The MU forums have moved to WordPress.org

Hacked by Shit Eater OO7 (51 posts)

  1. demonicume
    Member
    Posted 17 years ago #

    i awoke to a dozen alerts in my inbox. i checked my site and it said:
    'HACKED BY SHIT EATER 007'

    it looks like my DBs are still intact and all my files are still on the server.

  2. demonicume
    Member
    Posted 17 years ago #

    more info. the index.php to my main file has been overwritten. for some reason i cant access the rest of the blogsite. when i try to access other blogs (subdirectories), i get redirected to wp-signup.php

    i think i was actually infiltrated before the last release. odd posts were showing up in my archives. mine is a sports ste, but people were coming to my site after having searched for WEP Hacks, etc. i changed everyone's email address, upgraded and moved on.

    as i asked before any ideas?

  3. demonicume
    Member
    Posted 17 years ago #

    replaced index.php with original file. got this message:

    -No WPMU site defined on this host. If you are the owner of this site, please check Debugging WPMU for further assistance.-

  4. demonicume
    Member
    Posted 17 years ago #

    now my databases are gone too. before i use my back up, does anyone have an idea of how this happened? is this the vulnerability in 1.2.1 that was posted about few weeks back?

  5. drmike
    Member
    Posted 17 years ago #

    Best thing would be to check the box's logs (ie webserver, firewall, etc.) to see what occured. The index.php file should be timestanped with the last time it got modified. That should be a starting point time wise.

  6. drmike
    Member
    Posted 17 years ago #

    Issue with the xmlrpc file I bet:

    http://wordpress.org/support/topic/120857

    Fixed in the most recent update:

    http://trac.mu.wordpress.org/changeset/994

  7. Farms2
    Member
    Posted 17 years ago #

    Any more news on how they got in?

  8. demonicume
    Member
    Posted 17 years ago #

    nearest i can tell, he got in thru the XML exploit. he only files affected were database files. i got the site back up, and before i could install the patched xmlrpc i was back down. this time, i inserted the patched file into the back upload and i have been good for a few hours now. the old-ass backup i used came before my last edit that mighta opened the site to a vulnerability. i'm thinking that this is it.

    i'll keep you posted and i'll post anything useful from my logs.

  9. suleiman
    Member
    Posted 17 years ago #

    thanks a ton demonicume.

  10. Farms2
    Member
    Posted 17 years ago #

    Glad to hear you're back up and stable.

  11. andrewbillits
    Member
    Posted 17 years ago #

    Maybe now would be a good time to start a wpmu mailing list. I don't look at everything in trac and missed this myself.

  12. demonicume
    Member
    Posted 17 years ago #

    LAST PERSON TO REGISTER BEFORE MY SITE WENT DOWN:
    geo_madrilenu@yahoo.com
    82.79.184.199'

    googling 'shit eater' brought up a bunch of sites that were hacked in similar fashion. he joins, exploits and leaves his card. but he also left an email address and some spam on another site. Seems he also pimps a pre-teen models site in his profile, and the site has a email the webmaster link.

    <a
    href="http://petiteteenagergalleries.com/galleries/">petiteteenagergalleries
    And webmaster email:
    greg@petiteteenager.com

    used the IP of his site 146.82.206.40 and did a whois on Network Solutions page:
    http://www.networksolutions.com/whois/results.jsp?domain=petiteteenager.com

    he's some bored SOB in Westchester, CA

    then i got the site back w/o the xmlrpc patch. he sent me an email with my own mass mailer and then bashed the site again:

    'realsportsbloggers.com and all its hosted blogs have been hacked by 'SHIT EATER 007'

    Database has successfully backed-up. It will soon be shared and uploaded online.

    Have a nice day!'

    got the site back up and stable with the patch. i've WPMU banned both of his IPs. looking at my logs, he'd tried to access the site a bunch of times... i'll post more info when i find it.

  13. drmike
    Member
    Posted 17 years ago #

    82.79.184.199 is in Romania for refence.

    I actually get Waltham, Massachusetts for the 146.* address.

  14. demonicume
    Member
    Posted 17 years ago #

    my bad, i was talking about the location of the supposed administrator.

  15. deanmundy
    Member
    Posted 17 years ago #

    My Blog http://thoughtfulconservative.wordpress.com has also been hacked and I have no way of regaining control, since the email I log on with (a Gmail account) is out of my control also (According to logins, the email account does not exist). Could there be some correlation? Or is this coincidence?

