HACKED! Is Your WordPress Site Being Turned into a Cheap Luxury Store?

One of the Incsub team was very upset yesterday to discover that his WordPress site had been hacked. Somehow, a brand new WordPress install had been set up within his WordPress installation. Here’s what the website looks like:

Shiny Shiny Louis Vuitton bags! Who wouldn’t want to be selling those on their websites? They’re so damned popular that people are flocking to sell them. Personal blogs, delicious food websites, computer websites, book websites, tech websites, chat websites, shoe websites, just about everyone is getting on the bandwagon. Check it out on Google.

Or wait… yeah, I guess they’ve been hacked too:

A brand new website gets installed in a folder /tall/. The site is a fully functional e-commerce site. Interestingly, it looks like the perpetrators are currently being sued by Chanel. Try visiting http://www.cheap-luxury-store.com

Our dev is currently working on fixing the problem and once we know the cause and the fix we’ll definitely let you know.

We also told WordPress.org yesterday, so they are aware of the problem, and if there is an issue with WordPress they’ll no doubt be fixing it.

In the meantime, we thought we ought to warn you and also ask if anyone has had this problem and, if so, how they fixed it.
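Two quick checks for the symptom described above, as an added example that is not part of the original post: a complete second WordPress site dropped into a folder such as /tall/, and PHP files sitting where WordPress never writes any. The function and directory names are this example's own; the sample tree is constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the post or from WordPress.

# Print directories below the WordPress root that carry their own
# wp-load.php or wp-settings.php. A real install has those at its top
# level only, so a second copy deeper in the tree is a second install
# (a planted one, or a nested site you should already know about).
find_nested_wp() {
    root=$1
    find "$root" -mindepth 2 -type f \
        \( -name wp-load.php -o -name wp-settings.php \) |
        while IFS= read -r f; do dirname "$f"; done | sort -u
}

# Print PHP files under wp-content/uploads. WordPress stores media
# there, never code, so any hit deserves a look.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# Constructed sample site: a normal root plus a planted /tall/ install
# and one stray PHP file in the uploads tree.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-admin" "$site/wp-includes" \
             "$site/wp-content/uploads/2011/12" "$site/tall/wp-includes"
    : > "$site/wp-load.php"; : > "$site/wp-settings.php"
    : > "$site/wp-content/uploads/2011/12/photo.jpg"
    : > "$site/tall/wp-load.php"; : > "$site/tall/wp-settings.php"
    : > "$site/wp-content/uploads/2011/12/x.php"
    printf '%s\n' "$site"
}

# Run against a real install: sh thisfile.sh /var/www/html
if [ "${1:-}" ]; then
    echo "== nested installs =="; find_nested_wp "$1"
    echo "== php under uploads =="; find_php_in_uploads "$1"
fi
```

Both functions only list paths; compare the output against installs you created yourself before deleting anything.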


Comments (36)

  1. I had something very similar only much worse happen to my sites last week. One of the hacks was so bad that I was actually contacted by a rather ominous government agency, enough said…
    I’m glad to see that I am not the only one and really look forward to a potential fix for this.

  2. This is probably a rogue plugin or theme that people install. I suspect that the default permissions in WordPress, which you can overwrite but are ignored by some plugins and themes, are to blame for this – many set permissions to 755 for example and even the default instructions tell you to do this.

    I set the owner:group to user:www-data (Ubuntu 10.04 server) recursively with files 640 and directories 2751. wp-config, .htaccess and a few others need g+w. ftp belongs to www-data. This keeps it clean and means that, if someone ftp’s in (chrooted of course), they can’t read anyone else’s files on my shared hosting system.

    In wp-content you sometimes have to reset the directory to 2771 so directories can be created but there is generally no need for this except when installing new plugins (if at all). I pre-initialise wp-content/cache, wp-content/upload and wp-content/upgrade anyway.

    Googling inurl:tall wp-content “cheap luxury store” gave 1.6 million hits, but that is still a lot!

  3. Where is the directory /tall/ located within the WP structure? Interestingly, yesterday Website Defender noted a new WordPress install. I am not great at the command line but can access through FTP easily. Where should we look?

  4. Why is this news not all over the wp blogosphere by now? One would have thought that with that many sites compromised, wp themselves would even be talking about it by now….

  5. Seriously amazed to have not heard about this anywhere else yet. Why no info put out by wp yet? At the very least, warnings would seem appropriate considering the scale of affected sites.

    • Because it’s a known exploit discovered months ago that DID get talked about. It’s exploiting a problem in an older version of TimThumb and anyone who was responsible about their hosting patched it months ago.

  6. Just checked and I was clean. I just started to do upgrades to all my sites to 3.3. I wonder if one could clean this offending site and put your own aff id into it to make the $$ yourself!…lol It looks like a nice site just underhanded way to get free traffic. Prob not good idea tho never know what else is hidden in there!

  7. If I’m not mistaken, the comment by “Nadeem Khan” – “thanks for sharing this … i learned a lot from this article !” is what we call “comment spam”. I have a feeling that Nadeem is not real.

    Nadeem, if you are an actual human and not a bot, many apologies!! I spend quite a bit of time deleting “Great article! I learned a lot” from my comment spam folder.

  8. There is actually a really simple solution. Your site will still be compromised until we know what the exploit is they are using, but to stop people from being able to access it you can put the following in your .htaccess file in the root of your WordPress install:

    # Refuse direct access in wp-content except the plugins directory
    # (RewriteEngine On is already present in a standard WordPress .htaccess)
    RewriteEngine On
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
    RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /wp-content/plugins/.*$ [NC]
    RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt|pdf)$ [NC]
    RewriteRule .* - [F,NS,L]

    The above code isn’t fail-safe; you need to experiment on your own site to make sure everything that needs to be served is served.

  9. Also subscribing to comments! But to add some content, I have just spent a couple of weeks rebuilding and armouring a client site that had been hacked for the second time.

    I don’t know how they got in but the wp-upload directory was 755 rather than the recommended 750.

    What was even more worrying is that wp-upload on the brand new WP install (under Softaculous) was also 755!!! So I suggest people check this.

    I mean to do another clean install to see if this is the default, but that was WP 3.2.1, so it may well be fixed in 3.3. We shall see :-)

    Mark

    • What were the plugins and themes added? I would check the permissions after every plugin and theme is added and activated. And cron a job to do the same, even every minute if necessary, and check the logs.
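The permission schemes in comments 2 and 9 (files 640, directories 2751, an uploads directory that should be 750 and turned out to be 755) can be audited with a short script. This is an added example, not code from either commenter; it reports what a WordPress tree grants to "other" and which files are group-writable beyond the two exceptions comment 2 allows (wp-config.php and .htaccess), and changes nothing. Function names and the constructed sample tree are this example's own.

```shell
#!/bin/sh
# Added example, not code from the comments or from WordPress.

# Paths readable or writable by "other". Execute-only on directories
# (the 1 in 2751) is left alone, since that is what the scheme in
# comment 2 intends for traversal.
world_readable_or_writable() {
    find "$1" \( -perm -0004 -o -perm -0002 \) | sort
}

# Group-writable regular files, minus the files expected to need g+w.
group_writable_files() {
    find "$1" -type f -perm -0020 \
        ! -name wp-config.php ! -name .htaccess | sort
}

# Constructed sample tree: mostly tightened, with two deliberate slips
# (an uploads directory at 755 and an unexpected group-writable file).
make_sample_site() {
    site=$(mktemp -d)
    chmod 750 "$site"
    mkdir "$site/wp-content" "$site/wp-content/uploads"
    chmod 2751 "$site/wp-content"
    chmod 755 "$site/wp-content/uploads"
    : > "$site/wp-config.php";          chmod 660 "$site/wp-config.php"
    : > "$site/index.php";              chmod 640 "$site/index.php"
    : > "$site/wp-content/plugin.php";  chmod 660 "$site/wp-content/plugin.php"
    printf '%s\n' "$site"
}

# Run against a real install: sh thisfile.sh /var/www/html
if [ "${1:-}" ]; then
    echo "== readable/writable by other =="; world_readable_or_writable "$1"
    echo "== group-writable (unexpected) =="; group_writable_files "$1"
fi
```

Run it after each plugin or theme install, as the reply above suggests, and diff the output against the previous run rather than reading it cold.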

  10. Been having all sorts of fun removing pharma ads from a charity’s three hacked blogs. A WordPress 3.3 upgrade mostly fixed it, but there was code to remove from the header.php file in the theme, a hacked Akismet plugin and dodgy .htaccess file to delete, FTP passwords to change, folder permissions to check. Took most of a day to sort the mess out.

    And now I have to watch out for a full scale infiltration by handbags. Just great!

  11. You guys will keep having problems… pay a programmer to build your own cms… any popular cms like wordpress, joomla or drupal is NOT safe… they will hack you sooner or later.

  12. We had this hack (yesterday) and cleared it by running a series of sed scripts to remove the inserted code from all html pages. The hack is quite invasive, inserting code before tags and after tags. Once you have removed the source, the site needs to be restored from backup or a series of clean-up scripts run. We do not use wordpress (partly because of its vulnerabilities) but it was installed specifically to make the hack. We are still investigating how it was installed.

  13. It was not WP that caused the hack bc they got in somehow b4 they installed wp. WP is not as vulnerable as people might think in itself. It is the use of easily bruteforced cracked pw’s for the admin area, ftp, or server but that can apply to any cms.

    I had my sites hacked bc i used the same webspace for all my sites and they cracked the main one that had the other domains as an “add on domain” to that account. They got in and had access to all sites thru ftp.

    I have my own vps and NOW I have each domain on its own webspace and each one has its own ftp login. I also changed ALL the pws from something like bg01246 to something like @#$%bGko97468^&$fhuTT$. It should make them move on to an easier victim now. Plus if they do get in they will only have access to one site.

    I have HGator vps and all I had to do was tell them and they cleaned all my sites for me w/o charge to my surprise. I tried to fix them myself but could not bc I have many sites and did not know where to start so I asked them and they took care of it in a few hours. Oh and I make daily backups now too keeping the last 3 days just in case i make infected backup. I only had 1 weekly bu and it was infected so I could not use them to fix myself.
