Comments on: WordPress 2.7.1 hacked? http://blog.silverstone.nu/2009/04/04/wordpress-271-hacked/ ~ There is no reality, only perception Thu, 02 Feb 2012 16:13:20 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Voss http://blog.silverstone.nu/2009/04/04/wordpress-271-hacked/comment-page-1/#comment-207 Voss Thu, 07 May 2009 00:06:46 +0000 http://blog.silverstone.nu/?p=958#comment-207 Thanks for your fast answer, meanwhile i found this site, there it is explained how they did it (look for a post of "bandurao"): http://forum.parallels.com/showthread.php?t=78164 I looked then for a keylogger with this program: http://dewasoft.com/privacy/kldetector.htm , and yes, it found some files on my local computer which belong to a keylogger. Unfortunately the kldetector can not remove the keylogger, so i will have to setup a new system. Thanks for your fast answer, meanwhile i found this site, there it is explained how they did it (look for a post of “bandurao”):

http://forum.parallels.com/showthread.php?t=78164

I looked then for a keylogger with this program:

http://dewasoft.com/privacy/kldetector.htm

, and yes, it found some files on my local computer which belong to a keylogger.
Unfortunately the kldetector can not remove the keylogger, so i will have to setup a new system.

]]> By: Draupner http://blog.silverstone.nu/2009/04/04/wordpress-271-hacked/comment-page-1/#comment-206 Draupner Wed, 06 May 2009 06:21:59 +0000 http://blog.silverstone.nu/?p=958#comment-206 This stopped happen for me once I changed FTP passwords and re-installed one of my computers that behaved strangely (and had LeechFTP with my sites bookmarked). My computer didn't start to act up until after a few days tho (Windows XP). This stopped happen for me once I changed FTP passwords and re-installed one of my computers that behaved strangely (and had LeechFTP with my sites bookmarked). My computer didn’t start to act up until after a few days tho (Windows XP).

]]> By: Voss http://blog.silverstone.nu/2009/04/04/wordpress-271-hacked/comment-page-1/#comment-205 Voss Tue, 05 May 2009 23:48:36 +0000 http://blog.silverstone.nu/?p=958#comment-205 At 28th April 2 of my servers (both Ubuntu servers) were hacked in the same way you described, all webpages were downloaded and then uploaded with the above mentioned malware code. The hacker has apparently had account names and passwords for FTP on both machines, one runs Proftpd and the other Vsftpd. My first thought was they have had hacked my workstation, but nothing to find on it with several programs like Spybot, Malwarebyte, Hijackthis or Avira. Are there any new informations on this phenomenon? At 28th April 2 of my servers (both Ubuntu servers) were hacked in the same way you described, all webpages were downloaded and then uploaded with the above mentioned malware code.
The hacker has apparently had account names and passwords for FTP on both machines, one runs Proftpd and the other Vsftpd.
My first thought was they have had hacked my workstation, but nothing to find on it with several programs like Spybot, Malwarebyte, Hijackthis or Avira. Are there any new informations on this phenomenon?

]]> By: John http://blog.silverstone.nu/2009/04/04/wordpress-271-hacked/comment-page-1/#comment-185 John Tue, 14 Apr 2009 15:48:14 +0000 http://blog.silverstone.nu/?p=958#comment-185 Just did a complete malware search with spybot and ad-aware and 0 found, still wonder what caused this Just did a complete malware search with spybot and ad-aware and 0 found, still wonder what caused this

]]> By: Draupner http://blog.silverstone.nu/2009/04/04/wordpress-271-hacked/comment-page-1/#comment-184 Draupner Tue, 14 Apr 2009 14:25:34 +0000 http://blog.silverstone.nu/?p=958#comment-184 Yeah I think so too. Since my PC was acting really strange too, and I got the FTP logs. Didn't have time to investigate for any malware on my computer tho. Yeah I think so too. Since my PC was acting really strange too, and I got the FTP logs. Didn’t have time to investigate for any malware on my computer tho.