  16. lunabyte
    Member
    Posted 17 years ago #

    Better be asking the folks at WordPress.com.

  17. demonicume
    Member
    Posted 17 years ago #

    'I have no way of regaining control, since the email I log on with (a Gmail account) is out of my control also'

    it wont work. you need to restore you DB, and patch whatever hole he found.

  18. lunabyte
    Member
    Posted 17 years ago #

    Which, noting the address, is a wp.com issue. (cough cough).

    @andrew...

    Been thinking about exactly that. Or something along the same line.

    In the past couple of days, I've considered putting up a small forum specifically for the discussion of advanced MU topics, issues, etc.

    Not like to exclude the deal here, but someplace where a group of folks can collaborate on things without having to wade through tons of non-tech/low-end types of posts and such.

    Something where we can essentially skip having 4 pages of discussing a solution, and end up with a single post here instead, which in turn will make it easier for people to find the answer to something.

    Kinda like an aside to a conversation, then as things are resolved and such they can be added into the forum here as a brief synopsis, added to trac, or whatever.

    No special domain or anything super fancy, just a little hole in the wall with a single purpose.

  19. andrea_r
    Moderator
    Posted 17 years ago #

    count me in.

  20. lunabyte
    Member
    Posted 17 years ago #

    Cool.

    I'm setting it up at the moment, while I wait on a client to get back to me.

    Like I said, nothing fancy. I 'might' blend it with my main theme, but maybe not. I dunno yet. Might just stick with a stock theme, and 'fuh-get abou tit'.

  21. drmike
    Member
    Posted 17 years ago #

    Which, noting the address, is a wp.com issue. (cough cough).

    Probably guessed the password. Be sure to send in an email to support and let them know what occured.

    Would you rather do a mail list? Might be easier to deal with instead of yet another forum.

    maybe we can get matt to do a wpmu-forums one like the wp.org one. (I;d say org/com but I think I'm the only wp.com person on there)

  22. lunabyte
    Member
    Posted 17 years ago #

    Ah, that's the "genius" behind it.

    It does both.

    It can send out notifications, so something can be pushed out quickly (like the xmlrpc issue, or a new release notification), plus there is the conversation aspect.

    Plus, it has other capabilities as well.

    It's all set-up, unofficially supported, and ready to use.

    Only thing I ask is that folks register using the same username they have here. You can set the displayed name to whatever, but I'd (personally) like to keep a little bit of identification so people won't have to remember that "fred" over here is "killerClownOnAmission" over there. (me = Luke, my current username here is depricated, lol)

    Like I said, nothing special, but I can see it helping at least. Even if it's only that discussions are hashed out to a solution, and then posted here so that someone doesn't have to dig through 6 pages to figure out the final solution.

    As a note, it is for advanced discussion.
    That being said, have at it.

    Edit
    Oh yeah, the search function will be quite useful (once there is content). he he he

  23. andrea_r
    Moderator
    Posted 17 years ago #

    Man, you type like a girl. :D "killerClownOnAmission" ??? there goes my next username...

  24. lunabyte
    Member
    Posted 17 years ago #

    Heh. I was being sarcastic.

    It's all good, eh?

  25. andrea_r
    Moderator
    Posted 17 years ago #

    Well, *yeah*. :P

  26. lunabyte
    Member
    Posted 17 years ago #

    It all comes around... he he he...

  27. mzmartipants
    Member
    Posted 17 years ago #

    Can someone please change the title of this post? It causes me to go in fits of laughter. If I have some some kind of stroke from it, I'm gonna sue. :p

  28. lunabyte
    Member
    Posted 17 years ago #

    <rolls eyes>

    Actually, that's what's left behind. So, I'd consider it relevant for someone that has the same issue.

    It is funny though. lol

  29. mzmartipants
    Member
    Posted 17 years ago #

    I don't WANT it to be funny, it just is. Someone searching the forums for "shiteater" makes me laugh even harder!

    Um. You guys really should have some kind of disclaimer.

  30. lunabyte
    Member
    Posted 17 years ago #

    Well, if you woke up to that on your MU site, wouldn't that be what you search for?

About this Topic

  • Started 17 years ago by demonicume
  • Latest reply from andrea_r