[wp-hackers] Black Hat Chinese Hackers - Looking for your input

Jason Webster jason at intraffic.net
Mon Jun 2 21:34:52 GMT 2008


Shared hosting has the potential to get ugly, fast.

Basically, you are potentially vulnerable to script insecurities on 
other domains hosted there. I think it is very safe to say it had 
nothing to do with WP.

MLR wrote:
> Hi Dave,
>
> The database has been picked over and is clean.
>
> Either this is a brilliant WP Hack or it is not even a WP Hack.
>
> We also think it is Bluehost specific.
>
> Thanks for your input!
>
> Marie-Lynn
>
> On Mon, Jun 2, 2008 at 5:23 PM, MLR <mlrichard at gmail.com> wrote:
>   
>> The only odd thing I found was a file in the /wp-content/ called
>> index.php which has an encrypted javascript call.
>>
>> Removing it didn't change anything.
>>
>> ---
>> ---
>>
>>
>> On Mon, Jun 2, 2008 at 5:19 PM, George Pearce <pearce.gs at googlemail.com> wrote:
>>     
>>> I've been talking to Marie, and from what I can see there are no affected
>>> WordPress files, there are some silly 777's, but all the files have either
>>> been refreshed or checked manually. Nothing seems to be in the directory
>>> that the blog is, either.
>>> It's strange.
>>> How else would that 404 be achieved, without editing any files? Also, a
>>> javascript tag has attached itself to the bottom of the </html> on each
>>> page.
>>>
>>> (I'm replying because I've been talking to Marie for the last half hour :) )
>>>
>>> George
>>>
>>> -----Original Message-----
>>> From: wp-hackers-bounces at lists.automattic.com
>>> [mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Jason Webster
>>> Sent: 02 June 2008 22:16
>>> To: wp-hackers at lists.automattic.com
>>> Subject: Re: [wp-hackers] Black Hat Chinese Hackers - Looking for your input
>>>
>>> Here's a few things that would be useful to know:
>>>
>>> Are you sure WordPress was the point of entry for the attack?
>>>
>>> What kind of hosting? i.e., shared/dedicated.
>>>
>>> MLR wrote:
>>>       
>>>> Hi Guys,
>>>>
>>>> I have noticed two things:
>>>> - The combination of the Words WordPress and Hack mostly return topics
>>>> about making WP do cool things (the spirit of this mailing list)
>>>> - Most requests for info about fixing hacked blogs are dead ends on
>>>> wordpress.org
>>>>
>>>> Today I am trying to fix a hacked blog without simply starting over. I
>>>> want to know what happened to create the following problem:
>>>>
>>>> All requests in the address bar to ANY wp-admin files return a 404 error.
>>>>
>>>> The .htaccess file seems clean.
>>>>
>>>> All files were at 2.5.1
>>>>
>>>> I have already overwritten all files in sequence to spot which one
>>>> would have rogue code.
>>>>
>>>> I checked the theme it seems fine (no encoded bits of javascript or rogue
>>>> code)
>>>>
>>>> I have removed the javascript functions at the bottom of the index.php
>>>> that a bot inserts everyday on the site.
>>>>
>>>> Your pointers will definitely help me understand the source of the issue.
>>>>
>>>> What is your opinion on the usefulness of this plugin?
>>>> http://www.askapache.com/wordpress/htaccess-password-protect.html
>>>>
>>>> (I know this is easily done the classic way but don't we all have a
>>>> gazillion blogs to manage!?!)
>>>>
>>>>
>>>> Thanks a lot,
>>>> Marie-Lynn
>>>> http://www.friendly-webmaster.com
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>
>>>>         
>   
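
An added example, not part of the original thread: a Python scan of a web root on disk for the three things the messages above mention (world-writable "777" entries, a script tag appended after the closing `</html>`, and encoded JavaScript). The function names, the extension list, the obfuscation markers and the sample page are assumptions made for illustration.

```python
import os
import re
import stat
import sys

# Assumed heuristics for encoded JavaScript; not taken from the thread.
OBFUSCATION = re.compile(rb"eval\s*\(|unescape\s*\(|String\.fromCharCode", re.I)
CLOSE_HTML = re.compile(rb"</html\s*>", re.I)
SCRIPT_TAG = re.compile(rb"<script\b", re.I)
WEB_EXTS = (".php", ".html", ".htm", ".js")
# Constructed sample of a page with a tag appended after </html>.
SAMPLE_PAGE = (b"<html><body>post</body></html>\n"
               b"<script>document.write(unescape('%68%69'))</script>\n")


def check_content(data):
    """Return the reasons a file body looks tampered with."""
    reasons = []
    closes = list(CLOSE_HTML.finditer(data))
    if closes and SCRIPT_TAG.search(data, closes[-1].end()):
        reasons.append("script tag after closing </html>")
    if OBFUSCATION.search(data):
        reasons.append("obfuscated JavaScript marker")
    return reasons


def scan_webroot(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode says nothing; do not follow it
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable (mode %o)" % stat.S_IMODE(st.st_mode)))
            if stat.S_ISREG(st.st_mode) and name.lower().endswith(WEB_EXTS):
                with open(path, "rb") as fh:
                    findings.extend((rel, r) for r in check_content(fh.read()))
    return sorted(findings)


if __name__ == "__main__":
    for rel, reason in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s: %s" % (rel, reason))
```

A clean result here only covers files under the scanned directory; content injected at serve time from elsewhere on a shared host would not show up in it.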


