Hacked Sites


Abland

Posted: 4/21/2013

Hi,

I just found out that there's been a huge surge over the past week or so in hack attempts on wordpress sites. It's using enough resources in the attack to really drain server hosting.

The attempt is to try and brute force the admin account, then once in create a new administrator:

sysadmin - with email sysadmin@wordpress.org

I've found a couple of my sites were hit so I changed the account to subscriber and saved, then changed the password and saved, then deleted the account.

Logins are limited to 4 attempts before locking out, and I have no "admin" user, but they got in anyway on the client sites.

Check your sites for this account and delete if you find it. I'm almost thinking it's a hacker attempt to make a statement by mass shutting down sites over the recent internet privacy bill - though I might be a bit paranoid on that thought :-)

 
speedyp

Posted: 4/21/2013

Thanks for the heads-up Abland.

I read there's been a massive and sustained brute force attack on wp sites.

http://www.bbc.co.uk/news/technology-22152296

They're targeting the default "admin" user account with a bunch of common passwords. I updated all our sites last week & replaced any "admin" user accounts.

The best advice is to replace admin accounts and upgrade the strength of your passwords. Limiting login attempts might help, but they apparently have thousands of IP addresses...

From what I read, they might be trying to build up a botnet/network of hacked wp sites which they can then use for a larger DDoS attack in the future.
 
Nick

Posted: 4/21/2013

There are a number of steps in securing a WP site:

The obvious ones:

- Set the correct folder permissions.
- Don't have a username called admin.
- Have a longer password, with letters and numbers, with at least one letter in caps.
- Always update WP to the latest version.
- You could set up a failed login limitation, but most attacks are by bots that have the ability to change their IP address each time.
- You can try setting up a captcha on your login screen, but some bots have the ability to do some optical character recognition.

Furthermore:
- Make sure your tables don't use the prefix "-wp".
- Make sure that WP does not transmit its version number. You need to mute that.

And once you think that all the holes are plugged, you still get hacked. How? Just because you secured the codebase, it does not mean you are secure. You can still get security holes from:

- Plugins
- Themes - lately many free themes allegedly have backdoors and other malware - they are PHP files after all. The free themes from Wordpress.org are safe, as well as the themes from respectable premium theme makers, i.e. Woothemes, Elegant Themes, etc...

There is an interesting solution: even if they know your username and password, they still won't be able to access your back end. This is how it works: after you enter your username and password, you get a message on your smart phone for verification. So if anyone knows your credentials they will still need to have your phone to gain access.

Here is the plugin's URL: http://wordpress.org/extend/plugins/duo-wordpress/

And here is the company's web site (check out the video on the homepage): https://blog.duosecurity.com/2013/01/introducing-the-duo-5-minute-challenge/

I think WP has very loose security standards, and nobody checks the plugins that they distribute through their site for major security holes. Thankfully, there are many other plugins that scan your plugins for security holes, and other security problems with your site in general. Unfortunately, very few people take security very seriously, which always starts with a good and complete backup system.

 
Abland

Posted: 4/22/2013

Hi,

Thanks speedyp and Nick. I've just found a multisite that's been hacked. It was single client sites that were being attacked and hacked.

What's unnerving is there's no "admin" account - no registration enabled - user approve set up anyhow - complex passwords - 4 login limit... but it still got nailed.

Keep an eye out for username sysadmin

Has a zero registration date and user id 7777
 
speedyp

Posted: 4/22/2013

Bummer :-O

Hope they didn't do any damage.
Wordfence can check core files against the repository.

Thanks for the info & stay safe
 
Abland

Posted: 4/22/2013

Hi, speedyp,

Quote speedyp:
Wordfence can check core files against the repository.


Using it now: http://wordpress.org/extend/plugins/wordfence/

Looks like a file is being dropped into the wp-admin/images folder with various names:
icons32-something-something.php

It has eval64 code to pull in off-site code. So deleting the account and changing passwords etc. isn't enough - that file needs to be removed.

Excellent plugin for scanning - thanks speedyp
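Added example (my code, not from any poster in this thread): a small Python scan for the two indicators described above, a .php file dropped under wp-admin/images and an eval(base64_decode(...)) loader inside it. The asset-directory list, the regexes and the sample files are my assumptions, constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: these directories hold only static assets in a stock install,
# so any .php file under them is a dropped file like icons32-*.php.
ASSET_DIRS = ("wp-admin/images", "wp-includes/images", "wp-content/uploads")

# Assumption: obfuscated-loader patterns worth flagging (eval of decoded
# data, or include/require of a remote URL).
SUSPICIOUS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    re.compile(rb"eval\s*\(\s*gzinflate\s*\("),
    re.compile(rb"(include|require)(_once)?\s*\(?\s*['\"]https?://"),
]


def scan_tree(root):
    """Return [(relative_path, [reasons])] for every suspicious .php file."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if any(rel.startswith(d + "/") for d in ASSET_DIRS):
            reasons.append("php-in-asset-dir")
        if any(p.search(path.read_bytes()) for p in SUSPICIOUS):
            reasons.append("obfuscated-loader")
        if reasons:
            findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample install: two clean files and one dropper."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-admin/images").mkdir(parents=True)
    (root / "wp-content/themes/demo").mkdir(parents=True)
    (root / "wp-admin/admin.php").write_bytes(b"<?php // core file\n")
    (root / "wp-content/themes/demo/functions.php").write_bytes(
        b"<?php\nadd_action('init', 'demo_init');\n")
    # Constructed payload: base64 of "echo 1;" standing in for a real loader.
    (root / "wp-admin/images/icons32-john-alice.php").write_bytes(
        b"<?php eval(base64_decode('ZWNobyAxOw=='));\n")
    return root


if __name__ == "__main__":
    for rel, reasons in scan_tree(build_sample_tree()):
        print(rel, ", ".join(reasons))
```

Point scan_tree() at a real document root to list files worth inspecting by hand; a hit is a reason to look, not proof of compromise.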
 
Abland

Posted: 4/22/2013

Hi, Nick,

So busy checking up on all sites I glossed over your post - but great info and worth a repeat.

Quote Nick:

There are a number of steps in securing a WP site:

The obvious ones:

- Set the correct folder permissions.
- Don't have a username called admin.
- Have a longer password, with letters and numbers, with at least one letter in caps.
- Always update WP to the latest version.
- You could set up a failed login limitation, but most attacks are by bots that have the ability to change their IP address each time.
- You can try setting up a captcha on your login screen, but some bots have the ability to do some optical character recognition.

Furthermore:
- Make sure your tables don't use the prefix "-wp".
- Make sure that WP does not transmit its version number. You need to mute that.

And once you think that all the holes are plugged, you still get hacked. How? Just because you secured the codebase, it does not mean you are secure. You can still get security holes from:

- Plugins
- Themes - lately many free themes allegedly have backdoors and other malware - they are PHP files after all. The free themes from Wordpress.org are safe, as well as the themes from respectable premium theme makers, i.e. Woothemes, Elegant Themes, etc...

There is an interesting solution: even if they know your username and password, they still won't be able to access your back end. This is how it works: after you enter your username and password, you get a message on your smart phone for verification. So if anyone knows your credentials they will still need to have your phone to gain access.

Here is the plugin's URL: http://wordpress.org/extend/plugins/duo-wordpress/

And here is the company's web site (check out the video on the homepage): https://blog.duosecurity.com/2013/01/introducing-the-duo-5-minute-challenge/

I think WP has very loose security standards, and nobody checks the plugins that they distribute through their site for major security holes. Thankfully, there are many other plugins that scan your plugins for security holes, and other security problems with your site in general. Unfortunately, very few people take security very seriously, which always starts with a good and complete backup system.

 
wut

Posted: 4/22/2013

If your client's WP installations are getting hacked, it's your fault. Take the initiative to lock them down and educate your clients.
 
Abland

Posted: 4/22/2013

Hi, wut,

Quote wut:
If your client's WP installations are getting hacked, it's your fault. Take the initiative to lock them down and educate your clients.


Can't argue with that. Usually my fault if I get a cold, too - but sometimes the most careful precautions can still fail.

Fix it, maybe help others avoid it, and back to business.

 
Abland

Posted: 4/22/2013

Quote SiliconANGLE:
once your site is hacked (and the server it’s hosted on becomes compromised), it can then be used to infiltrate other sites.

http://siliconangle.com/blog/2013/04/15/how-to-sidestep-the-wordpress-botnet-hack/

On any type of shared hosting it's not just your wordpress site - it's also your neighbouring sites that can cause risk.

lol -
Quote me:
but sometimes the most careful precautions can still fail

 
ddye

Posted: 5/3/2013

Something to look out for is old versions of the Social Media Widget plugin, which had a security flaw. We had a client site hacked yesterday, and I had to go through every site we have that uses the plugin (over 30 sites) and update it, so you can imagine the kind of night I had.

When a hacker adds code to the header or anywhere else, you can generally just delete and reload the theme and it will go away. That's how we got rid of the malware. Using BackupBuddy to keep your site backed up is a good idea too.

One little trick that works great to keep a client site going while you change themes is to create an identical theme and activate that one when you dump the main theme.

Use this site to check for malware:

http://sitecheck.sucuri.net/scanner
 
Tom

Posted: 5/3/2013

1. Update WordPress, plugins and themes.
2. Lock down WordPress.
3. Secure your PC from malware.
4. Use strong passwords and never store them on your PC.
5. See #1

:-)
 
harry

Posted: 5/4/2013

Just another few tips :

http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676


Restrict Access to WP Admin directory by IP Address

If you are running a single user blog site, there is no reason to allow others to access the WordPress administration panel. You can protect your WP admin from unauthorized access by listing your static IP address in the .htaccess. Here's the trick (Apache does not allow a comment after a directive on the same line, so the comment goes on its own line):

# a.b.c.d is your static IP
order deny,allow
allow from a.b.c.d
deny from all


==

Protect WP-Config

The wp-config.php file in your WordPress installation contains some real important secrets, like database name, database username and password etc. You have no choice but to keep it secure.

# protect wpconfig.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

==

Protect .htaccess itself!

The last thing you want after spending so much time protecting your site with .htaccess is to leave the file itself open to attack. The following hack prevents external access to any file starting with .hta.

# block access to .htaccess, .htpasswd and similar (case-insensitive)
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

Better still, you can rename the .htaccess to any other name you like.

# rename htaccess files
AccessFileName ht.access

==


Also check your plugin code and the versions they display in your source. Once the plugin is loaded, check the source of the website and try to find out if there are any comments about the plugin used and its version. Then scan the folder of the plugin and remove the text so it won't be displayed in the source.

Also protect every folder of your plugin with an empty .html website. Since the plugin folder is static, people can type the name of the plugin into the URL and, when the directory is not protected with a .html file, they can browse through your plugin folder. ALWAYS PROTECT THIS !!!!


 
Kizza42

Posted: 5/4/2013

Just FYI guys, I had some older sites infected and the attack vector was older Artisteer-generated themes. Remember to regenerate your themes with newer versions of Artisteer and don't leave older versions of the themes installed.
 
speedyp

Posted: 5/4/2013

Quote Kizza42:

Just FYI guys, I had some older sites infected and the attack vector was older Artisteer-generated themes. Remember to regenerate your themes with newer versions of Artisteer and don't leave older versions of the themes installed.


@Kizza42
That's quite alarming news and the first I've heard of such an issue.

Do you have more info, specifically which files in artisteer 3 were open to attack and then removed or secured in V4??

Or do you think it might have just been a coincidence?
Thanks
 
Abland

Posted: 5/7/2013

I noticed the WordPress login will glitch on a hacked site. Like entering the username, then tab to the next field requires two tries. And sometimes there's a quick flash of a double logo.

The hack files appear to be hyphenated with a normal looking prefix followed by personal names or other unusual names:

normal-unusual-unusual.php
 
Abland

Posted: 5/8/2013

Hi, speedyp,

Quote speedyp:
Do you have more info, specifically which files in artisteer 3 were open to attack and then removed or secured in V4??


I found version 3.x themes were getting code injected into the functions.php at the very top of the file. I'm looking to see if there's a way to protect existing themes.
 
Abland

Posted: 5/8/2013

http://www.esecurityplanet.com/open-source-security/top-5-wordpress-vulnerabilities-and-how-to-fix-them.html

The first set of .htaccess rules are particularly useful, but it's a good article overall.
 
speedyp

Posted: 5/8/2013

Great info Abland - Thanks
8-)