• Resolved Gary H

    (@axe6st)


    I have a Windows environment. All my sites are up to date with the latest version of WordPress, version 5.6 of PHP, and all the plugins are up to date.
    I have 6 sites with WordPress and all of them now have Wordfence installed. I have followed the guidelines in the article about hardening up WordPress. I run multiple scans on all sites. At this point, they all come up clean most of the time. But I still find the problems that I am listing next.
    2 or 3 times a day, at least one site or more gets between 8 and 14 new PHP files in the root dir. The names are sympathy.php, known.php, have.php, enjoy.php, effort.php, chemistry.php and more. Sometimes I will find PHP files in the uploads dir of the affected site. (I can provide examples of these files.) Sometimes, that site will also start sending out spam mail. Cleaning up the new files stops the spam, but all of the new files seem to just be a few links in the files. Also, in live traffic, people are trying to access those URLs.
    In addition to that, at one point a different hack took over many of my sites and added code to many existing pages. (I have that code as well.)
    That code had this “onfr64_qrpbqr” and from my searches that seemed to be the virus signature. I removed all that code and that issue has not returned.
    All of this started happening a week ago. Although I have checked for vulnerabilities and think I took care of all of them, the first one keeps recurring. I have fixed my php.ini files to be secure, blocked my external ports that need to be blocked, and used Wordfence to harden up the sites. All other sites on the server are just standard HTML sites, and I have completely turned off FTP. I have changed everyone’s passwords and also changed the secret keys in all the WordPress installs.

    Sorry if this is a lengthy post, but I tried to give as much info as possible so someone can help.

    https://www.ads-software.com/plugins/wordfence/
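    The “onfr64_qrpbqr” string from this post is `base64_decode` written in ROT13, a common way to hide a PHP loader from naive signature scans. The following added example (not code from the thread or from Wordfence) scans freshly created PHP files in a site root and its uploads directory for ROT13-spelled decoder names and plain `eval(decoder(...))` loaders; the file-age threshold and the sample strings are assumptions.

```python
import codecs
import re
import time
from pathlib import Path

# Function names whose ROT13 spelling inside a PHP file is a strong indicator of
# obfuscation: ROT13("base64_decode") == "onfr64_qrpbqr", the string from the post.
DANGEROUS_FUNCS = ["base64_decode", "eval", "gzinflate", "gzuncompress", "str_rot13", "assert"]
ROT13_NAMES = {codecs.encode(name, "rot_13"): name for name in DANGEROUS_FUNCS}

# Plain-text loader pattern: eval() fed directly by a decoder, e.g. eval(base64_decode(...)).
LOADER_RE = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def find_indicators(php_source: str) -> list[str]:
    """Return indicator labels found in one file's contents (empty list = nothing found)."""
    found = []
    for rot, plain in ROT13_NAMES.items():
        if re.search(r"\b" + re.escape(rot) + r"\b", php_source):
            found.append(f"rot13({plain})")
    if LOADER_RE.search(php_source):
        found.append("eval(decoder(...))")
    return found

def recent_php_files(root: str, max_age_hours: float = 24.0) -> list[str]:
    """PHP files in the document root or wp-content/uploads modified in the last N hours.

    Dropped files such as sympathy.php land in exactly these places, where a freshly
    created .php file is rarely legitimate (24 h is an assumed threshold).
    """
    cutoff = time.time() - max_age_hours * 3600
    base = Path(root)
    candidates = list(base.glob("*.php")) + list((base / "wp-content" / "uploads").rglob("*.php"))
    return sorted(str(p) for p in candidates if p.is_file() and p.stat().st_mtime >= cutoff)

def scan_site(root: str, max_age_hours: float = 24.0) -> dict[str, list[str]]:
    """Map each recently created PHP file to the indicators found in it."""
    report = {}
    for path in recent_php_files(root, max_age_hours):
        try:
            src = Path(path).read_text(errors="replace")
        except OSError:
            continue
        report[path] = find_indicators(src)
    return report

# Constructed samples (not from the thread) using the ROT13 name the poster reported.
SAMPLE_INFECTED = "<?php $d = str_rot13('onfr64_qrpbqr'); eval($d($p)); ?>"
SAMPLE_CLEAN = "<?php echo 'hello'; ?>"

if __name__ == "__main__":
    import sys
    print(scan_site(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Files that are new but show no indicator still deserve a look: the poster's dropped files contained only links, which no string signature will catch.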

Viewing 13 replies - 1 through 13 (of 13 total)
  • WFBrian

    (@wfbrian)

    Hi,

    Are all of your themes and plug-ins up-to-date? That’s the most common entrance into a site. You’ll start seeing new database entries. Are your servers shared or dedicated?

    I’d recommend updating all themes and plug-ins and disable anything you are not using.

    -Brian

    Thread Starter Gary H

    (@axe6st)

    Brian,
    Thanks for the quick response. All my plugins are up to date, even the ones that are deactivated. I have done my best to remove unused plugins, but since some of the sites are managed by other designers I don’t know all of them. It is a dedicated server, running Windows Server 2008.
    Gary

    raveon

    (@raveon)

    What about FTP? Change passwords to something VERY difficult on every FTP account on that server.

    Thread Starter Gary H

    (@axe6st)

    FTP has been completely turned off at this point for a week, and yet the new files keep appearing. And I have used a strong password generator to create all new passwords for FTP (even though it is turned off) and for all WP users and databases.

    Plugin Author WFMattR

    (@wfmattr)

    @axe6st:

    Sorry to hear you’re still having trouble. We have a guide here, to help in cleaning hacked sites. Some of the more aggressive scan options within Wordfence may find additional files:
    How do I clean my hacked site using Wordfence?

    If this still doesn’t help, can you email me a copy of the site’s access log that covers any time period when a reinfection has occurred? If there is a combined access log for the whole server, that may be best — since there are multiple sites getting infected, the infection may be spreading from site to site. (Depending on how the file permissions and ownership are set, this can happen easily, from one bad file on only one of the sites.)

    -Matt R

    Thread Starter Gary H

    (@axe6st)

    Matt,
    At the moment it appears it is only happening on one site. I am trying to determine what the difference is between that site and the rest. I had followed the recommendations in the article you listed before I posted this. I found one username in the remaining affected site that had not had the password changed, so I changed that last night. Then I also noticed that another site is getting hit hard with a brute force attack that is using existing usernames and changing IP addresses for each hit, thereby circumventing the blocking. So I changed all usernames on that site, and it was blocking each IP address as it happened. But the brute force attack just moved on to the next IP address. That stopped about an hour ago, but I am still investigating.
    At the same time, this morning I noticed the new files appear on the other site again, but this time it happened while I was on the server watching, so I was able to check the live traffic and block the IP address that I think it came from. An IP listed as Yahoo attempted to hit a file that was not there less than a minute after the new files appeared. I can e-mail you logs, but exactly which logs would you want? And I guess I can get your email from your profile?

    Plugin Author WFMattR

    (@wfmattr)

    The site’s “access log” would be the one I would need. If each site has a separate access log, the one from the most recent site that was hit would be good. Sorry, I forgot to include my email address in the last post:
    mattr (at) wordfence.com

    -Matt R

    Thread Starter Gary H

    (@axe6st)

    Thanks Matt, I’m sending it now. It should be coming from gary at gnrcomp.com

    Thread Starter Gary H

    (@axe6st)

    Matt, did you get my email?

    Thread Starter Gary H

    (@axe6st)

    Matt,
    Here’s an update. It happened again last night. I scoured the log files and found a point where someone accessed one of the new pages 4 minutes after it was added, and then accessed a bunch of css files after that. I blocked that ip address using my firewall. That was around midnight last night, and the usual morning files were not there. It’s still too early to tell for sure as it is kind of random, but at this point it has been 14 hours since it last happened. Fingers crossed. I’ll post here again if it happens again.

    Plugin Author WFMattR

    (@wfmattr)

    That’s good to hear — if you look back in the log file to the time when the files were added, you may find a hit on a file that caused them to be added. The visit might be from a different IP, and it may be a few seconds earlier than the date on the files.

    I didn’t get the email that you had sent earlier and it’s not in my spam either — if the problem comes back, you can try sending me a log again. If you have a different email account that you can send it from, that might be best too.

    -Matt R
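    The correlation Matt describes (look backwards from the dropped file's timestamp for the request that caused it, and forwards for the first visit to the new file) is easy to script. This added example is not code from the thread or from Wordfence; it parses combined-format access log lines, and the sample lines, times and addresses are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Combined-format line (Apache style; IIS logs can be exported with the same fields):
# ip - - [dd/Mon/yyyy:HH:MM:SS +zzzz] "METHOD /path HTTP/1.1" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line: str) -> Optional[dict]:
    """Parse one access log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": m.group("path").split("?", 1)[0],
            "status": int(m.group("status")), "ua": m.group("ua")}

def requests_before(lines, dropped_at: datetime, window_s: int = 300) -> list:
    """All requests in the window ending at the dropped file's mtime, newest first."""
    lo = dropped_at - timedelta(seconds=window_s)
    hits = [r for r in map(parse_line, lines) if r and lo <= r["ts"] <= dropped_at]
    return sorted(hits, key=lambda r: r["ts"], reverse=True)

def likely_droppers(lines, dropped_at: datetime, window_s: int = 300) -> list:
    """POSTs to PHP files just before the mtime are the usual trigger; keep only those."""
    return [r for r in requests_before(lines, dropped_at, window_s)
            if r["method"] == "POST" and r["path"].endswith(".php")]

def first_access(lines, path: str, after: datetime) -> Optional[dict]:
    """Earliest request for a dropped file's path after it appeared (the follow-up visit)."""
    hits = [r for r in map(parse_line, lines) if r and r["path"] == path and r["ts"] >= after]
    return min(hits, key=lambda r: r["ts"]) if hits else None

# Constructed sample log: times and addresses are made up, not from the poster's server.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Mar/2017:03:11:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Mar/2017:03:14:41 +0000] "POST /wp-content/uploads/2017/03/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Mar/2017:03:19:10 +0000] "GET /sympathy.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]
# Assumed mtime of the dropped sympathy.php in the sample.
DROPPED_AT = datetime.strptime("14/Mar/2017:03:15:00 +0000", "%d/%b/%Y:%H:%M:%S %z")

if __name__ == "__main__":
    print(likely_droppers(SAMPLE_LOG, DROPPED_AT))
    print(first_access(SAMPLE_LOG, "/sympathy.php", DROPPED_AT))
```

On a shared server, run it over the combined log rather than one site's log, since the triggering POST may hit a file under a different site.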

    Thread Starter Gary H

    (@axe6st)

    Matt,
    The problem is still there, but I have other issues I have to take care of first. But a quick question. I found that port 2105 is open, could that have anything to do with it? (The issue I am trying to repair right now is that the firewall is broken. So I can’t block it until I get that figured out.)

    Plugin Author WFMattR

    (@wfmattr)

    Port 2105 being open might not be a bad sign on a Windows host, but if you don’t use anything that accesses it from outside the host, it might not hurt to block it.

    -Matt R

  • The topic ‘SItes hacked and keeps coming back .. Please help’ is closed to new replies.