Hacked Sites


Abland

Posted: 4/21/2013

Hi,

I just found out that there's been a huge surge over the past week or so in hack attempts on WordPress sites. It's using enough resources in the attack to really drain server hosting.

The attempt is to try and brute force the admin account, then once in create a new administrator:

sysadmin - with email sysadmin@wordpress.org

I've found a couple of my sites were hit so I changed the account to subscriber and saved, then changed the password and saved, then deleted the account.

Logins are limited to 4 attempts before locking out, and I have no "admin" user, but they got in anyway on the client sites.

Check your sites for this account and delete if you find it. I'm almost thinking it's a hacker attempt to make a statement by mass shutting down sites over the recent internet privacy bill - though I might be a bit paranoid on that thought :-)

 
Nick

Posted: 4/21/2013

There are a number of steps in securing a WP site:

The obvious ones:

- Set the correct folder permissions.
- Don't have a username called admin.
- Have a longer password, with letters and numbers, with at least one letter in caps.
- Always update WP to the latest version.
- You could set up a failed login limitation, but most attacks are by bots that have the ability to change their IP address each time.
- You can try setting up a captcha on your login screen, but some bots have the ability to do some optical character recognition.

Furthermore:
- Make sure your tables don't use the prefix "wp_".
- Make sure that WP does not transmit its version number. You need to mute that.

And once you think that all the holes are plugged, you still get hacked. How? Just because you secured the codebase, it does not mean you are secure. You can still get security holes from:

- Plugins
- Themes - lately many free themes allegedly have backdoors and other malware - they are PHP files after all. The free themes from WordPress.org are safe, as well as the themes from respectable premium theme makers, i.e. Woothemes, Elegant Themes, etc...

There is an interesting solution that even if they know your username and password, they still won't be able to access your back end. This is how it works: after you enter your username and password, you will get a message on your smart phone for verification. So if anyone knows your credentials they will still need to have your phone to gain access.

Here is the plugin's URL: http://wordpress.org/extend/plugins/duo-wordpress/

And here is the company's web site (check out the video on the homepage): https://blog.duosecurity.com/2013/01/introducing-the-duo-5-minute-challenge/

I think WP has very loose security standards, and nobody checks the plugins that they distribute through their site for major security holes. Thankfully, there are many other plugins that scan your plugins for security holes, and other security problems with your site in general. Unfortunately, very few people take security very seriously, which always starts with a good and complete backup system.

 
Abland

Posted: 4/22/2013

Hi,

Thanks speedyp and Nick. I've just found a multisite that's been hacked. It was single client sites that were being attacked and hacked.

What's unnerving is there's no "admin" account - no registration enabled - user approve set up anyhow - complex passwords - 4 login limit... but it still got nailed.

Keep an eye out for username sysadmin

It has a zero registration date and user ID 7777.
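Pulling together the indicators Abland gives in this post and the first one (login "sysadmin", e-mail sysadmin@wordpress.org, user ID 7777, zero registration date), here is an added example of how I'd hunt for the account across a batch of sites rather than eyeballing the Users screen. This is my code, not anything from the thread or from WordPress. The two queries are what you would run against the site's MySQL database; SQLite is used only so the example runs offline against constructed rows (the sample accounts are made up). The table names and the serialized capability format are the real WordPress ones; the identifier check on the prefix is there because the prefix is spliced into the SQL.

```python
"""Hunt for the rogue 'sysadmin' administrator described in this thread (offline)."""
import re
import sqlite3

# Indicators from the thread, any one of which is enough to flag a row.
ROGUE_LOGIN = "sysadmin"
ROGUE_EMAIL = "sysadmin@wordpress.org"
ROGUE_ID = 7777
ZERO_DATE = "0000-00-00 00:00:00"

HUNT_SQL = """
SELECT ID, user_login, user_email, user_registered
  FROM {p}users
 WHERE user_login = ? OR user_email = ? OR ID = ? OR user_registered = ?
 ORDER BY ID
"""

# Every account holding the administrator role. WordPress stores roles as a PHP
# serialized array in {prefix}usermeta under meta_key '{prefix}capabilities'.
ADMIN_SQL = """
SELECT u.ID, u.user_login, u.user_email
  FROM {p}users u
  JOIN {p}usermeta m ON m.user_id = u.ID
 WHERE m.meta_key = ? AND m.meta_value LIKE '%"administrator"%'
 ORDER BY u.ID
"""


def _check_prefix(prefix):
    # The prefix is interpolated into SQL text, so accept identifier characters only.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("table prefix must be an identifier: %r" % prefix)
    return prefix


def hunt_rogue_users(conn, prefix="wp_"):
    """Rows of {prefix}users matching any of the thread's indicators."""
    p = _check_prefix(prefix)
    cur = conn.execute(HUNT_SQL.format(p=p),
                       (ROGUE_LOGIN, ROGUE_EMAIL, ROGUE_ID, ZERO_DATE))
    return cur.fetchall()


def list_administrators(conn, prefix="wp_"):
    """Every administrator account; review any login you did not create yourself."""
    p = _check_prefix(prefix)
    return conn.execute(ADMIN_SQL.format(p=p), (p + "capabilities",)).fetchall()


def build_sample_db(prefix="wp_"):
    """Constructed data: two legitimate users plus the rogue account (assumed, not real)."""
    p = _check_prefix(prefix)
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {p}users (ID INTEGER PRIMARY KEY, user_login TEXT, "
                 f"user_email TEXT, user_registered TEXT)")
    conn.execute(f"CREATE TABLE {p}usermeta (umeta_id INTEGER PRIMARY KEY, "
                 f"user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    admin = 'a:1:{s:13:"administrator";b:1;}'
    editor = 'a:1:{s:6:"editor";b:1;}'
    conn.executemany(f"INSERT INTO {p}users VALUES (?,?,?,?)", [
        (1, "siteowner", "owner@example.com", "2011-06-01 10:15:00"),
        (2, "writer", "writer@example.com", "2012-02-14 09:00:00"),
        (ROGUE_ID, ROGUE_LOGIN, ROGUE_EMAIL, ZERO_DATE),
    ])
    conn.executemany(f"INSERT INTO {p}usermeta (user_id, meta_key, meta_value) "
                     f"VALUES (?,?,?)", [
        (1, p + "capabilities", admin),
        (2, p + "capabilities", editor),
        (ROGUE_ID, p + "capabilities", admin),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for row in hunt_rogue_users(db):
        print("ROGUE", row)
    for row in list_administrators(db):
        print("ADMIN", row)
```

Against a live site, point a MySQL connection at the same two queries with the site's real prefix. On a multisite network the users table is shared, but the role lives in a per-blog meta key (wp_<blog_id>_capabilities), so pass each blog's prefix to list_administrators separately. The indicator query is only a starting point: the administrator listing is the check that catches a rogue account created under a different name.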
 
speedyp

Posted: 4/22/2013

Bummer :-O

Hope they didn't do any damage.
Wordfence can check core files against the repository.

Thanks for the info & stay safe
 
Abland

Posted: 4/22/2013

Hi, speedyp,

Quote speedyp:
Wordfence can check core files against the repository.


Using it now: http://wordpress.org/extend/plugins/wordfence/

Looks like a file is being dropped into the wp-admin/images folder with various names:
icons32-something-something.php

It has eval64 code to pull in off-site code. So deleting the account and changing passwords etc. isn't enough - that file needs to be removed.

Excellent plugin for scanning - thanks speedyp
 
Abland

Posted: 4/22/2013

Hi, Nick,

So busy checking up on all sites I glossed over your post - but great info and worth a repeat.

Quote Nick:

There are a number of steps in securing a WP site:

The obvious ones:

- Set the correct folder permissions.
- Don't have a username called admin.
- Have a longer password, with letters and numbers, with at least one letter in caps.
- Always update WP to the latest version.
- You could set up a failed login limitation, but most attacks are by bots that have the ability to change their IP address each time.
- You can try setting up a captcha on your login screen, but some bots have the ability to do some optical character recognition.

Furthermore:
- Make sure your tables don't use the prefix "wp_".
- Make sure that WP does not transmit its version number. You need to mute that.

And once you think that all the holes are plugged, you still get hacked. How? Just because you secured the codebase, it does not mean you are secure. You can still get security holes from:

- Plugins
- Themes - lately many free themes allegedly have backdoors and other malware - they are PHP files after all. The free themes from WordPress.org are safe, as well as the themes from respectable premium theme makers, i.e. Woothemes, Elegant Themes, etc...

There is an interesting solution that even if they know your username and password, they still won't be able to access your back end. This is how it works: after you enter your username and password, you will get a message on your smart phone for verification. So if anyone knows your credentials they will still need to have your phone to gain access.

Here is the plugin's URL: http://wordpress.org/extend/plugins/duo-wordpress/

And here is the company's web site (check out the video on the homepage): https://blog.duosecurity.com/2013/01/introducing-the-duo-5-minute-challenge/

I think WP has very loose security standards, and nobody checks the plugins that they distribute through their site for major security holes. Thankfully, there are many other plugins that scan your plugins for security holes, and other security problems with your site in general. Unfortunately, very few people take security very seriously, which always starts with a good and complete backup system.



 
wut

Posted: 4/22/2013

If your client's WP installations are getting hacked, it's your fault. Take the initiative to lock them down and educate your clients.
 
Abland

Posted: 4/22/2013

Hi, wut,

Quote wut:
If your client's WP installations are getting hacked, it's your fault. Take the initiative to lock them down and educate your clients.


Can't argue with that. Usually my fault if I get a cold, too - but sometimes the most careful precautions can still fail.

Fix it, maybe help others avoid it, and back to business.

 
Abland

Posted: 4/22/2013

Quote SiliconANGLE:
once your site is hacked (and the server it’s hosted on becomes compromised), it can then be used to infiltrate other sites.

http://siliconangle.com/blog/2013/04/15/how-to-sidestep-the-wordpress-botnet-hack/

On any type of shared hosting it's not just your WordPress site - it's also your neighbouring sites that can cause risk.

lol -
Quote me:
but sometimes the most careful precautions can still fail

 
ddye

Posted: 5/3/2013

Something to look out for is old versions of the Social Media Widget plugin, which had a security flaw. We had a client site hacked yesterday, and I had to go through every site we have that uses the plugin (over 30 sites) and update it, so you can imagine the kind of night I had.

When a hacker adds code to the header or anywhere else, you can generally just delete and reload the theme and it will go away. That's how we got rid of the malware. Using BackupBuddy to keep your site backed up is a good idea too.

One little trick that works great to keep a client site going while you change themes is to create an identical theme and activate that one when you dump the main theme.

Use this site to check for malware:

http://sitecheck.sucuri.net/scanner
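The "30 sites, one vulnerable plugin" problem ddye describes above is a good fit for a script, so here is an added example (mine, not ddye's or WordPress's code) that walks a list of site roots, reads the Version: field from each plugin's header comment (the standard WordPress plugin header) under wp-content/plugins, and reports every site still below a minimum version. The plugin slug, the minimum version "9.9.9" and the three sample sites are constructed placeholders: the thread names the plugin but not the fixed version, so substitute the real one.

```python
"""List WordPress installs that still run a plugin below a minimum version."""
import re
import shutil
import tempfile
from pathlib import Path

# Matches 'Version: 1.2.3' inside a plugin header comment, tolerating ' * ' prefixes.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)


def version_key(v):
    """Turn '4.0.1' into (4, 0, 1) for comparison; non-numeric pieces sort lowest."""
    return tuple(int(piece) if piece.isdigit() else -1 for piece in re.split(r"[.\-]", v))


def plugin_version(plugin_dir):
    """Find the file carrying the plugin header and return its Version, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        text = php.read_text(encoding="utf-8", errors="ignore")[:8192]
        if "Plugin Name:" in text:  # this is the plugin's main file
            m = HEADER_RE.search(text)
            return m.group(1) if m else None
    return None


def inventory(site_roots):
    """{site_root: {plugin_slug: version}} for every plugin under each root."""
    result = {}
    for root in site_roots:
        plugins = Path(root, "wp-content", "plugins")
        result[str(root)] = (
            {d.name: plugin_version(d) for d in sorted(plugins.iterdir()) if d.is_dir()}
            if plugins.is_dir() else {}
        )
    return result


def needs_update(inv, slug, minimum):
    """Sites where `slug` is installed below `minimum` or has no readable version."""
    out = []
    for site, plugins in inv.items():
        if slug in plugins:
            v = plugins[slug]
            if v is None or version_key(v) < version_key(minimum):
                out.append((site, v))
    return out


# Constructed sample fleet (assumed data, not real sites or real plugin versions).
SAMPLE_SITES = {
    "siteA": {"social-media-widget": "3.9", "another-plugin": "1.0"},
    "siteB": {"social-media-widget": "9.9.9"},
    "siteC": {"another-plugin": "1.0"},
}


def build_sample_sites(base):
    roots = []
    for site, plugins in SAMPLE_SITES.items():
        root = Path(base, site)
        for slug, ver in plugins.items():
            d = root / "wp-content" / "plugins" / slug
            d.mkdir(parents=True)
            (d / f"{slug}.php").write_text(
                f"<?php\n/*\nPlugin Name: {slug}\nVersion: {ver}\n*/\n", encoding="utf-8")
        roots.append(root)
    return roots


def demo(slug="social-media-widget", minimum="9.9.9"):
    """Build the sample fleet in a temp dir, report sites below `minimum`, clean up."""
    base = tempfile.mkdtemp(prefix="wpinv-")
    try:
        hits = needs_update(inventory(build_sample_sites(base)), slug, minimum)
        return sorted((Path(site).name, v) for site, v in hits)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for site, version in demo():
        print(f"{site}: social-media-widget {version} needs updating")
```

The same inventory dict answers the broader question of what is installed where, which is what you want before the next advisory rather than after it. A plugin whose header cannot be read (version None) is reported too, since a mangled main file is worth a look on its own.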
 
Tom

Posted: 5/3/2013

1. Update WordPress, plugins and themes.
2. Lock down WordPress.
3. Secure your PC from malware.
4. Use strong passwords and never store them on your PC.
5. See #1

:-)
 
Kizza42

Posted: 5/4/2013

Just FYI guys, I had some older sites infected and the attack vector was older Artisteer-generated themes. Remember to regenerate your themes with newer versions of Artisteer and don't leave older versions of the themes installed.
 
speedyp

Posted: 5/4/2013

Quote Kizza42:

Just FYI guys, I had some older sites infected and the attack vector was older Artisteer-generated themes. Remember to regenerate your themes with newer versions of Artisteer and don't leave older versions of the themes installed.


@Kizza42
That's quite alarming news and the first I've heard of such an issue.

Do you have more info, specifically which files in Artisteer 3 were open to attack and then removed or secured in v4?

Or do you think it might have just been a coincidence?
Thanks
 
Abland

Posted: 5/7/2013

I noticed the WordPress login will glitch on a hacked site. Like entering the username, then tab to the next field requires two tries. And sometimes there's a quick flash of a double logo.

The hack files appear to be hyphenated with a normal looking prefix followed by personal names or other unusual names:

normal-unusual-unusual.php
 
Abland

Posted: 5/8/2013

Hi, speedyp,

Quote speedyp:
Do you have more info, specifically which files in Artisteer 3 were open to attack and then removed or secured in v4?


I found version 3.x themes were getting code injected into the functions.php at the very top of the file. I'm looking to see if there's a way to protect existing themes.
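Between the Wordfence findings earlier in the thread (icons32-something-something.php dropped into wp-admin/images, pulling in off-site code through eval of base64) and the functions.php injection Abland describes here, there are two file-level indicators worth checking on every site you manage, and on a backup copy of the tree as well as the live one. The script below is an added example of mine, not code from the thread or from Wordfence: it flags any .php file under directories that ship no PHP, and any file whose contents match common eval/base64 obfuscation, reporting whether the hit sits at the top of the file. The obfuscation regex, the extra no-PHP directories (wp-includes/images, wp-content/uploads) and the sample tree are my assumptions; expect some noise from plugins that legitimately use base64.

```python
"""Scan a WordPress tree for dropped PHP files and obfuscated eval/base64 code."""
import re
import shutil
import tempfile
from pathlib import Path

# Directories that ship no PHP at all (wp-admin/images is from the thread; the other
# two are my additions). Any .php file under them is a dropped file.
NO_PHP_DIRS = ("wp-admin/images", "wp-includes/images", "wp-content/uploads")

# Common PHP obfuscation / remote-include idioms (heuristic).
OBFUSCATION = re.compile(
    r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    r"|eval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"
    r"|base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]"
)


def scan_site(root):
    """Return sorted (relative_path, reason) findings for one site root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(d + "/") for d in NO_PHP_DIRS):
            findings.append((rel, "php file in a directory that ships no php"))
        text = path.read_text(encoding="utf-8", errors="ignore")
        m = OBFUSCATION.search(text)
        if m:
            line = text.count("\n", 0, m.start()) + 1
            where = "at top of file" if line <= 3 else "at line %d" % line
            findings.append((rel, "obfuscated eval/base64 %s" % where))
    return sorted(findings)


# Constructed sample tree: one dropped file, one injected theme, one clean theme,
# one image, one web shell in uploads. Payload strings are harmless placeholders.
SAMPLE_FILES = {
    "wp-admin/images/icons32-alice-bob.php":
        '<?php eval(base64_decode("SGVsbG8gd29ybGQ=")); ?>',
    "wp-content/themes/artisteer3/functions.php":
        '<?php eval(gzinflate(base64_decode("SGVsbG8="))); ?>\n<?php\n'
        "// original theme code follows\nfunction theme_setup() {}\n",
    "wp-content/themes/clean/functions.php":
        "<?php\nfunction clean_setup() { add_theme_support('menus'); }\n",
    "wp-admin/images/wordpress-logo.png": "not php",
    "wp-content/uploads/2013/04/shell.php": "<?php system($_GET['c']); ?>",
}


def build_sample_site(root):
    for rel, body in SAMPLE_FILES.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
    return root


def demo():
    """Build the constructed tree in a temp dir, scan it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    try:
        return scan_site(build_sample_site(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

The uploads web shell in the sample is caught only by the directory rule, not the content regex, which is the point of having both: a plain backdoor with no obfuscation still has no business under uploads. For themes, the stronger check is a diff against a pristine copy of the same theme version, which is what Abland's "reload the theme" approach relies on.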
 
Abland

Posted: 5/8/2013

http://www.esecurityplanet.com/open-source-security/top-5-wordpress-vulnerabilities-and-how-to-fix-them.html

The first set of .htaccess rules are particularly useful, but it's a good article overall.
 
speedyp

Posted: 5/8/2013
Quote message 

Great info Abland - Thanks
8-)