[wp-hackers] 3.0 site got hacked
Dre Armeda
dre at sucuri.net
Wed Jul 21 21:44:44 UTC 2010
On 7/21/10 2:26 PM, 24/7 wrote:
> Hi list,
>
> note that this is just FYI.
>
> My (never finished) portfolio-site got hacked in the last days (after
> the upgrade to 3.0).

The title of this is misleading. Have you confirmed 3.0 was the root
cause? Can you provide a detailed exploit vector?

We've been seeing a lot of malware on various hosts as of late causing
SEO poisoning (Pharma Hack) and redirects. These are not 3.0 issues. In
a lot of cases this happens on really old versions of applications, and
poorly managed shared hosts.

What version did you upgrade from? Do you have a shared hosting account
and with who?

> Sadly I was that shocked, that I just reinstalled
> my theme and wp, that I forgot to download & look over my code what
> exactly got hacked. I could now just search through my chronik to find
> the links. First I had the problem, that no page/post/whatever except
> the index/landing/front page was accessible (404). I thought I killed
> some parts of my page after plugin and wp updates. I deleted nearly
> all plugins and themes except hybrid theme. I left hybrid to see if I
> could access the posts via the preview of hybrid. Most of the pages
> left me with a 404, but one brought me to the following sites:
>
> (I break the link with "__." after the http:// to make it inaccessible
> for someone who may find and click it accidentally)
>
> 1) http://__.www3.doligz30td.co.cc/?p=p52dcWplbW%2BHnc3KbmNToKV1lFPWpJyjX5TJl2JvY2fLksg%3D
>
Scan results for this site:
http://sucuri.net/?page=saved-scan&scan=fb65af3bdd3152ba289ecb23c5d366af-saved

> 2) http://__.www.google.md
>

This is a legitimate site

> 3)
> http://__.www1.greedpays10.co.cc/?p=p52dcWplbW%2BHjsbIo22AgXOOipnVbWGWZInT1m6uqG2Lw8ydb5aYen5arK3NapaXlmRebGNpyl7HVqPajtfZ1m5oWKeih9eipqCecV6aoaXGaorcmpWkcVih1GqaYF6XXZySmWFlY2%2Bch9WemHGhqKykcmiQotLZlqKYlZuryZ%2BQk5%2FTXKLU1Zatm5vcnpRfk6Gpb6yZpanNjtjLbqSVmZ%2BZ2JbFVpHTnZ7X16qjl6nNxsitb6ihmaWVrKLEU8XToWtTqKV1lV%2BZaWeYXpyam1erpWiikpVwa2trZXFqcF%2FEkKGnhVaknZZ1nWCX
>
>
Scan results for this site:
http://sucuri.net/?page=saved-scan&scan=281ce27bd83c5fb888ccb1d15e1829ff-saved

> Maybe someone found something similar. I would suggest to contact me
> direct, so we don't clutter the list unless someone knows what exactly
> was the cause. You can do otherwise too, if you want. Thanks.
>
Those two sites are definitely serving malware but unless you can prove
without a doubt it is WordPress 3.0, please don't write that it's hacked.

Thanks,
Dre Armeda

> -K.