[wp-hackers] Black Hat Chinese Hackers - Looking for your input

Jorge Peña jorgepblank at gmail.com
Mon Jun 2 22:11:54 GMT 2008


I used to use 1and1 but they're too 'corporate' and not 'flexible'; I
currently use DreamHost and really like it. They have a nice automatic
installation and upgrade of WordPress which is really nice, it's not half
as*ed or anything, it really works (as long as you haven't modified any core
files, and if you have, when DreamHost upgrades WordPress it copies your
entire site folder so you can simply diff and merge them together).

On Mon, Jun 2, 2008 at 2:55 PM, MLR <mlrichard at gmail.com> wrote:

> Is Bluehost a good place to host blogs? (historically)
>
> Currently my list is:
>
> 1and1 - The Best
> Dreamhost - People seem to recommend it a lot but haven't used it yet.
>
> Never worked for me:
>
> A small orange
> Yahoo Small Business Host
>
> Marie-Lynn
>
> On Mon, Jun 2, 2008 at 5:45 PM, Jason Webster <jason at intraffic.net> wrote:
> > On a hilarious aside: About a year ago, the CEO of Bluehost's blog was hacked /
> > spam injected.
> >
> > MLR wrote:
> >>
> >> Well of course it's on shared hosting as most other WP installations.
> >>
> >> I am reinstalling my way (not the fantastico way) from scratch and we
> >> will see what happens in the next 24 hours. I have documented that all
> >> necessary precautions are taken so when it becomes hacked again
> >> Bluehost will not be able to hide its head in the sand.
> >>
> >> Thanks for all your help today, especially George (Pearce) who walked
> >> me through a lot of checks I had not thought about.
> >>
> >> Marie-Lynn
> >>
> >> On Mon, Jun 2, 2008 at 5:34 PM, Jason Webster <jason at intraffic.net> wrote:
> >>
> >>>
> >>> Shared hosting has the potential to get ugly, fast.
> >>>
> >>> Basically, you are potentially vulnerable to script insecurities on other
> >>> domains hosted there. I think it is very safe to say it had nothing to do
> >>> with WP.
> >>>
> >>> MLR wrote:
> >>>
> >>>>
> >>>> Hi Dave,
> >>>>
> >>>> The database has been picked over and is clean.
> >>>>
> >>>> Either this is a brilliant WP Hack or it is not even a WP Hack.
> >>>>
> >>>> We also think it is Bluehost specific.
> >>>>
> >>>> Thanks for your input!
> >>>>
> >>>> Marie-Lynn
> >>>>
> >>>> On Mon, Jun 2, 2008 at 5:23 PM, MLR <mlrichard at gmail.com> wrote:
> >>>>
> >>>>
> >>>>>
> >>>>> The only odd thing I found was a file in the /wp-content/ called
> >>>>> index.php which has an encrypted javascript call.
> >>>>>
> >>>>> Removing it didn't change anything.
> >>>>>
> >>>>> ---
> >>>>> ---
> >>>>>
> >>>>>
> >>>>> On Mon, Jun 2, 2008 at 5:19 PM, George Pearce <pearce.gs at googlemail.com> wrote:
> >>>>>
> >>>>>
> >>>>>>
> >>>>>> I've been talking to Marie, and from what I can see there are no affected
> >>>>>> WordPress files, there are some silly 777's, but all the files have either
> >>>>>> been refreshed or checked manually. Nothing seems to be in the directory
> >>>>>> that the blog is, either.
> >>>>>> It's strange.
> >>>>>> How else would that 404 be achieved, without editing any files? Also, a
> >>>>>> javascript tag has attached itself to the bottom of the </html> on each
> >>>>>> page.
> >>>>>>
> >>>>>> (I'm replying because I've been talking to Marie for the last half hour
> >>>>>> :) )
> >>>>>>
> >>>>>> George
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: wp-hackers-bounces at lists.automattic.com
> >>>>>> [mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Jason Webster
> >>>>>> Sent: 02 June 2008 22:16
> >>>>>> To: wp-hackers at lists.automattic.com
> >>>>>> Subject: Re: [wp-hackers] Black Hat Chinese Hackers - Looking for your input
> >>>>>>
> >>>>>> Here's a few things that would be useful to know:
> >>>>>>
> >>>>>> Are you sure WordPress was the point of entry for the attack?
> >>>>>>
> >>>>>> What kind of hosting? i.e., shared/dedicated.
> >>>>>>
> >>>>>> MLR wrote:
> >>>>>>
> >>>>>>
> >>>>>>>
> >>>>>>> Hi Guys,
> >>>>>>>
> >>>>>>> I have noticed two things:
> >>>>>>> - The combination of the words WordPress and Hack mostly returns topics
> >>>>>>> about making WP do cool things (the spirit of this mailing list)
> >>>>>>> - Most requests for info about fixing hacked blogs are dead ends on
> >>>>>>> wordpress.org
> >>>>>>>
> >>>>>>> Today I am trying to fix a hacked blog without simply starting over. I
> >>>>>>> want to know what happened to create the following problem:
> >>>>>>>
> >>>>>>> All requests in the address bar to ANY wp-admin files return a 404
> >>>>>>> error.
> >>>>>>>
> >>>>>>> The .htaccess file seems clean.
> >>>>>>>
> >>>>>>> All files were at 2.5.1
> >>>>>>>
> >>>>>>> I have already overwritten all files in sequence to spot which one
> >>>>>>> would have rogue code.
> >>>>>>>
> >>>>>>> I checked the theme, it seems fine (no encoded bits of javascript or
> >>>>>>> rogue code)
> >>>>>>>
> >>>>>>> I have removed the javascript functions at the bottom of the index.php
> >>>>>>> that a bot inserts every day on the site.
> >>>>>>>
> >>>>>>> Your pointers will definitely help me understand the source of the
> >>>>>>> issue.
> >>>>>>>
> >>>>>>> What is your opinion on the usefulness of this plugin?
> >>>>>>> http://www.askapache.com/wordpress/htaccess-password-protect.html
> >>>>>>>
> >>>>>>> (I know this is easily done the classic way but don't we all have a
> >>>>>>> gazillion blogs to manage!?!)
> >>>>>>>
> >>>>>>>
> >>>>>>> Thanks a lot,
> >>>>>>> Marie-Lynn
> >>>>>>> http://www.friendly-webmaster.com
> >>>>>>> _______________________________________________
> >>>>>>> wp-hackers mailing list
> >>>>>>> wp-hackers at lists.automattic.com
> >>>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>
> >>>
> >>
> >
>
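
A triage sketch for the symptoms reported in this thread (777 permissions, a script appended after `</html>`, an obfuscated script in a PHP file), added here as an example and not part of the original messages. The function names, the regex heuristics and the sample tree are constructed assumptions, not a malware signature set.

```python
import os, re, stat, tempfile

# Heuristics modelled on the thread's symptoms (assumptions, not signatures).
TRAILING = re.compile(rb"</html>\s*(\S.*)\Z", re.I | re.S)
OBFUSCATED = re.compile(
    rb"<script[^>]*>.*?(?:eval\s*\(|unescape\s*\(|String\.fromCharCode)", re.I | re.S)
EXTS = (".php", ".html", ".htm", ".js")

def triage(root):
    """Return sorted (relative_path, finding) tuples for regular files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks and special files
            if mode & stat.S_IWOTH:  # e.g. the "silly 777's"
                findings.append((rel, "world-writable"))
            if not name.lower().endswith(EXTS):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if TRAILING.search(data):  # anything non-blank after the closing tag
                findings.append((rel, "content-after-</html>"))
            if OBFUSCATED.search(data):
                findings.append((rel, "obfuscated-script"))
    return sorted(findings)

def demo():
    """Build a small constructed tree (not data from the thread) and triage it."""
    samples = {
        "wp-content/index.php": b"<?php // Silence is golden.\n",
        "wp-content/themes/t/footer.php":
            b"</body>\n</html>\n<script>eval(unescape('%61'))</script>\n",
        "wp-admin/index.php": b"<?php require 'admin.php';\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, 0o644)
        os.chmod(os.path.join(root, "wp-admin/index.php"), 0o777)
        return triage(root)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:24} {rel}")
```

Running `triage()` from a scheduled job and comparing its output between runs shows which files a recurring injection touches and when.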

