Comments on: WordPress Site Hacked With URL Encoded Javascript document.write http://i.nconspicuo.us/2010/02/04/wordpress-site-hacked-with-url-encoded-javascript-document-write/ Uncovering the hidden treasures of the internet, tech toys... and life. Fri, 10 Sep 2010 07:41:21 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: edelbug http://i.nconspicuo.us/2010/02/04/wordpress-site-hacked-with-url-encoded-javascript-document-write/comment-page-1/#comment-233770 edelbug Wed, 17 Feb 2010 04:54:52 +0000 http://i.nconspicuo.us/?p=435#comment-233770 Yeah guys I am hosted with godaddy and I had the same issue. My guess is that its either a wordpress hole or your passwords like mine were not as strong as they should have been. I had a whole slew of "users" that were clearly fakes and one of them was magically an administrator. I deleted all those accounts including the administrator one. Then I edited the header.php file and removed that encoded javascript junk. I am going to monitor it closely for a few days. spicuo.us what kind of site are you running getting $30+ a day in ad revenue. Man I would love to see that kind of income. I am lucky to see around $30 in a two week span! Yeah guys I am hosted with godaddy and I had the same issue. My guess is that its either a wordpress hole or your passwords like mine were not as strong as they should have been. I had a whole slew of “users” that were clearly fakes and one of them was magically an administrator. I deleted all those accounts including the administrator one. Then I edited the header.php file and removed that encoded javascript junk. I am going to monitor it closely for a few days.

spicuo.us what kind of site are you running getting $30+ a day in ad revenue. Man I would love to see that kind of income. I am lucky to see around $30 in a two week span!

]]> By: i.nconspicuo.us http://i.nconspicuo.us/2010/02/04/wordpress-site-hacked-with-url-encoded-javascript-document-write/comment-page-1/#comment-233710 i.nconspicuo.us Tue, 16 Feb 2010 17:03:53 +0000 http://i.nconspicuo.us/?p=435#comment-233710 I'm wondering how they got access too. According to Sam's comment above, it may have been from a 3rd party ad network. I'm wondering if the Kontera links that I was using were somehow compromised? Either way, I lost about $75 in revenue over the 2 days that this was happening. Not cool. I’m wondering how they got access too. According to Sam’s comment above, it may have been from a 3rd party ad network. I’m wondering if the Kontera links that I was using were somehow compromised?

Either way, I lost about $75 in revenue over the 2 days that this was happening. Not cool.

]]> By: Brian Lyssy http://i.nconspicuo.us/2010/02/04/wordpress-site-hacked-with-url-encoded-javascript-document-write/comment-page-1/#comment-233603 Brian Lyssy Mon, 15 Feb 2010 22:12:46 +0000 http://i.nconspicuo.us/?p=435#comment-233603 The same thing happened to me except it didn't take 15 seconds to redirect. It was more like right away. It seemed like each time the script would send to another .net site that was all about ads. I did capture two ip addresses. 89.207.130.72 and 208.94.233.33 seemed to show up quite consistently. I am wondering how these jerks got access to my site. There has to be some kind of security hole because I am the only one that knows my passwords. One more thing. My hosting is with hostgator and they reported that they removed the problem file. They reported that this file /2009/09/28788.php had gotten uploaded to my account. One thing they did not check was the associate database entries for wordpress. The hacker added themselves as an administrator to the site. You might not see it in the wp-admin area but you can look at the users entries in the database. I would suggest removing asap and keep checking to make sure they don't have a backdoor script running. The same thing happened to me except it didn’t take 15 seconds to redirect. It was more like right away. It seemed like each time the script would send to another .net site that was all about ads. I did capture two ip addresses. 89.207.130.72 and 208.94.233.33 seemed to show up quite consistently. I am wondering how these jerks got access to my site. There has to be some kind of security hole because I am the only one that knows my passwords.

One more thing. My hosting is with hostgator and they reported that they removed the problem file. They reported that this file /2009/09/28788.php had gotten uploaded to my account. One thing they did not check was the associate database entries for wordpress. The hacker added themselves as an administrator to the site. You might not see it in the wp-admin area but you can look at the users entries in the database. I would suggest removing asap and keep checking to make sure they don’t have a backdoor script running.

]]> By: sam http://i.nconspicuo.us/2010/02/04/wordpress-site-hacked-with-url-encoded-javascript-document-write/comment-page-1/#comment-232930 sam Wed, 10 Feb 2010 17:05:04 +0000 http://i.nconspicuo.us/?p=435#comment-232930 same here man. I think watch out of those banners servered with scripts. They may also have those too. same here man. I think watch out of those banners servered with scripts. They may also have those too.

]]>