

shells.dl.am hack?




Posted by wizcom, 03-22-2010, 06:02 PM
Greetings all,

Although this is my first post, I've been a lurker for a great while and greatly appreciate some of the HowTo's as they've helped me immensely. That being said, I've had an issue since last week that I've tried to solve myself, and I've finally thrown in the towel and decided to ask the experts. Plus, using that subject will get it Googled so other idiots like me can possibly solve it themselves.

We have a dedicated server with approximately 50 different accounts. On one we're getting this:

____ _ ____ _ _ _ | _ \ ___ ___ | |_ / ___|| |__ ___| | | | |_) / _ \ / _ \| __| \___ \| '_ \ / _ \ | | | _ < (_) | (_) | |_ _ ___) | | | | __/ | | |_| \_\___/ \___/ \__| (_) |____/|_| |_|\___|_|_|
This server has been infected by shells.dl.am
Rootshell v2.0.0 © 2006 by SR-Crew

Plus more info and stuff that you can see below.

URL is europetraveltips DOT info

This is a fairly simple WordPress Autoblog that worked fine. WP admin functions are OK too. I've run multiple security items (almost all of the ones on the How To secure FAQs) and they all show nothing. I've looked in folders that have been suggested and found nothing. All of the settings are changed according to the FAQs.

Again, I've done searches for this and basically only come up with 11 results, all sites (including this) that have this error. Hopefully this will improve once it's solved.

Thanks in advance.

H. J. Brubaker

Posted by activelobby4u, 03-23-2010, 12:01 AM
It's a deface attack, probably using SQL injection. There are two cases.

Case 1: If your db is hacked.
1. Restore the website from a previous backup
2. Upgrade your WordPress to the latest version

Case 2: If the db is not hacked.
1. Restore the website files alone from your backup
2. Upgrade your WordPress to the latest version

Posted by WebHostingNeeds, 03-23-2010, 01:09 AM
Check the FTP log and see if the file was uploaded with FTP. If it was, the abuser has your passwords. Make sure your PC is secure from keyloggers and malware. Or it could be some insecure WordPress plugin; you need to check the Apache log to find if there is any hack attempt through WordPress.

Posted by madaboutlinux, 03-23-2010, 03:35 AM
Looking at the message on your website, it's definitely the database that has been hacked. I would have re-created the account, installed the latest version of WordPress and would have restored the database from the backup.

Posted by wizcom, 03-23-2010, 11:12 AM
Followup - Fixed.

Just a quick followup so that Google indexes the fix.

activelobby4u, did both previously, no difference. I think the backup may have from before the hack. WP is the latest version.

flashwebhost, nothing in the FTP log that looks suspicious. Searched for multiple names but found nothing. No attack through WP in the Apache log.

madaboutlinux, I was about to do your suggestion of re-creating the account but I saw a hack on the version 3.0 of this shell mentioning WP themes so I checked the theme. Voila, it was reset to the WP default theme instead of the one we're using. Changed the theme back and it's working again. So they must have hacked the WP default theme.

I want to thank everyone for the suggestions and clues. I've learned a bunch again.

Howard

Posted by sharmaine1111, 03-24-2010, 12:11 AM
If it's the wordpress default theme that is hacked then it needs to be reported to wordpress developers as it's definitely a security risk.
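
An added example, not part of any post in this thread: since the fix here turned on the theme directory, one way to check a theme for tampering is to hash every file in the live theme and compare it against a pristine copy unpacked from the official WordPress download. The directory names and sample files below are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file path (relative to root) to a SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                # Do not follow links; a changed link target counts as a change.
                digests[rel] = "symlink:" + os.readlink(full)
                continue
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_theme(reference_dir, live_dir):
    """Report files that differ between a pristine theme copy and the live one."""
    ref, live = hash_tree(reference_dir), hash_tree(live_dir)
    return {
        "modified": sorted(p for p in ref.keys() & live.keys() if ref[p] != live[p]),
        "added": sorted(live.keys() - ref.keys()),
        "missing": sorted(ref.keys() - live.keys()),
    }


def build_constructed_sample():
    """Create two small theme trees (constructed data, not real WordPress files)."""
    base = tempfile.mkdtemp(prefix="theme-check-")
    trees = {
        "reference": {"index.php": "<?php // loop", "style.css": "body{}", "footer.php": "<?php // footer"},
        "live": {"index.php": "<html>replaced page</html>", "style.css": "body{}", "inc/extra.php": "<?php // unknown"},
    }
    for tree, files in trees.items():
        for rel, text in files.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
    return os.path.join(base, "reference"), os.path.join(base, "live")


if __name__ == "__main__":
    for kind, paths in compare_theme(*build_constructed_sample()).items():
        print(kind, paths)
```

On a real server, pass the unpacked reference theme and the live theme directory to `compare_theme`; anything listed under "modified" or "added" should be inspected before the theme is trusted again.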


