Deface site : where are potential holes on my site
Posted by applehost, 08-19-2012, 09:41 AM |
Hi all,
I have a WordPress site that was defaced. The defacer replaced my index.php with this script:
I wonder how this happened, because all PHP files are locked to read-only permission.
|
Posted by Ricky-GWS, 08-19-2012, 12:40 PM |
You will find it's likely an exploit in WordPress itself or an exploit in a plugin or theme installed on the WordPress install.
Were you running the latest versions of WordPress AS WELL AS any plugins and themes you use?
Be sure to check the database to make sure no users have been added etc.
I would advise restoring from a backup and then ensuring everything is up to date as a starting point.
|
Posted by Prosolusindo, 08-19-2012, 06:03 PM |
Update your WordPress; earlier WordPress had the TimThumb hole.
|
Posted by Drxx, 08-19-2012, 10:22 PM |
And consider this too: maybe the hole is in the server and other accounts were hacked, and then they jumped to your account some way and replaced your index. Sorry for you, but try to ask your hoster how you were hacked; they can get it from the log.
Good Luck
|
Posted by foobic, 08-19-2012, 10:34 PM |
If you're running suPHP or equivalent (advisable on a shared server) then read-only permissions do nothing for you. Any vulnerability in the website may allow an attacker to execute his own code running as your username, so the attacker gets full privileges to change permissions. If you changed file ownership and set read-only permissions that would prevent the file being changed but it would also block the user from doing anything with it.
|
Posted by BestServerSupport, 08-20-2012, 01:20 AM |
I would advise doing the following to avoid this kind of issue in future:
1. Upgrade your WordPress version as well as plugins.
2. Scan your local system with third-party anti-virus software. It may be possible that your local system is infected with some kind of trojan or keylogger that can steal your passwords.
3. Always keep strong passwords, which should contain at least two special characters like $, # etc. They should have a combination of upper OR lower case letters, numbers etc.
|
Posted by Master Bo, 08-20-2012, 06:06 AM |
If the Web root of the site or any part thereof is writable by the Web server process *and* uploaded/modified scripts can be executed, it makes no difference whether files are marked read-only.
I try to keep all the directories, wherever possible, available to the Web server in read-only mode, and do periodic paranoid checks of every place where the Web server can write.
I would suggest contacting the hosting provider (if on a shared type of account) and notifying them of the incident; perhaps there are other sites affected.
|
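The checks described in the two posts above (read-only bits being moot when PHP runs as the file owner, and periodic review of every place the web server can write), as an added example that is not part of any post in the thread. The function names, the stock `wp-content/uploads` layout and the runtime-user argument are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not from the thread): read-only audit of a WordPress web root.
# Assumes the stock layout (wp-content/uploads); the user PHP runs as is passed in.

# Directories writable by group or other, i.e. by a web server running as a separate user.
writable_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print 2>/dev/null | sort
}

# Read-only files still owned by the PHP runtime user ($2, name or numeric uid).
# Under suPHP that owner can chmod them back, so the read-only bit protects nothing.
readonly_but_owned() {
    find "$1" -type f -user "$2" ! -perm -200 -print 2>/dev/null | sort
}

# Script files under uploads; WordPress core stores only media there.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) -print 2>/dev/null | sort
}

# PHP files modified within the last $2 days (default 7), to compare with known update dates.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}" -print 2>/dev/null | sort
}

audit_webroot() {
    echo "== group/other-writable directories";       writable_dirs "$1"
    echo "== read-only files owned by runtime user";  readonly_but_owned "$1" "$2"
    echo "== PHP files under uploads";                php_in_uploads "$1"
    echo "== PHP files changed in last ${3:-7} days"; recent_php "$1" "${3:-7}"
}

# Usage: sh audit.sh /path/to/webroot php_user [days]
if [ "$#" -ge 2 ]; then audit_webroot "$@"; fi
```

Run it from cron and diff the output against the previous run; any new entry under the uploads or recently-changed sections is worth checking against the access log.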
Posted by jimothy, 08-20-2012, 07:55 AM |
There's a fairly useful WordPress plugin called Wordfence that can scan your site and point out vulnerabilities and security flaws. You can also try visiting www.sucuri.net which can also scan for possible exploits.
|
Posted by Yujin, 08-20-2012, 09:36 AM |
I just hope that whoever is the provider will help; most providers here are quick in blaming WP or the plugin and they will never admit that they are at fault. Worse, they cannot even provide logs.
|
Posted by Yujin, 08-20-2012, 09:38 AM |
OP, try installing WP Better Security / Mute Screamer, but I suggest you do a fresh installation of WP.
|
Posted by racknap1, 08-20-2012, 11:19 AM |
Hi,
For once, after installing WP, make sure your .htaccess looks like:
Options +FollowSymLinks
Options +Indexes
RewriteEngine On
#RewriteBase /
# going to install folder
RewriteCond %{REQUEST_URI} (.*)/install/?$
RewriteRule ^(.*)$ %1/install/index.php [NE,R,L]
# going to Admin folder
RewriteCond %{REQUEST_URI} (.*)/admin/?$
RewriteRule ^(.*)$ %1/Admin/index.php [NE,R,L]
# working with client side
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^/]*)$ index.php?qstr=$1 [QSA,L]
RewriteRule ^coupons/(.*)$ index.php?qstr=coupons/$1 [QSA,L]
RewriteRule ^(.*)/$ index.php?qstr=$1 [QSA,L]
|
Posted by Drxx, 08-20-2012, 11:32 PM |
Hi,
Can you please explain how your code will help in this case?
Did you read the post? If yes, please explain your idea.
|
Posted by Drxx, 08-20-2012, 11:36 PM |
Yes, I agree, but if some do not care, there are so many others who care ... As I see, applehost's signature is a VPS & dedicated provider or reseller, so he will be able to get the log. I wish that.
|
Posted by Prosolusindo, 08-21-2012, 12:08 AM |
Applehost can easily check the logs on the server if he manages the server. There are too many possibilities for hacked sites; even an upload feature can bring problems. Luckily the whole server was not hacked or cross-site hacked.
|
Posted by pmabraham, 08-21-2012, 09:13 AM |
Good day:
For WordPress, stick with the official hardening codex at http://codex.wordpress.org/Hardening_WordPress and file permission guide at http://codex.wordpress.org/Changing_File_Permissions for starters.
http://www.wpsecuritychecklist.com/ is a great external source.
For plugins, check out Better WP Security and WordFence Security (I recommend using both).
Thank you.
|
Posted by Rickenrique, 08-22-2012, 09:25 AM |
A better way is to ask the hoster to tighten the mod_security rules so that PHP backdoors are not executable.
|