Comments on: Hacked! Part 3 – Teaser http://littlesvr.ca/grumble/2009/01/12/hacked-part-3-teaser/ The things that piss me off. Wed, 09 May 2012 01:08:06 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Mark http://littlesvr.ca/grumble/2009/01/12/hacked-part-3-teaser/comment-page-1/#comment-1890 Mark Sat, 07 Feb 2009 10:09:58 +0000 http://littlesvr.ca/grumble/?p=63#comment-1890 I love the PHP script. I was genuinely interested in combing through it until my Antivirus popped up and flagged it as a Back Door Trojan. Ha! I love the PHP script. I was genuinely interested in combing through it until my Antivirus popped up and flagged it as a Back Door Trojan. Ha!

]]> By: Waldo Jaquith http://littlesvr.ca/grumble/2009/01/12/hacked-part-3-teaser/comment-page-1/#comment-1749 Waldo Jaquith Tue, 20 Jan 2009 22:21:05 +0000 http://littlesvr.ca/grumble/?p=63#comment-1749 Same thing on my site last night. In my case, they're getting in through an old WordPress caching plugin. If you've got /wp-content/cache.php, erase it. I forget which caching plugin that was (I installed it years ago, disabled it, then forgot about it), but apparently there was a hole in it. My cache.php was 104k, which was a real tip-off. They're POSTing data to it in order to execute commands on the server. If some script kiddie has stuck that on <em>your</em> server, I recommend highly renaming it and then opening it in a browser yourself. It's impressive, even if you don't know Russian. Gijs, you don't see it because, in all likelihood, the code is written to show those spam links only when the site is being loaded by an IP within Google's IP range. Check out the Google cache of your site and you'll see. Same thing on my site last night. In my case, they’re getting in through an old WordPress caching plugin. If you’ve got /wp-content/cache.php, erase it. I forget which caching plugin that was (I installed it years ago, disabled it, then forgot about it), but apparently there was a hole in it. My cache.php was 104k, which was a real tip-off. They’re POSTing data to it in order to execute commands on the server. If some script kiddie has stuck that on your server, I recommend highly renaming it and then opening it in a browser yourself. It’s impressive, even if you don’t know Russian.

Gijs, you don’t see it because, in all likelihood, the code is written to show those spam links only when the site is being loaded by an IP within Google’s IP range. Check out the Google cache of your site and you’ll see.

]]> By: t0mmyw http://littlesvr.ca/grumble/2009/01/12/hacked-part-3-teaser/comment-page-1/#comment-1725 t0mmyw Wed, 14 Jan 2009 14:48:44 +0000 http://littlesvr.ca/grumble/?p=63#comment-1725 Sucks what happened, but thanks for posting your story. An interesting read. Sucks what happened, but thanks for posting your story. An interesting read.

]]> By: Gijs http://littlesvr.ca/grumble/2009/01/12/hacked-part-3-teaser/comment-page-1/#comment-1720 Gijs Tue, 13 Jan 2009 12:12:11 +0000 http://littlesvr.ca/grumble/?p=63#comment-1720 So, the first time I read these stories (or rather, when I read the first two parts), I thought "wow, that must suck". Earlier today, however, I was emailed by someone with an FYI that the footers on my blog contained spam links. WTH. I had akismet and comment moderation, so that wasn't it. I'm running subversion-based wordpress, which makes updating easy, but also keeps around old modifications made by people we don't like particularly much. So while I know that my install somehow was modified <a href="http://www.gijsk.com/temp/patch-hacked.txt" rel="nofollow">thus</a>, I don't know how or when. Or rather, I know the index.php mod happened 3 days ago, but I also know that it doesn't work because my server does not allow remote includes. And when I say "my server" I mean "my friend's server on which my site happens to be hosted, along with a whole bunch of other websites", so it is almost as easily possible that things were hacked somewhere else first. On the other hand, all the files were still owned by me, so it doesn't seem anyone had root at any point... Unfortunately I don't have root or even sudo rights, so I am not able to poke about as much as you are. At this point, I can see the spam still in the WP-Cache'd versions of my pages, and when I clear the cache they keep coming back - but when I view the site I don't see anything, which is peculiar. I was also not able to find any modifications which would have put the content there (grepping through for "base64" and "compress" and "that thing which spammers like to advertise" yielded no other useful results) Ideas? :-) So, the first time I read these stories (or rather, when I read the first two parts), I thought “wow, that must suck”.

Earlier today, however, I was emailed by someone with an FYI that the footers on my blog contained spam links. WTH. I had akismet and comment moderation, so that wasn’t it. I’m running subversion-based wordpress, which makes updating easy, but also keeps around old modifications made by people we don’t like particularly much. So while I know that my install somehow was modified thus, I don’t know how or when. Or rather, I know the index.php mod happened 3 days ago, but I also know that it doesn’t work because my server does not allow remote includes. And when I say “my server” I mean “my friend’s server on which my site happens to be hosted, along with a whole bunch of other websites”, so it is almost as easily possible that things were hacked somewhere else first. On the other hand, all the files were still owned by me, so it doesn’t seem anyone had root at any point… Unfortunately I don’t have root or even sudo rights, so I am not able to poke about as much as you are.

At this point, I can see the spam still in the WP-Cache’d versions of my pages, and when I clear the cache they keep coming back – but when I view the site I don’t see anything, which is peculiar. I was also not able to find any modifications which would have put the content there (grepping through for “base64″ and “compress” and “that thing which spammers like to advertise” yielded no other useful results)

Ideas? :-)

]]>