Global HACK Alert!! Please Everyone Check This Thread and Save Yourself!

Discussion in 'Site & Server Administration' started by godsofchaos, May 17, 2009.

  1. #1
    Yes it is true!!

    All types of sites including WP blogs to VBulletin Forums are being struck by a weird and dangerous hack globally.

    The Threats:


    1) Taking away your visitors and redirecting them to their site without you knowing about it.

    2) Creating 3 or 4 extra files per folder throughout the site. 1 file will be a .htaccess file, 1 file will be a .htaccesse file and the last one will be a randomly generated, numbered PHP file within every single folder.

    3) Hidden Files: .htaccess files are being generated throughout, containing: Options -MultiViews ErrorDocument 404 //wp-content/88758.php.


    Prevention:


    1) None so far!!
    2) Manual Deletes
    3) Finally Change Password and Monitor!


    My Action:

    1) Manually deleting those files immediately on a folder by folder basis. 3 or 4 files will have to be deleted from each folder. cPanel will not show the .htaccess and .htaccesse files and neither will FTP. You will HAVE TO TURN ON View Hidden Files to actually find them.

    2) And I am in the midst of letting you all know about it. Those who are infected already will have a WEIRD, RANDOM PHP File in each folder which will contain something similar:

    The PHP File will be named at random numbers like 214224.php, 1123502.php or anything similar, basically random numbers!


    I am in between a break of deleting those files individually. Just wanted to let you all know.

    Please be safe and spread the word.



    Also, adding to the bad news. It actually has been happening for a while but recently the trend is going up fast.

    Please do provide feedback if and when you find you are hacked. Additionally if you find a solution please let us know here!!
     
    godsofchaos, May 17, 2009 IP
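An added example, not part of the original post: the scan a server admin would run from a shell for the indicators godsofchaos lists (plus the 0-byte file from the follow-up post). It builds a constructed throwaway tree with planted files modelled on the post, then finds .htaccess files whose 404 handler is a PHP script, the mis-named .htaccesse copies, PHP files whose names are only digits, and empty files. The names 88758.php, 1123502.php and 214224.php come from the post; the tree and every path are made up. The security-relevant detail is the ErrorDocument line: pointing the 404 handler at a PHP file makes Apache execute that script for any request that would otherwise 404, so the attacker's code runs on every probe URL without a single legitimate page being edited.

```shell
#!/bin/sh
# Added example, not code from the thread: scan a web root for the indicators
# described in posts #1 and #2. The site tree is constructed here for the demo;
# on a real host call the find_* functions on the document root instead.
set -eu

# Build a throwaway tree mixing legitimate files with planted ones modelled
# on the post (file names 88758.php, 1123502.php, 214224.php come from it).
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/wp-content/uploads" "$t/wp-includes"
  printf '<?php echo "home"; ?>\n' > "$t/index.php"
  printf 'Options -Indexes\n' > "$t/wp-includes/.htaccess"     # legitimate
  # Injected .htaccess: every 404 now executes the planted PHP script.
  printf 'Options -MultiViews\nErrorDocument 404 //wp-content/88758.php\n' \
    > "$t/.htaccess"
  printf 'Options -MultiViews\nErrorDocument 404 //wp-content/88758.php\n' \
    > "$t/wp-content/uploads/.htaccess"
  : > "$t/wp-content/.htaccesse"               # mis-named copies
  : > "$t/wp-content/uploads/.htaccesse"
  printf '<?php /* payload stub */ ?>\n' > "$t/wp-content/88758.php"
  printf '<?php /* payload stub */ ?>\n' > "$t/wp-content/uploads/1123502.php"
  : > "$t/wp-includes/214224.php"              # the 0-byte file from post #2
  printf '%s\n' "$t"
}

# .htaccess files whose 404 handler is a PHP script. A site may route its own
# 404 page through PHP, so treat hits as items to review, not proof of compromise.
find_hijacked_htaccess() {
  find "$1" -type f -name .htaccess \
    -exec grep -lE '^[[:space:]]*ErrorDocument[[:space:]]+404[[:space:]]+.*\.php' {} + | sort
}

# The .htaccesse files the attacker leaves beside the real ones.
find_htaccesse() { find "$1" -type f -name .htaccesse | sort; }

# PHP files whose base name is only digits (214224.php, 1123502.php, ...).
find_numeric_php() { find "$1" -type f -name '*.php' | grep -E '/[0-9]+\.php$' | sort; }

# Zero-byte files (post #2 reports one appearing in some folders).
find_empty_files() { find "$1" -type f -size 0 | sort; }

# Distinct suspicious paths under a root; a single number to track between
# cleanup passes.
count_indicators() {
  { find_hijacked_htaccess "$1"; find_htaccesse "$1"
    find_numeric_php "$1"; find_empty_files "$1"; } | sort -u | wc -l | tr -d ' '
}

# Demo run on the constructed tree. find lists dotfiles, unlike cPanel's file
# manager and most FTP clients, which hide them until told otherwise.
demo_root=$(make_sample_tree)
echo "== .htaccess with a PHP 404 handler"; find_hijacked_htaccess "$demo_root"
echo "== .htaccesse copies";                find_htaccesse "$demo_root"
echo "== numeric PHP file names";          find_numeric_php "$demo_root"
echo "== zero-byte files";                 find_empty_files "$demo_root"
echo "== distinct indicators: $(count_indicators "$demo_root")"
rm -rf "$demo_root"
```

The first list is the one to read carefully: a legitimate site can also send 404s to a PHP page, so open the target file before deleting anything. Deleting the files alone does not close whatever wrote them, which is the point SteveWh and SSANZ make further down.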
  2. godsofchaos
    #2
    Apparently it also creates an additional file which is 0 byte in size.

    The 0 byte sized file does not appear in all folders, at least in my case.
     
    godsofchaos, May 17, 2009 IP
  3. Kaoz
    #3
    I have a couple of those PHP files with that code but never knew what they were, thought they were shells...
     
    Kaoz, May 17, 2009 IP
  4. godsofchaos
    #4
    Dude!! Double check those files :( Must be the worst thing that ever happened on the net.


    I am still deleting files one by one and it is 7 AM in my place :( Couldn't even sleep!
     
    godsofchaos, May 17, 2009 IP
  5. SteveWh
    #5
    I see some posts about this going all the way back to 2005. None of them report exactly how it's being done.

    First, upgrade all your scripts (WordPress, whatever) to the latest versions.

    Then you can do some things that improve security:

    1) In case it's a script insertion attack that is getting in by PHP, use php.ini or .htaccess to:

    Set register_globals Off
    Set allow_url_fopen Off
    Set allow_url_include Off
    Use .htaccess to block all requests that have http:// in the query string part of the request.

    If your site's functionality depends on these things, your site won't work properly after you do this, but it has a good chance of blocking the attacks and buying you some time to work on what's really wrong with the site's security.

    2) In case the site's being hacked by a malicious server "neighbor" (less likely but possible):
    --Don't have any folder set at 777 permissions. Use 755. Depending on the software you use, some parts of your site might not work properly after you do this, so you'll have to figure out a workaround.
    --Don't have any file set at 666 permissions. Use 644. Same thing, it might break your site's functionality.

    As before, the idea is to buy time so you don't have to spend all day deleting files. You can't win at that game. They can hack faster than you can clean up.

    -----

    http://wordpress.org/support/topic/220523 describes how to use .htaccess to secure your WP admin so you (from your IP address) are the only one who can log in.
     
    SteveWh, May 17, 2009 IP
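An added example, not SteveWh's code: a shell script that applies the hardening steps from the post above to a constructed throwaway tree and checks the permission part. It writes an .htaccess with the three PHP settings, a mod_rewrite rule refusing any request whose query string carries a URL (the query string is matched undecoded, so the %-encoded form is caught too), and an IP lock on wp-login.php in the spirit of the WordPress thread linked above (that thread's exact rules are not reproduced here); it then lists world-writable directories and files and resets them to 755/644. The address 203.0.113.10 and every path are placeholders. Two caveats: php_flag only works when PHP runs as an Apache module, otherwise Apache answers 500 and the same settings belong in php.ini; and Order/Deny/Allow is Apache 2.2 syntax (mod_access_compat on 2.4).

```shell
#!/bin/sh
# Added example, not code from the thread: apply the hardening from post #5
# (PHP flags, query-string filter, 755/644 permissions, login locked to one
# IP) and verify the permission part on a constructed tree. The admin IP
# 203.0.113.10 and all paths below are placeholders.
set -eu

# .htaccess with the settings post #5 lists plus an IP lock on wp-login.php.
# php_flag only takes effect when PHP runs as mod_php; under CGI/FastCGI
# (suPHP, php-fpm) Apache rejects the directive with a 500 and the same three
# settings go in php.ini instead. Order/Deny/Allow is Apache 2.2 syntax.
write_hardening_htaccess() {
  out=$1; admin_ip=$2
  cat > "$out" <<EOF
# PHP: no register_globals, no remote file opens or remote includes
php_flag register_globals off
php_flag allow_url_fopen off
php_flag allow_url_include off

# Refuse any request with a URL in the query string (remote-include probes).
# QUERY_STRING is matched undecoded, so catch the %-encoded form as well.
RewriteEngine On
RewriteCond %{QUERY_STRING} (https?|ftp)(://|%3A%2F%2F) [NC]
RewriteRule .* - [F,L]

# Only the administrator's address may reach the login script
<Files wp-login.php>
  Order Deny,Allow
  Deny from all
  Allow from $admin_ip
</Files>
EOF
}

# True if the given directive text is present in the file.
htaccess_has() { grep -qF -- "$2" "$1"; }

# World-writable directories and files (777, 666 and any other mode with o+w).
find_world_writable() { find "$1" -perm -002 \( -type d -o -type f \) | sort; }
count_world_writable() { find_world_writable "$1" | wc -l | tr -d ' '; }

# Post #5's fix: directories 755, files 644. Anything that must write (uploads,
# caches) breaks until that directory is owned by the web server user rather
# than opened to everyone; fix ownership, do not go back to 777.
fix_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Constructed tree with the two classic mistakes from the thread.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/wp-content/uploads"
  printf '<?php ?>\n' > "$t/index.php"
  printf '<?php ?>\n' > "$t/wp-content/plugin-config.php"
  chmod 777 "$t/wp-content/uploads"
  chmod 666 "$t/wp-content/plugin-config.php"
  printf '%s\n' "$t"
}

# Demo: audit, fix, re-audit, then drop in the hardening .htaccess.
demo_root=$(make_sample_tree)
echo "== world-writable before:"; find_world_writable "$demo_root"
fix_permissions "$demo_root"
echo "== world-writable after: $(count_world_writable "$demo_root")"
write_hardening_htaccess "$demo_root/.htaccess" 203.0.113.10
echo "== wrote $demo_root/.htaccess"
rm -rf "$demo_root"
```

Run the audit half against a real document root first and read the list before running fix_permissions on it; as the post says, anything that needs write access will stop working, and the answer is ownership for those specific directories, not 777.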
  6. Kaoz
    #6
    nothing happened to my site yet.
     
    Kaoz, May 17, 2009 IP
  7. SSANZ
    #7
    Ok, This is pathetic. Moderators need to change the subject asap.

    This is NOT a global disaster, you're a god of chaos....


    WP blog owners - update your plugins and ensure all of your file permissions are correct.

    The thread starter's blog was compromised due to an insecure PHP file which was writable, or a directory was writable (incorrect permissions).

    I've since had several clients with infected WP blogs and I've investigated - turns out it was insecure permissions on all 8 infections.

    Don't panic people..
     
    SSANZ, May 17, 2009 IP
  8. SteveWh
    #8
    SSANZ, exactly correct.

    With this exact exploit being in circulation since 2005, obviously standard security precautions will prevent it.

    I didn't mean to imply otherwise. Everything I posted is standard security precautions.
     
    SteveWh, May 17, 2009 IP
  9. godsofchaos
    #9

    Not really, Einstein. Thing is none of my folders had 777. The maximum permission was set to 755.

    Still, by your credentials it seems you are a server tech guy, so you know what you might be talking about rather than I. The fact of 8 infections on the same server is something to look out for.

    Anyway, didn't want people to suffer the way I did. Just wanted them to be cautioned about it so take your own actions, but remember better safe than sorry.

    So go on and chill Bill ;)

    ---xx---

    Hey Steve thanks a lot for the instructions. At least will come handy for anyone who is infected or about to be infected. Cheerios!
     
    godsofchaos, May 17, 2009 IP
  10. relixx
    #10
    Ok, so what is the attack vector, exactly?
     
    relixx, May 18, 2009 IP
  11. SoftCloud
    #11
    Bah... probably little script kiddies... I have got my Error 404 page to email me whenever people hit a 404 on my site... and I'm getting a lot everyday, don't bother me though. The IC3 seem to love having a huge list of IP Addresses sent them, not sure they'd be doing anything with them though. :/
     
    SoftCloud, May 18, 2009 IP
  12. relixx
    #12
    What I love seeing in the logs is idiots trying SQL injection attacks on static HTML files :D

    I just block FTP, SSH, etc access to only come from a static IP.

    The attack is probably coming from a buggy plugin or some such, but I love how godsofchaos scares everyone with the warning but doesn't actually say HOW they get in - prevention is better than cure...
     
    relixx, May 18, 2009 IP
  13. Bohra
    #13
    1 Big Prevention Step Is.


    - Select your host wisely... Some hosts are very cheap but they also indulge in this kind of hacking...
    - Before shifting other sites to your main server, check the code properly.
    - When you buy new sites, also see if any suspicious code has been added, just in case.

    Hope this helps to some extent.

    Regards
    Bohra
     
    Bohra, May 18, 2009 IP
  14. jazzcho
    #14
    Those idiots are probably...

    a) Idiots

    b) People who run automated scripts

    c) People who know that you can easily make the web server parse html files as if they were php, asp, etc. Those people would, however, know how to tell if this is going on or not.
     
    jazzcho, May 18, 2009 IP
  15. relixx
    #15
    I'm going with options A and B, lol. Once, I sat there tailing the logs in real time, watching some moron from France (or using a French computer as a proxy) try different mysql-injection query strings on index.html.

    In the end I got bored and redirected his IP to goatse. He stopped rather quickly.
     
    relixx, May 18, 2009 IP
  16. ravee1981
    #16
    keep your register_globals, url fopen and url include off.

    You need to keep your doors closed, leaving them wide open and blaming the thief wont help at all.
     
    ravee1981, May 21, 2009 IP
  17. .SR
    #17

    I totally agree with your first sentence.

    .SR
     
    .SR, May 28, 2009 IP
  18. godsofchaos
    #18
    Surely the host matters a lot, no denying that! However, it is not always the host's fault and the issue of "being hacked" depends on so many other important factors.

    For example,

    I am on WordPress and it is not my host's responsibility to upgrade it instantly when there is a new release. Hackers can easily scan for exploits and utilize them.

    Even themes and outdated plugins can be the cause of a hack and the host, no matter how big or small, is not responsible for the hack.

    I am not defending my host, honestly I am not! But, I do feel that it is a side by side walk to success online and better hosts cannot protect you if you cannot protect yourself in the first place.

    I have fixed that issue anyway.
     
    godsofchaos, Jun 3, 2009 IP
  19. idzire
    #19
    Man that's not a global hack.

    They redirected your website.

    Simple hacking method.

    Never use unknown plugins for WP and keep your vB forum patched always; any exploit is dangerous.
     
    idzire, Dec 2, 2010 IP
  20. VINEETYADAV
    #20
    He is right. Scripts from unknown sources may contain malicious code...
     
    VINEETYADAV, Dec 9, 2010 IP