About current front-page troubles on Irrlicht
About current front-page troubles on Irrlicht
Hi,
I guess some of you noticed by now that http://irrlicht.sourceforge.net/ is currently looking very strange most days. Like new themes or a tiny/puny static website replacement.
Reason is that we got hacked. Are still hacked actually. And every time we enable wordpress (invisible) spam-links are re-introduced to our homepage within 1-2 days. This has been going on since around September, but I only noticed it very recently (I had been lazy and only checked for the same hack we got last time with 0px fonts to hide their links, so I didn't notice they used a new trick for invisible links this time).
Still working on this. Unfortunately takes some time as I'm not very familiar with Wordpress, PHP, SQL-Databases or web-security in general. So all experiments to get rid of hacker for last 2 weeks constantly failed.
Will give more info once I figure out some clue what's going on...
I guess some of you noticed by now that http://irrlicht.sourceforge.net/ is currently looking very strange most days. Like new themes or a tiny/puny static website replacement.
Reason is that we got hacked. Are still hacked actually. And every time we enable wordpress (invisible) spam-links are re-introduced to our homepage within 1-2 days. This has been going on since around September, but I only noticed it very recently (I had been lazy and only checked for the same hack we got last time with 0px fonts to hide their links, so I didn't notice they used a new trick for invisible links this time).
Still working on this. Unfortunately takes some time as I'm not very familiar with Wordpress, PHP, SQL-Databases or web-security in general. So all experiments to get rid of hacker for last 2 weeks constantly failed.
Will give more info once I figure out some clue what's going on...
IRC: #irrlicht on irc.libera.chat
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
Re: About current front-page troubles on Irrlicht
I had the same problem a while back, and it turned out it was the theme that had an obfuscated line of code that did the injection. Not all themes are created (or distributed) with good intentions.
At the time, I remember looking at Stack Exchange's WordPress community site, and I found a very helpful question. I can't remember if it was exactly this one, but it seems to have very good advices. Be sure to read both answers.
Good luck with that!
At the time, I remember looking at Stack Exchange's WordPress community site, and I found a very helpful question. I can't remember if it was exactly this one, but it seems to have very good advices. Be sure to read both answers.
Good luck with that!
Re: About current front-page troubles on Irrlicht
Thanks. I've seen that post on StackExchange actually :-) Unfortunately replacing theme (and re-installing wordpress) didn't solve it. My current suspicion is that the hack might already be stored inside the database and re-loaded from there.
IRC: #irrlicht on irc.libera.chat
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
Re: About current front-page troubles on Irrlicht
In the dark like you, but did you try one of the tools from the second answer?
Re: About current front-page troubles on Irrlicht
Not yet. Only tried the manual hunting.
IRC: #irrlicht on irc.libera.chat
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
Re: About current front-page troubles on Irrlicht
Pfff.. hacks are a pain in the ass... Check every PHP file you can have access to, they might have an injector segment somewhere, in the begining, in the end... Check the image files, those might go inadvertent because you expect them to be an image and binary, but one of my sites once got hacked with a gif image that had some code in the end, it only had to call that image, as a file stored in the server and the whole effect reappeared. The database is unlikely though, as most files are stored as separate files outside the DB, but who knows... Check the boards as well, as many sites use PHPBB forums and Wordpress portals.
It is too bad that you can't update wordpress often, their devs address these vulnerabilities constantly, something you can't say from the PHPBB guys, but it is what we have... (if these boards could become SimpleMachinesForums boards, maybe things would improve, they keep constantly updated their forums engines as well) Good luck! :/
It is too bad that you can't update wordpress often, their devs address these vulnerabilities constantly, something you can't say from the PHPBB guys, but it is what we have... (if these boards could become SimpleMachinesForums boards, maybe things would improve, they keep constantly updated their forums engines as well) Good luck! :/
"There is nothing truly useless, it always serves as a bad example". Arthur A. Schmitt
Re: About current front-page troubles on Irrlicht
Yeah, forum is another potential candidate. Thought it should be separated somewhat from wordpress and there don't seem to be spam-links in the forum yet (unless I missed them). Update of forum also harder, but new phpBB just got releases last week - so might be a good time to update that as well anyway.
