mfouad
Member
Posted 16 years ago #
hello all
i'm indyword but forgot the password
my site once it's running and working perfectly in a beta testing then i found this on the home page
'Hacked ßy Ozkul Can
DALIMIZI KIRANIN AGACINI KOKUNDEN SOKERIZ
MUSL?M HACKER TUK?S
cw-ozkulcan@hotmail.com
<font color="red" face="Tahoma" size="6"><font color="grey" face="Tahoma" size="6">-</font></font>
Fatal error: Call to undefined function: wp() in /**************/wp-blog-header.php on line 15'
all file permission was so fine and everything was just as perfect as it should be and as told by drmike and others here on the MU forums before
i'm so confused as it's not the first time .. it's the 3rd for me and i don't think i will be able to use MU again like this
so please help
Adel Samuel
mfouad
Member
Posted 16 years ago #
please i need ur help figuring out what is the problem ASAP
plzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
I would make a bet that you are using a windows server. If that is the case, make sure you have everything updated, then change all admin and FTP passwords. I have seen this type of thing before on some of my boxes and it seems to be an issue with IIS or a portion of it, but I can't track it down. I am just dealing with it since it is something I am used to getting from MS products.
mfouad
Member
Posted 16 years ago #
actually i don't use windows servers anymore
i was just asking how can i protect myself from such future attacks ?
Is there anything in your logs? How about the firewall logs? What file is getting hacked? Are you sure the file permissions are set correctly? Have you changed your password on your MU account? How about your hosting account?
mfouad
Member
Posted 16 years ago #
drmike
thanks for replying to my post
i found that he changed the wp-config.php file .. the file permission was 644
till now i don't know how he can get access to edit this file and how to prevent this in future
regards
mfouad
Member
Posted 16 years ago #
the wp-config file has become as this
[removed file so I could read the thread - drmike]
*sigh*
Is there anything in your logs? How about the firewall logs? What file is getting hacked? Are you sure the file permissions are set correctly? Have you changed your password on your MU account? How about your hosting account?
There was no need to post that file. There is a need to answer questions posed to you though. If you're still able to, please remove all of the text from your previous post. It's hard enough scrolling past all that.
"i found that he changed the wp-config.php file .. the file permission was 644"
This is how they got in.
But how did they get to the file though? 644 would be correct as that just makes it readable. If it's a php file, the text within it would still not be visible to a visitor.
My money is on they got access to the hosting account but without knowing more, we don't know for certain.
They could still get it by pointing their FTP program there and getting it, or any other non-browser way.
If the username/password in the file is the same as the hosting account, well there's a no-brainer there. Might as well hang a sign.
They would still have to have a log in and a password for FTP though.
Unless mfouad is set up for anonymous access to his or her site. That's a big no-no.
mfouad
Member
Posted 16 years ago #
well .. i didn't allow anonymous access for FTP and the account password and username are not the same as my FTP or account access ones .. actually a lot of difference between both
i changed the password after installation
removed install matters ... used latest MU 18-8 at this time
usually change the passwords each cpl days
and didn't even give blog.dir 777 permission as i didn't need it for the time
everything fixed after reuploading config file for sure
before this time they accessed to the index file due to permission stuff and another time without accessing permission thing
i really wish to know how
A couple of observations as to the process here:
1) We need a set of MD5 sums to be really sure what files got hacked. Tardiff http://tardiff.sourceforge.net/ might be useful for this. It will fail to the extent that you have modified random files.
2) The hacked file - thanks for this. It would have been better as an attachment, though I think these forums don't offer the ability to attach a file. (Perhaps you can attach it to codex?)
3) The forums here do have limitations (such as not being able to edit another's posting). Have there been threads discussing a replacement for them?
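[Added example, not part of the original thread and not Tardiff's code.] The checksum comparison suggested in point 1, sketched as a diff between a pristine copy of the same MU release and the live install. The function names and sample trees are constructed for illustration, and SHA-256 is used here in place of the MD5 sums the post mentions.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root, algorithm="sha256"):
    """Map each file's path (relative to root) to its hex digest."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.new(algorithm, path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_trees(clean_root, live_root, expected_local=("wp-config.php",)):
    """Diff a live install against a pristine copy of the same release."""
    clean = build_manifest(clean_root)
    live = build_manifest(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "missing": sorted(p for p in clean if p not in live),
        # Files that exist only on the server: uploads, plugins, or something planted.
        "added": sorted(p for p in live if p not in clean and p not in expected_local),
        # Site-specific files have no upstream copy, so they need manual review.
        "review_by_hand": sorted(p for p in expected_local if p in live),
    }


def demo():
    """Constructed sample trees standing in for a clean download and a live site."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            Path(root, "index.php").write_bytes(b"<?php require './wp-blog-header.php';")
            Path(root, "wp-blog-header.php").write_bytes(b"<?php wp();")
        # Simulate the state in this thread: an altered index.php plus local files.
        Path(live, "index.php").write_bytes(b"<?php /* constructed defacement */")
        Path(live, "wp-config.php").write_bytes(b"<?php /* site settings */")
        Path(live, "dropped.php").write_bytes(b"<?php /* unknown file */")
        return compare_trees(clean, live)


if __name__ == "__main__":
    print(demo())
```

Any core file you have edited on purpose will also show up under "modified", which is the limitation point 1 describes.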
i had the same thing a while back index.php was altered to almost the same code.
i found loads of stuff in the db of posts as admin with css code in them and other php/html
and it happened over and over no matter what i did permissions at one point were all set to read only,
then my ex web host put mod_security on their servers and it stopped.
might have been just chance as i also did some other things at same time like making the admin password Nice and long and random
*& too many others and too long ago to list*
as for posting a file . you could post the content
to a pastebin
mrcleaver - #2 - forums do not allow for attachments. Please don't suggest they put it in the codex, that's not what it's for. Any code that a forum user wants us to look at should be linked to in a spot on their server, a file hosting place or pastebin.
#3 - this forum software is also by the WP developers, so NO, it won't be replaced. There have been countless threads about it all over the place.
matrix monkey - they didn't have mod_security???? Thank God they are your EX host.