[wp-hackers] Black Hat Chinese Hackers - Looking for your input

Jason Webster jason at intraffic.net
Mon Jun 2 21:45:41 GMT 2008


On a hilarious aside: About a year ago, the CEO of Bluehost's blog was
hacked / spam injected.

MLR wrote:
> Well of course it's on shared hosting as most other WP installations.
>
> I am reinstalling my way (not the fantastico way) from scratch and we
> will see what happens in the next 24 hours. I have documented that all
> necessary precautions are taken so when it becomes hacked again
> Bluehost will not be able to hide its head in the sand.
>
> Thanks for all your help today, especially George (Pearce) who walked
> me through a lot of checks I had not thought about.
>
> Marie-Lynn
>
> On Mon, Jun 2, 2008 at 5:34 PM, Jason Webster <jason at intraffic.net> wrote:
>   
>> Shared hosting has the potential to get ugly, fast.
>>
>> Basically, you are potentially vulnerable to script insecurities on other
>> domains hosted there. I think it is very safe to say it had nothing to do
>> with WP.
>>
>> MLR wrote:
>>     
>>> Hi Dave,
>>>
>>> The database has been picked over and is clean.
>>>
>>> Either this is a brilliant WP Hack or it is not even a WP Hack.
>>>
>>> We also think it is Bluehost specific.
>>>
>>> Thanks for your input!
>>>
>>> Marie-Lynn
>>>
>>> On Mon, Jun 2, 2008 at 5:23 PM, MLR <mlrichard at gmail.com> wrote:
>>>
>>>       
>>>> The only odd thing I found was a file in the /wp-content/ called
>>>> index.php which has an encrypted javascript call.
>>>>
>>>> removing it didn't change anything.
>>>>
>>>> ---
>>>> ---
>>>>
>>>>
>>>> On Mon, Jun 2, 2008 at 5:19 PM, George Pearce <pearce.gs at googlemail.com>
>>>> wrote:
>>>>
>>>>         
>>>>> I've been talking to Marie, and from what I can see there are no affected
>>>>> Wordpress files, there are some silly 777's, but all the files have either
>>>>> been refreshed or checked manually. Nothing seems to be in the directory
>>>>> that the blog is, either.
>>>>> It's strange.
>>>>> How else would that 404 be achieved, without editing any files. Also, a
>>>>> javascript tag has attached itself to the bottom of the </html> on each
>>>>> page.
>>>>>
>>>>> (I'm replying because I've been talking to Marie for the last half hour
>>>>> :) )
>>>>>
>>>>> George
>>>>>
>>>>> -----Original Message-----
>>>>> From: wp-hackers-bounces at lists.automattic.com
>>>>> [mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Jason Webster
>>>>> Sent: 02 June 2008 22:16
>>>>> To: wp-hackers at lists.automattic.com
>>>>> Subject: Re: [wp-hackers] Black Hat Chinese Hackers - Looking for your input
>>>>>
>>>>> Here's a few things that would be useful to know:
>>>>>
>>>>> Are you sure Wordpress was the point of entry for the attack?
>>>>>
>>>>> What kind of hosting? ie, shared/dedicated.
>>>>>
>>>>> MLR wrote:
>>>>>
>>>>>           
>>>>>> Hi Guys,
>>>>>>
>>>>>> I have noticed two things:
>>>>>> - The combination of the Words WordPress and Hack mostly return topics
>>>>>> about making WP do cool things (the spirit of this mailing list)
>>>>>> - Most requests for info about fixing hacked blogs are dead ends on
>>>>>> wordpress.org
>>>>>>
>>>>>> Today I am trying to fix a hacked blog without simply starting over. I
>>>>>> want to know what happened to create the following problem:
>>>>>>
>>>>>> All requests in the address bar to ANY wp-admin files return a 404
>>>>>> error.
>>>>>>
>>>>>> the .htaccess file seems clean.
>>>>>>
>>>>>> All files were at 2.5.1
>>>>>>
>>>>>> I have already overwritten all files in sequence to spot which one
>>>>>> would have rogue code.
>>>>>>
>>>>>> I checked the theme it seems fine (no encoded bits of javascript or
>>>>>> rogue code)
>>>>>>
>>>>>> I have removed the javascript functions at the bottom of the index.php
>>>>>> that a bot inserts everyday on the site.
>>>>>>
>>>>>> Your pointers will definitely help me understand the source of the
>>>>>> issue.
>>>>>>
>>>>>> What is your opinion on the usefulness of this plugin?
>>>>>> http://www.askapache.com/wordpress/htaccess-password-protect.html
>>>>>>
>>>>>> (I know this is easily done the classic way but don't we all have a
>>>>>> gazillion blogs to manage!?!)
>>>>>>
>>>>>>
>>>>>> Thanks a lot,
>>>>>> Marie-Lynn
>>>>>> http://www.friendly-webmaster.com
>>>>>> _______________________________________________
>>>>>> wp-hackers mailing list
>>>>>> wp-hackers at lists.automattic.com
>>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>>>
>>>>>>
>>>>>>             
>   
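The checks mentioned in the thread (world-writable "777" files, a script tag appended after the closing </html>, a file carrying an encoded JavaScript call) can be run as a read-only triage pass over the install. This is an added example, not code from any poster on the list; the marker list, finding labels and the constructed sample tree are assumptions for illustration.

```python
import os, re, stat, sys, tempfile
from pathlib import Path

# Heuristic markers of encoded JavaScript (an assumed, non-exhaustive list).
ENCODED_JS = re.compile(r"eval\s*\(|unescape\s*\(|String\.fromCharCode", re.I)
# Captures everything that follows the first closing </html> tag.
AFTER_HTML = re.compile(r"</html\s*>(.*)\Z", re.I | re.S)

def audit_path(path):
    """Return finding labels for one file or directory."""
    findings = []
    if os.stat(path).st_mode & stat.S_IWOTH:  # writable by every local user
        findings.append("world-writable")
    if os.path.isfile(path) and path.lower().endswith((".php", ".html", ".htm", ".js")):
        text = Path(path).read_text(encoding="utf-8", errors="replace")
        tail = AFTER_HTML.search(text)
        if tail and "<script" in tail.group(1).lower():
            findings.append("script-after-html")
        if ENCODED_JS.search(text):
            findings.append("encoded-js-marker")
    return findings

def audit_tree(root):
    """Map relative path -> findings for everything under root (symlinks skipped)."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            findings = [] if os.path.islink(path) else audit_path(path)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

def build_sample():
    """Create a constructed sample tree (not data from the thread)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.mkdir(os.path.join(root, "wp-content"), 0o755)
    samples = {
        "index.php": (0o644, "<html>blog</html>\n<script>eval(unescape('%61'))</script>\n"),
        "wp-content/index.php": (0o777, "<?php ?><script>document.write(unescape('%3C'))</script>"),
        "wp-login.php": (0o644, "<?php echo 'login'; ?>"),
    }
    for rel, (mode, body) in samples.items():
        Path(root, rel).write_text(body)
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    print(audit_tree(sys.argv[1] if len(sys.argv) > 1 else build_sample()))
```

Hits are leads to compare against a fresh copy of the same WordPress release, since legitimate scripts can also match the markers.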


