Comments on: Devious WordPress Hack Using wp_remote_fopen http://www.askshane.org/daily-tips/devious-wordpress-hack-using-wp_remote_fopen.php Sound Strategies for Building an Online Business You Can Retire On Thu, 26 Aug 2010 17:15:14 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Andrew A. Peterson http://www.askshane.org/daily-tips/devious-wordpress-hack-using-wp_remote_fopen.php/comment-page-1#comment-61219 Andrew A. Peterson Sat, 20 Jun 2009 08:51:44 +0000 http://www.askshane.org/?p=760#comment-61219 I just got done dealing with this one. The code is squirted into the bottom of the header.php files of all uploaded themes. I recommend: -WP Security Scan (a plugin that double checks for vulnerabilities like bad permissions settings and can even auto rename your database table prefixes for you which is apparently a common security problem) -Cookies For Comments (a plugin that makes it so commenters must have loaded the Stylesheet... Seems like some of these things get in thru unmoderated comments.) -Not having a User named "admin" -Having a strong password (numbers and both capital and lower case letters) -Staying on top of deleting spam comments (most of the attacks I've seen were on blogs that don't keep up with their moderation... Maybe this is a chicken and egg thing) -Of course, Akismet Finally, I think certain hosting companies are more susceptible to attacks than others. Any thoughts? I just got done dealing with this one.
The code is squirted into the bottom of the header.php files of all uploaded themes.
I recommend:

-WP Security Scan (a plugin that double checks for vulnerabilities like bad permissions settings and can even auto rename your database table prefixes for you which is apparently a common security problem)

-Cookies For Comments (a plugin that makes it so commenters must have loaded the Stylesheet… Seems like some of these things get in thru unmoderated comments.)

-Not having a User named “admin”

-Having a strong password (numbers and both capital and lower case letters)

-Staying on top of deleting spam comments (most of the attacks I’ve seen were on blogs that don’t keep up with their moderation… Maybe this is a chicken and egg thing)

-Of course, Akismet

Finally, I think certain hosting companies are more susceptible to attacks than others. Any thoughts?

]]> By: Jonty http://www.askshane.org/daily-tips/devious-wordpress-hack-using-wp_remote_fopen.php/comment-page-1#comment-61177 Jonty Thu, 21 May 2009 10:44:05 +0000 http://www.askshane.org/?p=760#comment-61177 We were also hacked two days ago. They got into the headers.php file in the template. We are still looking at how, but it may have been through not having chmod settings too low. Possible that it came in through a plugin or from bbpress. We are examining all of these. We were also hacked two days ago. They got into the headers.php file in the template. We are still looking at how, but it may have been through not having chmod settings too low.

Possible that it came in through a plugin or from bbpress. We are examining all of these.

]]> By: Eric Marden http://www.askshane.org/daily-tips/devious-wordpress-hack-using-wp_remote_fopen.php/comment-page-1#comment-61168 Eric Marden Fri, 15 May 2009 07:41:13 +0000 http://www.askshane.org/?p=760#comment-61168 Just investigated an instance of this on a new client's existing WordPress blog, and wanted to add a couple more details: In my instance he was up to http://qwetro.com/ss/test_23.txt The contents of this file (as well as the link to it) were base64 encoded. Decoding them revealed the link and the spam contents. The spam was what looked like serialzed php. There was also a remv.php script that was essentially a backdoor (remote viewer). It was in wp-content/themes. @TRaef - i'll show you the code. contact me thru my url. Just investigated an instance of this on a new client’s existing WordPress blog, and wanted to add a couple more details:

In my instance he was up to http://qwetro.com/ss/test_23.txt
The contents of this file (as well as the link to it) were base64 encoded. Decoding them revealed the link and the spam contents.

The spam was what looked like serialzed php.

There was also a remv.php script that was essentially a backdoor (remote viewer). It was in wp-content/themes.

