Any Wordpress Experts Out There? Site Hacked.

[Changian]

Hi

My site - iamkohchang.com was using an older version of Wordpress - 2.7.1.

A few days ago it was hacked and redirected visitors to a Japanese porn site after they had been on the site for 60 seconds. I found the code in the header and a sidebar widget and removed it. But the problem came back again a couple of days later. This time there was an immediate redirect to the same site.

I read some wordpress forums and found there was a worm that attacked older sites. I think the hack exploited a vulnerability that allowed someone to request a new password for the site and get entry - as when i tried to logon my password didnt work.

The only course of action seemed to be to reinstall everything and start again. But first find the cause of the problem.

I tried checking all the obvious places for lines of code but cant find anything. Tried looking in places in the database but found nothing.

I installed WP 2.8.4 in a new directory to try again. Linked it to the old database and it looked OK, didn't revert to the porn site immediately so I though that was the end of the problem.

However, this morning I noticed the index.php had the redirect code in it again.

I've no idea how to fix this really. I'd rather not have to cut & paste the whole site page by page - image by image - 500+ posts & pages, so if anyone can offer any help / advice. let me know. Happy to pay for your time or swap for accommodation on Koh Chang etc

[Changian]

Thanks for the offers of help via PM that I received. Hopefully I have now found the causes and fixed it . . we will see in the next day or so.

[Crushdepth]

I got a warning from my hosting company about a security hole in Wordpress a couple of weeks ago, here it is in case it applies to you:

------------

The following is a notice for those clients who use WordPress on their VPS or Dedicated servers. Normally we post vulnerability notices in our community forums; however, we are aware that a large number of our clients use WordPress.

If you’re running a self-hosted WordPress (WordPress) blog that isn’t up-to-date (version 2.8.4), you’re advised to upgrade immediately to the latest version of the software to avoid an ongoing attack.

The warning comes from Lorelle on WordPress after it was discovered that a nasty attack is exploiting security holes in previous versions of the blogging software, creating a new “hidden” Administrator account and getting right down to the database level. These attacks are said to be “growing by the hour”. Lorelle writes:

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFER ER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account.

All users are advised to upgrade to the latest version of WordPress immediately.

[Changian]

No luck in getting things fixed yet. Anyone know any good web design companies in BKK that k now about this stuff?

[BrokenChaos]

Why dont you just get a proper website made?

[Crushdepth]

If you've burned everything off the server and done a *clean* install with the latest version and still have problems, it may be that the server itself has a security hole elsewhere. It is quite common in shared webhosting for a server to get hacked via someone else's account.

Try moving your site to a different webhosting company.

[Veazer]

Any chance you've added a module with a vulnerability that hasn't been patched or some critical files you've left as publicly writeable?