Hacks for 2.9.2

Mike
(@mike)

15 years, 9 months ago

Is anyone else encountering hacks on 2.9.2? I have found the following across about 10 sites:

– wp-includes/general-templates.php has been modified to include malicious code for malware
– wp-content/plugins/akismet/rss-feed.php has been added by a hack that in turn re-directs google searches
– write to /cgi-bin/ above public_html that redirects Google searches. I discovered this on Friday when Rackspace’s Cloud Sites got about 1000 hacks at once. I think I discovered the problem for them :). That hack modified wp-blog-header.php with a simple include(“”) command.

I didn’t notice many of these hacks until I used Google’s webmaster tools. With that, you can see what Google sees. Many of these malware and redirects only listen for Google, so you may never know about the problem. Just search

viagra site:yourdomain.com

I don’t need to know what the 2.9.2 hole is, but I would like the admins to acknowledge something is wrong. I have spent three days constantly catching up to these hacks. The Exploit Scanner misses some of the problems and simply deleting WP and re-installing isn’t working.

Viewing 6 replies - 1 through 6 (of 6 total)

Thread Starter Mike
(@mike)

15 years, 9 months ago

Oh and I know a moderator is going to post something like:

http://wordpress.org/support/topic/268083?replies=28#post-1065779

but I have followed every single tutorial and site. I have run about 25 sites since WP was released (user 47 on the forum!), and this is the first time I have ever encountered a hack. I have exhausted the standard methods and the “delete everything and re-install” no longer works.

steve-d
(@steve-d)

15 years, 9 months ago

Is anyone else encountering hacks on 2.9.2?

Yes. Your not alone. I noticed all kinds of bizarre server behavior going on during the April mass attacks. It was like the hackers had total and complete control of the Hosts systems. Haven’t been touched in a month now at NS. They got it under control. And, I’m to tired and exhausted to move at this point. I didn’t get into this to be hunched over a computer 24/7 for months on end trying to protect myself from organized armies of overseas hackers trying to “take us out”.

Nasty situation we are in here.

Thread Starter Mike
(@mike)

15 years, 9 months ago

I can now confirm that 2.9.2 has some sort of hole in it. I made a completely clean install of 2.9.2 on Rackspace Cloud Sites. Within three days, all queries were re-directing to a Canadian pharmacy. This is very pressing. I have used WordPress since .01 and never had this problem. Trying to stay on top of these hacks is a full-time job.

Peter Westwood
(@westi)

15 years, 9 months ago

@mike: If you have logs and details showing how they hacked your site please send them to [email protected] so we can investigate.

Cheers

Thread Starter Mike
(@mike)

15 years, 9 months ago

Will do. My priority was removing the hack. But I suspect it will come back in a day or to. Here is a summary of what is happening:

http://blog.sucuri.net/2010/05/seo-spam-network-details-of-wp-includes.html

It is important to note that you can’t see the code if you simply visit your site. The hacks are smart enough to check for Google IPs or referrals. So I recommend signing up for Google Webmasters:

http://www.google.com/webmasters/

and then using the “Labs –> Fetch as Googlebot” to check if you have been infected.

Mark Ratledge
(@songdogtech)

15 years, 9 months ago

I don’t use Rackspace, but it seems that logs are not easily accessable; and it’s more than WordPress on Rackspace An Open Letter to Rackspace Cloud Hosting | Snipe.Net

If you already have developer tools in Safari (or use addons in Firefox and IE), you can change the user agent in your web browser to check your own or others’ sites.

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Hacks for 2.9.2’ is closed to new replies.

Hacks for 2.9.2

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics