Word Press Exploit

pam · 04-26-2008, 10:20 AM

This is seemingly affecting a lot of people. So far 1 of my blogs was hit but I've got it all fixed, I believe.

Has Your WordPress Been Hacked Recently? | WordPress Philippines

Serious vulnerability affecting most versions. Please check your files/logs.

seeandsee · 04-26-2008, 11:01 AM

Thanks for info Pam!

I will check my blogs right now!

micho · 04-26-2008, 11:21 AM

I think i had some similar hack problem on my mainstream blog :/

pam · 04-26-2008, 12:22 PM

I went into phpmyadmin and deleted their spam comments that don't show in your comments area. There was also a user named Word Press with no information and that was deleted. Some people claim to have extra plugins but I can't find any.

I deleted a ton of .giff and .pngg and ._old and ._new files. So far no wp-info.txt on any of my servers

Bandiz · 04-26-2008, 12:25 PM

I don't have any problems right now, But thanx for this info...

PornBlogger · 04-26-2008, 12:59 PM

thanks for the update Pam!

i created some blogs back in the day, but abandoned updating them.. that was back at Version (2.0.3).. lol

just upgraded from (2.0.3) to (2.5.1).. yeeehaw!

Jmart · 04-26-2008, 01:06 PM

Quote:

Originally Posted by pam

I went into phpmyadmin and deleted their spam comments that don't show in your comments area. There was also a user named Word Press with no information and that was deleted. Some people claim to have extra plugins but I can't find any.

I deleted a ton of .giff and .pngg and ._old and ._new files. So far no wp-info.txt on any of my servers

i've been deleting the comments and extra users as well. Were do you see the .giff, .pngg, files?

pam · 04-26-2008, 01:11 PM

Quote:

Originally Posted by Jmart

i've been deleting the comments and extra users as well. Were do you see the .giff, .pngg, files?

Mostly in /uploads which was 777. This is how the exploit works, they go to directories they can write to and upload files.

I also had several _old_php. files as well as _new_php files.

One install out of probably 140 ... so I shouldn't complain.

Jmart · 04-26-2008, 01:16 PM

ok thanks. this is a major pain in the ass.

it would be nice to have a program that manages all your blogs and tells you when something is changed or added, because now I'm going to be going through all of my databases on a regular basis to make sure stuff like this doesn't happen.

can the search engines see those comments that we are deleting in the comments database table?

Sister Mary · 04-26-2008, 02:13 PM

Thanks for the heads up Pam. I'm gonna check this out immediately. This is part of the game I still have to educate myself about.

pimp3611 · 04-26-2008, 04:05 PM

I'm getting a lot of these files like these...index.php.jpgg

I'm a little confused. I deleted the above file but what other steps do I need to take to secure the site and make sure nothing else exists?

pimp3611 · 04-26-2008, 04:36 PM

Looking into this more I've got a tonne of sites with the following problem:

"New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories

See if there are any files in writable directories that have the same named as an existing file with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on."

What's should my next move be after deleting all the files?

PornBlogger · 04-26-2008, 04:51 PM

hey there pimp'

take a look at this post on the wordpress blog about the issue you are having, it was linked to the original post:

WordPress Exploit Topic

the writer, who experienced the same problem, explains what he/she did..

peace

motorbreath · 04-26-2008, 06:18 PM

I hate this stuff, I just found my oldest blog destroyed. Totally gone, just a new installation in its place. My password didn´t work anymore... I´m getting tired of this! This will be a long night of hard work.

pam · 04-26-2008, 06:31 PM

Go into phpmyadmin and look at the users. If there is one named WordPress with no information, no pass, nothing, delete it.

Go through your comment tables and look for spam

Change the admin password and if you have a wp-info.txt file, change everything on your entire server -- every password, every login.

Rofl · 04-26-2008, 06:53 PM

Anyone else have all their permissions set down to 000 if they change higher permissions?

Rofl · 04-26-2008, 07:16 PM

Quote:

Originally Posted by Rofl

Anyone else have all their permissions set down to 000 if they change higher permissions?

Forget that Im talking crap, my brain is fried from checking every file and every folder aargh!

pam · 04-26-2008, 08:08 PM

What's interesting is now to look at my error logs for today and see the IPs trying to exploit the exploit I removed

RageCash-Ben · 04-26-2008, 08:44 PM

fuck I hate stuff like this - thanks for the heads up Pam.

thebes · 04-27-2008, 02:29 AM

Sigh... just finished dealing with everything but the added entries to the databases. Two mainstream blogs got him, though it seems that there are no wp-info files. For some reason my new server has trouble with phpMyAdmin too.

I hate this sort of shit. I could have had a productive evening... now I get to clean up script-kiddie spoor.

04-26-2008, 11:01 AM	#2 (permalink)
seeandsee ■ Don't be good ■ Join Date: Jul 2005 Location: ~ MODERATORS HELL ~ Posts: 16,680 Points: 15	Thanks for info Pam! I will check my blogs right now! __________________ Click banner Make [Weg] Ca$h \| BOSBUCKS PAYS 75$ PPS \| JMC $ \| *** BOSBUCKS 75$ PER FREE TRIAL PROMO TILL END OF 2008 *** NICHECASTLE SHEMALES \| BOSBUCKS FOR YOU MILF, CELEBS, TEEN & VOD TRAFFIC

04-26-2008, 11:21 AM	#3 (permalink)
micho Bass I love You Join Date: Feb 2008 Location: Slovenia - EU Posts: 1,899 Points: 450	I think i had some similar hack problem on my mainstream blog :/ __________________ Want link exchange? Trade Blog Links Best Niche Sponsors: High Converting Sites (amateur, solo, milf, facial,anal...) \|1:300 Webcam \|Facials,Cumshot,Squirt \|50$ for 1$trial!!

