Warning - Blog Hackers Active

Forum Rules

Helios_Multi TPoxygen11final

[squadron]

I've had 2 blogs today defaced. The title becomes hacked by p@3t_b@y and they put some redirect script into the main page.

Any ideas how to stop this?  The redirect takes you to:

Code:

http://www.poet-boy.webs.com/index.htm

I am running WordPress 2.7.1

Modified by Gem so that link is not clickable - if they are hacking blogs we don't want them to get extra hits because of it

[goatlady]

What plugins do you have that are common to these two blogs?

[goatlady]

Also, what kind of hosting do you have? What permissions do you have set on your wp-content directories? Do you allow user signups on the site?

[squadron]

It's cpanel hosting on some server overseas. The permissions were set to 777 which I have changed to 755.

I can remember setting them to 777 when I was trying to get some confounded plug-in to work (lesson learned).

I have also set IP deny to the  address: 77.88.30.* from which the hacking came from. Somewhere in the Russian Federation.

Thanks for pointing me to the right spot.

I did a Google search on some unusual text they defaced my page with. I don't feel too bad now, there are 56,000 other sites that have been hacked by these guys !  I now suspect a mysql exploit rather than a Wordpress exploit.

[goatlady]

It's cpanel hosting on some server overseas. The permissions were set to 777 which I have changed to 755.

I can remember setting them to 777 when I was trying to get some confounded plug-in to work (lesson learned).

Ah, that's a bugger, that one. We host now with Hostgator and they have this awesome security modification which lets WordPress write files itself even when they're set to 755 (it lets PHP temporarily change the permissions to 777 and then sets it back again automatically) - makes life so much easier and more secure. But I've been caught out by the 777 thing more times than I care to remember

[squadron]

I've found the source of the hacking. A group of Turkish hackers having a competition. Below is the e-mail I sent off to the Turkish Telco. I don't know if will do any good, but it's worth a shot. I stuck the url listed below in Google translator (Turkish to English), to work out what was going on.

=================

Subject: Hacking from address 88.248.49.157

A user on IP address 88.248.49.157 has been defacing web sites around the world.

You can see evidence of these activities at   http:// mirror.darkedition.com /

I had several web sites defaced over the last few days. The IP address was 88.248.49.157.

One of the attacks happened at 13th June 2009 00:51:22 GMT

I hope you can do something about these people.