[wp-hackers] 3.0 site got hacked

Dre Armeda dre at sucuri.net
Wed Jul 21 21:44:44 UTC 2010

On 7/21/10 2:26 PM, 24/7 wrote:
> Hi list,
> note that this is just FYI.
> My (never finished) portfolio-site got hacked in the last days (after
> the upgrade to 3.0).
The title of this is misleading. Have you confirmed 3.0 was the root 
cause? Can you provide a detailed exploit vector?

We've been seeing a lot of malware on various hosts as of late causing 
SEO poisoning (Pharma Hack) and redirects. These are not 3.0 issues. In 
a lot of cases this happens on really old versions of applications, and 
poorly managed shared hosts.

What version did you upgrade from? Do you have a shared hosting account 
and with whom?

> Sadly I was so shocked that I just reinstalled
> my theme and wp, and I forgot to download & look over my code to see what
> exactly got hacked. I could now just search through my history to find
> the links. First I had the problem that no page/post/whatever except
> the index/landing/front page was accessible (404). I thought I killed
> some parts of my page after plugin and wp updates. I deleted nearly
> all plugins and themes except hybrid theme. I left hybrid to see if I
> could access the posts via the preview of hybrid. Most of the pages
> left me with a 404, but one brought me to the following sites:
> (I break the link with "__." after the http:// to make it inaccessible
> for someone who may find and click it accidentally)
> 1) http://__.www3.doligz30td.co.cc/?p=p52dcWplbW%2BHnc3KbmNToKV1lFPWpJyjX5TJl2JvY2fLksg%3D
Scan results for this site:

> 2) http://__.www.google.md
This is a legitimate site

> 3)
> http://__.www1.greedpays10.co.cc/?p=p52dcWplbW%2BHjsbIo22AgXOOipnVbWGWZInT1m6uqG2Lw8ydb5aYen5arK3NapaXlmRebGNpyl7HVqPajtfZ1m5oWKeih9eipqCecV6aoaXGaorcmpWkcVih1GqaYF6XXZySmWFlY2%2Bch9WemHGhqKykcmiQotLZlqKYlZuryZ%2BQk5%2FTXKLU1Zatm5vcnpRfk6Gpb6yZpanNjtjLbqSVmZ%2BZ2JbFVpHTnZ7X16qjl6nNxsitb6ihmaWVrKLEU8XToWtTqKV1lV%2BZaWeYXpyam1erpWiikpVwa2trZXFqcF%2FEkKGnhVaknZZ1nWCX
Scan results for this site:

> Maybe someone found something similar. I would suggest contacting me
> directly, so we don't clutter the list unless someone knows what exactly
> was the cause. You can do otherwise too, if you want. Thanks.

Those two sites are definitely serving malware but unless you can prove 
without a doubt it is WordPress 3.0, please don't write that it's hacked.


Dre Armeda
> -K.
