Wordpress Site Hacked !

With WordPress, use a plugin called Login Lockdown. Set the number of login attempts to 3. Set the lockout time limit to 1000 minutes, or longer if you want. What I have found is that if the hacker is trying to gain access through some sort of SQL injection or any other hack method, Login Lockdown still detects the IP address and they are locked out. All they will see is a white screen.

If a detection and lockdown occurs, the plugin sends you an email so you may quickly make sure your site is OK.
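The same "three strikes" threshold, applied from the web-server access log instead of inside WordPress, as an added example that is not from the thread or the Login Lockdown plugin. It counts POST requests to wp-login.php that came back with a 200 (WordPress re-renders the form on a failed login and redirects with 302 on success); the log lines are constructed samples in Apache combined format.

```shell
#!/bin/sh
# Added example, not code from the thread or the plugin. Flags client IPs whose
# failed logins to wp-login.php reach a threshold, using the access log only.
# A failed WordPress login is a POST to wp-login.php answered with HTTP 200;
# a successful one is answered with a 302 redirect. Log lines are constructed.

SAMPLE_LOG='203.0.113.7 - - [10/May/2012:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "curl/7.22"
203.0.113.7 - - [10/May/2012:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "curl/7.22"
203.0.113.7 - - [10/May/2012:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "curl/7.22"
198.51.100.4 - - [10/May/2012:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2012:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read an access log on stdin and print "ip count" for every IP whose failed
# logins reach $1 (default 3, matching the plugin setting above).
# Returns 1 when at least one IP is flagged, 0 otherwise.
flag_login_bruteforce() {
  threshold=${1:-3}
  awk -v t="$threshold" '
    # $1 = client IP, $6 = "METHOD (with opening quote), $7 = path, $9 = status
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
    END {
      for (ip in fails) if (fails[ip] >= t) { print ip, fails[ip]; hit = 1 }
      exit (hit ? 1 : 0)
    }'
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 3
# On a live host: flag_login_bruteforce 3 < /var/log/apache2/access.log  (path is an assumption)
```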
 
On the phone with godaddy yesterday and they informed me my wp blog was infected going back to 2010. Mind you I'd only made about 4 posts in that time. Upon further inquiry they said the infection likely came from a couple themes I downloaded but never used.
 
On the phone with godaddy yesterday and they informed me my wp blog was infected going back to 2010.

I have a feeling there are a lot of WordPress blogs out there that are infected or have wide open back doors without the site owner having any idea. It takes almost zero technical knowledge to install WordPress, but quite a bit of technical knowledge to make sure your install is properly secured.

Here's a good study on website hacks with several tips on how to protect yourself:

http://www.stopbadware.org/pdfs/compromised-websites-an-owners-perspective.pdf
 
Hacking is simply a matter of time, despite the precautions you take. If someone wants to get in your site, human ingenuity will get the job done. The best defense is to be as proactive as possible. Backup the site at least weekly and update all plugins, software, etc.
- - - - - - - - - - - - - - - - - -
1 - Done daily

2 - Always update, but some of the upgrades have had issues (such as Google sitemap generator) and took a few weeks to iron out.

3 - Yup.

4 - Most folks don't have any idea what that is, or how to correct it. I just happened to be going over some BPS (Bullet Proof Security) suggestions and noticed I had some plugins with 644 and 755 settings. I immediately corrected it, but the damage had already been done some time ago.

Can't say for sure how they got in but having these permission settings didn't help.

5 - Never heard of this Agent Methods company. Are they reputable?

FWIW, the Viagra post was intended for information and was relevant to a news story at the time. I try to incorporate 1 - 2 current events posts every week to generate traffic.

Unfortunately this post drew the wrong kind of curiosity seeker.

What is still bugging me is, the usual security scans did not detect this. It wasn't until the site was used (without my permission or knowledge) to spam the world for certain products and services that anyone took notice. This was a very sophisticated hack on a lot of different levels.


You can't go wrong with AgentMethods. If you want an excellent, customizable website up in a hurry and not have the headaches, then they're the company to go to. I used them when I first started.
 
Glad you are okay now, but allow me to clear up some misconceptions.

You can't "get in" to a site via .htaccess, though having it set too permissive (i.e. < 404) is asking for trouble.

There are only 2 ways to get into a server - FTP/SFTP and the shell. Before the purists come along and try to correct me by pointing out Gopher, Veronica, et al. - this is 2012, not 1992 :)

755 does not allow anyone to do whatever they want; that would be reserved for 777.

I can tell you with virtual certainty what happened in your case. I doubt anyone accessed and violated your hosting space; you were hit with an SQL injection attack because you installed a poorly written WP plugin.

If someone got into your account, they could have done much more harm than you experienced. In fact, an unauthorized user on your web hosting account could have brought the entire machine down, taking out thousands of other sites. Don't believe me? Give me shell access to any server and I'll show you what malicious hacking really looks like.

His particular infection was specifically through the timthumb plugin, and the server itself experienced no infection outside the directory. There was no shell access or otherwise to anything else on the server.

I actually keep port 21 locked and use ssh/sftp only, and I'm the only person with unlocked shell/sudo access to the box other than the hosting company. A few other people have jailed shell.

I also run mod_security stuff, have brute force protection on the accounts, firewalls on most ports, etc. I try to block all the places I know can be broken into, but as anyone knows it's impossible to make a server totally secure; the best you can do is make it take a long time to break into and keep good backups.

Some of the file perms might have been a bit too permissive in his directory, but the .htaccess issue was an injection from timthumb, which was where the attack came from.

I also went and manually fixed all instances of timthumb on the server at the time, but it's possible someone went back and installed a faulty one again; some old (free) themes on the WordPress repo still have the broken timthumb in them.
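A small audit for the two findings in this thread, the over-permissive file modes and the leftover timthumb copies in old themes, as an added example that is not from the thread or the host's own tooling. It walks a WordPress document root, lists anything world-writable (the 777 case the previous post distinguishes from 755), and lists every timthumb.php copy with the VERSION it declares so each can be checked against the current release; the docroot path and theme layout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a WordPress document root for
# world-writable files or directories and for copies of timthumb.php, printing
# each copy's declared VERSION. Paths used in comments and tests are constructed.

# Print every world-writable file or directory under $1, one per line
# (mode bit 0002, i.e. the "other" write bit that 777 grants and 755 does not).
# Returns 0 when none are found, 1 when at least one is.
find_world_writable() {
  hits=$(find "$1" \( -type f -o -type d \) -perm -0002)
  [ -n "$hits" ] && { printf '%s\n' "$hits"; return 1; }
  return 0
}

# Find every timthumb.php (and the common thumb.php rename) under $1 and print
# "path<TAB>version", taken from the file's define('VERSION', '...') line,
# or "unknown" when the file carries no such line.
list_timthumb_copies() {
  find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) |
  while IFS= read -r f; do
    ver=$(sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([^'\"]*\)['\"].*/\1/p" "$f" | head -n 1)
    printf '%s\t%s\n' "$f" "${ver:-unknown}"
  done
}

# Combined audit of docroot $1: prints both kinds of finding and returns 1 if
# either list is non-empty, 0 for a clean tree.
audit_wp_root() {
  rc=0
  ww=$(find_world_writable "$1") || rc=1
  [ -n "$ww" ] && printf 'world-writable:\n%s\n' "$ww"
  tt=$(list_timthumb_copies "$1")
  if [ -n "$tt" ]; then
    printf 'timthumb copies (path, version):\n%s\n' "$tt"
    rc=1
  fi
  return $rc
}

# Usage: audit_wp_root /var/www/html   (docroot path is an assumption)
```

Every timthumb copy it reports should be compared against the current upstream release and removed from themes that are not in use, since the thread notes that old free themes still bundle vulnerable copies.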
 