WordPress 2.0.5.

Was I hacked again?

Earlier this evening the site messed up. I wasn’t sure why; I hadn’t changed any features or messed with any code.

I didn’t think much of it; perhaps I just needed to upgrade, so I upgraded to the newest WordPress version, 2.0.5. Since I was doing that, I also upgraded to the latest versions of all plugins and deleted unused garbage.

This required me to disable all plugins and test them one at a time to work the kinks out.

However, when I tried to reinstall my theme, I noticed something at the bottom of each page that I had not put there.

I’m not sure how, but I think someone hacked into the site. Each WordPress page had an amendment to it. I removed them, but I have no idea what that script did, perhaps a password stealer. I just don’t know. If anyone has ever seen anything like this before, please let me know so I can prevent it from happening again.

Note: side blog does not function correctly due to the upgrade, so it has been turned off until the developer adds a compatibility patch.

Comments

  1. thewatchlist  November 1, 2006

    Looks fishy to me. I think it only gets you if you’re coming from IE though.

    Check to see if you have fiload.exe in the root of your C: drive…

  2. Kris  November 1, 2006

    I did a quick search and couldn’t find anything on a fiload.exe. It is very fishy though. I’m hoping the upgrade to WordPress 2.0.5 helps.

  3. thewatchlist  November 1, 2006

    Well, out of boredom and for no other good reason, I intentionally downloaded the source of login.php mentioned in your post and the loader.dat mentioned in the source of that…

    It scans clean with Symantec’s most recent defs and whatnot.

    So…? I dunno.

  4. Alden Bates  November 1, 2006

    According to Network Solutions, the IP address that skaska.biz resolves to is assigned to HopOne Internet Corporation. They appear to onsell their services, so you could try contacting them to find out which of their clients uses the IP address in question, then complain to them about the site…

  5. Lee  November 22, 2006

    Well it’s a little off topic but did you recently change the template on here because I really like it. Maybe I just didn’t notice it before!

  6. Collin  December 21, 2006

    Hello there, my name is Collin.

    I can confirm that that URL downloads a virus to the PC of the person viewing the site — or the iFrame.

    http://skaska.biz/zara/get.php

    That is the file their iFrame links to. In Firefox, you see it say “firefox. no work.” In IE6, it downloads a backdoor program and a virus, as found by aVast! 4.7.

    I advise you to triple check all templates.