@TRaef – i’ll show you the code. contact me thru my url.

]]> By: TRaef http://www.askshane.org/daily-tips/devious-wordpress-hack-using-wp_remote_fopen.php/comment-page-1#comment-60564 TRaef Thu, 19 Mar 2009 11:39:02 +0000 http://www.askshane.org/?p=760#comment-60564 We'll check them both out later today and I'll let you know. Shane, can we take this off-line? Or if Sire doesn't mind we'll continue this in this blog. Let me know... We’ll check them both out later today and I’ll let you know.

Shane, can we take this off-line? Or if Sire doesn’t mind we’ll continue this in this blog.

Let me know…

]]> By: Sire http://www.askshane.org/daily-tips/devious-wordpress-hack-using-wp_remote_fopen.php/comment-page-1#comment-60562 Sire Thu, 19 Mar 2009 04:14:25 +0000 http://www.askshane.org/?p=760#comment-60562 It was one of two sites and I'm not sure which. It was either http://www.blogsire.com/myblog/ or http://www.theelusivepotofgold.com/MyBlog/ Do you think there was a possibility that it was hacked? It was one of two sites and I’m not sure which. It was either http://www.blogsire.com/myblog/ or http://www.theelusivepotofgold.com/MyBlog/

Do you think there was a possibility that it was hacked?

]]> By: TRaef http://www.askshane.org/daily-tips/devious-wordpress-hack-using-wp_remote_fopen.php/comment-page-1#comment-60561 TRaef Thu, 19 Mar 2009 04:02:42 +0000 http://www.askshane.org/?p=760#comment-60561 Sire, if you'd like to mention your site, we would be happy to scan it for you at no charge and send you the report. Sire, if you’d like to mention your site, we would be happy to scan it for you at no charge and send you the report.

]]> By: Sire http://www.askshane.org/daily-tips/devious-wordpress-hack-using-wp_remote_fopen.php/comment-page-1#comment-60560 Sire Thu, 19 Mar 2009 03:52:49 +0000 http://www.askshane.org/?p=760#comment-60560 This is very interesting as I know of a user who visits some of my blogs that complains of being taken to another site automatically. I know it's not because of anything that I've done and it has always mystified me. I've tried the adipex site but it couldn't find anything? This is very interesting as I know of a user who visits some of my blogs that complains of being taken to another site automatically. I know it’s not because of anything that I’ve done and it has always mystified me. I’ve tried the adipex site but it couldn’t find anything?

]]> By: Redmanthatcould http://www.askshane.org/daily-tips/devious-wordpress-hack-using-wp_remote_fopen.php/comment-page-1#comment-60519 Redmanthatcould Thu, 05 Mar 2009 22:28:22 +0000 http://www.askshane.org/?p=760#comment-60519 Thanks for the heads up, Shane. Will keep a look out and hopefully we don't get hit. Jeff Thanks for the heads up, Shane. Will keep a look out and hopefully we don’t get hit.

Jeff

]]> By: kdogg http://www.askshane.org/daily-tips/devious-wordpress-hack-using-wp_remote_fopen.php/comment-page-1#comment-60514 kdogg Tue, 03 Mar 2009 07:20:38 +0000 http://www.askshane.org/?p=760#comment-60514 havent seen this on any of my blog networks being successful.. i always run either the latest trunk, or development 2.8-bleeding edge or the latest 2.7.* dev versions though.. havent seen this on any of my blog networks being successful.. i always run either the latest trunk, or development 2.8-bleeding edge or the latest 2.7.* dev versions though..

]]> By: Shane http://www.askshane.org/daily-tips/devious-wordpress-hack-using-wp_remote_fopen.php/comment-page-1#comment-60505 Shane Sat, 28 Feb 2009 00:53:54 +0000 http://www.askshane.org/?p=760#comment-60505 Regrettably no, Jake. Still looking :( Regrettably no, Jake. Still looking :(

]]>