• Resolved comcart

    (@comcart)


    Dear all,

    I got hacked with this code:

    [redacted by moderator]

    I cleaned the index file and deleted the other files that the code created, reinstalled WordPress and the template, but after around 24 hours everything came back.

    I really need help on that.

    Looking forward to any help.
    Best regards,
    Leandro

Viewing 14 replies - 1 through 14 (of 14 total)
  • Hello, comcart, & welcome. I’m sorry this happened. I’m going to post some instructions. There are 2 objectives when fixing a compromised site. The first is to repair the damage. The 2nd is to lock the bad guys out & make sure they stay out. These instructions will assist w/both. They will require some work on your part, but they’re necessary.

    Please ask us anything you don’t understand.

    A resource you can go to is:
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked

    When dealing w/a site compromise, the objectives are twofold:
    1) Fix the site; &
    2) Fix backdoors that the hacker used to gain entrance into your site, so this hopefully will not happen again.

    Most people place great emphasis on objective #1, but, in truth, the 2nd one is actually the most important, as, without it, your site will continue to be reinfected.

    Here are the steps to take.

    First, notify your host, as this might be a server-side hack as opposed to simply a site compromise. Also, if you’re on shared hosting, the hack has the potential to compromise the entire server. Additionally, you may wish to take the site offline, & your host can help you do this. They might not help you–then again, they might. You won’t know unless you notify them. If they say it’s not their responsibility, (& it really may not be), then please continue reading.

    Second, scan any devices you will use to log onto your website for malware. It does no good to change credentials, etc., which you will need to do, if malware phones them home to their command & control center. It’s actually better to do more than 1 scan, each using a different program, as no single malware scanner can detect everything.

    Third, secure your network. Definitely use secure FTP as opposed to regular FTP. The port used for secure FTP varies from host to host. Many use port 22, some 2222, while others use different ports altogether. Check their knowledge base or call their support. You can ask this question when you notify them of the compromise in the first step.

    Never log onto your site using a public hotspot, such as those in hotels, cafes, etc. Make sure you’ve changed the default password, SSID, (&, if applicable) the username on your router/modem. If you don’t use wireless, turn it off in your router’s options.

    All these steps are required to ensure that no one can snoop your credentials, etc.

    Now that the device you’ll use to fix your site, as well as your network, is secure, it’s time to direct your attention to actually fixing your site.

    Next, please log into your website control panel from a secure connection and change all passwords, including those to any databases you may have set up. This includes your control panel/FTP credentials & your WordPress database. Also, change your salt keys as per the instructions in wp-config.php to log out all users. Please make the passwords long, containing upper & lowercase letters, numbers, & punctuation.

    Next, take a backup of your website’s files. Be certain to label it such that the label contains both the date you backed it up on, as well as the word “hacked”–we certainly don’t want you accidentally restoring this backup! This can be helpful, though, in terms of perhaps being able to determine how this occurred, though my feeling is that it likely did so because of an outdated site. Probably you should just back up your web root. Depending on your host, it might be called public_html, htdocs, www, or /. If you don’t wish to back up the entire root, then at least back up your uploads folder, as well as others that might contain content that can’t be replaced.

    Please also back up your database as well. The article at
    https://codex.www.ads-software.com/Backing_Up_Your_Database
    shows you how to do that, in case you need it. The section regarding phpMyAdmin is likely the most relevant to your case. It’s going to be necessary to search that database file to see if any evidence of the hack exists there. That can be done by opening the file in a text editor. To start off with, consider searching for the words:

    <script
    <?php
    base64
    eval
    preg_replace
    strrev

    This is not an exhaustive list, nor is the presence of any of these words conclusive proof of a site compromise, though some are more suggestive than others.

    You might also wish at this point to backup your WordPress content. To do that:
    * Log into your WordPress dashboard.
    * Go to ‘Tools > Export’.
    * Choose to export all content.

    While in your dashboard, go to ‘Users > All Users’ and delete any users there that you don’t recognize, especially administrators. A WordPress account should never contain the username ‘admin’. If yours does, make an administrative account that does not contain the word (don’t forget to use a very strong password), then delete the old admin username account.

    Also be advised that sometimes supposed image files can contain code, so open all your image files, particularly in your uploads folders, to ensure they really are images & don’t contain code. Better yet, if you have the images on your machine, replace files in the uploads folders with them.

    If you find nothing, either in your database or in your /uploads folders, then the next step is to delete, then completely reinstall WordPress, as well as any plugins or themes you were using. I also advise creating an entirely new database w/a new user & password. You can then import your content into the newly reinstalled site.

    Please also let someone knowledgeable look at your .htaccess file so they can make certain no backdoor code exists there.

    In summary, here are the steps:
    1) Back up your WordPress files, including core, themes, & plugins;
    2) Back up your database using phpMyAdmin;
    3) Look through the database to ensure there is no evidence of the hack;
    4) Search the uploads folders for image files that contain code;
    5) Let someone knowledgeable look at your .htaccess file.
    6) If you have doubts about your database, please have a professional take a look.
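A small triage script for summary steps 3 and 4 above (search the database dump for the listed tokens, and find files in uploads that carry an image extension but are not real images). This is an added example, not code from the thread; the dump text and the uploads tree it scans are constructed inline.

```python
"""Triage helpers for a compromised WordPress site: token search over a SQL dump
and a check that files named like images really are images.
Added example; sample dump and files are constructed, not taken from the thread."""
import os
import re
import tempfile

# Tokens from the reply above. Presence is suggestive, not proof of compromise.
SUSPECT_TOKENS = ["<script", "<?php", "base64", "eval", "preg_replace", "strrev"]
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
# Genuine JPEG / PNG / GIF files begin with one of these signatures.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
PHP_TAG = re.compile(rb"<\?php|<\?=")


def scan_dump(text):
    """Return {token: number of dump lines containing it} (case-insensitive)."""
    hits = {}
    for line in text.splitlines():
        low = line.lower()
        for tok in SUSPECT_TOKENS:
            if tok in low:
                hits[tok] = hits.get(tok, 0) + 1
    return hits


def scan_uploads(root):
    """Return relative paths of image-named files that contain a PHP open tag
    or do not start with a valid image signature."""
    bad = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if PHP_TAG.search(data) or not data.startswith(IMAGE_MAGIC):
                bad.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(bad)


def demo():
    """Build a constructed uploads tree and dump, then run both scans."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2018", "09"))
        with open(os.path.join(root, "2018", "09", "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # genuine PNG header
        with open(os.path.join(root, "2018", "09", "photo.jpg"), "wb") as fh:
            fh.write(b"<?php /* constructed: PHP where a JPEG should be */ ?>")
        dump = ("INSERT INTO wp_options VALUES (1,'siteurl','https://example.invalid');\n"
                "INSERT INTO wp_posts VALUES (2,'<script src=\"//x.invalid/a.js\"></script>');\n")
        return scan_dump(dump), scan_uploads(root)
```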

    Thread Starter comcart

    (@comcart)

    Hi Jackie,

    thank you very much for your help!
    But I have worked through all your steps: I reinstalled WP from the dashboard and all template files, I exported the DB and searched for the words you said to look for; I found some base64, but no eval in that context, no script, no PHP.
    .htaccess clean, images clean. I really don’t know what to do in my case; this situation looks ridiculous. I have worked with WP since the first version in 2003 and this is my first time with this issue.

    Any other suggestion to help me? I’m getting desperate!
    Best regards,
    Leandro

    Leandro, please change all passwords. This includes your hosting provider control panel password, your WordPress database password, & your WordPress dashboard password. Make them long, strong, easy for you to remember & hard for others to guess.

    Please also let us have a look at your .htaccess file. Remember these can be in multiple subfolders as well as in your WordPress root, so check them all. Make sure your uploads folder contains only images, documents, etc, & no executable code. If possible, delete everything in the uploads folder & reupload the files again, using known good copies. Obviously, you’ll need to put them in their original folders so as not to break links, which is a pain, I know.

    You say you reinstalled WordPress, as well as theme files, but did you actually delete them prior to reinstallation?

    You may also wish to run a plugin like Sucuri
    https://www.ads-software.com/plugins/sucuri-scanner/
    or WordFence
    https://www.ads-software.com/plugins/wordfence

    You may wish to have a professional look at your database. There is a way to post a job for help, i.e. https://jobs.wordpress.net. Maybe the categories of ‘general’ or ‘performance’ would be good candidates, if that is of interest.

    Keep us informed, please.

    Thread Starter comcart

    (@comcart)

    Hi Jackie,

    I used an online PHP decoder, and I got this from the code I posted in my first post; maybe that helps you to help me.

    [code removed]

    Please let me know.

    Many thanks,

    Leandro

    • This reply was modified 6 years, 5 months ago by Jose Castaneda. Reason: removed code

    Leandro, it looks like you’re using a child theme of Flatsome, & this is where the hack seems to reside.

    Leandro, reinstalling WP from the dashboard is ineffective. You’ve got to delete all the files on your website, then reinstall w/known good copies. & I mean *all* of them, unless you’re prepared to check each 1 for bad code. Some plugins, like those I’ve mentioned above, can be helpful in detecting modified core, plugin, & theme files, but only those on the www.ads-software.com repository, & not those purchased via 3rd-party vendors. Obviously, back up your site before you do this, especially your user-generated content, such as images, documents, videos, audio files, etc.

    This appears to be a monetization hack.
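The file-by-file comparison against known good copies that Jackie describes, as an added example (not code from the thread): hash every file under a WordPress tree and diff it against a manifest taken from a clean install, reporting modified, extra and missing files. The tree and manifest here are constructed; on a real site the manifest would come from a fresh download of the same versions, or from WP-CLI’s `wp core verify-checksums` for core files.

```python
"""Integrity diff of a WordPress tree against a known-good manifest.
Added example; the live tree and manifest are constructed, not from the thread."""
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> sha256 for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_of(full)
    return out


def compare(manifest, actual):
    """Return (modified, extra, missing) relative to the known-good manifest.
    'extra' is where an unexpected dropper file under wp-content shows up."""
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    extra = sorted(p for p in actual if p not in manifest)
    missing = sorted(p for p in manifest if p not in actual)
    return modified, extra, missing


def demo():
    """Constructed clean install vs. a live tree with one edit and one added file."""
    good = {"index.php": b"<?php require 'wp-blog-header.php';\n",
            "wp-content/themes/child/functions.php": b"<?php // theme setup\n"}
    manifest = {p: hashlib.sha256(c).hexdigest() for p, c in good.items()}
    live = dict(good)
    live["index.php"] = b"<?php /* constructed injected line */ require 'wp-blog-header.php';\n"
    live["wp-content/wpcontapp.php"] = b"<?php // constructed: not part of any install\n"
    with tempfile.TemporaryDirectory() as root:
        for rel, content in live.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return compare(manifest, hash_tree(root))
```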

    Thread Starter comcart

    (@comcart)

    Hi Jackie,

    I just want to say THANK YOU VERY MUCH for opening my eyes and giving me the right path to find a solution, and I have found it!!!

    I started to compare the core code and I found a file with a sweet, harmless-looking name under wp-content, in the end the last Mother F**Ker file:

    wpcontapp.php

    and inside we can find:

    [code redacted]

    And that is the code that ignited the malware again and again after I cleaned everything!

    So the case is closed and thank you very much for your support!

    Cheers,

    Leandro

    • This reply was modified 6 years, 5 months ago by Jose Castaneda. Reason: removed code

    Leandro, that’s great! However, we need to find the reason you got hacked initially. Generally, the reasons have to do w/weak or reused passwords, especially those that have been reused & then stolen in a data breach, failure to update &/or use of vulnerable code, malware on a device that phones home credentials to a command center, & poor hosting configuration that allows compromised sites to infect other websites, to name a few.

    When I looked at mxtoolbox.com for some information regarding your domain, it showed quite a few problems, including blacklisting of the hosting provider’s email server, bad glue re: your DNS, & others. You may wish to go there & check these things for yourself. This was nightmare enough. I’m pretty sure you don’t want this happening again. Please check all your plugins to ensure that all have been maintained within a year. If not, then please try to find other plugins w/similar functionality. Please also review my instructions regarding changing passwords, checking for unknown administrative users, etc.

    At any rate, I wish you well, & please don’t hesitate to ask for help again, though hopefully not for this. BTW, in case it’s of interest, there is an active Italian support forum at https://it.www.ads-software.com . I know the gentleman who moderates it (there may be more than 1), & he comes to our forum meetings. I believe his name is Christiano.zonca. Seems very nice.

    Get some sleep, please. It’s gotta be close to 3 AM there.

    So the case is closed and thank you very much for your support!

    Not quite, do you understand how it was that an attacker was able to add files and code into your website in the first place?

    Thread Starter comcart

    (@comcart)

    Dear Jackie,

    yes, it was a nightmare!!! But it is solved!
    I think it is a question of an improper password and a lack of attention on my side about security.

    Thanks for all the support; I will keep dealing with you guys instead of the Italian support, as I believe in English we have much more content to study.

    Have a great day.
    Cheers,
    Leandro

    Leandro, I do recommend security plugins, both to do malware scans & to remind you to update, prevent brute-force logins, stop exploit scanning, etc. There are several good 1’s which I mentioned in my previous posts to you.

    You’re always welcome here, of course. I only said what I did because I know Christiano & think he’s a nice man. +, I can only imagine how difficult it must be to read & understand complex instructions that aren’t in your native tongue–shoot–I have a hard enough time understanding some of them written in mine, for goodness’ sakes! Your English is great! If you ever need help, don’t hesitate to return here. Although fixing malware is my specialty, what I really like is preventing folks from getting hacked again, so I hope you’ll put some of the measures I suggested in place, and, that if you do return here for help, it won’t be for this. I do also advise that you consider going up to mxtoolbox.com & having a look at some of the problems they’re reporting. I can pretty well assure you that if you try to send email through your host’s servers, it won’t be delivered to many many inboxes. I understand that’s not why you came, & I understand it’s probably none of my business, but, as I told you earlier, sometimes host misconfigurations can actually cause site compromises, so this might be something for you to look at. I’m not saying that was the case w/yours, because I don’t know, but it’s worth examining nonetheless.

    All the best & much success to you, Leandro.

    Thread Starter comcart

    (@comcart)

    Dear Jackie,

    thank you very much again!
    I’m trying to catch up with all these new things.

    Yes, I will get in touch with the guys at the hosting company or use Sendgrid/Mailchimp to deliver the emails.

    All the best for you as well.

    Looking forward to having a great chat with you again (please God, not about malware :))))

    Cheers,

    Leandro

    I’m on Slack, my profile also contains my website url, so if you just wanna say hello, those are a couple methods you could use. I would recommend a 3rd-party email provider. Hosting companies tend not to be the best at that, as they normally severely limit the amount of email you can send. The downside, of course, is the price.

    It was truly a pleasure working w/you, Leandro.

    Thread Starter comcart

    (@comcart)

    Thanks Jackie!
    I will follow your advice.
    Was a big pleasure for me as well.
    Take care.

  • The topic ‘I got hacked/malware’ is closed to new replies.