13 2011 wp-signup.php
    -rw-r--r-- 1 username username 3702 Aug 13 2011 wp-trackback.php
    -rw-r--r-- 1 username username 3266 Aug 13 2011 xmlrpc.php

Posted by Kain, 02-13-2013, 08:36 AM
thanks GigaPros, but one of the sites here was using the default 2011 theme with no plugins so I don't think that's the problem.

Posted by WHR-Abner, 02-13-2013, 09:19 AM
Have a look at http://wordpress.org/support/topic/i...isian-spl01t3r Make sure to implement the steps mentioned in there to prevent future hacks.

Posted by Kain, 02-13-2013, 09:30 AM
thanks for that advice, but because it was EVERY wordpress site on the server I'm guessing there's something wrong with the security on the server, not the individual wordpress installations. I don't think the server has been rooted because the exploit only affected wordpress sites; other CMS systems are fine. Any ideas where I should start to look?

Posted by alucasa, 02-13-2013, 10:37 AM
Hard to tell since it's 20 sites with different versions all over. I'd start looking at a site with oldest WP version that has also oldest Plugin versions. Outdated plugins are usually how WP gets hacked. Or alternatively you can move away from WP.

Posted by jasonhk, 02-13-2013, 06:35 PM
If it happened to all WordPress sites on the server then it would be related to the SymLinksIfOwnerMatch issue. You can find the files by watching the output of this find: You will find configuration files symlinked to a user, they use this to read the database files and run a mass change on the settings to insert that widget and change settings.

Posted by WPCYCLE, 02-13-2013, 07:38 PM
Sorry to hear about your issues, and I will say if you're planning on going in on your own, get some coffee. I've said it before and got mixed reviews, but any WP with even the latest theme and everything updated is still open to any form of attack if not secured properly. Also another big risk is putting ALL your WP sites into one account. It "might" be cheaper each month, but very expensive and time-consuming when an issue like this occurs. A few things that you will need to do along with any other suggestions so far:
1. Ask your host to change your user account name and passwords, and if they can, look through previous logs about the issue.
2. See if you have any clean backups. Sometimes such issues could be hidden in backups for months.
3. Look into a reseller account OR make sure each site is locked up tightly. Your account is as strong as your weakest WP site. Even if you secured 19 of your sites, the remaining site could still let someone into the other 19. Although you said server, so you should be able to provision individual accounts for each WP site.
Also look over the security of your server to help prevent this again.

Posted by LampNetworks, 02-13-2013, 09:02 PM
Sounds as if it's a symlink related compromise. Disable FollowSymLinks and allow +SymLinksIfOwnerMatch. Find all accounts with an htaccess file using FollowSymLinks:
find /home -iname ".htaccess" -exec grep -l "FollowSymLinks" {} \;
Assuming a cPanel server, there is a detailed thread on how to fix it at their forum but I can't find the link. Edit: Found link: http://forums.cpanel.net/f185/how-pr...202242-p4.html
Last edited by LampNetworks; 02-13-2013 at 09:09 PM.

Posted by Infinitnet, 02-13-2013, 09:06 PM
If it's all your websites, you should use something like InfiniteWP to make sure to always keep all of them up to date. You should also think about decent mod_security rules, mounting /tmp with noexec, disabling dangerous PHP functions, etc. Just get it hardened and secured properly, so something like that won't happen again in the future. Well, the rest already has been mentioned I think.

Posted by brianoz, 02-14-2013, 07:20 PM
If it's all sites, there's a very good chance it's the symlink exploit which allows one site once exploited to be used to get the DB passwords of all other sites. I've got a page that gives links to the cpanel forum patch mentioned above and also discusses changing permission on wp-config.php files (and other related config files) at http://whmscripts.net/misc/2013/apac...ssue-fixpatch/ Changing permissions on .php files is an instant fix. If changing permissions on the wp-config.php files breaks the site, read up on suphp as the server is pretty much wide open until you switch to either suphp or something similar. The bad news? You'll need to change DB passwords on every single site as the hacker obviously has them now.

Posted by Kain, 02-15-2013, 02:19 PM
Thanks for all the help, I've had a busy time setting permissions and changing passwords. The only symlinks in .htaccess I could find were in Joomla installs; none of the affected sites had that problem. (Options +FollowSymLinks seems to be in most joomla .htaccess files.) My shell commands are a bit dodgy, would this work to change permissions server wide?
find /home -name wp-config.php -exec chmod 600 {} \;

Posted by brianoz, 02-16-2013, 07:50 AM
Great work on the permissions and passwords. It's worth mentioning that the symlinks would be in the account doing the attacking, and have probably been removed long ago. What happens is they compromise one account (the "attacking account") and create symlinks in that account pointing to the wp-config files in other accounts, calling it something like "file.txt". They can then view file.txt in a browser or similar and retrieve the passwords. Unfortunately, FollowSymLinks is not particularly helpful - SymLinksIfOwnerMatches is what needs to be on, and it needs to be enabled in the "attacking account" to stop the attack. The hackers are successfully disabling the settings for some hosts so it needs to be locked on with the apache patch floating around (see my link below). If you say "dodgy" you must be an aussie? Your command would work just fine, although I'd do it as:
find /home -iname '*conf*.php' -print0 | xargs -0 chmod 600
That has several features:
1. changes a much wider range of config files
2. a little faster with the xargs
3. safe with filenames with spaces (which your '-exec' would have been also)
I've published links collating the apache patches and an example crontab file you can drop into /etc/cron.daily to regularly enforce safe permissions on new files at whmscripts.net. There's a slightly faster script there that you can run every hour without affecting machine load; it fixes permissions on the ones that a hacker is more likely to guess. Recently heard that some of the installers try to set safe permissions when doing installs, which is great news. I haven't checked which ones do the right thing yet, nevertheless good news.
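An added example, not code from any poster here, that combines the checks suggested in this thread into one audit: config files readable by other users (the -rw-rw-rw- wp-config.php in Kain's listing), .htaccess files that enable FollowSymLinks (LampNetworks' find), and symlinks in one account that resolve into another account (the "file.txt" trick brianoz describes), followed by the chmod 600 fix. The fixture accounts, paths and function names are constructed for the demonstration; on a real server pass /home as the argument.

```shell
#!/bin/sh
# Added example: audit a shared-hosting tree for the three artefacts this
# thread describes and apply brianoz's chmod 600 fix. Findings print as
# "<KIND> <path>".
# 1. Config files readable by group or others (the -rw-rw-rw- wp-config.php above).
find_world_readable_configs() {
    find "$1" -type f -iname '*config*.php' -perm /044 \
        -exec printf 'WORLD_READABLE %s\n' {} +
}
# 2. .htaccess files enabling FollowSymLinks (LampNetworks' find, labelled).
find_followsymlinks_htaccess() {
    find "$1" -type f -name .htaccess -exec grep -il 'FollowSymLinks' {} + \
        | sed 's/^/FOLLOWSYMLINKS /'
}
# 3. Symlinks in one account that resolve outside that account's directory:
#    the "file.txt -> another account's wp-config.php" trick brianoz describes.
find_cross_account_symlinks() {
    for acct in "$1"/*/; do
        acct="${acct%/}"; [ -d "$acct" ] || continue
        find "$acct" -type l | while IFS= read -r link; do
            target=$(readlink -f "$link" 2>/dev/null) || target=$(readlink "$link")
            case "$target" in
                "$acct"/*) ;;   # stays inside the owning account: legitimate
                *) printf 'CROSS_ACCOUNT_SYMLINK %s -> %s\n' "$link" "$target" ;;
            esac
        done
    done
}
audit_wp_tree() {
    base=$(readlink -f "$1")   # canonical path so the prefix test is reliable
    find_world_readable_configs "$base"
    find_followsymlinks_htaccess "$base"
    find_cross_account_symlinks "$base"
}
# The fix from the thread: owner-only permissions on every config-style PHP file.
fix_config_perms() { find "$1" -type f -iname '*config*.php' -exec chmod 600 {} + ; }
# Constructed fixture: a victim account with a world-readable wp-config.php and an
# "attacking account" holding the FollowSymLinks .htaccess and the cross-account link.
build_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/victim/public_html" "$fx/attacker/public_html"
    echo '<?php define("DB_PASSWORD", "constructed-sample");' > "$fx/victim/public_html/wp-config.php"
    chmod 666 "$fx/victim/public_html/wp-config.php"
    echo 'Options +FollowSymLinks' > "$fx/attacker/public_html/.htaccess"
    ln -s "$fx/victim/public_html/wp-config.php" "$fx/attacker/public_html/file.txt"
    echo "$fx"
}
# Stand-alone: audit the path given as $1 (e.g. /home), or the fixture when none is given.
audit_wp_tree "${1:-$(build_fixture)}"
```

The cross-account check finds links that still exist; as brianoz notes the attacker's links are often removed afterwards, so pair it with the cron-based permission enforcement rather than relying on it alone.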

Posted by vx|brian, 02-16-2013, 08:28 AM
Just an FYI, there might be a script installed on your server that was crawling through all /home folders searching for wp-config.php (or any config file), then later just getting into the database and trashing it like they needed. Guessing the path is fairly easy /home/user/public_html/wp-config.php. I've also noted the PHP file is world readable, might want to take care of that.


