Hacked site...

lee.stanley3

Free Member
Feb 18, 2011
8
0
Nottingham
I run a wordpress website that has been hacked since August. Mainly fishing and over each month getting more and more folders and files in to my back end.
I have changed all log in details, tired to change htaccess codes, reinstalled clean themes and folders plugins etc. followed the wordpress hack guidance information.
Initially my host provider removed the folders, Yet this time they have said the site contained html hack landing page a few php shell scripts. They have also created a fake paypal fishing site was established. the files were uploaded via FTP after a successful login.
They also indicate that the IP address which they were uploaded from was in Great Britain. This is a different IP than most of the connections to my account, but there was also an upload of a number of images to a wp-content/uploads/gallery from it.
My host has taken my site down completely...which I need to get up and running.
Now my host is saying it is possible that there is a security problem on my local computer. I have run scans on my pc to make sure that it is free of malware. Malwarebytes, Super Antispyware (both free editions). I have a McAfee AV and scan frequently.
Is there any more I can do to detect if my computer has scripts, malware or anything on it.
I am even considering system restore. I run vista. I know its not as secure as Win7 is this something I should change?
If you need anymore information let me know.
 

fisicx

Moderator
Sep 12, 2006
46,953
9
15,514
Aldershot
www.aerin.co.uk
The problem is usually a script on the server. Your host needs to close down the site, delete the account and start again. Install wp then import the pages/posts once you have cleaned them up. Do not use FTP, do it all through the dashboard. Even better, don't use your computer, use a completely different machine.
 
Upvote 0
There are a few basic steps I would take before pressing the nuke button.

I would install a trial version of a new av then scan your machine fully with this. I use kaspersky but it is up to you but make sure it is NEW.

1. Take a back up of your site locally and scan it. I mean all of the stuff in your public folder.

2. Change ALL account passwords. Ftp web settings hosting etc.

3 Delete everything in your public html folder

4 fire up a holding html page saying site under maintenance or similar

5 report back with both scan results.

Out of interest how many devices connect to your network?

Hth
Daren

Sent from my GT-I9300 using UK Business Forums
 
Last edited by a moderator:
Upvote 0

fisicx

Moderator
Sep 12, 2006
46,953
9
15,514
Aldershot
www.aerin.co.uk
Good advice form ITsold. But you need to make sure you aren't using the existing folder on the server. You can delete everything but these hacks have a nasty habit of hiding away and reinfecting the folder as soon as you upload something.

Which means even if you do a fresh install of WP the scripts will still be there.
 
  • Like
Reactions: ITsoldUK
Upvote 0
I too would expect it to be a script on the server, or possibly even a server infection. If the host has checked and that's not the case I'd run through ITsoldUK's points first, making sure you use a fresh, up to date, Wordpress installation.

I would also, after that, do a comprehensive test on the site, for example go through a complete xss cheat sheets and other exploit pattern guides such, to see if there are any underlying hijacks going on that are giving an attacker there opening. Basically hack it to destruction to see if there is a hole.

I would also do a full check of your system with a few security products.


Eta:
What fisicx said above is true, you need to clean your server, including your database and make sure that the infection isn't there.
 
Last edited:
  • Like
Reactions: fisicx and ITsoldUK
Upvote 0
Good advice form ITsold. But you need to make sure you aren't using the existing folder on the server. You can delete everything but these hacks have a nasty habit of hiding away and reinfecting the folder as soon as you upload something.

Which means even if you do a fresh install of WP the scripts will still be there.

Spot on. When you have the public file locally...delete the server side one.

This is why I state upload a plain file preferably in php first. Let it soak for a day or two then if it gets reinfected again we can pin point the locale as outside the public file and then proceed to shout at the host.

If you do reinstall add a plugin called better security and set it to notify of file changes...

Worry not. Together the UKBF spam busters will help you smash it.

I advise for FREE. If I touch it, I charge.
 
Last edited by a moderator:
  • Like
Reactions: fisicx
Upvote 0

fisicx

Moderator
Sep 12, 2006
46,953
9
15,514
Aldershot
www.aerin.co.uk
Upvote 0

Websitehandyman

Free Member
Nov 25, 2011
2,166
535
Staffordshire
If you host is suggesting it's your PC the simple answer is get a new host. Unless they have checked the logs and found the insertion coming from your IP address.

A lot depends on what type of hosting it is. Your own server and it's your problem, shared and they might expect you to clean the data before they release the site.

With wordpress it's often a template exploite using the editor file. I would do a clean install and then add a plugin that records all file changes back to you. So you can kill it before it's started.
 
