HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Hacked via Wordpress Plugin wysija-newsletters

vrijvlindervrijvlinder Papillon-Sauvage MVP
edited July 2014 in Feedback

I have been hacked with some strange php code that was injected into all php files from Vanilla and Wordpress some of the code is as bellow but is longer. I tried erasing it but it is not just in the config but on all php files. My accounts were suspended for this... 8 forums and 3 wordpress ... I will likely have to reinstall all of them and the plugins and themes. This is a real disaster.
All my permissions were correct and even on read only files this code was written to the file.

<?php $oayviptblj = (rest of code deleted by UnderDog)

Tagged:

Comments

  • hgtonighthgtonight ∞ · New Moderator

    Looks like a pretty standard hijack script. The variable stores some arbitrary PHP code encoded for obscurity. This is decoded and executed. You might find some clues if you go through the motions and decode the string, but I wouldn't bother.

    Clean it or throw it out. Backup your db and check it for malicious code.

    Sorry :(

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    I will have to reinstall everything!! all php files even those that had only read permissions were injected with this...But strangely only one domain was not affected. But I think my host got hacked because how do you explain 7 domains all with Vanilla and Wordpress ?

    It is impossible to clean the files there are thousands of them. I thought it was just the config folder but it is in every php file....

  • I suggest scanning your home computers, and for anyone that has privileged access to do it. Update the anti-virus software first.

    People don't realize this vector in exploiting web-admins. But actually the weakest link is often yourself and your staffers. You have access the site so you are the obvious choice to target. it is isn't personal, they simple infect loads of people, and soon enough they will infect sites through them.

    Happened with a client of mine and spent ages looking for the exploit, when it was a staffer, who kept reinfecting the server over an over.

    You will have to clear up all the files which means installation normally.

    What you are seeing is the payload, and if this continue most likely you won't just get the one style. To explain, the illicit space is effectively being hired out on the black market for various spam, to whoever wants it, not only that but the virus people are most likely is hiring out the exploit for whatever payload.

    Not all payloads will be obvious, some may not show visible signs becuase they only target search engines not people.

    Not only do these scripts make your server severely compromised, it will often hammer them, because many of them do taxing operations like "call home" scripts (not to mention he privacy implications).

    They will put effort into trying to make the code as hidden as possible, so every file has to be replaced sorry.

    grep is your friend.

    UnderDogmtschirs
  • x00x00 MVP
    edited July 2014

    In the vast majority of attacks, they don't care about you. People often think they are personally targets and take it personally. This can be a case, but usually where you have something specific that someone else doesn't, that is worth targeting. Or hacktivism, or lolz, which you can usually avoid by staying away from all the bullshit.

    For the vast majority, you are simply a mean to an end. Either to be a platform for serving spam or to facilitate the spam network in some way. Or to facilitate the spread of viruses which can be used to a wide range off illicit operations.

    grep is your friend.

  • vrijvlindervrijvlinder Papillon-Sauvage MVP
    edited July 2014

    I'm in a Mac it is clean and the only one with admin access on all . I think that the host was hacked they need to restore from a good backup

  • @vrijvlinder said:
    I'm in a Mac it is clean and the only one with admin access on all . I think that the host was hacked they need to restore from a good backup

    Possibly, but it could be your implementation. Just becuase a host provide the server space, doesn't mean they can guard against everything the customer does or doesn't do. There is responsibility on both parties.

    Cheap hosts are largely to blame in the sense the perpetrate the myth that web mastering is a walk in the park with little or no learning curve, and don't provide adequate infrastructure to do anything about anyway.

    I reiterate, the point I made about viruses, this is a very efficient vector and does these sort of attacks. Make sure, then you can consider other possibilities.

    grep is your friend.

    UnderDog
  • peregrineperegrine MVP
    edited July 2014

    @vrijvlinder said:
    I'm in a Mac it is clean and the only one with admin access on all . I think that the host was hacked they need to restore from a good backup

    It could be, you can't rule that out. Have you contacted your host, to see if others have been compromised as well.

    although of a different nature than your experience.

    http://arstechnica.com/security/2013/04/huge-attack-on-wordpress-sites-could-spawn-never-before-seen-super-botnet/

    Sorry to hear about your problems. Its never fun.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

    UnderDog
  • so a certain extent virtual hosting is individually sand-boxed.

    grep is your friend.

  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    Yea I contacted the host as soon as I noticed they said I had malicious scrips even read only files were affected it is a bloody pain in the arse!!

  • vrijvlindervrijvlinder Papillon-Sauvage MVP
    edited July 2014

    I still don't know if they will be able to restore my site, but upon scanning I found this , some html/ExpKit.gen3 virus which I am not sure how it got there because my computer is clean. I saw that in a cache file from chrome, but it could be from any site, I am in Mexico and I do visit gov sites which are notorious for being infected ...

    This could not happen at a worse time. I just don't have the time to work on the fix.

    BTW this is not a cheap host by any means not in my opinion based on comparisons of services safety and reliability. They are also vulnerable and not immune to attack.

    I had not seen a php script like that before on anything. I had not been working on my sites or doing any uploading via ftp of anything malicious. Have no users really and the other site with wordpress belongs to a friend and she is also on a mac and reportedly was just working on an article before this happened. She called me to ask me to look at something strange in her site and that she could log in and all was normal in that regard because as she was telling me this I was looking at her site and it was already 500 so I blamed her for maybe doing something bad ....

    Then checked all my sites and all forums and wordpress were 500 except one. So I really believe the host was compromised because they are the only other ones who have access to my files at top level.

    UnderDog
  • That sounds likely however...

    If you file didn't have read permission, and critically those file weren't assigned to the web server (process) user, then under normal circumstances, it wouldn't be able to write to those specific files. This wouldn't completely stop an attack, but may limit the impact of overwriting files. However it depends very much, how php and the server has been set up, and if you even have the capacity to do anything about it.

    If the process user does own the files, then it could be able to do anything it wants with your files using a magnitude of methods.

    Of course often these attack use a combination of exploits chained together. So nothing is full proof, but still file management is important.

    Sometimes php is been run through a special handler like suPHP, believing this is somehow better. However this isn't necessarily the case, depending on how it is being used. It can also confuse inexperienced webmaster who are used to a very generic way of file arrangement and won't adjust to different (even smart) setups, if there is any attempt at file management at all.

    The reason I still say to scan your computer is, this something that would have you and host umming and arring. As the payload may be clear, but it wouldn't actually a and exploit on the server, you would be the exploit.

    grep is your friend.

    UnderDogvrijvlinder
  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    yes I did scan my computer but never find anything. I have not been using a windows pc for sometime now. I always associated these sort of attacks being facilitated by js . This is the first time I see an exploit in php.

    But as hgtonight mentioned that whole string of code was encoded so it could have also calling some js to execute . A nightmare nonetheless...

  • But as hgtonight mentioned that whole string of code was encoded so it could have also calling some js to execute . A nightmare nonetheless...

    yes this is the payload not the exploit.

    I'm glad you are sorting it.

    grep is your friend.

    UnderDog
Sign In or Register to comment.