Blogs Hacked


Postby Tel » Wed Mar 11, 2009 7:38 pm

Just recently, some of my own hosted WP blogs have been hacked by Islamic geeks who have put up a pretty scary home-page in black with pro-Islamic, anti-US/Israeli messages. I discovered the latest one just today.

This time I did some digging and found on Statcounter that the site had been visited by someone in Rabat in Morocco. This is the search query they did, so it seems they're targeting any WP blogs on the IP that my host lives on:

search.live.com/results.aspx?q=ip%3A74.54.219.66 powered&first=31&FORM=PERE3

The IP address is: op-soekarno-adsl (196.206.66.48)

If this happens to anyone else, it's not too difficult to clean, but they do get into the blog and change the admin user and password, then paste their code into the index.php file. Log in to your cPanel and via phpMyAdmin get into the database and change the admin username - make sure your email address is still specified. Then go back to the WP login panel and request a new password. Once you've logged in, delete the hack code in index.php and then paste the original code back in and that should be that.

Just because these fuckers are clever enough to hack your WP password doesn't mean they're intelligent. I read through the code they injected and lo and behold there's some AdSense code in there, complete with account number. That's getting forwarded to Google.
Tel
Site Admin
 
Posts: 2919
Joined: Sun Mar 25, 2007 4:52 am
Location: Spain

Re: Blogs Hacked

Postby lissie » Wed Mar 11, 2009 11:54 pm

I changed the admin user name in phpMyAdmin - but the index.php file looks totally normal. How can you tell what the last modified date was in cPanel? The only way I know how to do it is to log in via FTP - cPanel appears to have no option for this most basic command, duh!
Is there any way to get a command line prompt in cPanel?
Lis
Passive Income and Controversy!
lissie
 
Posts: 511
Joined: Tue Jun 17, 2008 3:22 am
Location: New Zealand

Re: Blogs Hacked

Postby Tel » Thu Mar 12, 2009 7:49 am

Don't know if you can in cPanel, but you can get the date change info via FTP.

Once I'd got my admin user password back and logged in to the blog, I checked the code in its own editor. Depending on your theme, they might have changed your home.php file as well as/instead of index.php. Also check out style.css in case they did anything strange in there.
Tel
Site Admin
 
Posts: 2919
Joined: Sun Mar 25, 2007 4:52 am
Location: Spain

Re: Blogs Hacked

Postby bgmacaw » Thu Mar 12, 2009 12:29 pm

Were you able to tell if this attack was a brute force or a SQL injection hack?
bgmacaw
 
Posts: 471
Joined: Thu Apr 24, 2008 4:17 am

Re: Blogs Hacked

Postby Tel » Thu Mar 12, 2009 12:43 pm

Not too sure, although HostGator support said they've seen this before and believe they are taking advantage of a weakness in older versions of WP. OK, that doesn't really tell us much, and Lissie's site was on 2.7, so maybe these guys are a little more knowledgeable.

My guess is that they're not getting into the database, or if they are they're not doing any damage in there. They have a way to either break the password, or bypass it altogether to get into the blog's admin panel. There they change the admin user and password and edit the index.php file and paste their crap over the original. Then they get out and job done. The site then displays a typical terrorist style frightening looking homepage when you open it in your browser.

I got their IP via statcounter as they couldn't resist opening the site in their browser for 2 seconds to look at their own handiwork.
Tel
Site Admin
 
Posts: 2919
Joined: Sun Mar 25, 2007 4:52 am
Location: Spain

Re: Blogs Hacked

Postby Phillip » Thu May 13, 2010 4:36 pm

Got hacked as well.
Completed Successfully...
0wn3d ~ By .. { Sniper-Q8!!
H4CK3D
AND f***ed
**Arabic**
f**k 4LL 4dmin in Sit

Google Translate wrote:Chevc Ann Hiat men increased
Vhabayt give you Drrs .. Index Halmrrp suspended the second time to withdraw Aldomyin

That's a WordPress 2.9.2 site. I am not exactly sure when it happened, but someone entered my site yesterday with the following search string from Bing.

ip:**mysiteip** wordpress


They came from 168.187.75.85 in Kuwait

What's the easiest way out from this? Delete the site completely then do a revert from an old backup? Or can I just get away with changing the passwords and the usernames and deleting the theme and uploading it again? Looks like they just modified my header as usual.
Phillip
 
Posts: 666
Joined: Wed Oct 28, 2009 8:45 pm
Location: Finland
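Both site owners in this thread spotted the same precursor in their stats: a visit referred by a search whose query starts with `ip:` followed by the server's address. The sketch below is an added example, not something posted in the thread, that pulls such referrals out of a web server access log; it assumes the Combined Log Format, and the sample lines are constructed with documentation-range addresses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - - [time] "request" status bytes "referrer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "([^"]*)"')
# Search operator that lists sites hosted on one address, as seen in the thread.
IP_QUERY = re.compile(r'^\s*ip:\s*(\d{1,3}(?:\.\d{1,3}){3})\b', re.I)

# Constructed sample lines; every address is from a documentation range.
SAMPLE_LOG = '''\
203.0.113.7 - - [11/Mar/2009:18:02:11 +0000] "GET / HTTP/1.1" 200 5120 "http://search.live.com/results.aspx?q=ip%3A192.0.2.10+powered&first=31" "Mozilla/4.0"
198.51.100.23 - - [11/Mar/2009:18:05:40 +0000] "GET /about/ HTTP/1.1" 200 2048 "http://www.google.com/search?q=passive+income+blog" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2009:18:09:55 +0000] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/4.0"
198.51.100.99 - - [13/May/2010:09:14:02 +0000] "GET / HTTP/1.1" 200 5120 "http://www.bing.com/search?q=ip:192.0.2.10%20wordpress" "Mozilla/5.0"
'''


def ip_search_referrals(log_text):
    """Return (client_ip, timestamp, searched_ip, query) for each visit that
    arrived from a search whose query begins with the ip: operator."""
    hits = []
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue  # not a Combined Log Format line
        client, stamp, referrer = match.groups()
        for query in parse_qs(urlsplit(referrer).query).get("q", []):
            found = IP_QUERY.match(query)
            if found:
                hits.append((client, stamp, found.group(1), query))
    return hits


def later_requests(log_text, clients):
    """List every log line from clients already flagged, for follow-up review."""
    return [l for l in log_text.splitlines() if l.split(" ", 1)[0] in clients]


if __name__ == "__main__":
    flagged = ip_search_referrals(SAMPLE_LOG)
    for hit in flagged:
        print("ip: search referral", hit)
    for line in later_requests(SAMPLE_LOG, {hit[0] for hit in flagged}):
        print("same client:", line)
```

A hit is only a lead: it shows that someone enumerated the sites on the shared address, and the follow-up list shows what else that client requested, such as the login page.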

Re: Blogs Hacked

Postby Tel » Fri May 14, 2010 6:39 am

It depends what they injected into your blog. In my case all they did was upload a new index.php file overwriting mine. I just uploaded a backup over that and it was fine again. If they got your header, you should be able to upload a fresh header from the theme if you download a fresh version to your pc and upload the header.php file into the theme on your server via ftp.

Check through other files on there for anything that has a recent modified date that you can't account for and check it out too.
Tel
Site Admin
 
Posts: 2919
Joined: Sun Mar 25, 2007 4:52 am
Location: Spain
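The check suggested in this thread (look at index.php, home.php, header.php and style.css, then at anything with a recent modified date) can be done in one pass against a fresh copy of the theme. The following is an added example, not code from any poster; it assumes the site files were pulled down over FTP and a clean download unpacked beside them, and the demo builds constructed files in a temporary directory.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def file_map(root):
    """Map each file's path relative to root onto (SHA-256, mtime)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): (
            hashlib.sha256(p.read_bytes()).hexdigest(), p.stat().st_mtime)
        for p in root.rglob("*") if p.is_file()
    }


def audit(live_root, clean_root, days=7, now=None):
    """Return sorted relative paths: changed (content differs), extra
    (only on the live site), recent (modified within `days`)."""
    cutoff = (time.time() if now is None else now) - days * 86400
    live, clean = file_map(live_root), file_map(clean_root)
    changed = sorted(p for p in live if p in clean and live[p][0] != clean[p][0])
    extra = sorted(p for p in live if p not in clean)
    recent = sorted(p for p, (_h, mtime) in live.items() if mtime >= cutoff)
    return changed, extra, recent


def demo():
    """Build a constructed clean theme and a tampered copy, then audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        old = time.time() - 30 * 86400
        for root in (clean, live):
            root.mkdir()
            for name in ("index.php", "header.php", "style.css"):
                path = root / name
                path.write_text("<?php /* original %s */ ?>\n" % name)
                os.utime(path, (old, old))  # pretend it was uploaded a month ago
        (live / "index.php").write_text("<html>constructed defacement page</html>\n")
        (live / "cache.php").write_text("<?php /* file the owner never uploaded */ ?>\n")
        return audit(live, clean)


if __name__ == "__main__":
    for label, paths in zip(("CHANGED", "EXTRA", "RECENT"), demo()):
        print(label, paths)
```

Modified dates can be reset by whoever altered the file, so treat the hash comparison and the list of extra files as the stronger signal and the date list as a hint.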

Re: Blogs Hacked

Postby Phillip » Thu Feb 03, 2011 5:22 pm

Hacked once again from IP : 79.172.142.106
HaCKeD By : TeaM SQL HEX

I bear witness that there is no god but Allah, Mohammad is the Messenger of Allah
 


There is no god but Allah, Muhammad is the herald of Allah 

::: Hacker Saudi Arabia :::


SILVER FoX      DMAR SKOOD      Al5aterHaCkEr

Dch@hotmail.com        Hyy@Hotmail.com     o_8a@hotmail.com



 
Phillip
 
Posts: 666
Joined: Wed Oct 28, 2009 8:45 pm
Location: Finland

Re: Blogs Hacked

Postby Tel » Thu Feb 03, 2011 6:34 pm

You'd think with all that intelligence these guys would figure out they could actually use their skills to make something worthwhile of their lives.
Tel
Site Admin
 
Posts: 2919
Joined: Sun Mar 25, 2007 4:52 am
Location: Spain

Re: Blogs Hacked

Postby Phillip » Fri Feb 04, 2011 7:12 am

I couldn't even figure out how they hacked it. Not the typical header.php modification; they even changed my admin e-mail address so I can't get a new password for it. Maybe just a brute force password hack. I guess I'll need to set up login lockdown on all of my WP sites.

Maybe just a coincidence, but both of these sites were hosted at hostnine. I have never been hacked over at Hostgator.
Phillip
 
Posts: 666
Joined: Wed Oct 28, 2009 8:45 pm
Location: Finland

Re: Blogs Hacked

Postby Tel » Fri Feb 04, 2011 7:45 am

They got a couple of mine at Hostgator a while ago, changed the admin but not the email. They must have learned that one since then. I'd guess it was a brute force attack - they managed to get into mine even though the version of WP was the latest and the password was really tough with special characters and numbers in. It's no great problem to fix through cPanel/phpMyAdmin but it's still a pain in the arse.

Maybe they found some kind of backdoor, which wouldn't surprise me all that much. Bill Gates has been leaving them in MS for his hacking buddies to find from the start! :lol:
Tel
Site Admin
 
Posts: 2919
Joined: Sun Mar 25, 2007 4:52 am
Location: Spain

Re: Blogs Hacked

Postby Phillip » Fri Feb 04, 2011 8:43 am

Tel wrote: They got a couple of mine at Hostgator a while ago, changed the admin but not the email. They must have learned that one since then. I'd guess it was a brute force attack - they managed to get into mine even though the version of WP was the latest and the password was really tough with special characters and numbers in. It's no great problem to fix through cPanel/phpMyAdmin but it's still a pain in the arse.

Maybe they found some kind of backdoor, which wouldn't surprise me all that much. Bill Gates has been leaving them in MS for his hacking buddies to find from the start! :lol:


My passwords are also "impossible" to guess :D True that about Bill Gates and backdoors, but WordPress is open source - there shouldn't be such idiocracy :)
Phillip
 
Posts: 666
Joined: Wed Oct 28, 2009 8:45 pm
Location: Finland