Upvote 0

fisicx

Moderator
Sep 12, 2006
46,953
9
15,514
Aldershot
www.aerin.co.uk
Upvote 0

Websitehandyman

Free Member
Nov 25, 2011
2,166
535
Staffordshire
Won't work if the script/hack is hiding on the server.

Thats why I said a lot depends on the hosting. If he has accress to the server root he should check the logs. Still if he installs and tracks changes that will tell him.

Anyone running a DS or VPS without a firewall and security will get hacked, thats just a matter of time. More then likely it's just XSS.
 
Upvote 0
L

Lucky7CompSolutions

The virus will be on your host server not your computer but everyone who is going to the site will be infected also please get rid of mcafee it is the worse anti virus out there we get more computers with viruses on then by having mcafee installed, they are useless, buy bit defender or kaspersky
 
Upvote 0

Newchodge

Moderator
  • Business Listing
    Nov 8, 2012
    22,801
    8
    8,045
    Newcastle
    The virus will be on your host server not your computer but everyone who is going to the site will be infected also please get rid of mcafee it is the worse anti virus out there we get more computers with viruses on then by having mcafee installed, they are useless, buy bit defender or kaspersky

    I'm using Norman. Is that any good?
     
    Upvote 0

    fisicx

    Moderator
    Sep 12, 2006
    46,953
    9
    15,514
    Aldershot
    www.aerin.co.uk
    Upvote 0

    LCowles

    Free Member
    Dec 30, 2012
    35
    0
    Hi Lee,

    Sorry to hear about your predicament. The problem with wordpress is that some of the themes that come with wordpress have potential security holes in them. I have worked with many agencies that have encountered these issues and can honestly say there are no easy answers.

    Really you need someone to perform a full security scan of your site (not your PC, it probably has nothing wrong with it, they are probably using an exploit for a plugin or theme that you are using).

    I am available via Private Message for more details about what I think you should do (not a sales pitch, genuine advice)
     
    Upvote 0

    threenine

    Free Member
    Nov 30, 2012
    767
    174
    Swindon
    The problem with wordpress is that some of the themes that come with wordpress have potential security holes in them

    Absolutely correct. The only other solution is to actually scan the source code of the plugins and theme for any external references to websites? This is usually called XSS (Cross Site Scripting) or Script injection Attacks, where the script is actually not resident in the source files as such, but only a reference is placed in the source files, the real script then only executes when somebody accesses a page.

    Typically AV scanners won't pick this up when they are scanning files locally, but they will pick it up if you open the file in a browser.
     
    Upvote 0

    LCowles

    Free Member
    Dec 30, 2012
    35
    0
    XSS attacks on any website are examples of poor programming, period! There is no excuse for offering anyone a service that has amateur execution at any phase.

    In my business we only use wordpress for smaller projects or when specifically requested to, but we do use a lot of frameworks for web-apps etc, and one of our base requirements is for all POST data that we work with to be cleaned from CSRF and XSS attacks, and also, less common, but files to all have permissions checked and disable directory listing.

    people should also "clean" any data before it hits a database, preferably with a built-in or externally supported function, which PHP has several accessible through common modules.

    Just out of interest do you employ or have contacts with specialist "security consultants"? I spent years wading through people that just didn't meet my remit i.e. they were too academic and had no real-world knowledge or, not academic enough and made stupid, wide-ranging statements, I worried would come back to bite me! Eventually I just formed a relationship with an existing business, as it was less of a headache.
     
    Upvote 0

    andygambles

    Free Member
    Jun 17, 2009
    2,616
    687
    Scarborough
    Never use a free theme you found via a search engine on your wordpress site

    see: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

    They can contain encrypted code and/or backdoors.

    Upload a fresh with the latest wordpress theme and then just use the default for a while and see if the problem re-occurs.

    Some other advise with wordpress:

    Rename the wp-admin folder to something else
    Restrict FTP access to just your IP (would do this for any website)
    Restrict access to wp-admin folder to just your IP (Can do this via htaccess)
    Use only themes and plugins from trusted sources
     
    • Like
    Reactions: lee.stanley3
    Upvote 0

    lee.stanley3

    Free Member
    Feb 18, 2011
    8
    0
    Nottingham
    Thank you all for the updates and guidance,

    So to get up to speed.

    I purchased a new machine (It was needed and has simply speeded up my decision to buy!)

    I have a completely new database, re-installed new clean word press core files, I need to re-install my content now.

    I am looking at XSS and checking the content is clean and hopefully they hacks have been via plugin and upload folders, of which I will re-install clean.