]]> By: John http://blog.silverstone.nu/2009/04/04/wordpress-271-hacked/comment-page-1/#comment-183 John Tue, 14 Apr 2009 13:57:32 +0000 http://blog.silverstone.nu/?p=958#comment-183 by the way this has nothing to do with wordpress cuz all websites on my hotel got hacked and theres forums, galleries etc and home made pages and all got hacked no matter if they were SQL based or not and it didnt matter if they were in PHP or just straight HTML as well. No failed attempts on the FTP login when i check my own logs at my own server so i guess it has to do with some malware or something. Gonna check more when i get home, i tried to find people that suffered from this and this is the only place so far on the net that experienced the same thing. by the way this has nothing to do with wordpress cuz all websites on my hotel got hacked and theres forums, galleries etc and home made pages and all got hacked no matter if they were SQL based or not and it didnt matter if they were in PHP or just straight HTML as well. No failed attempts on the FTP login when i check my own logs at my own server so i guess it has to do with some malware or something. Gonna check more when i get home, i tried to find people that suffered from this and this is the only place so far on the net that experienced the same thing.

]]> By: Draupner http://blog.silverstone.nu/2009/04/04/wordpress-271-hacked/comment-page-1/#comment-182 Draupner Tue, 14 Apr 2009 13:52:16 +0000 http://blog.silverstone.nu/?p=958#comment-182 Check with your webhotel and see if you can get the FTP logs and see who uploaded those files. Also check your folders for any php-file that shouldn't be there and try to figure out how it was uploaded there. Ofcourse there might be some security issue with Wordpress or some plugin or theme also, but I know for sure that the files was uploaded by FTP on my sites. Perhaps we can try to find out also if we have some common plugins on our blogs to see if that one might be the issue? Check with your webhotel and see if you can get the FTP logs and see who uploaded those files. Also check your folders for any php-file that shouldn’t be there and try to figure out how it was uploaded there. Ofcourse there might be some security issue with WordPress or some plugin or theme also, but I know for sure that the files was uploaded by FTP on my sites. Perhaps we can try to find out also if we have some common plugins on our blogs to see if that one might be the issue?

]]> By: John http://blog.silverstone.nu/2009/04/04/wordpress-271-hacked/comment-page-1/#comment-181 John Tue, 14 Apr 2009 13:48:22 +0000 http://blog.silverstone.nu/?p=958#comment-181 i got hacked as well on 2 different servers and 1 was my own the other was at a commercial webhotel and it puted the same code in index.php db.php and some of the include files but never touched any of the files for the admin interface which i find very odd. I also found out that it was puted code inside ALL js files and html files. Not sure what caused this cuz i been running all spyware detection shit there is but cant find any on my comp? i got hacked as well on 2 different servers and 1 was my own the other was at a commercial webhotel and it puted the same code in index.php db.php and some of the include files but never touched any of the files for the admin interface which i find very odd.

I also found out that it was puted code inside ALL js files and html files. Not sure what caused this cuz i been running all spyware detection shit there is but cant find any on my comp?

]]> By: Draupner http://blog.silverstone.nu/2009/04/04/wordpress-271-hacked/comment-page-1/#comment-180 Draupner Mon, 13 Apr 2009 12:11:45 +0000 http://blog.silverstone.nu/?p=958#comment-180 if they logged on via FTP then they must have got the password from somewhere else? like from some malware on my computer in my case. i'm basing this on these facts: 1. ftp logs shows successful logins and downloads/uploads of my files, but no failed attempts. 2. two of my sites were hacked in the exact same way, two different webhotels, but both were bookmarked in my ftp software on my computer. 3. my computer was behaving very strange, menues not working, not being able to perform certain tasks etc. if they logged on via FTP then they must have got the password from somewhere else? like from some malware on my computer in my case. i’m basing this on these facts:
1. ftp logs shows successful logins and downloads/uploads of my files, but no failed attempts.
2. two of my sites were hacked in the exact same way, two different webhotels, but both were bookmarked in my ftp software on my computer.
3. my computer was behaving very strange, menues not working, not being able to perform certain tasks etc.

]]> By: raphaele http://blog.silverstone.nu/2009/04/04/wordpress-271-hacked/comment-page-1/#comment-179 raphaele Mon, 13 Apr 2009 11:55:10 +0000 http://blog.silverstone.nu/?p=958#comment-179 i am not 99% convinced this attack is done via FTP: 1 - forbidding chmod function in php.ini doesn't prevent the hackers to change the rights on my files 2 - proftpd logs show successfull connections from host that are not me, time corresponding to attacks i am not 99% convinced this attack is done via FTP:
1 – forbidding chmod function in php.ini doesn’t prevent the hackers to change the rights on my files
2 – proftpd logs show successfull connections from host that are not me, time corresponding to attacks

]]>