[wp-hackers] 3.0 site got hacked

Aaron Jorbin aaron at jorb.in
Wed Jul 21 22:39:22 UTC 2010


Your host seems to be having some problems:

http://weblog.mediatemple.net/weblog/category/system-incidents/1378-information-about-compromised-sites/

http://aaron.jorb.in
twitter: twitter.com/aaronjorbin


On Wed, Jul 21, 2010 at 5:44 PM, Dre Armeda <dre at sucuri.net> wrote:

> On 7/21/10 2:26 PM, 24/7 wrote:
>
>> Hi list,
>>
>> note that this is just FYI.
>>
>> My (never finished) portfolio-site got hacked in the last days (after
>> the upgrade to 3.0).
>>
> The title of this is misleading. Have you confirmed 3.0 was the root
> cause? Can you provide a detailed exploit vector?
>
> We've been seeing a lot of malware on various hosts as of late causing SEO
> poisoning (Pharma Hack) and redirects. These are not 3.0 issues. In a lot of
> cases this happens on really old versions of applications, and poorly
> managed shared hosts.
>
> What version did you upgrade from? Do you have a shared hosting account and
> with who?
>
>
>> Sadly I was so shocked that I just reinstalled
>> my theme and wp, and forgot to download & look over my code to see what
>> exactly got hacked. I could now just search through my history to find
>> the links. First I had the problem that no page/post/whatever except
>> the index/landing/front page was accessible (404). I thought I killed
>> some parts of my page after plugin and wp updates. I deleted nearly
>> all plugins and themes except hybrid theme. I left hybrid to see if I
>> could access the posts via the preview of hybrid. Most of the pages
>> left me with a 404, but one brought me to the following sites:
>>
>> (I break the link with "__." after the http:// to make it inaccessible
>> for someone who may find and click it accidentally)
>>
>> 1) http://__.
>> www3.doligz30td.co.cc/?p=p52dcWplbW%2BHnc3KbmNToKV1lFPWpJyjX5TJl2JvY2fLksg%3D
>>
>>
> Scan results for this site:
>
> http://sucuri.net/?page=saved-scan&scan=fb65af3bdd3152ba289ecb23c5d366af-saved
>
>
>> 2) http://__.www.google.md
>>
>>
> This is a legitimate site
>
>
>> 3)
>> http://__.
>> www1.greedpays10.co.cc/?p=p52dcWplbW%2BHjsbIo22AgXOOipnVbWGWZInT1m6uqG2Lw8ydb5aYen5arK3NapaXlmRebGNpyl7HVqPajtfZ1m5oWKeih9eipqCecV6aoaXGaorcmpWkcVih1GqaYF6XXZySmWFlY2%2Bch9WemHGhqKykcmiQotLZlqKYlZuryZ%2BQk5%2FTXKLU1Zatm5vcnpRfk6Gpb6yZpanNjtjLbqSVmZ%2BZ2JbFVpHTnZ7X16qjl6nNxsitb6ihmaWVrKLEU8XToWtTqKV1lV%2BZaWeYXpyam1erpWiikpVwa2trZXFqcF%2FEkKGnhVaknZZ1nWCX
>>
>>
>>
> Scan results for this site:
>
> http://sucuri.net/?page=saved-scan&scan=281ce27bd83c5fb888ccb1d15e1829ff-saved
>
>
>> Maybe someone found something similar. I would suggest contacting me
>> directly, so we don't clutter the list unless someone knows what exactly
>> was the cause. You can do otherwise too, if you want. Thanks.
>>
>>
>
> Those two sites are definitely serving malware but unless you can prove
> without a doubt it is WordPress 3.0, please don't write that it's hacked.
>
> Thanks,
>
> Dre Armeda
>
>> -K.
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>>