|
#1
Jun 15, 2010, 08:38 AM
hi.
My WordPress website was just hacked. I strongly suspect Atahualpa, because re-downloading and re-installing it (version 3.4.6) solved the problem.
Any page of the website showed this crew signature: "uah-crew".
The "hacked" 3.4.6 version is available for reviewing. Just PM or email me and I'll send it to you.
Thanks for the attention.
Michele
|
#2
Jun 15, 2010, 09:16 AM
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
I would suspect it is your WordPress and/or server that was hacked.
Who is your host?
Contact them and tell them you have been hacked.
What version of WordPress are you running?
Use FTP and go look at the dates on all your other themes and all other WordPress files and see if there are any with a date that doesn't match the others.
Change your WordPress admin password.
Check all users in WordPress.
Change your FTP password.
Look to see if there are any other FTP users you don't know.
Change your cPanel/host password, and check to see if there are any others you don't recognize.
Scan your WordPress database for any potential SQL injections.
Do a Google search on 'wordpress hacked' and follow the directions.
This is not a fun thing to have happen or an easy thing to have fixed. Hundreds of WordPress sites were hacked into a couple months ago at Bluehost and it was a server security issue.
Good luck recovering.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
|
#3
Jun 15, 2010, 09:49 AM
Dear juggledad,
All I can say is that public_html/wp-content/themes/atahualpa/index.php had been re-written. I am still investigating how. WP is 2.9.2.
The original directory has already been replaced on server, and re-installing Atahualpa solved the problem.
Thanks for your suggestions, please feel free to change the subject of this post if you feel it's not an atahualpa "hole".
Will keep you posted.
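An added example, not part of the original thread: one way to automate the date check suggested in post #2 and to confirm which files were rewritten, as described in post #3, by comparing the installed theme against a freshly downloaded copy. The function names and the sample tree are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
import time
from collections import Counter

def _files(root):
    """Map relative path -> absolute path for every file under root."""
    out = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = full
    return out

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_theme(installed, clean):
    """Compare an installed theme with a freshly downloaded copy (hypothetical helper)."""
    inst, ref = _files(installed), _files(clean)
    modified = sorted(p for p in inst if p in ref and _sha256(inst[p]) != _sha256(ref[p]))
    added = sorted(p for p in inst if p not in ref)
    missing = sorted(p for p in ref if p not in inst)
    # Date check: files whose modification day differs from the most common one.
    days = {p: time.strftime("%Y-%m-%d", time.localtime(os.path.getmtime(f)))
            for p, f in inst.items()}
    usual = Counter(days.values()).most_common(1)[0][0] if days else None
    odd_dates = sorted(p for p, d in days.items() if d != usual)
    return {"modified": modified, "added": added, "missing": missing, "odd_dates": odd_dates}

def demo():
    """Constructed sample: a clean theme and a copy with a rewritten index.php."""
    base = tempfile.mkdtemp()
    old = time.time() - 90 * 86400          # pretend install date, 90 days ago
    for tree in ("clean", "installed"):
        os.makedirs(os.path.join(base, tree))
        for name in ("index.php", "style.css", "functions.php"):
            path = os.path.join(base, tree, name)
            with open(path, "w") as fh:
                fh.write("<?php // " + name + "\n")
            os.utime(path, (old, old))
    with open(os.path.join(base, "installed", "index.php"), "w") as fh:
        fh.write("<?php echo 'defaced'; ?>\n")  # rewritten, so it gets today's mtime
    return audit_theme(os.path.join(base, "installed"), os.path.join(base, "clean"))
```

Modification dates can be reset by whoever wrote the file, so the hash comparison against a clean copy is the stronger of the two checks.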
|
#4
Jun 15, 2010, 10:38 AM
You have wordpress installed in 'public_html'???? how secure is it?
who is the host?
what is the url?
Juggledad | Forum Moderator/Support
|
#5
Jun 15, 2010, 10:50 AM
url is www.tendertonaveitalia.net
host is hostingplan.net / Cpanel / linux
pardon my ignorance, what is wrong with putting wordpress on your root home directory?
Tnx.
|
#6
Jun 15, 2010, 10:51 AM
when I see 'public' in a folder name, alarms go off. Now it might be quite secure, but I'd check it out. It's just me being nervous.
Have you contacted the host to see if anyone else was hacked?
Juggledad | Forum Moderator/Support
|
#7
Jun 15, 2010, 11:16 AM
Quote:
Originally Posted by juggledad
when I see 'public' in a folder name, alarms go off. Now it might be quite secure, but I'd check it out. It's just me being nervous.
Have you contacted the host to see if anyone else was hacked?
|
I see. "public html" is just an alias to "www". It's the place where all the "web" stuff goes.
Yes, I did contact my host. Hopefully they'll find out how the hacker got his hands on the index.php.
Thank you for your feedback. Cheers!
|
#8
Jun 15, 2010, 12:09 PM
I had a site get hacked not too long ago with exactly the same method. It wasn't anything to do with the theme, apparently they got in through a plug-in that I hadn't updated. So check and make sure they're all up to the current version.
|
#9
Jun 15, 2010, 12:32 PM
Quote:
Originally Posted by DannyLife
I had a site get hacked not too long ago with exactly the same method. It wasn't anything to do with the theme, apparently they got in through a plug-in that I hadn't updated. So check and make sure they're all up to the current version.
|
yes, I found this via google. Only: I do not have ImageManager installed. Was this your plugin?
------
================================================== =============
Wordpress xinha4wp xinha_core plugins File Upload Vulnerability
================================================== =============
################################################## ##################
Author : Hackeri-AL
Contact : hackeri-al[at]live[dot]com
Greetz : LoocK3D & all Albania and Kosova Hackers
My Group : UAH-Crew = United Albania Hackers
################################################## ##################
[~] DORK: /imagemanager/demo_images/wp/ site: com ,de , org / etc...
--------------------------------------------------------------------
[~] You go to: htpp://web.com/wp-content/plugins/xinha4wp/xinha_core/plugins/ImageManager/
[~] Then we : htpp://web.com/wp-content/plugins/xinha4wp/xinha_core/plugins/ImageManager/manager.php <[ upload here shell ]
[~] Shell : htpp://web.com/wp-content/plugins/xinha4wp/xinha_core/plugins/ImageManager/demo_images/yourShell.php
################################################## ##################
[~] Video: http://www.youtube.com/watch?v=BG-OVjG8dcs
################################################## ##################
[~] Proud 2 be Albania
[~] Proud 2 be Muslim
[~] United States of Albania
################################################## ##################
# Inj3ct0r.com [2010-04-16]
------
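An added example, not part of the original thread: a defensive check for the kind of file-upload issue the quoted advisory describes, listing files in image directories that a server could execute as PHP. The directory set, function names and sample tree are assumptions; `demo_images` is taken from the advisory and `uploads` is the standard WordPress media folder.

```python
import os
import tempfile

PHP_EXTS = (".php", ".phtml", ".php5", ".phar")
# Assumption: directories that should only ever hold media files.
IMAGE_DIRS = {"uploads", "demo_images"}

def scripts_in_image_dirs(root):
    """List files under image directories that the server could run as PHP."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        if not IMAGE_DIRS & set(os.path.relpath(dirpath, root).split(os.sep)):
            continue
        for name in names:
            path, lower = os.path.join(dirpath, name), name.lower()
            with open(path, "rb") as fh:
                head = fh.read(1024)
            if lower.endswith(PHP_EXTS):
                reason = "script extension"
            elif any(ext + "." in lower for ext in PHP_EXTS):
                reason = "double extension"   # executable only on some server configs
            elif b"<?php" in head:
                reason = "PHP tag in content"
            else:
                continue
            hits.append((os.path.relpath(path, root), reason))
    return sorted(hits)

def demo():
    """Constructed sample tree; file names and contents are made up."""
    root = tempfile.mkdtemp()
    sample = {
        "wp-content/themes/atahualpa/index.php": b"<?php // theme file\n",
        "wp-content/uploads/2010/06/photo.jpg": b"\xff\xd8\xff\xe0 JFIF data",
        "wp-content/uploads/2010/06/x.php": b"<?php // placeholder\n",
        "wp-content/plugins/demo_images/logo.php.jpg": b"not an image",
        "wp-content/plugins/demo_images/pic.gif": b"GIF89a<?php // placeholder\n",
    }
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return scripts_in_image_dirs(root)
```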
|
#10
Jun 15, 2010, 12:58 PM
Sorry, I never got to see the details. My host dealt with it and informed me that I needed to update the plug-ins. I wasn't using ImageManager either though.
|
#11
Jun 15, 2010, 01:15 PM
I see. Thanks. All my plugins are updated now. Hope my host will be able to tell me what the problem was.
|
#12
Jun 17, 2010, 10:09 PM
34 posts · Jun 2010
Fredrikstad, Norway
Quote:
Originally Posted by juggledad
when I see 'public' in a folder name, alarms go off. Now it might be quite secure, but I'd check it out. It's just me being nervous.
|
The public_html alias www is the standard (by Linux-based web hosts) naming of the user folder that will serve as the root folder for the web site. Similar to public_ftp for your FTP site. It's just a name. It doesn't imply it initially has write access for everyone.