[wp-hackers] Black Hat Chinese Hackers - Looking for your input

MLR mlrichard at gmail.com
Mon Jun 2 22:19:28 GMT 2008


Hi Everyone,

My client is back up and running on a fresh WP 2.5.1 install.

The culprit of the whole redirect debacle with /wp-admin is exactly
the one I mentioned in my first post. I was able to re-create the
problem when everything worked fine and I re-activated THAT one.

Ask Apache WordPress Protector
http://www.askapache.com/wordpress/htaccess-password-protect.html

Could be an incompatibility with another plug in. I will have to test
this at some point.

Right now I'd rather be watching my new favorite porn: The Tudors.

Marie-Lynn
The Friendly Webmaster

On Mon, Jun 2, 2008 at 6:11 PM, Jorge Peña <jorgepblank at gmail.com> wrote:
> I used to use 1and1 but they're too 'corporate' and not 'flexible', I
> currently use DreamHost and really like it. They have a nice automatic
> installation and upgrade of WordPress which is really nice, it's not half
> as*ed or anything, it really works (As long as you haven't modified any core
> files, and if you have, when dreamhost upgrades wordpress it copies your
> entire site folder so you can simply diff and merge them together).
>
> On Mon, Jun 2, 2008 at 2:55 PM, MLR <mlrichard at gmail.com> wrote:
>
>> Is Bluehost a good place to host blogs? (historically)
>>
>> Currently my list is:
>>
>> 1and1 - The Best
>> Dreamhost - People seem to recommend it a lot but haven't used it yet.
>>
>> Never worked for me:
>>
>> A small orange
>> Yahoo Small Business Host
>>
>> Marie-Lynn
>>
>> On Mon, Jun 2, 2008 at 5:45 PM, Jason Webster <jason at intraffic.net> wrote:
>> > On a hilarious aside: About a year ago, the CEO of Bluehost's blog hacked /
>> > spam injected.
>> >
>> > MLR wrote:
>> >>
>> >> Well of course it's on shared hosting as most other WP installations.
>> >>
>> >> I am reinstalling my way (not the fantastico way) from scratch and we
>> >> will see what happens in the next 24 hours. I have documented that all
>> >> necessary precautions are taken so when it becomes hacked again
>> >> Bluehost will not be able to hide its head in the sand.
>> >>
>> >> Thanks for all your help today, especially George (Pearce) who walked
>> >> me through a lot of checks I had not thought about.
>> >>
>> >> Marie-Lynn
>> >>
>> >> On Mon, Jun 2, 2008 at 5:34 PM, Jason Webster <jason at intraffic.net> wrote:
>> >>
>> >>>
>> >>> Shared hosting has the potential to get ugly, fast.
>> >>>
>> >>> Basically, you are potentially vulnerable to script insecurities on other
>> >>> domains hosted there. I think it is very safe to say it had nothing to do
>> >>> with WP.
>> >>>
>> >>> MLR wrote:
>> >>>
>> >>>>
>> >>>> Hi Dave,
>> >>>>
>> >>>> The database has been picked over and is clean.
>> >>>>
>> >>>> Either this is a brilliant WP Hack or it is not even a WP Hack.
>> >>>>
>> >>>> We also think it is Bluehost specific.
>> >>>>
>> >>>> Thanks for your input!
>> >>>>
>> >>>> Marie-Lynn
>> >>>>
>> >>>> On Mon, Jun 2, 2008 at 5:23 PM, MLR <mlrichard at gmail.com> wrote:
>> >>>>
>> >>>>
>> >>>>>
>> >>>>> The only odd thing I found was a file in the /wp-content/ called
>> >>>>> index.php which has an encrypted javascript call.
>> >>>>>
>> >>>>> removing it didn't change anything.
>> >>>>>
>> >>>>> ---
>> >>>>> ---
>> >>>>>
>> >>>>>
>> >>>>> On Mon, Jun 2, 2008 at 5:19 PM, George Pearce <pearce.gs at googlemail.com> wrote:
>> >>>>>
>> >>>>>
>> >>>>>>
>> >>>>>> I've been talking to Marie, and from what I can see there are no affected
>> >>>>>> Wordpress files, there are some silly 777's, but all the files have either
>> >>>>>> been refreshed or checked manually. Nothing seems to be in the directory
>> >>>>>> that the blog is, either.
>> >>>>>> It's strange.
>> >>>>>> How else would that 404 be achieved, without editing any files. Also, a
>> >>>>>> javascript tag has attached itself to the bottom of the </html> on each
>> >>>>>> page.
>> >>>>>>
>> >>>>>> (I'm replying because I've been talking to Marie for the last half hour
>> >>>>>> :) )
>> >>>>>>
>> >>>>>> George
>> >>>>>>
>> >>>>>> -----Original Message-----
>> >>>>>> From: wp-hackers-bounces at lists.automattic.com
>> >>>>>> [mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Jason Webster
>> >>>>>> Sent: 02 June 2008 22:16
>> >>>>>> To: wp-hackers at lists.automattic.com
>> >>>>>> Subject: Re: [wp-hackers] Black Hat Chinese Hackers - Looking for your input
>> >>>>>>
>> >>>>>> Here's a few things that would be useful to know:
>> >>>>>>
>> >>>>>> Are you sure Wordpress was the point of entry for the attack?
>> >>>>>>
>> >>>>>> What kind of hosting? ie, shared/dedicated.
>> >>>>>>
>> >>>>>> MLR wrote:
>> >>>>>>
>> >>>>>>
>> >>>>>>>
>> >>>>>>> Hi Guys,
>> >>>>>>>
>> >>>>>>> I have noticed two things:
>> >>>>>>> - The combination of the words WordPress and Hack mostly returns topics
>> >>>>>>> about making WP do cool things (the spirit of this mailing list)
>> >>>>>>> - Most requests for info about fixing hacked blogs are dead ends on
>> >>>>>>> wordpress.org
>> >>>>>>>
>> >>>>>>> Today I am trying to fix a hacked blog without simply starting over. I
>> >>>>>>> want to know what happened to create the following problem:
>> >>>>>>>
>> >>>>>>> All requests in the address bar to ANY wp-admin files return a 404
>> >>>>>>> error.
>> >>>>>>>
>> >>>>>>> the .htaccess file seems clean.
>> >>>>>>>
>> >>>>>>> All files were at 2.5.1
>> >>>>>>>
>> >>>>>>> I have already overwritten all files in sequence to spot which one
>> >>>>>>> would have rogue code.
>> >>>>>>>
>> >>>>>>> I checked the theme it seems fine (no encoded bits of javascript or
>> >>>>>>> rogue code)
>> >>>>>>>
>> >>>>>>> I have removed the javascript functions at the bottom of the index.php
>> >>>>>>> that a bot inserts everyday on the site.
>> >>>>>>>
>> >>>>>>> Your pointers will definitely help me understand the source of the
>> >>>>>>> issue.
>> >>>>>>>
>> >>>>>>> What is your opinion on the usefulness of this plugin?
>> >>>>>>> http://www.askapache.com/wordpress/htaccess-password-protect.html
>> >>>>>>>
>> >>>>>>> (I know this is easily done the classic way but don't we all have a
>> >>>>>>> gazillion blogs to manage!?!)
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> Thanks a lot,
>> >>>>>>> Marie-Lynn
>> >>>>>>> http://www.friendly-webmaster.com
>> >>>>>>> _______________________________________________
>> >>>>>>> wp-hackers mailing list
>> >>>>>>> wp-hackers at lists.automattic.com
>> >>>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
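
Added example, not part of the original message or of WordPress itself: a read-only Python check for two symptoms reported in this thread, mode-777 entries and a script tag appended after </html>. The function names and the sample tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Everything after the first closing </html> tag; a <script> there is the
# symptom reported in the thread. Helper names are hypothetical.
AFTER_HTML = re.compile(rb"</html\s*>(?P<tail>.*)\Z", re.I | re.S)
TEXT_EXT = (".php", ".html", ".htm")


def audit_tree(root):
    """Return sorted (relative_path, finding) pairs for the tree under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are meaningless; skip them
            if st.st_mode & stat.S_IWOTH:
                mode = stat.S_IMODE(st.st_mode)
                findings.append((rel, "world-writable (%o)" % mode))
            if stat.S_ISREG(st.st_mode) and name.lower().endswith(TEXT_EXT):
                with open(path, "rb") as fh:
                    m = AFTER_HTML.search(fh.read())
                if m and b"<script" in m.group("tail").lower():
                    findings.append((rel, "script tag after </html>"))
    return sorted(findings)


def build_sample(root):
    """Constructed sample: a clean page, a tampered page, one 777 directory."""
    pages = {"clean.html": "<html><body>ok</body></html>\n",
             "index.php": "<html>blog</html>\n<script>/* placeholder */</script>\n"}
    for name, body in pages.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, name), 0o644)
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.dirname(uploads), 0o755)
    os.chmod(uploads, 0o777)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, finding in audit_tree(tmp):
            print(rel, "-", finding)
```

A clean result only rules out these two symptoms; it says nothing about how the files were modified.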