    Is this the right way to go? Or is there anything else I need to be aware of??

    I need a little guidance of which folders contain my post and page content.

    Is there anything else I can do to limit the impact on my seo where urls are concerned?

    Just want to say a massive thank you my host is Coolhandle. They have been very helpful but sometimes a little slow (Christmas period) so I will give them the benefit of the doubt.
     
    Upvote 0

    fisicx

    Moderator
    Sep 12, 2006
    46,953
    9
    15,514
    Aldershot
    www.aerin.co.uk
    You still need to get the server sorted. Until they delete your old account and set up a new one you cannot be 100% sure the hackers script isn't still there.

    You can do a fresh WP install as many times as you like, if the dodgy scripts is still on the server you will keep getting the same problem.

    The problem was probably not your PC at all, it was an infection on the server.
     
    Upvote 0

    lee.stanley3

    Free Member
    Feb 18, 2011
    8
    0
    Nottingham
    They have reset my whole account from scratch. They made a back up of my database etc and I am in the process of getting a specialist to scan and clean this code and look for any hidden extras. Hopefully this and a few new added security measures can put the site back up and running in the next 48 hours. Is there anything else I need to consider.

    PS Next time you look for a host... make sure they are based in the same timezone as you otherwise expect late night working if/when things go pear shaped!!

    Thanks for all your advise and comments here. UKBF is an excellent resource that has certainly helped me over the first two years of starting my business and thats thanks to you guys!!

    Lee.
     
    Upvote 0

    inhousedesigners

    Free Member
    Jan 9, 2013
    5
    0
    I run a wordpress website that has been hacked since August. Mainly fishing and over each month getting more and more folders and files in to my back end.
    I have changed all log in details, tired to change htaccess codes, reinstalled clean themes and folders plugins etc. followed the wordpress hack guidance information.
    Initially my host provider removed the folders, Yet this time they have said the site contained html hack landing page a few php shell scripts. They have also created a fake paypal fishing site was established. the files were uploaded via FTP after a successful login.
    They also indicate that the IP address which they were uploaded from was in Great Britain. This is a different IP than most of the connections to my account, but there was also an upload of a number of images to a wp-content/uploads/gallery from it.
    My host has taken my site down completely...which I need to get up and running.
    Now my host is saying it is possible that there is a security problem on my local computer. I have run scans on my pc to make sure that it is free of malware. Malwarebytes, Super Antispyware (both free editions). I have a McAfee AV and scan frequently.
    Is there any more I can do to detect if my computer has scripts, malware or anything on it.
    I am even considering system restore. I run vista. I know its not as secure as Win7 is this something I should change?
    If you need anymore information let me know.

    Same situation faced by me too a couple of weeks before a Krooz named hacker taken over my website and left message like hacked and blah blah. But the safe solution is:

    1) Download complete website and then scan entire folder with Anti virus.
    2) If anti virus shows any malware code find it manually through the file location and remove it.
    3) The malicious code if you see anywhere delete it at once. Also pick that code and via dreamweaver search that code on entire website and remove.
    4) Don't forget to check the rubbish links of pharmacy, casino they use to left on pages for their benefit. I found some on my website too.

    Well bottom line is all you have to do is to perform manual check campaign on your website because these silly hackers insert code in data base which again generates and infect website.
     
    Upvote 0

    astutiumRob

    Free Member
    May 5, 2004
    1,312
    241
    London
    If you host is suggesting it's your PC the simple answer is get a new host
    Over 90% of the "hacks" we investigate are the end-user having a virus/malware/keylogger, having fallen for a phishing scam and given out their password or used a ridiculously simple password

    So 9 times out of 10 the host would be right to suggest it's their PC (although they shoudl have checked first)

    Of the other 8-10% of hacks the fall into
    * the majority are exploited plugins
    * leftover themes
    * lack of sanitising of variables
    * generally sh!t code
    * end user negligence in managing access to their config files.
     
    Upvote 0

    metizsoft

    Free Member
    Dec 29, 2012
    13
    1
    Lee,

    First of all the major attack nowadays in wordpress site in one or different plugin we have used that providing the major loop hole.

    even you create new site but one of the plugins is entry point of malicious code then site will get hack again. I wish to follow bit process like go with latest wordpress and plugins compatible with that as I have getting similar complains every day for wordpress site.

    if you can share the detail about the plugins or customization you have used in your site I can guide you in better way.

    let me know if you need any more help

    Thanks
    Chetan Sheladiya
    Metizsoft Solutions
    Volusion | Magento | Joomla | Wordpress development service provider
     
    Last edited:
    Upvote 0

    Latest Articles