
R365 hosted site hacked - trying to find redirection code

  • 03-11-2009 11:14am
    #1
    Registered Users Posts: 6,509 ✭✭✭


    I am helping a friend sort out the hacked http://www.whatistandfor.ie. It seems to be a number of r365 sites hacked by team mosta.

    I haven't contacted R365 yet - figuring I'd get quicker help here.
    When I try to get to the Wordpress login page it tries to redirect it to the hackers' site.

    Here is the wget debug output:
    $ wget -d http://www.whatistandfor.ie/wp-admin/
    DEBUG output created by Wget 1.11.4 on cygwin.
    
    --2009-11-03 10:07:13--  http://www.whatistandfor.ie/wp-admin/
    Resolving www.whatistandfor.ie... 79.140.140.64
    Caching www.whatistandfor.ie => 79.140.140.64
    Connecting to www.whatistandfor.ie|79.140.140.64|:80... connected.
    Created socket 3.
    Releasing 0x00dc08b8 (new refcount 1).
    
    ---request begin---
    GET /wp-admin/ HTTP/1.0
    User-Agent: Wget/1.11.4
    Accept: */*
    Host: www.whatistandfor.ie
    Connection: Keep-Alive
    
    ---request end---
    HTTP request sent, awaiting response...
    ---response begin---
    HTTP/1.1 302 Found
    Date: Tue, 03 Nov 2009 10:07:15 GMT
    Server: Apache/1.3.37 (Unix) PHP/5.2.3 mod_psoft_traffic/0.2 mod_ssl/2.8.28 OpenSSL/0.9.8b
    X-Powered-By: PHP/5.2.3
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Last-Modified: Tue, 03 Nov 2009 10:07:15 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Pragma: no-cache
    Location: http://HaCkEdByTeaMMosTa/wp-login.php?redirect_to=http%3A%2F%2Fwww.whatistandfor.ie%2Fwp-admin%2F
    Connection: close
    Content-Type: text/html
    
    ---response end---
    302 Found
    Location: http://HaCkEdByTeaMMosTa/wp-login.php?redirect_to=http%3A%2F%2Fwww.whatistandfor.ie%2Fwp-admin%2F [following]
    Closed fd 3
    --2009-11-03 10:07:14--  http://hackedbyteammosta/wp-login.php?redirect_to=http%3A%2F%2Fwww.whatistandfor.ie%2Fwp-admin%2F
    Resolving hackedbyteammosta... failed: Unknown host.
    wget: unable to resolve host address `hackedbyteammosta'
    

    There isn't any mention of this redirection in the files or the .htaccess file in the site's root dir.
    Is it likely to be higher up the chain e.g. in a r365 controlled .htaccess file?
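The 302 above can be checked mechanically. The following script is an added example, not code from the thread: it parses a raw HTTP response head of the kind `wget -d` prints and flags any 3xx whose Location host differs from the site's own host. The sample response is the one captured in the post; the function names are my own.

```python
"""Flag an HTTP response whose Location header sends the client off-site.

Added example: the sample below is the 302 response head captured with
`wget -d` in the post above, embedded here so the check runs offline.
"""
from urllib.parse import urlsplit

# Sample input copied from the wget debug output above (the site's real host
# is www.whatistandfor.ie; the Location host is the attacker's bare label).
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Date: Tue, 03 Nov 2009 10:07:15 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.3
X-Powered-By: PHP/5.2.3
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Location: http://HaCkEdByTeaMMosTa/wp-login.php?redirect_to=http%3A%2F%2Fwww.whatistandfor.ie%2Fwp-admin%2F
Connection: close
Content-Type: text/html
"""


def parse_response_head(raw):
    """Split a raw HTTP response head into (status_code, {lowercase header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split(" ", 2)[1])      # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        if not line.strip():                     # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(raw, expected_host):
    """Return a verdict dict: is this a 3xx whose Location host is not ours?"""
    status, headers = parse_response_head(raw)
    verdict = {"status": status, "location": headers.get("location"),
               "redirect_host": None, "offsite": False}
    if not (300 <= status < 400) or verdict["location"] is None:
        return verdict                           # not a redirect: nothing to flag
    # urlsplit().hostname is already lower-cased, so the mixed-case label compares cleanly
    host = (urlsplit(verdict["location"]).hostname or "").lower()
    verdict["redirect_host"] = host
    verdict["offsite"] = host != expected_host.lower()
    return verdict


if __name__ == "__main__":
    print(check_redirect(SAMPLE_RESPONSE, "www.whatistandfor.ie"))
```

One detail worth reading off the verdict: the `redirect_to` query parameter still names the real site while the Location host is foreign. WordPress builds the login URL from the `siteurl` option (`wp_login_url()` calls `site_url()`), so that shape points at the database rather than at an .htaccess rewrite, and is a good reason to dump `wp_options` before grepping further through the file tree.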


Comments

  • Closed Accounts Posts: 12,382 ✭✭✭✭AARRRGH


    Surely if you grep 'HaCkEdByTeaMMosTa' or their URL you'll find where the redirect has been injected?


  • Registered Users Posts: 6,509 ✭✭✭daymobrew


    AARRRGH wrote: »
    Surely if you grep 'HaCkEdByTeaMMosTa' or their URL you'll find where the redirect has been injected?
    The string is not in any of the files under the document root. I searched for 'hack', 'mosta' and 'eval' and didn't see anything that concerned me.
    There aren't any redirects set up in the control panel.

    R365's support are claiming it was SQL injection (the Wordpress installation is 2.7.1 - the latest on that branch) and suggest upgrading to 2.8.5. This is something I plan to do.

    Since I found other hacked sites on the same R365 server (according to the ask.com search), I think that the hack was to the R365 server rather than to individual sites.


  • Registered Users Posts: 1,922 ✭✭✭fergalr


    So, the problem is that the site was initially supposed to display the Green information, but this other group has subverted it somehow, and changed something deep inside (you aren't sure what exactly they changed) to make it display their message instead?
    So, you are trying to find out what exactly they changed, and if possible, change it back? But you no longer seem to have control over it? Or aren't sure exactly what changed, and can't see any way to get it to revert fully to the way it was when it was originally installed? And you're also not sure if it's the system that it's in that's responsible for what happened, or if the problem is specific to the individual site itself?


  • Registered Users Posts: 6,509 ✭✭✭daymobrew


    fergalr wrote: »
    So, the problem is that the site was initially supposed to display the Green information, but this other group has subverted it somehow, and changed something deep inside (you aren't sure what exactly they changed) to make it display their message instead?
    So, you are trying to find out what exactly they changed, and if possible, change it back? But you no longer seem to have control over it? Or aren't sure exactly what changed, and can't see any way to get it to revert fully to the way it was when it was originally installed? And you're also not sure if it's the system that it's in that's responsible for what happened, or if the problem is specific to the individual site itself?
    The maintainer of the site keeps changing and it has recently fallen into my friend's lap. There is little transfer of knowledge with such a change.

    Yes, I want to find out what they changed and to fix it. I am not sure what changed.
    A bizarre thing with the site is that the db was set up by another R365 account! This means that I don't have phpMyAdmin access (though I have just downloaded a script to do a dump and I can now see the changes). I am going to write a small php script to essentially manually undo the changes.

    I honestly think that more than one site was compromised.


  • Registered Users Posts: 6,509 ✭✭✭daymobrew


    I have fixed this - I got an SQL dump of the db and found the 5 rows that were changed (blog url, description, admin email and admin password).
    I wrote the php script to correct the values and now I can log in.

    The redirection of the login page (to the hackers' site) was caused by the above rows.

    I will be trying to update to 2.8.5 next.
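The fix described in this post (find the altered rows in the dump, then write them back) is worth having as a repeatable check rather than a one-off. The script below is an added example and not daymobrew's PHP script: it parses the `wp_options` INSERT statements out of a mysqldump file, compares the rows a site owner knows (`siteurl`, `home`, `blogname`) against expected values, checks the `admin_email` domain, and drafts the corrective UPDATE statements for review. It assumes the WordPress 2.x `wp_options` column order (`option_id, blog_id, option_name, option_value, autoload`); the dump fragment, the expected values and the function names are constructed for the example. The admin password row lives in `wp_users` rather than `wp_options` and is not covered here.

```python
"""Audit the wp_options rows of a mysqldump for tampering and draft the fix.

Added example, not the script from the post. Assumes the WordPress 2.x
wp_options layout (option_id, blog_id, option_name, option_value, autoload);
the dump fragment and the expected values are constructed placeholders.
"""
import re
from urllib.parse import urlsplit

# Constructed dump fragment (not the real site's data): siteurl, home and
# admin_email have been altered; widget_text carries a serialised PHP value
# with an escaped quote, which the tuple parser must survive.
SAMPLE_DUMP = r"""-- MySQL dump (constructed)
INSERT INTO `wp_options` VALUES (1,0,'siteurl','http://HaCkEdByTeaMMosTa','yes'),(2,0,'blogname','What I Stand For','yes'),(3,0,'blogdescription','HaCkEd By TeaM MosTa','yes'),(4,0,'admin_email','attacker@example.invalid','yes'),(5,0,'home','http://HaCkEdByTeaMMosTa','yes'),(6,0,'widget_text','a:1:{i:0;s:9:"it\'s fine";}','yes');
"""

_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0"}


def parse_sql_tuples(sql):
    """Parse the `(...),(...)` list after VALUES into Python lists, stopping at the ';'."""
    rows, cur, i = [], None, 0
    while i < len(sql):
        c = sql[i]
        if c == ";":                          # end of this INSERT statement
            break
        if c == "(":
            cur, i = [], i + 1
        elif c == ")":
            rows.append(cur)
            cur, i = None, i + 1
        elif c in ", \t\r\n":
            i += 1
        elif c == "'":                        # quoted string with \x and '' escapes
            i, buf = i + 1, []
            while i < len(sql):
                ch = sql[i]
                if ch == "\\" and i + 1 < len(sql):
                    buf.append(_ESCAPES.get(sql[i + 1], sql[i + 1]))
                    i += 2
                elif ch == "'" and sql[i + 1:i + 2] == "'":
                    buf.append("'")
                    i += 2
                elif ch == "'":
                    i += 1
                    break
                else:
                    buf.append(ch)
                    i += 1
            cur.append("".join(buf))
        else:                                 # NULL or a number
            m = re.match(r"NULL|-?\d+(?:\.\d+)?", sql[i:])
            if not m:
                raise ValueError("unexpected token at offset %d" % i)
            tok = m.group(0)
            cur.append(None if tok == "NULL" else (float(tok) if "." in tok else int(tok)))
            i += len(tok)
    return rows


def wp_options_from_dump(dump_text):
    """Return {option_name: option_value} from every wp_options INSERT in the dump."""
    options = {}
    for m in re.finditer(r"INSERT INTO `wp_options`.*?VALUES\s*", dump_text, re.S):
        for row in parse_sql_tuples(dump_text[m.end():]):
            options[row[2]] = row[3]          # option_name, option_value
    return options


def audit_options(options, expected, allowed_email_domains):
    """List (option_name, current, expected_or_None) for rows that disagree with the owner.

    URL options are compared by host only (scheme or trailing-slash differences
    are not tampering); other expected options must match exactly; admin_email
    is checked by domain because the exact address may not be known."""
    findings = []
    for name, want in expected.items():
        have = options.get(name)
        if name in ("siteurl", "home"):
            same = have is not None and (urlsplit(have).hostname or "").lower() \
                == (urlsplit(want).hostname or "").lower()
        else:
            same = have == want
        if not same:
            findings.append((name, have, want))
    email = options.get("admin_email", "")
    if email.rpartition("@")[2].lower() not in allowed_email_domains:
        findings.append(("admin_email", email, None))   # no known-good value to restore
    return findings


def _sql_quote(s):
    return s.replace("\\", "\\\\").replace("'", "\\'")


def corrective_sql(findings):
    """Draft UPDATE statements for findings that carry a known-good value, for review."""
    return ["UPDATE `wp_options` SET option_value='%s' WHERE option_name='%s';"
            % (_sql_quote(want), _sql_quote(name))
            for name, _have, want in findings if want is not None]


if __name__ == "__main__":
    opts = wp_options_from_dump(SAMPLE_DUMP)
    found = audit_options(opts, {"siteurl": "http://www.whatistandfor.ie",
                                 "home": "http://www.whatistandfor.ie",
                                 "blogname": "What I Stand For"}, {"whatistandfor.ie"})
    for item in found:
        print(item)
    for stmt in corrective_sql(found):
        print(stmt)
```

Adding `blogdescription` to the expected dictionary catches the altered tagline the post mentions as well; `admin_email` is only reported, never rewritten, because the script has no way to know the right address. The drafted statements are meant to be read before they are run against the live database.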


  • Registered Users Posts: 3,886 ✭✭✭cgarvey


    A very common problem with older WP installs, so do update, as a matter of urgency!


  • Registered Users Posts: 6,509 ✭✭✭daymobrew


    cgarvey wrote: »
    A very common problem with older WP installs, so do update, as a matter of urgency!
    I thought that, as 2.7.1 is the latest on the 2.7 branch, that it was relatively secure. I know that some of the 2.8 updates have been for security issues.

    The site has a number of out-of-date plugins. I think I'm trying to decide whether to update them before updating WP.


  • Closed Accounts Posts: 4 Jadearama


    thanks for the info daymobrew

    A client account got hacked on Thursday evening just after 7.30pm, by the same crew, but in a much more random smash-and-burn style (also on 365 hosting). Not going to mention any urls for obvious privacy reasons.

    ftp - hacked, don't know much about the fix as it was sorted by someone else

    1st wordpress - deleted most of the php throughout the hierarchy including all contents of wp-admin folder and wp-content folder leaving just a bit of wp-theme.

    2nd wordpress - only deleted initial index.php that calls wp-blog-header.php so an easy fix as it's a generic file.

    3rd wordpress - deleted about 15 or so random files (that I can see are missing). Have tried to repopulate in hope of getting basics up, but no good. I'm about to reinstall wp on temporary server and link back to original db, fingers crossed that works??????

    Custom Designed App - again lots of random files deleted, not my work so don't know to what extent.

    So that's been my day!!!

    Jade

