views:

81

answers:

3

Now I didn't do the website design, but a couple of months ago I ported an existing website over to WordPress for a client of mine.

I got a call from a client today regarding their website, and some sort of a security problem.

The website's homepage loads up fine, but if you try to navigate to any other page it brings you to http://secure.wheelerairservice.com/main.php.

The nav appears to still be linking to the appropriate page (when you roll over "contact us", the link displays in the status bar as /contact-us), but it redirects to the above URL.

Just wondering if anyone knows what the problem is, and who or what might have done this and how.

Any suggestions on how I could fix this?

Thanks!

OK, I've been looking into the problem some more and found that the .htaccess file had been replaced somehow. I'm just wondering how someone might have done this: via FTP access, a WordPress admin account, or some hole in WordPress? Any thoughts?

A: 

If FTP has been used to access/modify the files in this WordPress site, then it is more than possible that someone has got the username and password for FTP access and modified your .htaccess file. FTP is not secure at all. I would suggest using SFTP as a minimum.

WordPress is not perfect (not many things are), but I highly doubt there would be a flaw like this; it is possible, but I very much doubt it.

I suggest you first change your FTP username/password, upgrade WordPress to the latest version, change the default admin username to something else, and change the password for the administrator user, ensuring that all passwords are at least 8-10 characters in length.

Harry
A: 

Change your passwords. See Hardening WordPress « WordPress Codex, FAQ: My site was hacked « WordPress Codex, and How to completely clean your hacked wordpress installation.

songdogtech
My work computer did have a virus about 2 weeks ago and wouldn't even start up... I ended up doing a restore. Do you think it's likely the virus got hold of the password?
Adam
Could have been a keylogger. That's one vector I've seen and could happen with any type of website, really.
songdogtech
Thanks for the help.
Adam
+1  A: 

Typically when it's the .htaccess files that have been infected, it's usually the result of stolen (compromised) FTP credentials.

This usually happens via a virus on a PC that has FTP access to the infected website. The virus works in a variety of ways, but usually one of two.

First, the virus knows where the free FTP programs store their saved login credentials. For instance, with FileZilla on a Windows XP PC, look in:

C:\Documents and Settings\(current user)\Application Data\FileZilla\sitemanager.xml

In there you'll find, in plain text, all the websites, usernames and passwords that user has used FileZilla to access via FTP.

The virus finds these files, reads the information and sends it to a server, which then uses the credentials to log in to the website(s) as a valid user, downloads specific files (in this case the .htaccess files), infects them and uploads them back to the website. Oftentimes we've seen the server also copy backdoors (shell scripts) to the website. This gives the hacker remote access to the website even after the FTP passwords have been changed.

Second, the virus works by sniffing the outgoing FTP traffic. Since FTP transmits all data, including the username and password, in plain text, it's easy for the virus to see and steal the login information that way as well.

  1. Change all FTP passwords immediately
  2. Remove the infection from the .htaccess files
  3. Perform a full virus scan on all PCs used to FTP files to the infected website
  4. If the website has been listed as suspicious by Google, request a review from Google's Webmaster Tools.

If the hosting provider supports it, switch to SFTP, which encrypts the traffic, making it more difficult to sniff.

Also, look at all files for anything that doesn't belong there. It's difficult to find backdoors, because there are so many different ones. You can't go by the datetime stamp either, because these backdoors modify the datetime stamp of files. We've seen infected files with the exact same datetime as other files in the same folder. Sometimes the hackers will set the datetime stamp to some random earlier date.

You can search files for the following strings:

  • base64_decode
  • exec
  • fopen
  • fsock
  • passthru (for .php files)
  • socket

These are somewhat common strings in backdoors.

WeWatchYourWebsite
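A small triage script for the two checks this answer describes (the string search across .php files, and finding the rewrite that sends every non-homepage request off-site). It is an added example, not code from the original thread; the sample site tree, the img.php contents and the attacker.example host are constructed here for illustration, and every hit is a lead to review by hand, not a verdict.

```python
import re
import tempfile
from pathlib import Path

# Strings the answer above names as common in PHP backdoors (substring match,
# so "exec" also catches shell_exec and "socket" catches fsockopen).
SUSPICIOUS = ["base64_decode", "exec", "fopen", "fsock", "passthru", "socket"]

# Rewrite/redirect directives whose target is an absolute URL, i.e. they send
# visitors off-site. A normal WordPress .htaccess only rewrites to /index.php.
EXTERNAL_REDIRECT = re.compile(r"^\s*(RewriteRule|Redirect(Match)?)\b.*\bhttps?://", re.I)


def scan_php_tree(root):
    """Map each .php file (relative to root) to the suspicious strings it contains."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        text = path.read_text(errors="ignore")
        found = sorted(s for s in SUSPICIOUS if s in text)
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def htaccess_external_redirects(root):
    """Return (file, line) pairs for .htaccess directives that redirect off-site."""
    bad = []
    for path in Path(root).rglob(".htaccess"):
        for line in path.read_text(errors="ignore").splitlines():
            if EXTERNAL_REDIRECT.match(line):
                bad.append((path.relative_to(root).as_posix(), line.strip()))
    return bad


def build_sample_site():
    """Constructed sample tree, not a real site: a clean index.php, a PHP file
    carrying two of the listed strings, and an .htaccess with one legitimate
    WordPress-style rewrite plus one off-site redirect (placeholder host)."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "wp-content" / "uploads" / "img.php").write_text(
        "<?php $s = base64_decode('Zm9v'); passthru($s); ?>\n")
    (root / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteRule . /index.php [L]\n"
        "RewriteRule .* http://attacker.example/main.php [R,L]\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for f, strings in scan_php_tree(site).items():
        print(f"review {f}: {', '.join(strings)}")
    for f, line in htaccess_external_redirects(site):
        print(f"off-site redirect in {f}: {line}")
```

Point both functions at the real document root instead of `build_sample_site()`; the legitimate `RewriteRule . /index.php [L]` line is not flagged, only the rule whose target is an absolute URL.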