About current front-page troubles on Irrlicht

Posted: Thu Jan 12, 2017 3:54 pm
by CuteAlien
Hi,

I guess some of you noticed by now that http://irrlicht.sourceforge.net/ is currently looking very strange most days. Like new themes or a tiny/puny static website replacement.

Reason is that we got hacked. Are still hacked actually. And every time we enable wordpress (invisible) spam-links are re-introduced to our homepage within 1-2 days. This has been going on since around September, but I only noticed it very recently (I had been lazy and only checked for the same hack we got last time with 0px fonts to hide their links, so I didn't notice they used a new trick for invisible links this time).

Still working on this. Unfortunately takes some time as I'm not very familiar with Wordpress, PHP, SQL-Databases or web-security in general. So all experiments to get rid of hacker for last 2 weeks constantly failed.

Will give more info once I figure out some clue what's going on...

Re: About current front-page troubles on Irrlicht

Posted: Thu Jan 12, 2017 4:47 pm
by MartinVee
I had the same problem a while back, and it turned out it was the theme that had an obfuscated line of code that did the injection. Not all themes are created (or distributed) with good intentions.

At the time, I remember looking at Stack Exchange's WordPress community site, and I found a very helpful question. I can't remember if it was exactly this one, but it seems to have very good advice. Be sure to read both answers.

Good luck with that!

Re: About current front-page troubles on Irrlicht

Posted: Thu Jan 12, 2017 5:31 pm
by CuteAlien
Thanks. I've seen that post on StackExchange actually :-) Unfortunately replacing theme (and re-installing wordpress) didn't solve it. My current suspicion is that the hack might already be stored inside the database and re-loaded from there.

Re: About current front-page troubles on Irrlicht

Posted: Thu Jan 12, 2017 6:10 pm
by MartinVee
In the dark like you, but did you try one of the tools from the second answer?

Re: About current front-page troubles on Irrlicht

Posted: Thu Jan 12, 2017 6:21 pm
by CuteAlien
Not yet. Only tried the manual hunting.

Re: About current front-page troubles on Irrlicht

Posted: Thu Jan 12, 2017 7:44 pm
by Mel
Pfff.. hacks are a pain in the ass... Check every PHP file you can have access to, they might have an injector segment somewhere, in the beginning, in the end... Check the image files, those might go inadvertent because you expect them to be an image and binary, but one of my sites once got hacked with a gif image that had some code in the end, it only had to call that image, as a file stored in the server and the whole effect reappeared. The database is unlikely though, as most files are stored as separate files outside the DB, but who knows... Check the boards as well, as many sites use PHPBB forums and Wordpress portals.

It is too bad that you can't update wordpress often, their devs address these vulnerabilities constantly, something you can't say from the PHPBB guys, but it is what we have... (if these boards could become SimpleMachinesForums boards, maybe things would improve, they keep constantly updated their forums engines as well) Good luck! :/
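An added example, not part of the original post: one way to check uploaded GIFs for the "code at the end of the image" case described above. It walks the GIF block structure to find where the image really ends and reports trailing bytes and PHP open tags; the function names and the sample bytes are constructed for illustration.

```python
import re

PHP_TAG = re.compile(rb"<\?(php|=)", re.I)

# Constructed sample: a minimal well-formed 1x1 GIF (35 bytes).
CLEAN_GIF = bytes.fromhex(
    "474946383961 01000100 800000 ffffff000000"
    "2c 0000000001000100 00 02 024401 00 3b")

def gif_end_offset(data):
    """Return the offset just past the 0x3B trailer, or None if malformed."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        return None

    def skip_sub_blocks(p):
        while p < len(data) and data[p] != 0:
            p += 1 + data[p]              # length byte plus payload
        return p + 1                      # step over the zero terminator

    flags, pos = data[10], 13
    if flags & 0x80:                      # global colour table present
        pos += 3 * 2 ** ((flags & 0x07) + 1)
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                 # trailer: the image ends here
            return pos + 1
        if block == 0x21:                 # extension: introducer + label
            pos = skip_sub_blocks(pos + 2)
        elif block == 0x2C:               # image descriptor (10 bytes)
            if pos + 10 > len(data):
                return None
            local = data[pos + 9]
            pos += 10
            if local & 0x80:              # local colour table present
                pos += 3 * 2 ** ((local & 0x07) + 1)
            pos = skip_sub_blocks(pos + 1)  # +1 skips LZW min code size
        else:
            return None
    return None

def scan_gif(data):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    end = gif_end_offset(data)
    if end is None:
        findings.append("not a well-formed GIF")
    elif end < len(data):
        findings.append(f"{len(data) - end} bytes after GIF trailer")
    if PHP_TAG.search(data):
        findings.append("PHP open tag inside image")
    return findings
```

To sweep an uploads directory, call `scan_gif(path.read_bytes())` for each `*.gif` file and review every non-empty result by hand.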

Re: About current front-page troubles on Irrlicht

Posted: Fri Jan 13, 2017 12:08 am
by CuteAlien
Yeah, forum is another potential candidate. Though it should be separated somewhat from wordpress and there don't seem to be spam-links in the forum yet (unless I missed them). Update of forum also harder, but new phpBB just got released last week - so might be a good time to update that as well anyway.

There shouldn't be any php file left which wasn't replaced already (new Wordpress install and new theme, but maybe I'm missing stuff as I don't really know exactly how wordpress works yet). Also did all the usual stuff like replacing all passwords. Got the idea with the database from someone who's a little more familiar with that stuff than me. Got also a few more hints, so guess I can still try a few things on the weekend. If all fails - I learned by now it's possible to create static pages from wordpress which would be sufficient for us (would lose "search" feature of old website, not much else probably). Though that would basically mean ignoring the hack and not fixing the real problem - so not my favorite solution.

Re: About current front-page troubles on Irrlicht

Posted: Sun Jan 15, 2017 2:13 pm
by Vectrotek
The Saints are sorting it..

Re: About current front-page troubles on Irrlicht

Posted: Tue Jan 17, 2017 3:15 pm
by REDDemon
"Got the idea with the database from someone who's a little more familiar with that stuff than me"
Try a query to search for something that looks like links/HTML/PHP/JS code in all the tables. Probably better dumping the DB as SQL dump and then use a text editor with advanced search functionality. Usually the hack begins where there is something that isn't escaped properly or if there's a SQL injection... It could be possible that actually the hack is inside the forum and loaded only to word press from there (I don't know if you are actually using 2 different WWW folders or not, if not, phpBB should be checked too).

Re: About current front-page troubles on Irrlicht

Posted: Wed Jan 18, 2017 11:35 am
by CuteAlien
@REDDemon: Yeah, I dumped DB as XML to make searching easier. But... turned out the DB is pretty huge. I tried a few simple searches (mainly with grep), but found nothing obvious. And if the hack is slightly encoded it is pretty impossible to find by hand that way.

But did change some other stuff, like new wordpress just came out last week, so I installed that. So far spam-links not yet back. Not sure if spammer just becomes lazy or if I maybe blocked his access.
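An added example, not part of the original posts: a scanner for the kind of dump search discussed above, which flags links inside elements hidden by inline CSS and also decodes base64 runs to catch the "slightly encoded" case that plain grep misses. The list of hiding styles, the function names and the sample dump are assumptions constructed for illustration.

```python
import base64, binascii, html, re

# Inline-style tricks that hide content. Heuristic list (an assumption):
# the thread names only 0px fonts and does not say what the newer trick was.
HIDING_STYLE = re.compile(
    r"font-size\s*:\s*0(?![.\d])|display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
STYLED_ELEMENT = re.compile(
    r"<(\w+)[^>]*style\s*=\s*[\"']([^\"']*)[\"'][^>]*>.*?</\1>", re.I | re.S)
HREF = re.compile(r"href\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def hidden_links(markup):
    """URLs that sit inside an element whose inline style hides it."""
    found = []
    for m in STYLED_ELEMENT.finditer(markup):
        if HIDING_STYLE.search(m.group(2)):
            found += HREF.findall(m.group(0))
    return found

def scan_dump(text):
    """Scan SQL or XML dump text for hidden links, plain or base64-wrapped."""
    text = html.unescape(text)            # XML dumps store markup as &lt;a ...&gt;
    text = text.replace('\\"', '"').replace("\\'", "'")   # SQL-escaped quotes
    results = [("plain", url) for url in hidden_links(text)]
    for run in B64_RUN.findall(text):
        try:
            padded = run + "=" * (-len(run) % 4)
            decoded = base64.b64decode(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue                      # not base64 text, ignore
        results += [("base64", url) for url in hidden_links(decoded)]
    return results

# Constructed sample dump: one plain hidden link, one base64-wrapped hidden
# link, and one ordinary visible link that must not be reported.
_WRAPPED = base64.b64encode(
    b'<span style="display:none"><a href="http://spam.example/loans">y</a></span>'
).decode()
SAMPLE_DUMP = "\n".join([
    r"""INSERT INTO wp_posts VALUES (1,'<p>News</p><div style=\"font-size:0px\"><a href=\"http://spam.example/pills\">x</a></div>');""",
    "INSERT INTO wp_options VALUES (7,'widget_text','" + _WRAPPED + "');",
    r"""INSERT INTO wp_posts VALUES (2,'<a href=\"http://irrlicht.sourceforge.net/\">home</a>');""",
])
```

Hits are leads for manual review rather than proof; hiding done through an external stylesheet or script will not show up in a scan of inline styles.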

Re: About current front-page troubles on Irrlicht

Posted: Tue Feb 28, 2017 7:35 pm
by devsh
There is no HTTPS/SSL on the forum, if you use the same user and password for the page administration..... passwords go over without strong encryption....

Also Cloudflare had a massive heartbleed-like bug, I don't know if sourceforge sits behind cloudflare but anything over the past few years could have gotten leaked :(

Re: About current front-page troubles on Irrlicht

Posted: Tue Feb 28, 2017 7:54 pm
by CuteAlien
I never use same password for different services. But since we updated to newer wordpress hacks seem to have stopped.

Re: About current front-page troubles on Irrlicht

Posted: Thu Mar 02, 2017 12:43 am
by Cube_
how outdated was the old version? I have a cron job to auto-update wordpress with new patches and my website hasn't been hacked (but then again my website is extremely low traffic and for all intents and purposes dead)

Re: About current front-page troubles on Irrlicht

Posted: Thu Mar 02, 2017 12:52 am
by CuteAlien
At one point we were actually up-to-date with Wordpress versions and still hacked. But a few weeks ago a new Wordpress version came out and after updating to that one it stopped. Though I changed also a bunch of other stuff additionally.

Re: About current front-page troubles on Irrlicht

Posted: Thu Mar 02, 2017 12:55 am
by Cube_
hmm, if you were up to date it probably wasn't a security hole with the install itself - maybe some addon or theme or whatnot.
Oh well, since you're no longer hacked that's a good start.