• Hi guys,

    Yesterday I spent the whole day cleaning my sites, and some details came to my attention:

    • There was an admin account made: demo (Role: Administrator).
    • A lo.php file was uploaded via the Media Uploader, with the contents phpinfo(); apparently to check the server.
    • Then, on the page set as the homepage, a JavaScript include was inserted, linking to an external file: 188.***.**.***/x.js. For the curious ones: https://pastebin.com/XkBm7yZM. Be careful with that, though.

    We sell WordPress themes, and 70% of the themes were hacked. But no other site on the server was, so I guess they only had a chance on the sites whose URL they had. All themes were updated to 3.5 but had some not-up-to-date plugins (not very, though).

    We did all we could to clean up all attacked installations; Google did a check and no more malware was found last night. It said it did yesterday.

    A weird detail is that I got no email about that admin account that was created. Normally I get an email about a new user on any of our installations.

    Now the question is: how did they access that WP Install?

    1. A bug in WordPress?
    2. Through a not-updated plugin (I think not, because some installs didn't have any third-party plugins)
    3. Database
    4. Or any other way?

    Maybe one of you knows this kind of hacking and can share your experience, because it's all one big question mark to me how they accessed the installs.
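A small triage script, added here as an example and not part of the original post or of WordPress, that checks for the kinds of indicators described above: PHP files sitting in the Media Uploader's directory, script tags loaded from a bare IP address, and wp_usermeta capability values that grant administrator. The directory layout, file names and page fragment it runs on are constructed sample data; the 192.0.2.x address is a documentation range, not the attacker's host.

```python
import os
import re
import tempfile

# Matches a <script src=...> whose host is a bare IPv4 address, as in the
# 188.x.x.x/x.js include described in the post. Captures the IP.
EXTERNAL_IP_SCRIPT = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?(?:https?:)?(?://)?'
    r'(\d{1,3}(?:\.\d{1,3}){3})[^"\'\s>]*',
    re.IGNORECASE,
)

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def find_injected_ip_scripts(html):
    """Return the IP hosts of all script tags loaded from a bare IP address."""
    return EXTERNAL_IP_SCRIPT.findall(html)


def find_php_in_uploads(uploads_dir):
    """Return paths under an uploads directory with a PHP-executable extension.
    The Media Uploader should only ever store media, so any hit is suspect."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if name.lower().endswith(PHP_EXTENSIONS):
                hits.append(os.path.join(root, name))
    return sorted(hits)


def is_admin_capability(meta_value):
    """True if a PHP-serialized wp_capabilities value grants administrator."""
    return '"administrator";b:1' in meta_value


def demo():
    """Run the file and page checks on constructed sample data."""
    with tempfile.TemporaryDirectory() as uploads:
        os.makedirs(os.path.join(uploads, "2013", "01"))
        for rel in ("2013/01/photo.jpg", "2013/01/lo.php"):  # constructed files
            with open(os.path.join(uploads, rel), "w") as fh:
                fh.write("")
        php_names = [os.path.basename(p) for p in find_php_in_uploads(uploads)]
    # Constructed homepage fragment shaped like the injection described above.
    page = ('<p>Welcome</p><script type="text/javascript" '
            'src="http://192.0.2.1/x.js"></script>')
    return php_names, find_injected_ip_scripts(page)


if __name__ == "__main__":
    print(demo())
```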

Viewing 5 replies - 1 through 5 (of 5 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    You ought to ask your hosting providers their opinion, otherwise we’re just hypothesising.

    Thread Starter N33D

    (@n33d)

    Thanks for your response. I did, but they couldn't give me any information about what happened. Maybe I'll give it another shot today and get someone else on the phone who knows more than that other guy yesterday.

    It may be related to hosting. If you are on a shared host or some other person has access to the server, they can directly read the wp-config file and learn your DB info. Then the hacker can create a user directly (bypassing WordPress).

    Check this out: https://www.rafayhackingarticles.net/2012/01/hack-website-on-shared-host-symlink.html

    I know this is a serious problem. I set up a lot of WordPress sites for my clients and rarely face this issue. Usually, I change the default prefix (wp_) to something more specific during the installation, because the default opens you up to many kinds of attacks.

    Combined with good hosting and an updated WordPress version, I can stay away from it.

    I spend most days helping people clear up these types of situations, and I can give you some statistics for the cause.

    About 60% out of the last 100 turn out to be password-related compromises (hacked computer, easy password used, traveling abroad, etc.).

    About 30% are due to outdated plugins or WordPress version ("ah, you have WordPress 2.6 installed currently…" doh!).

    The rest are web host related or due to other unknown reasons.

  • The topic ‘Hacked and Some Questions’ is closed to new replies.