I don’t know how this happened, but I’m trying to figure it out.

    Long story short, I tried logging into my WordPress admin area and got an error similar to this.

    Warning: include(./wp-includes/ms-bookmark.php) [function.include]: failed to open stream: No such file or directory in /home/*******/public_html/wp-config.php on line 81
    
    Warning: include(./wp-includes/ms-bookmark.php) [function.include]: failed to open stream: No such file or directory in /home/******/public_html/wp-config.php on line 81
    
    Warning: include() [function.include]: Failed opening './wp-includes/ms-bookmark.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/******/public_html/wp-config.php on line 81
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/*****/public_html/wp-config.php:81) in /home/*****/public_html/wp-includes/pluggable.php on line 1196

    I did some digging and learnt the site has been compromised with some sort of javascript malware. I was able to remove the line of code that prevented me from logging into the admin area, include('./wp-includes/ms-bookmark.php'); (which was initially in the wp-settings.php file). This morning, that line of code is back but is now found in the wp-config.php file.

    I’m thinking what this hack is now doing is deferring people to other websites. I’ve noticed there are a lot of outbound links found in my cpanel “latest visitors log” which show people visiting pages within my WordPress site that do not actually exist. When you go to that link within my site you are forwarded to something else – and there are hundreds of these links within my site that don’t exist.

    Any ideas on how I can deal with this without having to completely destroy the site? I keep it up to date very regularly. I have Wordfence installed and every time an update is out for a plugin or WordPress, it’s updated on the same day.
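The two symptoms in this post (an include() line that reappears in wp-config.php, and attacker-controlled files living where only uploads should be) can both be checked with a small triage script. The following is an added example written for this thread, not code from WordPress or from the original poster; it builds a constructed sample site in a temporary directory (the file and directory names are invented) that reproduces the injected include line, then reports any include/require in wp-config.php whose target is not wp-settings.php, and any file under wp-content/uploads whose name carries a PHP-executable extension at any position (so shell.php.pdf is caught as well as x1.php).

```python
"""Triage helper for the symptoms described above (added example, not WordPress code)."""
import os
import re
import tempfile
from pathlib import Path

# Any include/require whose target is a quoted .php path. A stock wp-config.php
# only ever requires wp-settings.php, so any other target deserves a look.
INCLUDE_RE = re.compile(r"""\b(?:include|require)(?:_once)?\b[^;]*?['"]([^'"]+\.php)['"]""")
# Extensions a typical web server may hand to the PHP interpreter.
PHP_EXTS = {".php", ".phtml", ".php5", ".phar"}


def scan_config_includes(config_path, allowed=("wp-settings.php",)):
    """Return 'file:line: target' for every include/require not on the allowlist."""
    config_path = Path(config_path)
    findings = []
    text = config_path.read_text(errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in INCLUDE_RE.finditer(line):
            target = match.group(1)
            if os.path.basename(target) not in allowed:
                findings.append("%s:%d: %s" % (config_path.name, lineno, target))
    return findings


def find_php_in_uploads(uploads_dir):
    """List files under the uploads tree with a PHP extension anywhere in the name."""
    uploads_dir = Path(uploads_dir)
    hits = []
    for path in uploads_dir.rglob("*"):
        if path.is_file() and any(s.lower() in PHP_EXTS for s in path.suffixes):
            hits.append(path.relative_to(uploads_dir).as_posix())
    return sorted(hits)


def scan_site(root):
    """Run both checks against a WordPress document root and return the findings."""
    root = Path(root)
    return {
        "config_includes": scan_config_includes(root / "wp-config.php"),
        "php_in_uploads": find_php_in_uploads(root / "wp-content" / "uploads"),
    }


# Constructed sample wp-config.php: the injected include from the thread sits on
# line 3, the legitimate require of wp-settings.php on line 5.
CONFIG_TEXT = """<?php
define('DB_NAME', 'example');
include('./wp-includes/ms-bookmark.php');
if ( ! defined('ABSPATH') ) define('ABSPATH', __DIR__ . '/');
require_once ABSPATH . 'wp-settings.php';
"""


def build_demo_site():
    """Create a constructed sample site in a temp dir (all names hypothetical)."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-config.php").write_text(CONFIG_TEXT)
    uploads = root / "wp-content" / "uploads" / "2015" / "01"
    uploads.mkdir(parents=True)
    (uploads / "brochure.pdf").write_bytes(b"%PDF-1.4\n")          # legitimate upload
    (uploads / "x1.php").write_text("<?php echo 'sample'; ?>\n")    # should never be here
    (uploads / "shell.php.pdf").write_text("<?php echo 'sample'; ?>\n")  # double extension
    return root


if __name__ == "__main__":
    demo = build_demo_site()
    for key, value in scan_site(demo).items():
        print(key, value)
```

Pointed at a real install (scan_site("/home/account/public_html")), the script is a quick first pass; it does not replace comparing wp-includes and wp-admin against a fresh copy of the same WordPress version, which is how the backdoor in the themes folder mentioned later in the thread would be found.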

Viewing 8 replies - 1 through 8 (of 8 total)
    I have Wordfence installed

    I also use Wordfence and would not want to be without it for doing the things it can do, but I first have BulletProof Security writing htaccess to stop certain malicious traffic in ways Wordfence cannot. In your case, I would install BPS to guard the gates and all service doors, then use its suggested file permissions, then use it to also change my table-prefix, then change at least the password for the MySQL user noted in wp-config.php, and then take a look at these:
    https://www.ads-software.com/support/topic/warning-this-is-an-attack-site?replies=3#post-6346621

    Thread Starter sapper6fd

    (@sapper6fd)

    Well I’ve found a backdoor install within my themes folder, and a few php scripts within the themes folder which have been edited (although I’m not sure which ones, but the java code that’s found within the site is appearing within certain sections of the site’s code that’s associated with the theme….

    Fantastic……

    I guess I’m off to find a new theme as this one is up to date and it looks like that’s how the site was compromised.

    I guess I’m off to find a new theme

    I highly doubt your theme is the problem since themes do not exist for the sake of site security. Redecorating even with impervious paint will never take the place of “hardening WordPress” such as how well BPS can do that.
    https://www.google.com/search?q=hardening+wordpress

    Thread Starter sapper6fd

    (@sapper6fd)

    The reason I think it’s the theme is because it comes with a number of plugins – quite a few of them. One of which is the Revolution Slider. There have been updates for each of the plugins it comes with over the past year, except for the revolution slider. When I mentioned above that I had found files that had been edited, each one of them was in relation to the revolution slider.

    If it walks like a duck, quacks like a duck, looks like a duck, I tend to call it a duck until I can prove otherwise. While it may not be the point of entry, disabling that theme (removing it entirely) and replacing it with something else will be a good starting point. There are only two other plugins that I use on this site. One of which is Wordfence and the other is Google Analytics by YOAST. Chances are the site was compromised via a plugin. I have a suspicion it wasn’t Wordfence or Google Analytics by YOAST unless this is a zero day attack.

    I did quite a bit of WordPress hardening when the site was first set up. Deleting unused themes and plug-ins, removing version references, hardening the directories via htaccess, changing the name of the /wp-admin folder and so on…. I guess I’ll have to look into a number of additional hardening techniques as well.

    I did quite a bit of WordPress hardening when the site was first set up.

    That was my concern, and I do see a lot of hits targeting specific themes or plugins I would not want to be using.

    Thread Starter sapper6fd

    (@sapper6fd)

    I’ve found the malware. It’s: spam-seo-suspicious15?web.html.spam-seo.hidden-style.001

    Now to find out how to remove it

    Thread Starter sapper6fd

    (@sapper6fd)

    I was able to figure out how they got access to the account.

    A plugin by the name of N-Media Contact Form with File Upload seems to have been the entry point. It was locked down so only PDF and ZIP files can be submitted (or so I thought). It turns out the plugin is ignoring the settings that determine which file types can be uploaded. I was able to upload a phpinfo script and execute it without any resistance at all.

    Two .php scripts were found in the folder where uploaded files are stored. Those files then allowed access and the ability for an attacker to upload a backdoor giving them root access and full control over the hosting account.
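The failure described in this post is an upload handler that trusts the configured file-type list in name only: a file called phpinfo.php, or a PHP script renamed to .pdf, sails through. Below is an added example of the server-side check such a form should have performed; it is written in Python as a language-neutral illustration and is not code from the N-Media plugin or from WordPress. It assumes an allowlist of two types (PDF and ZIP, matching the settings the poster describes) and rejects a file unless its extension is on that list, no PHP extension appears anywhere in the name, the leading bytes match the claimed type, and the body carries no PHP open tag; the stored name is randomly generated so the uploader never chooses what ends up on disk.

```python
"""Server-side upload validation (added example; not the plugin's own code)."""
import os
import secrets
from pathlib import Path

# Accepted extensions, each paired with the bytes a genuine file of that type starts with.
ALLOWED_TYPES = {".pdf": b"%PDF-", ".zip": b"PK\x03\x04"}
# Extensions a typical web server may hand to the PHP interpreter; never accept
# them at any position in the name (shell.php.pdf included).
PHP_EXTS = {".php", ".phtml", ".php5", ".phar"}
PHP_MARKERS = (b"<?php", b"<?=")


def validate_upload(filename, data, allowed=ALLOWED_TYPES):
    """Return (accepted, reason, stored_name).

    stored_name is None on rejection; on acceptance it is a random name carrying
    the validated extension, so the client-supplied name is never used on disk.
    """
    # Drop any directory components the client may have sent (../ and friends).
    name = os.path.basename(filename.replace("\\", "/"))
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes:
        return False, "no extension", None
    if any(s in PHP_EXTS for s in suffixes):
        return False, "executable extension in name", None
    ext = suffixes[-1]
    if ext not in allowed:
        return False, "extension not allowed: " + ext, None
    # The extension alone proves nothing: check the file really starts like that type.
    if not data.startswith(allowed[ext]):
        return False, "content does not match " + ext, None
    # A document that contains a PHP open tag has no business on a web server.
    if any(marker in data for marker in PHP_MARKERS):
        return False, "PHP open tag inside file body", None
    return True, "ok", secrets.token_hex(16) + ext


# Constructed sample submissions (all contents invented for the demo).
SAMPLES = [
    ("brochure.pdf", b"%PDF-1.4\n%constructed sample\n"),
    ("phpinfo.php", b"<?php phpinfo(); ?>"),
    ("phpinfo.pdf", b"<?php phpinfo(); ?>"),
    ("shell.php.pdf", b"%PDF-1.4\n"),
    ("../../wp-config.php", b"<?php echo 1; ?>"),
    (".htaccess", b"AddType application/x-httpd-php .pdf\n"),
]


def run_samples(samples=SAMPLES):
    """Validate each constructed sample; returns {filename: (accepted, reason)}."""
    results = {}
    for filename, data in samples:
        accepted, reason, _ = validate_upload(filename, data)
        results[filename] = (accepted, reason)
    return results


if __name__ == "__main__":
    for filename, (accepted, reason) in run_samples().items():
        print("%-22s %s  %s" % (filename, "ACCEPT" if accepted else "REJECT", reason))
```

Validation like this limits what gets written, but it is only half of the fix for this entry point: the upload directory itself should be configured so the web server never executes PHP from it, which is a server-side setting rather than something a form plugin can guarantee.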

    Thanks for following up with the hack entry point. This has happened to me twice but I was not able to narrow it down like you did. Now I just live in fear.

The topic ‘WordPress cOmpromised’ is closed to new replies.