Hacked, solved, and request

Hi guys...

Bad days for 3 days now. One of my networks has been hacked with the famous

<?php eval(gzinflate(base64_decode'

exploit, and it is driving me crazy. Fortunately I had backups; after 3 days I have been able to run the network again without data loss, after hours of stress (the exploit came back a few minutes after the restore).

Installed Wordfence, a security plugin that is quite cool, and even took a premium API.

Since this morning the network is stable, but I still have not identified the origin of the backdoor.

Do you have any experience with that bulls....????

BUT:

- This occurred after Quick Cache died (please, if you use it, remove it cleanly) and I tried to install W3 Total Cache. For the 5 minutes during which wp-content was at 777, the server was down.
The install process of this plugin is just totally insecure, and I managed to remove it totally.

- I removed ALL themes using TimThumb (just in case).
==> Please guys, make a selection of themes for the farm that do NOT use it....

- I blocked all of Russia, and known blacklisted IPs, directly on the server, since I had many attempts to connect with the "admin" (false) username.

- I deleted all transients in the database, and suppressed all inactive blogs.

- Installed Wordfence and scan, scan, scan....

Now a little request. You guys are aware of security, please share. .htaccess protections and advice are welcome.

* Please tell me if there is a way to FORCE users to set up a nickname different from their username. A little plugin would be welcome.

* Is it possible that the ads code injection textbox of ProSites may be insecure?

Thanks :slight_smile:

  • Will Ashworth

    Ah, man...I'm sorry. Been there, done that; as a web host.

    Might be worth considering CloudFlare if you haven't. They use project honeypot's data and basically block out the idiots. So far, not a single issue. In fact, I partnered with them to give it free through the hosting control panel to all hosting clients as a one-click process to connect it to your hosting.

    The other thing was going to be TimThumb. You've already covered that.

    Last, consider how you're hosting. I use mod_security with Apache, as well as SuPHP on all servers. At least that way one site compromised doesn't hose the rest of the sites on the server.

    Good luck, and post back if you have any questions!

  • phillcoxon

    It's often very difficult to determine how the bad guys got in.

    The most important thing is to keep all software and plugins up to date, have good folder and file permissions and run scans like you're doing with Wordfence.

    If you have SSH access it can make it easier to search for files with base64_decode in them, or known suspicious filenames such as _cache.php or _wp_cache.php (both of which I found on two client sites last week).

    Follow the documentation provided at the bottom of the Wordfence plugin page and you'll be pretty much set. In the meantime keep scanning daily and backing up.

    Make sure your backups are off-server, either in something like Amazon S3, remote FTP, or downloaded manually. I always work on the principle that if a hacker is in your server they'll quite happily delete your code AND any local backups just to be a jerk.
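    One way to turn the searches in this reply, plus the 777 window described in the original post, into a repeatable triage check. This is an added example, not code from the thread or from Wordfence: it scans a docroot for PHP files with an eval() wrapped around gzinflate/base64_decode (the pattern from the original post), for the suspicious filenames named above, and for world-writable paths. The sample tree it builds is constructed for the demonstration; the payload string in it is a placeholder, not real content. Hits are leads for manual review, since WordPress core and plugins legitimately call base64_decode on their own.

```shell
#!/bin/sh
# Added example (not from the thread): triage scan for a WordPress tree.
#   1. PHP files containing eval(gzinflate(base64_decode... or eval(base64_decode...
#   2. files named _cache.php / _wp_cache.php (names reported in the reply above)
#   3. files or directories writable by "other" (the 777 window from the post)
# Every hit is a lead for manual review, not proof of compromise.

# 1. Files whose contents show an eval() wrapped around a decoder.
#    Requiring eval() on the same line avoids most benign base64_decode hits.
scan_content() {
    find "$1" -type f -name '*.php' -exec grep -l \
        -e 'eval(gzinflate(base64_decode' \
        -e 'eval(base64_decode' {} + 2>/dev/null | sort
}

# 2. Files whose names match the droppers mentioned in the reply.
scan_names() {
    find "$1" -type f \( -name '_cache.php' -o -name '_wp_cache.php' \) | sort
}

# 3. Anything with the "other write" bit set (mode 777, 666, etc.).
scan_perms() {
    find "$1" -perm -002 \( -type f -o -type d \) | sort
}

# Build a constructed sample tree in a temp dir and print its path.
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/demo" "$root/wp-content/uploads"
    # Clean template: should produce no hits.
    printf '<?php get_header(); ?>\n' > "$root/wp-content/themes/demo/index.php"
    # Injected template: the eval chain from the original post, with a
    # placeholder string where a real injection would carry its payload.
    printf '<?php eval(gzinflate(base64_decode("%s"))); ?>\n' 'PLACEHOLDER' \
        > "$root/wp-content/themes/demo/header.php"
    # Suspiciously named file with innocuous contents (name-based hit only).
    printf '<?php // placeholder\n' > "$root/wp-content/_wp_cache.php"
    # Directory left world-writable, as during the plugin install described.
    chmod 777 "$root/wp-content/uploads"
    printf '%s\n' "$root"
}

# Print all three result sets for a docroot.
report() {
    printf '== eval/base64 content hits ==\n'
    scan_content "$1"
    printf '== suspicious filenames ==\n'
    scan_names "$1"
    printf '== world-writable paths ==\n'
    scan_perms "$1"
}

# Demo on the constructed tree; point report at your real docroot instead.
sample=$(build_sample)
report "$sample"
rm -rf "$sample"
```

    Run it against the real docroot with `report /path/to/htdocs`, and compare each content hit against a clean copy of the same theme or plugin before deleting anything; the restore-and-reinfection loop in the original post is the reason to find every copy of the injected line rather than the first one.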

  • Imperative Ideas

    Timthumb actually doesn't have the vulnerabilities that it used to. Rather than deny yourself the ability to create new images on the fly, try this:
    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

    That'll get you set up with the latest version by updating all of your plugins.

    To be honest, a SQL injection doesn't even have to come from bad code on your site. Depending on how your host is set up, an adjacent WordPress install can be used to pollute the entire MySQL database. You could run a Domaintz.com query and see what other sites are on your IP, then see if any of them have the same infection.

    Most often though, I see these sorts of things on a multi-site hosting account where the client has some forgotten WordPress install floating around the internet. The old install was identified by a bot, targeted, and auto-infected. Because the old site often has broad access to your entire MySQL setup, the other sites get infected along with it.

    Friends don't let friends leave dead WordPress sites on their hosting accounts.

  • Imperative Ideas

    If you are of a technical persuasion, consider this article as well:
    http://wp.tutsplus.com/tutorials/creative-coding/data-sanitization-and-validation-with-wordpress/

    Many themes, especially custom ones, are poorly sanitized. As a result, SQL injection becomes purely academic.

    Again, most infections are not caused because a Russian notices your site, reads a blog with some cat captions, and decides to start hacking. This stuff is 100% automated.

  • Aphrodite

    Hi, thanks for that. I did not speak about SQL injection :slight_smile: no problem with that. I spoke about code injection in files (sorry about the word injection, typically used for SQL? but I am French huh ^^)

    A piece of code directly written in files (theme files such as header.php). No trace of that in the database. Moreover, the server is suPHP; there is NO folder at 777 but 755. After log analysis, it came from a bad conjunction between a cached file (Quick Cache) and a forgotten TimThumb file in a theme (that was updated, but this time my paranoia was on vacation and I did not check the thumb version...)

    Well, about TimThumb, I will definitely abandon it. There is no need to use an external script to thumbnail files; Elegant Themes has abandoned it totally for the core WP thumbnail system. I really prefer security over gadget functionalities. Sure, it adds some nice features, but the price is too expensive.

    Moreover, there is a BIG problem with TimThumb in multisite. Unless it becomes a real plugin and uses the normal folders instead of a theme subfolder /cache/, that means that ALL users using this particular theme will have data mixed in the same folder. That also means it is hard to trace any activity from one specific user, and that if the blog / user is deleted, the cached files remain!

    So anyway, in a multisite, there is NO place for TimThumb.

    ThemeForest has lost a client... as almost all of their themes use it.
