[wp-hackers] Black Hat Chinese Hackers - Looking for your input
MLR
mlrichard at gmail.com
Mon Jun 2 21:25:20 GMT 2008
Hi Dave,
The database has been picked over and is clean.
Either this is a brilliant WP Hack or it is not even a WP Hack.
We also think it is Bluehost specific.
Thanks for your input!
Marie-Lynn
On Mon, Jun 2, 2008 at 5:23 PM, MLR <mlrichard at gmail.com> wrote:
> The only odd thing I found was a file in the /wp-content/ called
> index.php which has an encrypted javascript call.
>
> removing it didn't change anything.
>
> ---
> ---
>
>
> On Mon, Jun 2, 2008 at 5:19 PM, George Pearce <pearce.gs at googlemail.com> wrote:
>> I've been talking to Marie, and from what I can see there are no affected
>> Wordpress files, there are some silly 777's, but all the files have either
>> been refreshed or checked manually. Nothing seems to be in the directory
>> that the blog is, either.
>> It's strange.
>> How else would that 404 be achieved, without editing any files. Also, a
>> javascript tag has attached itself to the bottom of the </html> on each
>> page.
>>
>> (I'm replying because I've been talking to Marie for the last half hour :) )
>>
>> George
>>
>> -----Original Message-----
>> From: wp-hackers-bounces at lists.automattic.com
>> [mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Jason Webster
>> Sent: 02 June 2008 22:16
>> To: wp-hackers at lists.automattic.com
>> Subject: Re: [wp-hackers] Black Hat Chinese Hackers - Looking for your input
>>
>> Here's a few things that would be useful to know:
>>
>> Are you sure Wordpress was the point of entry for the attack?
>>
>> What kind of hosting? ie, shared/dedicated.
>>
>> MLR wrote:
>>> Hi Guys,
>>>
>>> I have noticed two things:
>>> - The combination of the Words WordPress and Hack mostly return topics
>>> about making WP do cool things (the spirit of this mailing list)
>>> - Most requests for info about fixing hacked blogs are dead ends on
>>> wordpress.org
>>>
>>> Today I am trying to fix a hacked blog without simply starting over. I
>>> want to know what happened to create the following problem:
>>>
>>> All request in the address bar to ANY wp-admin files returns a 404 error.
>>>
>>> the .htaccess file seems clean.
>>>
>>> All files were at 2.5.1
>>>
>>> I have already overwritten all files in sequence to spot which one
>>> would have rogue code.
>>>
>>> I checked the theme it seems fine (no encoded bits of javascript or rogue
>> code)
>>>
>>> I have removed the javascript functions at the bottom of the index.php
>>> that a bot inserts everyday on the site.
>>>
>>> Your pointers will definitely help me understand the source of the issue.
>>>
>>> What is your opinion on the usefullness of this plugin?
>>> http://www.askapache.com/wordpress/htaccess-password-protect.html
>>>
>>> (I know this is easely done the classic way but don't we all have a
>>> gazillion blogs to manage!?!)
>>>
>>>
>>> Thanks a lot,
>>> Marie-Lynn
>>> http://www.friendly-webmaster.com
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>> No virus found in this incoming message.
>> Checked by AVG.
>> Version: 8.0.100 / Virus Database: 269.24.4/1478 - Release Date: 02/06/2008
>> 07:12
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>
More information about the wp-hackers
mailing list