• Resolved Timvg (@timvangorp)

    Hi

    I noticed I’ve been hacked today within 5 visits. Out of the blue he managed to create a new admin account:

    Pakistan left https://xxx.com/wp-login.php?redirect_to=https%3A%2F%2Fxxxx.com%2Fwp-admin%2F&reauth=1 and logged in successfully as “newadmin”. https://xxx.com/wp-login.php
    8-9-2017 17:44:58 (10 hours 49 mins ago) IP: 202.69.11.205 [unblock] Hostname: 202.69.11.205
    Browser: Chrome version 60.0 running on Win7
    Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

    Pakistan Pakistan left https://xxx.com/wp-login.php?redirect_to=https%3A%2F%2Fxxx.com%2Fwp-admin%2F&reauth=1 and visited https://xxx.com/?wordfence_logHuman=1&hid=EE69B014B31E375D862D5587C7EC6B84&r=0.7237531057894755
    8-9-2017 17:44:55 (10 hours 49 mins ago) IP: 202.69.11.205 [unblock] Hostname: 202.69.11.205
    Browser: Chrome version 60.0 running on Win7
    Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

    Pakistan Pakistan visited https://xxx.com/wp-login.php?redirect_to=https%3A%2F%2Fxxx.com%2Fwp-admin%2F&reauth=1
    8-9-2017 17:44:50 (10 hours 49 mins ago) IP: 202.69.11.205 [unblock] Hostname: 202.69.11.205
    Browser: Chrome version 60.0 running on Win7
    Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

    Pakistan Pakistan visited https://xxx.com/wp-login.php?redirect_to=https%3A%2F%2Fxxx.com%2Fwp-admin%2F&reauth=1
    8-9-2017 17:44:47 (10 hours 49 mins ago) IP: 202.69.11.205 [unblock] Hostname: 202.69.11.205
    Browser: Chrome version 60.0 running on Win7
    Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

    Pakistan Pakistan visited https://xxx.com/ad.php
    8-9-2017 17:37:55 (10 hours 56 mins ago) IP: 202.69.11.205 [unblock] Hostname: 202.69.11.205
    Browser: Chrome version 60.0 running on Win7

    It looks like he managed this through ad.php? (I have no idea what that file does, it’s not in my public_html either.) My Firewall was still in learning mode and it added this file to the whitelist. I’ve completely cleared the whitelist after and changed it from Learning to Enabled…

    (PS: I’ve got all the latest versions and took extra steps securing ftp permissions, htaccess, wp-config,… my host confirmed that no files were changed after his visit.)

    In order to learn from it and prevent this in the future: Am I right thinking this could’ve been the weak spot? Also, if I were to have a premium account, I assume the two-step login wouldn’t have kept me safe in this case either. Right?

    Thank you for your insight.

    Have a nice day,
    Tim

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi @timvangorp,

    That file was most likely a PHP backdoor previously placed in your site's main folder by the attacker and which was deleted after the intrusion.

    This could’ve been done using a vulnerability in another plugin or a theme, prior to or right after the installation of Wordfence (I assume that your Firewall was still in learning mode because the installation of Wordfence was recent enough).

    The “Two Factor Authentication” will only prevent logging in with compromised credentials.

    However, we do have a feature that watches for admin user accounts not created through the normal WordPress user creation form, which can help with some vulnerabilities though not all.

    These types of PHP file upload compromises are typically the result of a plugin or theme allowing file uploads but not validating the type, content, or permission level needed to do so.

    What I strongly advise at this stage, is that you follow our site cleaning guide in order to ensure your site’s integrity.
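The reply above blames most PHP-backdoor uploads on a plugin or theme that accepts a file without validating its type, its content, or the permission level of the uploader. The following is an added illustration of what those three checks look like in one place; it is constructed for this thread and is not Wordfence or WordPress code. The function name, the allowlist of image types, the size cap and the sample inputs are assumptions.

```python
"""Illustrative upload validator (added example, not Wordfence or WordPress code).

Three checks the reply above says are usually missing: the caller's permission
level, the declared file type, and the actual file content. The allowlist,
size cap and function name are assumptions made for this example.
"""
import os

# Allowed extensions mapped to the magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a web server might execute; refused anywhere in the name, so
# "backdoor.php.png" is rejected as well as "ad.php".
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                   "cgi", "pl", "py", "sh", "htaccess"}
MAX_BYTES = 5 * 1024 * 1024  # assumed cap


def validate_upload(filename, data, user_can_upload):
    """Return (ok, reason); ok is True only when every check passes."""
    # 1. Permission level: the request must come from a user allowed to upload.
    if not user_can_upload:
        return False, "caller lacks the upload capability"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    # 2. Declared type: no path components, no executable extension anywhere,
    #    and the final extension must be on the allowlist.
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False, "path components not allowed in filename"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return False, "executable extension present"
    ext = parts[-1]
    magics = ALLOWED_TYPES.get(ext)
    if magics is None:
        return False, f"extension .{ext} not in allowlist"
    # 3. Content: the bytes must match the declared type, and an image body
    #    carrying a PHP open tag is a polyglot, not a picture.
    if not any(data.startswith(m) for m in magics):
        return False, "content does not match declared type"
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag in content"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: a real PNG header and the kind of file the thread describes.
    print(validate_upload("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, True))
    print(validate_upload("ad.php", b"<?php echo 1;", True))
```

The order matters: the permission check runs first so an unauthenticated request never reaches the content parser, and the extension check rejects executable suffixes in any position rather than only at the end.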

    Thread Starter Timvg

    (@timvangorp)

    Thank you for your kind and clear reply @wfyann

    Does that feature actually disable admin user accounts created outside of WordPress, or does it simply send a notification?

    I assume the same. I’ve been working on that site daily to launch it soon, and I’ve never seen an ad.php in public_html though. Is there any way to trace how he did it?

    And thank you for the cleanup advice link. I’ve asked my host to reset to a backup of the previous day – no ad.php file anywhere to be found btw – and set only my IP to log in for now. I’ll do a manual cleanup by deleting and uploading all of the WP files as well.

    I was just about to go Premium before the hack. Ironic…

    Have a nice day.

    Hi @timvangorp,

    The “Scan for admin users created outside of WordPress” feature is a scanning option, so it will only report the presence of such account(s).

    As for tracing how it was done, at this stage it amounts to finding a needle in a haystack; you’d have to check if any of the themes or plugins on your site have a known (or suspected) vulnerability and also check the web server logs to try and find anything related to the attacker IP address.

    Then again, the request used to upload that PHP backdoor file might not (or no longer) appear anywhere in the logs.

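The last reply says tracing the intrusion comes down to checking the web server logs for anything tied to the attacker's IP address. The script below is an added example of that triage, not Wordfence code: it parses Apache "combined" log lines, lists requests from one address, flags hits to PHP files that are not normal WordPress entry points (the ad.php in this thread), and pairs each wp-login.php POST that ended in a redirect with an earlier unknown-PHP hit from the same address. The sample lines are constructed to mirror the timeline posted above; the IP and paths come from the thread, while the timestamps in log format, the second address and the status codes are assumptions.

```python
"""Web-server log triage for the timeline in this thread (added example).

Parses Apache combined-format lines, isolates one client IP, flags PHP files
that are not WordPress entry points, and ties a redirecting wp-login.php POST
back to an earlier unknown-PHP hit from the same address. The log lines are
constructed; only the attacker IP and the paths come from the thread.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths WordPress itself serves; any other .php hit is worth a look.
KNOWN_PHP_PREFIXES = ("/index.php", "/wp-login.php", "/wp-cron.php",
                      "/xmlrpc.php", "/wp-comments-post.php", "/wp-admin/",
                      "/wp-includes/", "/wp-content/")

UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")
LOGIN = "/wp-login.php?redirect_to=https%3A%2F%2Fxxx.com%2Fwp-admin%2F&reauth=1"

# Constructed sample log: a benign visitor (203.0.113.7, assumed) plus the
# sequence described in the post. A successful WordPress login answers the
# POST with a 302 to wp-admin; a failed one re-renders the form with 200.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [08/Sep/2017:17:30:02 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'202.69.11.205 - - [08/Sep/2017:17:37:55 +0200] "GET /ad.php HTTP/1.1" 200 312 "-" "{UA}"',
    f'202.69.11.205 - - [08/Sep/2017:17:44:47 +0200] "GET {LOGIN} HTTP/1.1" 200 2210 "-" "{UA}"',
    f'202.69.11.205 - - [08/Sep/2017:17:44:58 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "https://xxx.com{LOGIN}" "{UA}"',
    f'202.69.11.205 - - [08/Sep/2017:17:44:59 +0200] "GET /wp-admin/ HTTP/1.1" 200 41000 "https://xxx.com/wp-login.php" "{UA}"',
    '203.0.113.7 - - [08/Sep/2017:17:50:10 +0200] "POST /wp-login.php HTTP/1.1" 200 2210 "https://xxx.com/wp-login.php" "Mozilla/5.0"',
])


def parse_log(text):
    """Turn combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = e["path"].split("?", 1)[0]  # drop the query string
        entries.append(e)
    return entries


def is_unknown_php(path):
    """True for a .php path outside the WordPress entry points (or under uploads)."""
    if not path.lower().endswith(".php"):
        return False
    if path.startswith("/wp-content/uploads/"):
        return True  # PHP under the uploads directory is never legitimate
    return not path.startswith(KNOWN_PHP_PREFIXES)


def requests_from(entries, ip):
    return [e for e in entries if e["ip"] == ip]


def unknown_php_hits(entries):
    return [e for e in entries if is_unknown_php(e["path"])]


def logins_preceded_by_unknown_php(entries, window_seconds=3600):
    """Pair each redirecting wp-login.php POST with earlier unknown-PHP hits by the same IP."""
    findings = []
    for e in entries:
        if e["method"] == "POST" and e["path"] == "/wp-login.php" and e["status"] == "302":
            for p in entries:
                gap = (e["time"] - p["time"]).total_seconds()
                if p["ip"] == e["ip"] and is_unknown_php(p["path"]) and 0 <= gap <= window_seconds:
                    findings.append((e["ip"], p["path"], p["time"].isoformat(), e["time"].isoformat()))
    return findings


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in unknown_php_hits(entries):
        print("unknown PHP:", e["ip"], e["time"], e["path"], e["status"])
    for f in logins_preceded_by_unknown_php(entries):
        print("login after unknown PHP:", f)
```

Pointing `parse_log` at a real access log instead of `SAMPLE_LOG` gives the two lists the reply suggests looking for; as it also warns, the request that originally dropped the backdoor may have been rotated out of the logs, so an empty result for the upload is not proof that it never happened.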
  • The topic ‘Hacked (ad.php ?)’ is closed to new replies.