Maintenance Tonight
In case you have noticed anything weird around the box lately, it appears my site has been compromised, so tonight I will be wiping my server and starting from scratch. If anyone has any security tips for WordPress and how to help prevent a future attack, I’m all ears. The only clue I have is that one user saw a white screen with the phrase “Already Hacked by Magic SEO Toolz.” There have also been spammy links inserted in my RSS. Sorry for the inconvenience, and I’ll have everything back to normal as soon as I can. This couldn’t have happened on a worse week. (The week I have to pack all my shit and move to another state).
If anyone has any info or would like to help (I’m not a WordPress guru) you can email me at contact(at)bittbox.com.
~Bitt
Tags: Maintenance, Server
This entry was posted on Tuesday, November 13th, 2007 at 7:14 am and is filed under News.

It’s a shame,
if Wordpress is the one to blame, then I assume there are lots of guys now worried.
I believe that it is not though, maybe your host is to blame.
Man, that sucks.
I’ve heard of wordpress plugins bringing hacks into the blog. Like hidden ads, and links that you don’t see unless you are actually looking at the html.
Patch your new kernel with grsecurity; secure /tmp (and the other partitions as well…don’t allow block devices or write access unless the partition requires it, like /var), chroot your apache & php installs; harden apache & PHP; install mod_security. The list goes on :)
good luck, man
There is a lovely little thing called Bastille Linux, which is a hardening tool that you can use to secure up your server, Bit. Lotsa nice tutorials as well. If you need help, email me, I can point you in the right direction and give you some help. Lord knows you have given me enough help.
So where ya headed?
bit…
Most web defacements are due to the web server software and web application being hacked. With dynamic, DB-based systems like WordPress it is even more likely that the hack occurred through the web application and web server software via SQL injection, or poorly written plugins/extensions.
I agree with ridlo’s points/recommendations. Chroot’ing your Apache deployment is huge. Also make sure that you use good strong passwords and rotate them often. Consider that if your database was compromised then any data within that DB could be vulnerable, including your passwords.
I’ll email you privately so you have my actual information.
jason
Damn! This same exact thing just happened to me, and I have to prepare for a big trip too. Bad timing.
See: http://snipurl.com/1tktf
By any chance were you at Blogworld Expo? I was on the open wifi there and suspect that’s where the hacker sniffed my password.
I’m also currently running an older version of Wordpress. I’ve arranged for an upgrade, but that hasn’t happened yet.
Sounds like from what your commenters say that more might have been compromised on your site, and mine, than just Wordpress. I’m in over my head here, I don’t really understand server-side stuff. I’d appreciate assistance for how to fix this and secure my site more appropriately. I’ll be watching this thread for tips.
- Amy Gahran
[...] The blog BittBox is experiencing an identical problem. The comment thread there offers some [...]
Amy,
I’m running the latest version of WP, so that won’t fix it. :(
~Bitt
Yet another reason I don’t like PHP.
f’in hackers, best of luck. looking forward to your return.
Bitt, that sucks. I’m pretty sure that if you ask, the support people of WordPress might help you out finding the problem.
best of luck
Gg
Hey, good luck … sorry I can’t help you :( didn’t have to deal with security issues till now …
lg mad_man
Jonic You Rock!
A friend of mine in the UK found the problem. It was a hacked version of the “Recent Posts” plug-in. I deleted it and it seems to have fixed the problem! Still making sure. Thanks to everyone for helping.
~Bitt
Bitt,
Please remove “Hacked by …..” from your post. “Hacked by kiddies” will do.
Thanks
Awesome!!!! Glad you might have found the problem.
Mark,
May I ask why?
~Bitt
(Tom) Not sure why PHP is the issue…properly coded PHP works just fine. Unfortunately significant portions of the open source community fail to code the necessary variable checking routines necessary to safely process data.
Bitt - I’m glad to hear that you found the vulnerable plugin…
jason…
Jay
On my blog, the problem was a hacked Akismet plugin, which has now been reinstalled.
Doesn’t look like they’re targeting one particular plugin, could be any plugin. But you and I were both hacked via plugins.
- Amy Gahran
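Added example (not part of the original post or any comment): both compromises reported in this thread came down to a plugin file that no longer matched its clean release, which a stored hash baseline of the plugin directory would surface as a modified or unexpected file. The `wp-content/plugins` layout, the file names and the file contents below are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(baseline, current):
    """Report files changed, added or removed since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a clean plugin tree, tamper, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"  # assumed layout
        plugin = plugins / "recent-posts"               # hypothetical plugin dir
        plugin.mkdir(parents=True)
        (plugin / "recent-posts.php").write_text("<?php /* clean release */ ?>\n")
        (plugin / "readme.txt").write_text("Recent Posts plugin\n")

        # In practice the baseline lives where the web server cannot write.
        baseline = build_manifest(plugins)

        # Simulated tampering: one file altered, one unexpected file dropped in.
        with open(plugin / "recent-posts.php", "a") as fh:
            fh.write("<?php /* constructed stand-in for injected code */ ?>\n")
        (plugin / "cache.php").write_text("<?php /* constructed extra file */ ?>\n")

        return compare(baseline, build_manifest(plugins))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Files in the "added" list matter as much as modified ones, since a plugin directory that was never activated can still hold code the web server will execute.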
Now why would somebody use a plugin for bringing out the Recent Posts? You can actually just use the WordPress loop. :)
Dino,
I wasn’t even using it. My sidebar uses the widget that comes with WordPress.
~Bitt
One of my blogs was affected by this “hack”.
I could identify that every time the word “Select” or “select” is placed in a form or query (both GET and POST) on the URL, the hack attacks.
I have more than one blog running WordPress on the box, and only one was affected.
I am now replacing the full script….
If it’s any consolation even sites run by programmers get bitten: I found the same message on ajaxian.com a while back (they seem to have fixed the issue)
Jason:
> (Tom) Not sure why PHP is the issue…properly coded PHP works just fine.
Properly coded Java works just fine. That doesn’t mean it is good.
The problem is that PHP, out of the box, is terribly insecure. (check out that there is a “safe mode” for it and look at how many options there are for that).
It is only made worse by the culture of PHP development. I have seen a lot of PHP. Most of it completely fails to incorporate even the most basic concepts of modularity, abstraction and code reuse. It is often the victim of the worst thing computers ever gave us: copy and paste.
Besides …. As far as I am concerned, PHP is a “dumbed down” Perl. Why not just do everything in Perl? That way, you can keep your code OUT of the document directory like it SHOULD be.
ALL of WordPress’s executable code is in one directory tree, starting at the DocumentRoot. This is … not wise.
Hi Bittbox,
It’s just accepted best practice to not publish/advertise/glorify the work of script kiddies.
They’re in the cracking business for glory/backlinks(money), take away both and they lose their motive.
Maybe I’m being naive, but nevertheless, that is my view and just a suggestion.
Cheers
thanks