Deface site: where are the potential holes on my site

Discussion in 'Security' started by oncomp, Aug 11, 2012.

  1. #1
    Hi all,

    I have a WordPress site that was hacked and defaced. The defacer replaced my index.php with this script:
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    
    <title>HackeD By asL-Sabia {hamoooode}</title><meta http-equiv="Content-Language" content="ar-sa"><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><meta name="description" content="????? ?????? ,,asL-Sabia@hotmail.com,"><meta name="keywords" content="?? ???????? ????? ?????? AL???g_ÐeXt?r"></head><body style="cursor: crosshair;" link="#0000ee" alink="#ee0000" background="http://store2.up-00.com/Mar12/QUT08602.gif" bgcolor="#000000" vlink="#551a8b">
    
    <div style="text-align: center;"><b><font face="Fixedsys"><big style="color: red;"><b><big><big><big><b><font face="GGGGGGGGG">HaCKeD <span style="color: white;">By</span>&nbsp; asL-Sabia </font></b></big></big></big></b></big></font></b></div>
    
    <div align="center"><img src="http://store2.up-00.com/Mar12/PWo08748.jpg" width="900" height=""><br><br>
    <div align="center"><img src="http://store2.up-00.com/Mar12/wKE08422.jpg" width="" height=""><br>
    
    
    
    <body onLoad="type_text()" ; bgColor=#000000 text=#FF0000>
    <div style="width: 600px;height: 100px;" align="center">
    <script language="Javascript">
    <!--
    var tl=new Array(
    "Finding Vulnerability...................","Find :)","Bypassing Security...................","Getting Access...................Defacing...",
    "--0501002267>>Done.......","You Got Owned By asL-Sabia",
    "asL-Sabia....... HaCkeD YoU............", "That Was Damn Too Easy.......",
    "..............Contact Me For Security..................", " ..............asL-Sabia@hotmail.com.............."
    
    );
    var speed=50;
    var index=0; text_pos=0;
    var str_length=tl[0].length;
    var contents, row;
    
    function type_text()
    {
    contents='';
    row=Math.max(0,index-20);
    while(row<index)
    contents += tl[row++] + '\r\n';
    document.forms[0].elements[0].value = contents + tl[index].substring(0,text_pos) + "_";
    if(text_pos++==str_length)
    {
    text_pos=0;
    index++;
    if(index!=tl.length)
    {
    str_length=tl[index].length;
    setTimeout("type_text()",1500);
    }
    } else
    setTimeout("type_text()",speed);
    }
    //-->
    </script>
    <p align="center">
    <form><textarea style="background-color:#000000;color:#00ff00;" name="about" readonly="readonly" rows="10" cols="60"
    wrap="soft"></textarea></form></p>
    
    </div>
    <br><br><br><br><br>
    <center><font size=5 color=#00ff00><b>Greetz To:</b></font></center>
    <br>
    <center><font size=4 color=red><b>|All My friends|</b></font></center>
    <br>
    <center>
    <img src="http://store2.up-00.com/Mar12/PWo08748.jpg">
    <br>
    <font color=white size=4>0501002267</font>
    
    <embed src="http://www.youtube.com/v/iRAS-QnaM9A&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></embed>
    
    
    Code (markup):
    I wonder how this happened, because all PHP files are locked to read-only permissions.
    Solved!
    oncomp, Aug 11, 2012 IP
  2. #2
    Almost all WordPress compromises are due to one of two things:

    - 777 permissions on, e.g., your upload folder
    - WP version not up to date.

    Even if your PHP files are read-only, if you set your upload/content folders to 777 your website is vulnerable to a variety of hacks. If you do not religiously update your code, you are vulnerable to defacement hacks such as the one you experienced, and a variety of other hacks.
     
    Ray Baron, Aug 14, 2012 IP
  3. #3
    This is JavaScript code; it just includes a function. I think the weakness occurs in some function...
     
    alversia, Aug 14, 2012 IP
  4. #4
    This doesn't make much sense ...

    But I think you are saying that the compromise was probably due to bad code. That is why the recommendation above is to religiously update your code.
     
    Ray Baron, Aug 14, 2012 IP
  5. #5
    Sites get hacked every day from a variety of things:
    - out of date WordPress version
    - out of date plugins
    - exploits in the theme (timthumb)
    - bad webhosts (godaddy)
    - connecting in FTP or wp-admin using insecure wifi
    - connecting using a compromised PC (trojan, keylogger)

    We have fixed so many of these sites in the last 3 years that we wrote a huge DIY guide about it here:
    http://www.jtpratt.com/how-to-fix-a-hacked-wordpress-blog/
     
    jtpratt, Aug 15, 2012 IP
  6. #6
    Fairly comprehensive write-up. I would add a paragraph about permissions to it.

    The number of webmasters who resort to 777 permissions on their website -- because they're on a host that uses mod_php rather than FastCGI or suphp -- is frightening. A much more common problem than the last two items on the list, IMO. ;)
     
    Ray Baron, Aug 16, 2012 IP
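Posts #2 and #6 both point at world-writable (777) directories as the usual way a "read-only PHP files" site still gets defaced. The script below is an added example written for this thread, not code from any poster or from WordPress: it audits a document root for anything writable by "other", applies the 755/644 baseline, and re-checks. The directory layout, file names and the `demo` tree are constructed; the script assumes PHP runs as the file owner (suphp/FastCGI), as Ray's mod_php remark implies.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WordPress document root for
# world-writable files and directories, then apply the usual baseline.
# The directory layout and file names below are constructed for the demo.

# Print every regular file or directory under $1 that "other" can write to.
# -perm -0002 tests the world-write bit and is portable across find versions.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Same audit, reduced to a number that a cron job or a test can act on.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Baseline most WordPress hardening guides agree on: directories 755,
# files 644, and wp-config.php readable only by its owner. This assumes
# PHP runs as the files' owner (suphp/FastCGI); under mod_php the web
# server user must instead own the few directories it really writes to.
harden_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 600 "$1/wp-config.php"
    fi
}

# Build a throwaway tree that reproduces the "777 uploads" mistake,
# audit it, harden it, and audit it again.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf '<?php // placeholder index\n' > "$root/index.php"
    printf '<?php // placeholder config\n' > "$root/wp-config.php"
    : > "$root/wp-content/uploads/photo.jpg"
    chmod 755 "$root" "$root/wp-content"
    chmod 644 "$root/index.php" "$root/wp-config.php"
    chmod 777 "$root/wp-content/uploads"           # the classic mistake
    chmod 666 "$root/wp-content/uploads/photo.jpg" # files inherit the habit

    echo "before: $(count_world_writable "$root") world-writable path(s)"
    find_world_writable "$root"
    harden_permissions "$root"
    echo "after:  $(count_world_writable "$root") world-writable path(s)"
    rm -rf "$root"
}

demo
```

Run it against a real install as `find_world_writable /var/www/html` first and read the list before hardening anything: a handful of upload or cache directories may legitimately need to be writable by the web server user, and the fix for those is ownership, not 777.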
  7. #7
    You will find it's likely an exploit in WordPress itself or an exploit in a plugin or theme installed on the WordPress install.

    Were you running the latest versions of WordPress AS WELL AS any plugins and themes you use?

    Be sure to check the database to make sure no users have been added etc.

    I would advise restoring from a backup and then ensuring everything is up to date as a starting point.
     
    applehost, Aug 19, 2012 IP
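applehost's advice to check the database for added users is the part of cleanup most often skipped. The script below is an added example for this thread, not code from any poster or from WordPress: it diffs a pre-incident export of `wp_users` (joined with the `wp_capabilities` row of `wp_usermeta`) against the current export and reports added logins, added administrators, and accounts registered after a given date. Both data sets are constructed in-line so it runs offline; the logins and timestamps are invented, and the tab-separated shape is what `mysql --batch` prints for the query shown in the comment.

```shell
#!/bin/sh
# Added example (not from the thread): compare the live wp_users table with a
# snapshot taken before the incident and report accounts that were added.
# Each record is "ID<TAB>user_login<TAB>user_registered<TAB>capabilities",
# the shape `mysql --batch` prints for a query like
#   SELECT u.ID, u.user_login, u.user_registered, m.meta_value
#   FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#   WHERE m.meta_key = 'wp_capabilities';
# Both data sets here are constructed for the demo; the logins are invented.

# Snapshot exported before the defacement (constructed).
known_good_users() {
    printf '%s\t%s\t%s\t%s\n' \
        1 oncomp      '2011-03-02 10:15:00' 'a:1:{s:13:"administrator";b:1;}' \
        2 editor_jane '2011-06-18 08:00:00' 'a:1:{s:6:"editor";b:1;}'
}

# Export taken from the compromised site (constructed).
current_users() {
    printf '%s\t%s\t%s\t%s\n' \
        1 oncomp      '2011-03-02 10:15:00' 'a:1:{s:13:"administrator";b:1;}' \
        2 editor_jane '2011-06-18 08:00:00' 'a:1:{s:6:"editor";b:1;}' \
        7 wp_support  '2012-08-10 23:41:12' 'a:1:{s:13:"administrator";b:1;}' \
        8 guest       '2012-08-11 00:02:55' 'a:1:{s:10:"subscriber";b:1;}'
}

# Logins present in the current export but absent from the snapshot.
# comm(1) needs sorted input; -13 keeps lines unique to the second file.
added_users() {
    k=$(mktemp) && c=$(mktemp)
    known_good_users | cut -f2 | sort > "$k"
    current_users    | cut -f2 | sort > "$c"
    comm -13 "$k" "$c"
    rm -f "$k" "$c"
}

# The subset of added accounts that hold the administrator capability,
# which is what an attacker leaves behind to get back in after cleanup.
added_admins() {
    admins=$(current_users | awk -F'\t' '$4 ~ /"administrator"/ { print $2 }')
    for login in $(added_users); do
        for admin in $admins; do
            [ "$login" = "$admin" ] && echo "$login"
        done
    done
    return 0
}

# Accounts registered after a cutoff (ISO timestamps compare as strings);
# prints ID, login and timestamp for manual review.
registered_after() {
    current_users | awk -F'\t' -v since="$1" '$3 > since { print $1, $2, $3 }'
}

echo "accounts added since snapshot:";           added_users
echo "added accounts with administrator rights:"; added_admins
echo "accounts registered after 2012-08-01:";    registered_after '2012-08-01 00:00:00'
```

If no pre-incident export exists, the `registered_after` view against the date of your last known-good backup is the fallback, and every administrator returned by the query in the comment should be recognised by name before the site goes back online.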