Post by Robyn on Mar 25, 2012 7:32:12 GMT -8
The attack is related to the following threads:
support.proboards.com/index.cgi?action=display&board=pbgt&thread=406220&page=1#4680113
support.proboards.com/index.cgi?board=programming&action=display&thread=406123

Last time it was a zenphoto plugin that got attacked and because I was using it at the time, my whole website was flooded with bad code in my php files that redirected the whole website to a bad site. It's happened again this month, only it was a bad month because I was busy with some videos and wisdom teeth surgery to work on my website. This week I plan on getting it back up. However, I discover that I can't even view the pages without getting warnings. Looking in the php files I see that most of them got attacked the 22nd of March, last Thursday. It seems that everything that happened last time is happening again. The code is the same, the place is the same. It's only the php files and their own added files. But the thing is... I'm not using zenphoto anymore, nor do I have any zenphoto service or file on my website anymore (just lingering) so there's no way that could happen (unless I'm missing some leftover file somewhere). I use wordpress for many of my sites and apparently wordpress got attacked a month or two ago, however nothing points to my problem.

If you dare, can you access my website at robertcity.com and click on each menu item? The main website, the link above, is safe. It's the links that may not be, but I haven't tried them all out yet. Upon looking at my visitor history, it seems that I got a bunch of hits from Russia the past week (an abnormal amount, as the chart showed, it was normal and then a sudden spike). Can you help me debunk the mystery of the source of the problem so I can fix that first, instead of shoveling the sidewalks clear of snow while the blizzard is still here?
Post by Tylr on Mar 25, 2012 7:50:48 GMT -8
What are the access points? How can someone modify something on your site? This includes all remotely hosted files and scripts, including images, all forms and inputs, whether or not they modify a database, FTP access and web-based file access.
Post by Robyn on Mar 25, 2012 7:55:42 GMT -8
> What are the access points? How can someone modify something on your site? This includes all remotely hosted files and scripts, including images, all forms and inputs, whether or not they modify a database, FTP access and web-based file access.

First off, should I dare ask why it appears that I'm in your signature? To your question, I don't know how they do it, but they DID attack my website, probably by injecting a code that duplicates and redirects, and since zenphoto had a security hole they used that hole to attack all websites (by searching for zenphoto sites) and that led to the mass attack on my website. I'm guessing I still have some leftover zenphoto stuff somewhere hiding that didn't get deleted that caused it, however if that's not the case then I suspect wordpress since again, I use it a lot, and there was a mass attack a month or two ago with wordpress blogs.
Post by Tylr on Mar 25, 2012 8:01:24 GMT -8
> First off, should I dare ask why it appears that I'm in your signature?

Clever programming.

> I'm guessing I still have some leftover zenphoto stuff somewhere hiding that didn't get deleted that caused it, however if that's not the case then I suspect wordpress since again, I use it a lot, and there was a mass attack a month or two ago with wordpress blogs.

Sounds like you've got your holes. Looking at your site, it seems like you'd be able to maintain it without any plugins, just on your own. You'd potentially have fewer security holes that way. Have you considered this?
Post by Robyn on Mar 25, 2012 8:08:17 GMT -8
> > First off, should I dare ask why it appears that I'm in your signature?
>
> Clever programming.
>
> > I'm guessing I still have some leftover zenphoto stuff somewhere hiding that didn't get deleted that caused it, however if that's not the case then I suspect wordpress since again, I use it a lot, and there was a mass attack a month or two ago with wordpress blogs.
>
> Sounds like you've got your holes. Looking at your site, it seems like you'd be able to maintain it without any plugins, just on your own. You'd potentially have fewer security holes that way. Have you considered this?

You're saying I'm a clever programmer? The thing is, I don't have the time to program my own blog from scratch. The blogs work fine anyway, it's just some security hole somewhere, I just need help finding where so I can patch it up. Who knows, it could be as simple as a plugin I don't use on my blog which got attacked.
Post by Tylr on Mar 25, 2012 8:11:32 GMT -8
> The thing is, I don't have the time to program my own blog from scratch. The blogs work fine anyway, it's just some security hole somewhere, I just need help finding where so I can patch it up. Who knows, it could be as simple as a plugin I don't use on my blog which got attacked.

Well, there's not much we'll be able to do from this end. If Wordpress has a patch or version that you don't have, that's somewhere to start.
Post by Robyn on Mar 25, 2012 8:29:55 GMT -8
> > The thing is, I don't have the time to program my own blog from scratch. The blogs work fine anyway, it's just some security hole somewhere, I just need help finding where so I can patch it up. Who knows, it could be as simple as a plugin I don't use on my blog which got attacked.
>
> Well, there's not much we'll be able to do from this end. If Wordpress has a patch or version that you don't have, that's somewhere to start.

The purpose of this thread was to make others aware, and since I won't work on my website just yet, I figure if there is something I'm not seeing that someone else sees before I get working on it, I can use that advanced knowledge to my advantage.
Post by Tylr on Mar 25, 2012 8:41:50 GMT -8
Gotcha, makes sense. If I used Wordpress maybe I'd be more helpful.
Post by Robyn on Mar 25, 2012 8:42:25 GMT -8
Yeah it's no problem
Post by Robyn on Mar 28, 2012 11:21:26 GMT -8
I'm disappointed that no one seems to be able to help out.
Post by Renegade on Mar 31, 2012 1:18:54 GMT -8
You haven't given much information for anyone to be able to help. I pointed out a month or so ago that at least one of the pages on your site still had issues, probably from the last time it was hacked, but it's not like I was gonna hang around and look at the rest of your site after seeing that.

If you have plugins installed that are inactive, then uninstall them. An insecure plugin doesn't need to be activated in order for security flaws to be exploited. If you have updates that you haven't installed, whether they're WP patches or plugin updates, then install all those because they're probably security fixes. WP notifies you when there's patches that need installing, so there's no reason ever to skip them.

It's also possible that after the first attack they hid another file on your hosting somewhere that allowed them back into it again. I'm not so sure how you'd be able to detect that though.
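One way to look for the kind of leftover file and tampered PHP pages discussed in this thread, as an added example that is not part of any poster's message: a scan of a web root that flags PHP files modified in an incident window, PHP files sitting in an uploads directory, and files containing common injected-loader markers. The March 21-24, 2012 window comes from the first post's date; the marker patterns, the `uploads` path check and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Markers often left by injected PHP loaders (assumed list); a hit is a lead to review, not proof.
SUSPICIOUS = {
    "eval-of-decoded-data": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "long-encoded-blob": re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),
}

def scan(root, window_start, window_end):
    """Return {relative_path: [reasons]} for PHP files that deserve a manual look."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in (".php", ".phtml"):
            continue
        rel = path.relative_to(root).as_posix()
        mtime = datetime.fromtimestamp(path.stat().st_mtime)
        reasons = ["modified-in-window"] if window_start <= mtime <= window_end else []
        if "/uploads/" in "/" + rel:  # media directories should not hold executable PHP
            reasons.append("php-in-uploads")
        data = path.read_bytes()
        reasons += [label for label, rx in SUSPICIOUS.items() if rx.search(data)]
        if reasons:
            findings[rel] = reasons
    return findings

def build_demo_site(root):
    """Constructed sample tree: one clean page, one tampered page, one stray PHP file."""
    samples = {
        "index.php": (b"<?php echo 'home'; ?>", datetime(2012, 1, 5)),
        "about.php": (b'<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?><?php echo "about"; ?>',
                      datetime(2012, 3, 22, 14, 0)),
        "wp-content/uploads/2012/03/cache.php": (b"<?php echo 'x'; ?>", datetime(2012, 2, 1)),
    }
    for rel, (body, when) in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
        os.utime(path, (when.timestamp(), when.timestamp()))  # backdate to simulate history

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_demo_site(root)
        return scan(root, datetime(2012, 3, 21), datetime(2012, 3, 24))

if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, reasons)
```

Modification times can be reset by whoever altered the files, so the content and location checks matter even when a file's timestamp looks old.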
Post by Robyn on Mar 31, 2012 6:21:17 GMT -8
Well can you access my website again without trouble? I did a triple check and I check my files each day now to see if there's anything wrong and it appears to be clean.
Post by Violin - Soul Power on May 16, 2012 11:09:27 GMT -8
OMG .. I am worried with the existence of my forum about this issue however, that I know about web defacing by some converter html and javascript, they usually use it as a container or a primary means of taking care of the website unless they have a template or database backup clear !!!