[wp-hackers] Black Hat Chinese Hackers - Looking for your input

MLR mlrichard at gmail.com
Mon Jun 2 21:39:22 GMT 2008


Well of course it's on shared hosting as most other WP installations.

I am reinstalling my way (not the fantastico way) from scratch and we
will see what happens in the next 24 hours. I have documented that all
necessary precautions are taken so when it becomes hacked again
Bluehost will not be able to hide its head in the sand.

Thanks for all your help today, especially George (Pearce) who walked
me through a lot of checks I had not thought about.

Marie-Lynn

On Mon, Jun 2, 2008 at 5:34 PM, Jason Webster <jason at intraffic.net> wrote:
> Shared hosting has the potential to get ugly, fast.
>
> Basically, you are potentially vulnerable to script insecurities on other
> domains hosted there. I think it is very safe to say it had nothing to do
> with WP.
>
> MLR wrote:
>>
>> Hi Dave,
>>
>> The database has been picked over and is clean.
>>
>> Either this is a brilliant WP Hack or it is not even a WP Hack.
>>
>> We also think it is Bluehost specific.
>>
>> Thanks for your input!
>>
>> Marie-Lynn
>>
>> On Mon, Jun 2, 2008 at 5:23 PM, MLR <mlrichard at gmail.com> wrote:
>>
>>>
>>> The only odd thing I found was a file in the /wp-content/ called
>>> index.php which has an encrypted javascript call.
>>>
>>> removing it didn't change anything.
>>>
>>> ---
>>> ---
>>>
>>>
>>> On Mon, Jun 2, 2008 at 5:19 PM, George Pearce <pearce.gs at googlemail.com>
>>> wrote:
>>>
>>>>
>>>> I've been talking to Marie, and from what I can see there are no affected
>>>> WordPress files, there are some silly 777's, but all the files have either
>>>> been refreshed or checked manually. Nothing seems to be in the directory
>>>> that the blog is, either.
>>>> It's strange.
>>>> How else would that 404 be achieved, without editing any files? Also, a
>>>> javascript tag has attached itself to the bottom of the </html> on each
>>>> page.
>>>>
>>>> (I'm replying because I've been talking to Marie for the last half hour
>>>> :) )
>>>>
>>>> George
>>>>
>>>> -----Original Message-----
>>>> From: wp-hackers-bounces at lists.automattic.com
>>>> [mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Jason
>>>> Webster
>>>> Sent: 02 June 2008 22:16
>>>> To: wp-hackers at lists.automattic.com
>>>> Subject: Re: [wp-hackers] Black Hat Chinese Hackers - Looking for your
>>>> input
>>>>
>>>> Here's a few things that would be useful to know:
>>>>
>>>> Are you sure Wordpress was the point of entry for the attack?
>>>>
>>>> What kind of hosting? ie, shared/dedicated.
>>>>
>>>> MLR wrote:
>>>>
>>>>>
>>>>> Hi Guys,
>>>>>
>>>>> I have noticed two things:
>>>>> - The combination of the Words WordPress and Hack mostly return topics
>>>>> about making WP do cool things (the spirit of this mailing list)
>>>>> - Most requests for info about fixing hacked blogs are dead ends on
>>>>> wordpress.org
>>>>>
>>>>> Today I am trying to fix a hacked blog without simply starting over. I
>>>>> want to know what happened to create the following problem:
>>>>>
>>>>> All requests in the address bar to ANY wp-admin files return a 404
>>>>> error.
>>>>>
>>>>> the .htaccess file seems clean.
>>>>>
>>>>> All files were at 2.5.1
>>>>>
>>>>> I have already overwritten all files in sequence to spot which one
>>>>> would have rogue code.
>>>>>
>>>>> I checked the theme it seems fine (no encoded bits of javascript or
>>>>> rogue code)
>>>>>
>>>>> I have removed the javascript functions at the bottom of the index.php
>>>>> that a bot inserts everyday on the site.
>>>>>
>>>>> Your pointers will definitely help me understand the source of the
>>>>> issue.
>>>>>
>>>>> What is your opinion on the usefulness of this plugin?
>>>>> http://www.askapache.com/wordpress/htaccess-password-protect.html
>>>>>
>>>>> (I know this is easily done the classic way but don't we all have a
>>>>> gazillion blogs to manage!?!)
>>>>>
>>>>>
>>>>> Thanks a lot,
>>>>> Marie-Lynn
>>>>> http://www.friendly-webmaster.com
>>>>> _______________________________________________
>>>>> wp-hackers mailing list
>>>>> wp-hackers at lists.automattic.com
>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>>
>>>>>
>>>>
>>>>
>>
>>
>
>
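
The checks discussed in this thread (777 permissions, a script tag attached after the closing </html>, an encoded script in /wp-content/index.php) can be scripted for a whole web root. The following is an added example, not code from any poster in the thread; the regexes, the function names `audit_tree`, `build_sample` and `demo`, and the sample tree are constructed for illustration.

```python
import os, re, stat, tempfile

# Heuristics are assumptions made for this example, not a complete signature set.
TRAILING_SCRIPT = re.compile(rb"</html\s*>\s*(?:<!--.*?-->\s*)*<script", re.I | re.S)
OBFUSCATED_JS = re.compile(rb"<script[^>]*>[^<]*(?:eval\s*\(|unescape\s*\(|fromCharCode)", re.I)
TEXT_EXT = (".php", ".html", ".htm", ".js")

def audit_tree(root):
    """Return sorted (relative_path, finding) pairs for everything under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if stat.S_ISREG(st.st_mode) and name.lower().endswith(TEXT_EXT):
                with open(path, "rb") as fh:
                    data = fh.read()
                if TRAILING_SCRIPT.search(data):
                    findings.append((rel, "script after </html>"))
                if OBFUSCATED_JS.search(data):
                    findings.append((rel, "obfuscated script"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree reproducing the symptoms described in the thread."""
    files = {
        "index.php": b"<html><body>blog</body></html>\n<script src='//cdn.example.invalid/a.js'></script>",
        "wp-content/index.php": b"<script>eval(unescape('%68%69'))</script>",
        "wp-content/themes/style.php": b"<html><body>theme</body></html>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), mode=0o755, exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o644)  # explicit modes so the result does not depend on umask
    os.mkdir(os.path.join(root, "wp-content", "uploads"))
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # the "silly 777"

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

If the scan comes back clean but served pages still carry the tag, compare the HTML the server returns with the files on disk; the injection is then happening somewhere the scan did not look.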

