Wordpress Blackhole Exploit? - GoFuckYourself.com

Tittytweaker · 07-22-2013, 10:36 AM

Just got hit with this yesterday evening.

AVG alerted me when I visited my site. A bit of code was inserted into the header.php file of every theme I had installed. I removed that chunk of code, and checked my site again. That time, a different warning popped up about a javascript that I had installed (which had been working just fine for many months). I removed that javascipt file and that seemed to fix the problem.

File permissions don't seem to have been changed, and to be safe I changed all of my passwords.

How did this happen? I thought I had WP locked down pretty well, so how did they manage to edit files on my server? Was this done at random in some sort of mass attack, or could it have been a single person doing this maliciously?

Could someone explain to me the basics behind this attack and maybe give me some security tips I may not have thought of yet?

Thanks in advance,
~TT

PornDude · 07-23-2013, 03:51 AM

Check the server logs and you will find out what happened.

ottopottomouse · 07-23-2013, 04:56 AM

Have you installed a new theme recently?

Tittytweaker · 07-23-2013, 08:17 AM

Quote:

Originally Posted by PikaPoka

Check the server logs and you will find out what happened.

What should I be looking for in the server logs?

Quote:

Originally Posted by ottopottomouse

Have you installed a new theme recently?

Nope, nothing new.

HomerSimpson · 07-28-2013, 04:07 PM

1. ask your host to investigate the issue
2. change your ftp passwords
3. change your wp-admin passwords

07-22-2013, 10:36 AM	#1
Tittytweaker Confirmed User Industry Role: Join Date: Dec 2012 Posts: 184	Wordpress Blackhole Exploit? Just got hit with this yesterday evening. AVG alerted me when I visited my site. A bit of code was inserted into the header.php file of every theme I had installed. I removed that chunk of code, and checked my site again. That time, a different warning popped up about a javascript that I had installed (which had been working just fine for many months). I removed that javascipt file and that seemed to fix the problem. File permissions don't seem to have been changed, and to be safe I changed all of my passwords. How did this happen? I thought I had WP locked down pretty well, so how did they manage to edit files on my server? Was this done at random in some sort of mass attack, or could it have been a single person doing this maliciously? Could someone explain to me the basics behind this attack and maybe give me some security tips I may not have thought of yet? Thanks in advance, ~TT __________________ www.tittytweaker.com

07-23-2013, 03:51 AM	#2
PornDude I'm still broke. Industry Role: Join Date: Jul 2008 Location: WildWildWest Posts: 3,084	Check the server logs and you will find out what happened. __________________ PornDude.com 🔥 PornWebmasters.com 🤑 MyGaySites.com 🤭 PornDudeCasting.com 🚀

07-23-2013, 04:56 AM	#3
ottopottomouse She is ugly, bad luck. Industry Role: Join Date: Jan 2010 Posts: 13,177	Have you installed a new theme recently? __________________ ↑ see post ↑ 13101

07-28-2013, 04:07 PM	#5
HomerSimpson Too lazy to set a custom title Industry Role: Join Date: Sep 2005 Location: Springfield Posts: 13,826	1. ask your host to investigate the issue 2. change your ftp passwords 3. change your wp-admin passwords __________________ Make a bank with Chaturbate - the best selling webcam program Ads that can't be block with AdBlockers !!! /// Best paying popup program (Bitcoin payouts) !!! PHP, MySql, Smarty, CodeIgniter, Laravel, WordPress, NATS... fixing stuff, server migrations & optimizations... My ICQ: 27429884 \| Email: