Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
And it’s not often that you get an answer in stereo. 😉
Thanks. Most of this I’m already doing. I’m in touch with my host too to see if they can trace it. Likely it’s something to do with the way the permissions are set up.
Unfortunately we’ve got multiple infections across a bunch of sites, so it’s going to take time to de-louse this whole mess, but luckily I’ve got the whole thing in source control so it’s a quick revert for the files.
Am I correct in assuming that if they were able to install a rogue plugin they had access to one of the WP account usernames and passwords?
Unfortunately we’ve got multiple infections across a bunch of sites
That sounds like you might have had an ftp leak and that the hackers gained entrance initially via ftp. Try scanning all local machines with up-to-date AV software.
Worth a shot, but…
A). We’re on OSX here and
B). We keep our passwords locked up really tight (i.e. always encrypted and never typed).
I know that OSX viruses aren’t unheard of but I’m more inclined to lean towards the file permissions thing.
Anyway I’ll post back here if I learn anything more so that people can learn from my ways. 🙂
BTW. Does anyone know if there are security problems with the BackWPup plugin? It’s a common element on all the sites.
raychaser42 wrote:
I know that OSX viruses aren’t unheard of but I’m more inclined to lean towards the file permissions thing.
Many malicious scripts like the Black Hole Exploit are equal opportunity exploiters. Doesn’t matter which OS the victim is using.
Even though there are some very ingenious malicious scripts out there, have you checked the time stamps on your files? Use that information combined with server logs (http and FTP/SFTP access) to help determine how the infection was achieved.
OK, so to follow up: what likely happened was that a site we’d forgotten was on our VPS had a WooTheme with a timthumb vulnerability.
Through this vulnerability the malicious script was able to gain access to our other accounts and place the evil plugin on a number of our other WordPress sites.
What a pain! Still, it could’ve been worse.
Thanks to everyone’s help and for the links to those bullet-proofing WordPress articles.
I’ve had this on 2 sites now. After looking at the error logs it looks like some sort of injection attack:
[01-Sep-2012 14:15:38] PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/local/lib/php/extensions/no-debug-non-zts-20060613/suhosin.so’ – /usr/local/lib/php/extensions/no-debug-non-zts-20060613/suhosin.so: cannot open shared object file: No such file or directory in Unknown on line 0
[01-Sep-2012 18:15:38] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘wposts.post_content LIKE ‘%adminmaintSuperNet%’ OR wposts.post_title LIKE ‘%wp%” at line 5 for query
SELECT DISTINCT wposts.ID
FROM wp_sm_posts wposts, wp_sm_postmeta wpostmeta
WHERE wposts.ID = wpostmeta.post_id
AND wposts.post_status = ‘publish’
AND wposts.post_type = ‘page’ AND (wposts.post_content LIKE ‘%wp%’ wposts.post_content LIKE ‘%adminmaintSuperNet%’ OR wposts.post_title LIKE ‘%wp%’ OR wposts.post_title LIKE ‘%adminmaintSuperNet%’ )