04-26-2008, 12:25 PM	#5 (permalink)
Bandiz I like Adult Job Join Date: Apr 2008 Location: There where you think is working just scammers LT Posts: 46 Points: 225	I don't have any problems right now, But thanx for this info... __________________ Thunder-Ball.net - Member

04-26-2008, 12:59 PM	#6 (permalink)
PornBlogger I see you baby.. shakin that Ass! Join Date: Mar 2005 Location: Costa Rica Posts: 1,691 Points: 1,115	thanks for the update Pam! i created some blogs back in the day, but abandoned updating them.. that was back at Version (2.0.3).. lol just upgraded from (2.0.3) to (2.5.1).. yeeehaw! __________________ - Reading can help your $$$ status Vanity Email Service - "Be different.. Express Your Vanity!" Daily Political News - "Coffee and Politics... Yum!" -

04-26-2008, 02:13 PM	#10 (permalink)
Sister Mary God makes me sin to keep fat men thin. Join Date: Mar 2008 Location: Newfoundland, Canada Posts: 387 Points: 375	Thanks for the heads up Pam. I'm gonna check this out immediately. This is part of the game I still have to educate myself about. __________________ $Moo Cash Roolz!$ ------------------ Cogitatum maximae dilabuntur --Seneca...kinda "c'est le ton qui fait la musique" --hardcoreblogger

04-26-2008, 01:16 PM	#9 (permalink)
Jmart If you see a good move,find a better one Join Date: May 2005 Location: usa Posts: 570 Points: 165	ok thanks. this is a major pain in the ass. it would be nice to have a program that manages all your blogs and tells you when something is changed or added, because now I'm going to be going through all of my databases on a regular basis to make sure stuff like this doesn't happen. can the search engines see those comments that we are deleting in the comments database table?

04-26-2008, 04:05 PM	#11 (permalink)
pimp3611 Step it up Join Date: Aug 2005 Location: Canada Posts: 1,607 Points: 1,060	I'm getting a lot of these files like these...index.php.jpgg I'm a little confused. I deleted the above file but what other steps do I need to take to secure the site and make sure nothing else exists? __________________ Make ONE SALE and get a check with this sponsor - 387 sites to promote -

04-26-2008, 04:36 PM	#12 (permalink)
pimp3611 Step it up Join Date: Aug 2005 Location: Canada Posts: 1,607 Points: 1,060	Looking into this more I've got a tonne of sites with the following problem: "New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories See if there are any files in writable directories that have the same named as an existing file with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on." What's should my next move be after deleting all the files? __________________ Make ONE SALE and get a check with this sponsor - 387 sites to promote -

04-26-2008, 04:51 PM	#13 (permalink)
PornBlogger I see you baby.. shakin that Ass! Join Date: Mar 2005 Location: Costa Rica Posts: 1,691 Points: 1,115	hey there pimp' take a look at this post on the wordpress blog about the issue you are having, it was linked to the original post: WordPress Exploit Topic the writer, who experienced the same problem, explains what he/she did.. peace __________________ - Reading can help your $$$ status Vanity Email Service - "Be different.. Express Your Vanity!" Daily Political News - "Coffee and Politics... Yum!" - Last edited by PornBlogger : 04-26-2008 at 04:52 PM. Reason: added more info

04-26-2008, 06:18 PM	#14 (permalink)
motorbreath Right or wrong, I´m the one with the gun Join Date: Apr 2006 Posts: 132 Points: 660	I hate this stuff, I just found my oldest blog destroyed. Totally gone, just a new installation in its place. My password didn´t work anymore... I´m getting tired of this! This will be a long night of hard work. __________________ 1:425

04-26-2008, 06:53 PM	#16 (permalink)
Rofl Poom Poom Rule! Join Date: Dec 2006 Location: Old Blighty Posts: 2,739 Points: 2,530	Anyone else have all their permissions set down to 000 if they change higher permissions? __________________ What have YOU done recently? 3 great VOYEUR sites (my fave sponsor) \| AEBN VOD Sponsor \| Convert in style

04-26-2008, 08:44 PM	#19 (permalink)
RageCash-Ben . Join Date: Oct 2007 Posts: 2,567 Points: 26,331	fuck I hate stuff like this - thanks for the heads up Pam. __________________ RAGE CASH \|\| ELITE DOLLARS \|\| STFU CASH \|\| MEAT CASH RSS FEEDS 1 \| 2 \| 3 \| 4 \| 5 \| 6 \| 7 TUBE VIDEOS 1 \| 2 \| 3

04-27-2008, 02:29 AM	#20 (permalink)
thebes Getting back into the biz Join Date: Apr 2004 Location: Back in the Belly of the Beast Posts: 2,172 Points: 2,540	Sigh... just finished dealing with everything but the added entries to the databases. Two mainstream blogs got him, though it seems that there are no wp-info files. For some reason my new server has trouble with phpMyAdmin too. I hate this sort of shit. I could have had a productive evening... now I get to clean up script-kiddie spoor.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Netpond Resources
Resource Directory	Tutorials & Articles	Webmaster Tools	Netpond News

Netpond Resources
LustDollars	WildCash	PussyCash	Royal-Cash
Fetish Hits	Cyberwurx	MaxCash	Fuck You Cash
DatingGold