Hi all, I have a WordPress site that was defaced. The defacer replaced my index.php with this script:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>HackeD By asL-Sabia {hamoooode}</title>
<meta http-equiv="Content-Language" content="ar-sa">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="description" content="????? ?????? ,,asL-Sabia@hotmail.com,">
<meta name="keywords" content="?? ???????? ????? ?????? AL???g_ÃeXt?r">
</head>
<body style="cursor: crosshair;" link="#0000ee" alink="#ee0000" background="http://store2.up-00.com/Mar12/QUT08602.gif" bgcolor="#000000" vlink="#551a8b">
<div style="text-align: center;"><b><font face="Fixedsys"><big style="color: red;"><b><big><big><big><b><font face="GGGGGGGGG">HaCKeD <span style="color: white;">By</span> asL-Sabia </font></b></big></big></big></b></big></font></b></div>
<div align="center"><img src="http://store2.up-00.com/Mar12/PWo08748.jpg" width="900" height=""><br><br>
<div align="center"><img src="http://store2.up-00.com/Mar12/wKE08422.jpg" width="" height=""><br>
<body onLoad="type_text()" ; bgColor=#000000 text=#FF0000>
<div style="width: 600px;height: 100px;" align="center">
<script language="Javascript">
<!--
var tl=new Array(
"Finding Vulnerability...................","Find :)","Bypassing Security...................","Getting Access...................Defacing...",
"--0501002267>>Done.......","You Got Owned By asL-Sabia",
"asL-Sabia....... HaCkeD YoU............",
"That Was Damn Too Easy.......",
"..............Contact Me For Security..................",
" ..............asL-Sabia@hotmail.com.............."
);
var speed=50; var index=0; text_pos=0; var str_length=tl[0].length; var contents, row;
function type_text() {
  contents='';
  row=Math.max(0,index-20);
  while(row<index) contents += tl[row++] + '\r\n';
  document.forms[0].elements[0].value = contents + tl[index].substring(0,text_pos) + "_";
  if(text_pos++==str_length) {
    text_pos=0; index++;
    if(index!=tl.length) {
      str_length=tl[index].length;
      setTimeout("type_text()",1500);
    }
  } else setTimeout("type_text()",speed);
}
//-->
</script>
<p align="center">
<form><textarea style="background-color:#000000;color:#00ff00;" name="about" readonly="readonly" rows="10" cols="60" wrap="soft"></textarea></form></p>
</div>
<br><br><br><br><br>
<center><font size=5 color=#00ff00><b>Greetz To:</b></font></center>
<br>
<center><font size=4 color=red><b>|All My friends|</b></font></center>
<br>
<center>
<img src="http://store2.up-00.com/Mar12/PWo08748.jpg">
<br>
<font color=white size=4>0501002267</font>
<embed src="http://www.youtube.com/v/iRAS-QnaM9A&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></embed>

I wonder how this happened, because all PHP files are locked to read-only permission.
Almost all WordPress compromises are due to one of two things:
- 777 permissions on, e.g., your upload folder
- WP version not up to date

Even if your PHP files are read-only, if you set your upload/content folders to 777 your website is vulnerable to a variety of hacks. If you do not religiously update your code, you are vulnerable to defacement hacks such as the one you experienced, and a variety of other hacks.
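The permission audit the reply above calls for, as an added example that is not code from this thread: a Python script that walks a WordPress tree on a Unix host and reports world-writable directories and files (what chmod 777 leaves behind), PHP files sitting under wp-content/uploads, and a root index.php that no longer contains the stock require of wp-blog-header.php, then maps the 777 findings to the 755 (directories) / 644 (files) modes WordPress documents as the default. The sample tree it builds is constructed for the demonstration, and the function names (audit_tree, remediation_plan, build_demo_tree) are the example's own, not WordPress's.

```python
import os
import stat
import tempfile
from pathlib import Path

UPLOADS = Path("wp-content") / "uploads"
# The stock WordPress root index.php does nothing but require wp-blog-header.php,
# so its absence from the file is a cheap "was index.php replaced?" check.
STOCK_INDEX_MARKER = "wp-blog-header.php"
PHP_SUFFIXES = (".php", ".phtml", ".php5")


def audit_tree(root):
    """Walk a WordPress install and return (kind, relative_path, detail) findings.

    Only the world-writable bit (o+w, as set by 777/666) is flagged; group-writable
    trees shared with the web server user need a policy decision, not a blanket rule.
    """
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel = d.relative_to(root)
        dmode = d.stat().st_mode
        if dmode & stat.S_IWOTH:
            findings.append(("world_writable_dir", str(rel), f"mode {stat.S_IMODE(dmode):o}"))
        in_uploads = rel == UPLOADS or UPLOADS in rel.parents
        for name in filenames:
            f = d / name
            fmode = f.lstat().st_mode  # lstat: a symlink's own bits are meaningless
            if stat.S_ISLNK(fmode):
                continue
            frel = str(f.relative_to(root))
            if fmode & stat.S_IWOTH:
                findings.append(("world_writable_file", frel, f"mode {stat.S_IMODE(fmode):o}"))
            if in_uploads and name.lower().endswith(PHP_SUFFIXES):
                findings.append(("php_in_uploads", frel, "uploads should hold media only"))
    index = root / "index.php"
    if index.is_file() and STOCK_INDEX_MARKER not in index.read_text(errors="replace"):
        findings.append(("index_php_replaced", "index.php", f"no require of {STOCK_INDEX_MARKER}"))
    return findings


def remediation_plan(findings):
    """Translate the 777/666 findings into chmod calls; nothing is applied here."""
    plan = []
    for kind, rel, _detail in findings:
        if kind == "world_writable_dir":
            plan.append(("chmod", "755", rel))
        elif kind == "world_writable_file":
            plan.append(("chmod", "644", rel))
    return plan


def build_demo_tree():
    """Constructed sample install reproducing the mistakes discussed in the thread."""
    root = Path(tempfile.mkdtemp(prefix="wpdemo-"))
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "load.php").write_text("<?php // stock core file\n")
    (root / UPLOADS).mkdir(parents=True)
    (root / UPLOADS).chmod(0o777)  # the classic "make uploads work" shortcut
    (root / UPLOADS / "2012").mkdir()
    (root / UPLOADS / "2012" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (root / UPLOADS / "2012" / "cache.php").write_text("<?php // constructed: a script that should not be here\n")
    (root / "index.php").write_text("<html><title>defaced</title></html>\n")  # stock loader gone
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
    (root / "wp-config.php").chmod(0o666)  # credentials readable and writable by anyone
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    results = audit_tree(demo)
    for kind, rel, detail in results:
        print(f"{kind:20} {rel:40} {detail}")
    for cmd, mode, rel in remediation_plan(results):
        print(f"{cmd} {mode} {demo / rel}")
```

Run it against the real document root instead of the demo tree and review the plan before applying it: a directory that genuinely must be writable by the web server (uploads, cache) should get ownership or group access for that user, not world-writability, and the presence of any .php under uploads is an indicator to investigate rather than just delete.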
This doesn't make much sense ... But I think you are saying that the compromise was probably due to bad code. That is why the recommendation above is to religiously update your code.
Sites get hacked every day from a variety of things:
- out-of-date WordPress version
- out-of-date plugins
- exploits in the theme (timthumb)
- bad webhosts (godaddy)
- connecting over FTP or to wp-admin using insecure wifi
- connecting using a compromised PC (trojan, keylogger)

We have fixed so many of these sites in the last 3 years that we wrote a huge DIY guide about it here: http://www.jtpratt.com/how-to-fix-a-hacked-wordpress-blog/
Fairly comprehensive write-up. I would add a paragraph about permissions to it. The number of webmasters who resort to 777 permissions on their website -- because they're on a host that uses mod_php rather than FastCGI or suphp -- is frightening. A much more common problem than the last two items on the list, IMO.
You will find it's likely an exploit in WordPress itself or an exploit in a plugin or theme installed on the WordPress install. Were you running the latest versions of WordPress AS WELL AS any plugins and themes you use? Be sure to check the database to make sure no users have been added, etc. I would advise restoring from a backup and then ensuring everything is up to date as a starting point.
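The database check suggested above, as an added example not taken from the thread: WordPress keeps roles in the {prefix}usermeta row {prefix}capabilities as a serialized PHP array (a:1:{s:13:"administrator";b:1;}), so the query joins wp_users to that row and lists every account holding the administrator role; the helper then flags any that the owner does not recognise or that were registered after the last known-good date. The in-memory sqlite3 database and its three users are constructed for the demonstration; against a live site the same SELECT runs in the mysql client with the $table_prefix from wp-config.php substituted.

```python
import sqlite3

# Table names cannot be bound parameters, so the prefix is interpolated into the
# SQL; take it from $table_prefix in wp-config.php, never from untrusted input.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM {p}users AS u
JOIN {p}usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = '{p}capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""

FIELDS = ("id", "login", "email", "registered")


def list_administrators(conn, prefix="wp_"):
    """Every account that currently holds the administrator role, oldest first.

    The LIKE on the serialized array also catches an account given several roles,
    which an exact-match on the one-role string would miss.
    """
    rows = conn.execute(ADMIN_QUERY.format(p=prefix)).fetchall()
    return [dict(zip(FIELDS, row)) for row in rows]


def suspect_accounts(admins, known_logins, last_good):
    """Admins the owner does not recognise, or registered after the last known-good time.

    Timestamps compare as 'YYYY-MM-DD HH:MM:SS' strings, the format WordPress stores.
    """
    return [a for a in admins
            if a["login"] not in known_logins or a["registered"] > last_good]


def build_demo_db():
    """Constructed in-memory stand-in for a site's wp_users / wp_usermeta tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
                               user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'admin',   'owner@example.com',  '2011-06-01 10:00:00');
        INSERT INTO wp_users VALUES (2, 'editor',  'editor@example.com', '2011-09-12 08:30:00');
        INSERT INTO wp_users VALUES (3, 'support', 'nobody@example.net', '2012-03-14 02:17:44');
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    admins = list_administrators(db)
    for a in admins:
        print("admin:", a["login"], a["email"], a["registered"])
    # The owner recognises only 'admin'; the last clean backup predates 1 March 2012.
    for a in suspect_accounts(admins, {"admin"}, "2012-03-01 00:00:00"):
        print("SUSPECT:", a["login"], "registered", a["registered"])
```

Compare the e-mail addresses of the recognised admins as well as the login names, since changing an existing admin's address is a quieter way to keep access than adding an account, and treat a clean result as necessary but not sufficient: a restored backup still needs every password and the wp-config.php secrets changed, because whatever wrote the new index.php could read the database credentials next to it.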