Jun 13 2010

Many of you over the past few months have experienced the onslaught of WordPress attacks which has plagued site owners – and loyal fans, alike.  I maintain multiple WordPress blogs in addition to our beloved She-geeks.com site, as well as my clients’ WordPress blogs.  While refraining from too much detail, I had the unfortunate duty of ridding two such WordPress websites of these WordPress attacks.  While both of the blogs I’m referring to maintained updated software (plugins and core files), they still fell victim to these attacks.  The attacks I am referring to primarily affected PHP pages, which would mean that A LOT of sites out there on the internet had the potential for infection.  The code would essentially insert itself into each PHP page on your site and/or WordPress blog and add strings of code which contained “eval(base64_decode“ in some way, shape or form.  This script is generally found at the very top of the page’s code – I assume so it hits first.

I spent hours upon hours working to isolate the issues and hand-remove the malicious code only to have it reappear a week later.  I ultimately had to bring on the “big dogs” in WordPress blog security, Sucuri.net.  David and the rest of the Sucuri Crew were able to solve all site issues within 30 minutes.  It was a beautiful thing.  You see, although I managed to remove most of the “malicious eval code” during these attacks myself, there appeared to be a snippet of code eluding my capture.  This code, also referred to as a backdoor by many, was hiding in the shadows of unending lines of code.  It’s really too much code to parse through with the naked eye… never mind the fact that manual removal like that is likely not the most efficient method when time (and money) is of the essence.  What can I say, I was stubborn.   Needless to say, the Sucuri Crew was very efficient and truly a life saver on that day.

Below I’ve outlined some of what I found online pertaining to the malicious attacks as well as some portions from my personal experience with the nefarious code.

Some of the malicious strings of code which were present:

“http://holasionweb dot com/oo dot php”

holasion web

There are a few mentions of solutions you can try but, in the end, the only solution which seemed to work in my case was enlisting Sucuri’s help.  However, I’ll list a few better known solutions for this type of WordPress attack:

  1. completely deleting your WordPress install and reinstalling on your hosting account (note: not fun)
  2. logging into your hosting provider and accessing a CLEAN archived version of your website. (note: you’d need to know an archived date on which your blog was completely clean and free of the bad code)
  3. Sucuri offers a free “cleaning” script which you can run yourself and seems to have helped quite a few people resolve their issues
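As an added example (not part of the original post, and not Sucuri’s script), here is a small Python scanner that walks a WordPress install, finds the “eval(base64_decode” pattern described above in PHP files, notes whether it sits at the top of the file, and decodes the payload for review without ever executing it. The sample PHP file and its payload are constructed for the demo.

```python
import base64
import re
from pathlib import Path

# Matches the injected pattern the post describes: eval(base64_decode("...")),
# tolerating whitespace and either quote style. The base64 payload is captured
# so it can be decoded for review (decoded only, never executed).
INJECT_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)

def scan_php_source(source: str):
    """Return findings for one PHP file as (line_number, at_top, preview).

    at_top is True when the injection sits within the first 3 lines, which is
    where the post says the script is usually placed.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in INJECT_RE.finditer(line):
            try:
                decoded = base64.b64decode(match.group(1), validate=True)
                preview = decoded[:80].decode("utf-8", errors="replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                preview = "<undecodable payload>"
            findings.append((lineno, lineno <= 3, preview))
    return findings

def scan_tree(root: str):
    """Walk a WordPress install and report every PHP file with findings."""
    report = {}
    for path in Path(root).rglob("*.php"):
        findings = scan_php_source(path.read_text(errors="replace"))
        if findings:
            report[str(path)] = findings
    return report

# Constructed sample: a harmless payload stands in for the injected code.
SAMPLE_PAYLOAD = base64.b64encode(b'echo "marker";').decode()
SAMPLE_PHP = (
    f'<?php eval(base64_decode("{SAMPLE_PAYLOAD}")); ?>\n'
    "<?php\n"
    "// legitimate theme code follows\n"
    "get_header();\n"
)

if __name__ == "__main__":
    for lineno, at_top, preview in scan_php_source(SAMPLE_PHP):
        where = "top of file" if at_top else "body"
        print(f"line {lineno} ({where}): decodes to {preview!r}")
```

Run `scan_tree("/path/to/wordpress")` against a copy of the site to get a per-file list of hits; review the decoded previews before deleting anything, and restore from a clean backup rather than trusting a hand-edit if a backdoor keeps reappearing.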

Additional documented information which may prove useful for others is shown below.  You may see some similarities.  If you’ve collected any additional information or have a similar story to share, we’re all ears.

[Figures: Xorg malware info; Holasion web info; realsafe malware info; suitecase52 malware info]

More information on Sucuri Security:

“Sucuri Security is the leading provider of web-based integrity monitoring and malware detection solutions – delivered as a service. Sucuri solutions are deployed remotely in a matter of minutes anywhere in the world, allowing our customers to immediately detect web-based malware and monitor their internet presence. Sucuri’s web monitoring solution is used today by more than 8,000 sites worldwide. Sucuri was founded in 2008.

In simple terms, we clean up the mess. If your site got hacked, blacklisted or infected with malware, we fix it for you. If your site is clean, we monitor it to let you know if a problem ever happens. We work fast, we are affordable and we get things done.”

Click here to check them out: sucuri security

Posted by admin
Jul 24 2009
07.24.09 by jewels

As you all know, on July 21st we released a new Facebook code found by member AG on our donor’s board, with plans to release it to our private code board 24 hours later. The morning of July 22nd, before I posted it into our private code board, someone here had already leaked AG’s code to another site. Which then leaked it to an additional site. Lord only knows how many it’s on by now….

For those of you who are not taking the time to analyze the situation, allow me to explain it to you. No one has access to codes at she-geeks unless you are a registered member. Why is this? Because we like to KEEP CODES ALIVE! Requiring registration in order to view the code boards keeps search engines and web spiders from being able to access our codes. If our codes were exposed to Google, what would be the point in having them? Once they’re general knowledge on the net, they are quickly fixed.

Now the person who leaked the code, leaked it to a site that is PUBLIC! This site posted AG’s code in both a PUBLIC BLOG POST, and a PUBLIC FORUM POST. The next lulu that took it from there posted it in a PUBLIC BLOG POST, and a PUBLIC FORUM POST. What you need to understand is that sites that give a damn about their members, and their members’ hard work, do not act irresponsibly to destroy that work. Posting codes in places that are publicly available to search engines is exactly how codes get DESTROYED. Any site that posts codes out in the open could care less about the codes; they are simply looking to raise their SERPS and receive “internet recognition”.

I hope you have taken the time to read through this, as it is not just a rant. I hope you have a more thorough understanding now as to why we are so adamant that our members keep our private codes PRIVATE. When you share them around the internet, especially to sites like the ones that posted them on the 22nd, you are effectively working to patch the codes. And that is just NOT FAIR to the people that work so hard to find them, nor to the people who so desperately need to use them.

Posted by admin
Jul 21 2009
07.21.09 by jewels
One of our members has submitted a working code to see pics and comments. It’s available in the donor’s forum now and will be released to the code board tomorrow. It’s a nice workaround now that the photostalker app isn’t working. Get it while it’s hot :)
Edit: 7-22-09 This code has now been released on our private codes board to all she-geeks members.
Posted by admin

© 2010-2017 She-Geeks.com All Rights Reserved