There shouldn't be any php file left which wasn't replaced already (new Wordpress install and new theme, but maybe I'm missing stuff as I don't really know exactly how wordpress works yet). Also did all the usual stuff like replacing all passwords. Got the idea with the database from someone who's a little more familiar with that stuff than me. Got also a few more hints, so guess I can still try a few things on the weekend. If all fails - I learned by now it's possible to create static pages from wordpress which would be sufficient for us (would lose "search" feature of old website, not much else probably). Thought that would basically mean ignoring the hack and not fixing the real problem - so not my favorite solution.
There shouldn't be any php file left which wasn't replaced already (new Wordpress install and new theme, but maybe I'm missing stuff as I don't really know exactly how wordpress works yet). Also did all the usual stuff like replacing all passwords. Got the idea with the database from someone who's a little more familiar with that stuff than me. Got also a few more hints, so guess I can still try a few things on the weekend. If all fails - I learned by now it's possible to create static pages from wordpress which would be sufficient for us (would lose "search" feature of old website, not much else probably). Thought that would basically mean ignoring the hack and not fixing the real problem - so not my favorite solution.
IRC: #irrlicht on irc.libera.chat
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
Re: About current front-page troubles on Irrlicht
Try a query to search for something that look like links/ HTML/ PHP/JS code in all the tables. Probably better dumping the DB as SQL dump and then use a text editor with advanced search functionality. Usually the hack begins where there is something that isn't escaped properly or if there's a SQL injection... It could be possible thatGot the idea with the database from someone who's a little more familiar with that stuff than me
actually the hack is inside the forum and loaded only to word press from there (I don't know if you are actually using 2 different WWW folders or not, if not, phpBB should be checked too.
Junior Irrlicht Developer.
Real value in social networks is not about "increasing" number of followers, but about getting in touch with Amazing people.
- by Me
Real value in social networks is not about "increasing" number of followers, but about getting in touch with Amazing people.
- by Me
Re: About current front-page troubles on Irrlicht
@REDDemon: Yeah, I dumped DB as XML to make searching easier. But... turned out the DB is pretty huge. I tried a few simply searches (mainly with grep), but found nothing obvious. And if the hack is slightly encoded it is pretty impossible to find by hand that way.
But did change some other stuff, like new wordpress just came out last week, so I installed that. So far spam-links not yet back. Not sure if spammer just becomes lazy or if I maybe blocked his access.
But did change some other stuff, like new wordpress just came out last week, so I installed that. So far spam-links not yet back. Not sure if spammer just becomes lazy or if I maybe blocked his access.
IRC: #irrlicht on irc.libera.chat
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
Re: About current front-page troubles on Irrlicht
There is no HTTPS /SSL on the forum, if you use the same user and password for the page administration..... passwords go over without strong encryption....
Also Cloudflare had a massive heartbleed-like bug, I dont know if sourceforge sits behind cloudflare but anything over the past few years could have gotten leaked
Also Cloudflare had a massive heartbleed-like bug, I dont know if sourceforge sits behind cloudflare but anything over the past few years could have gotten leaked
Re: About current front-page troubles on Irrlicht
I never use same password for different services. But since we updated to newer wordpress hacks seem to have stopped.
IRC: #irrlicht on irc.libera.chat
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
-
- Posts: 1010
- Joined: Mon Oct 24, 2011 10:03 pm
- Location: 0x45 61 72 74 68 2c 20 69 6e 20 74 68 65 20 73 6f 6c 20 73 79 73 74 65 6d
Re: About current front-page troubles on Irrlicht
how outdated was the old version? I have a cron job to auto-update wordpress with new patches and my website hasn't been hacked (but then again my website is extremely low traffic and for all intents and purposes dead)
"this is not the bottleneck you are looking for"
Re: About current front-page troubles on Irrlicht
At one point we were actually up-to-date with Wordpress versions and still hacked. But a few weeks ago a new Wordpress version came out and after updating to that one it stopped. Thought I changed also a bunch of other stuff additionally.
IRC: #irrlicht on irc.libera.chat
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
-
- Posts: 1010
- Joined: Mon Oct 24, 2011 10:03 pm
- Location: 0x45 61 72 74 68 2c 20 69 6e 20 74 68 65 20 73 6f 6c 20 73 79 73 74 65 6d
Re: About current front-page troubles on Irrlicht
hmm, if you were up to date it probably wasn't a security hole with the install itself - maybe some addon or theme or whatnot.
Oh well, since you're no longer hacked that's a good start.
Oh well, since you're no longer hacked that's a good start.
"this is not the bottleneck you are looking for"