[wp-hackers] Hacked blogs

madalin niladam at gmail.com
Sat Mar 28 09:46:21 GMT 2009


The problem i reported was actually related to the hosting that was
attacked. I was beeing hosted on hostmonster (server 177 if i can
recall better) and it looks like it was an internal problem.

Since, i've bought myself a dedicated server and installed suhosin -
which broke things at the beginning - that was later instructed only
to alert on problems. I've since, created a cronjob to run every 2
hours that emails me the last ALERT issues from the messages

Again, i must say that if i've tought the hacking was done directly on
my website digging a little bit, i've found a script on hostmonster
that was actually looking for all index.php and index.html files and
depending on the extension of the file (.php or .html) was adding the
iframe target. The script was fully automated so, wherever it could
write it did. For some reason on hostmonster all the files could be
modified by the nobody user and so, i got hacked.

Anyways, reading about chmod (http://en.wikipedia.org/wiki/Chmod) and
WordPress permissions
(http://codex.wordpress.org/Changing_File_Permissions) lead me to the
chmoding of the files which were since NO longer hacked.

This is an isolated issue, and let me say it's only related to the
fact that you have (probably) some outdated plugins (which take use of
the 777 issue) and therefore you were hacked.

As always, backup early, restore if needed :)


On Fri, Mar 27, 2009 at 2:53 PM, Lynne Pope <lynne.pope at gmail.com> wrote:
> 2009/3/27 Rich Pedley <elflop at googlemail.com>:
>> With everyone mentioning, and concentrating on plugins, these days I'd
>> advise that you check themes as well.
> It seems Joost's Twitter post telling everyone to keep an eye on their
> blogs is getting attention. I had another person report the same hack,
> but this time on WP2.6.5.
> Plugins in common were only Akismet, Tweetbacks and Google Sitemaps.
> BUT, both sites are using the same premium/commercial theme which
> contains a lot of code.
> This may be coincidence but I couldn't spot any vulnerabilities in the
> plugins they have in common, or in their server setup. If there is a
> common vulnerability in 2.6.5 & 2.7.1 I didn't manage to find it.
> I was careful not to suggest the theme is the culprit but have advised
> them to contact the theme developer (hope they don't go off saying I
> am casting aspersions on the theme!!!!)
> Lynne
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

Cu drag,

More information about the wp-hackers mailing list