Resolved MonologueHQ

    (@monologuehq)


    We manage a number of WP sites for clients and one such site got hacked recently. I only noticed it by coincidence on Thursday but our hosting company thinks the attack might have taken place on the 24th March as they noticed some files were modified on that date and not by us.

    To make matters worse, we are currently without our web developer so I am trying to sort out the issue myself. I’m not a developer or coder, but have worked with WordPress for a while, albeit on a very basic level!

    The hack resulted in a white screen, nothing else. After some research (Google) I am guessing the intrusion was made through an out of date plug-in. The hosting company sent me an email with the following lines:

    “Our antiVirus scans have found the following suspicious files:

    – /web/wp-content/plugins/revslider/temp/update_extract/revslider.zip: PHP.Namesco.fileManager20140925.UNOFFICIAL FOUND
    – /web/wp-content/plugins/revslider/temp/update_extract/revslider/symlink.php: PHP.Namesco.typoAttemptedBypass.20150218.UNOFFICIAL FOUND
    – /web/wp-content/upgrade/.java.php: PHP.Namesco.wso220141104.UNOFFICIAL FOUND
    – /web/bypass-config.php: PHP.Namesco.dkShell20150126.UNOFFICIAL FOUND”

    They took the site down and placed a copy of the ‘compromised’ files in a zipped folder which I downloaded.

    I have since created a new MySQL database with new username and password. I downloaded WordPress directly from www.ads-software.com and installed it using FTP and PHP Admin. I uploaded the old ‘Uploads’ folder with all the images for the site and downloaded and installed new versions of all plug-ins.

    After a few hours I managed to get the site looking pretty good, with a few images missing here and there. But then I decided to make some changes in the backend (can’t remember exactly what) and now no images show up when I load the site or in the Image Library in WP, and I am getting a lot of ‘403 (Forbidden)’ error codes.

    I have a feeling this could have something to do with permissions? I have checked the permissions on all relevant folders/directories (Uploads, 2014 and 2015) as well as individual image files and they’re all ‘0771’, which I think is what they should be?

    I would appreciate any assistance here as I’m in somewhat unfamiliar territory with all this! I can post links/screenshots if anyone wants more information.

    Thank you kindly!

Viewing 8 replies - 1 through 8 (of 8 total)
  Bill

    (@chubbycrow)

    Commonly, permissions for directories (folders) get set to 0755 (or 0750 to disallow the public), and files to 0644. This will vary according to your hosting/server environment though, so read up on the details here to help figure out your specific needs:
    https://codex.www.ads-software.com/Changing_File_Permissions

    Looks like you were probably hit with the Revslider vulnerability. Be sure to use the most recent version of Revslider if you do want to use that plugin again.

    As for the images, try changing them to 644 permissions like Bill mentioned.

    You’ll also want to import your old database to get all your posts/pages/users back. Revslider infections do not tend to affect the database, so my hunch is that won’t be a problem.

    It would help the WP community if those offering help here were a bit more specific and included links here to their findings related to this issue.

    Without that, all of the above is speculation and quite unconfirmed.
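As an added example (not code from the thread or from WordPress), a small POSIX shell audit of the baseline Bill describes: it lists directories not at 0755 and regular files not at 0644, lists PHP files sitting under wp-content/uploads or wp-content/upgrade (the latter is where the hoster’s scan found `.java.php`; legitimate uploads are media, never PHP), and can reset the baseline. The WordPress root path is a hypothetical argument.

```shell
#!/bin/sh
# Constructed example: permission and stray-PHP audit for a WordPress tree.
# Usage: list_perm_deviations /path/to/wp ; list_php_in_uploads /path/to/wp

# Print every directory whose mode is not exactly 0755 and every regular
# file whose mode is not exactly 0644 (the common baseline; adjust to host).
list_perm_deviations() {
    dir="$1"
    find "$dir" -type d ! -perm 755 -print
    find "$dir" -type f ! -perm 644 -print
}

# Number of deviating paths, handy for a quick pass/fail check.
count_perm_deviations() {
    list_perm_deviations "$1" | wc -l | tr -d ' '
}

# PHP files under the upload/upgrade directories are a common sign of a
# dropped web shell; -name '*.php' also matches dotfiles like .java.php.
list_php_in_uploads() {
    dir="$1"
    for sub in wp-content/uploads wp-content/upgrade; do
        [ -d "$dir/$sub" ] && find "$dir/$sub" -type f -name '*.php' -print
    done
    return 0
}

# Bring the tree back to the baseline: directories 0755, files 0644.
reset_wp_perms() {
    dir="$1"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
}
```

Run the two list functions before deleting anything, so the hoster’s findings can be compared against what is actually on disk.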

    Thread Starter MonologueHQ

    (@monologuehq)

    The Revslider plug-in seems a likely source of the ‘hack’. I have since updated all plugins to the latest versions and purchased new licences (not sure if the original versions had licences). However, the site is still getting the 403 error codes and images aren’t loading. I have checked all permissions and they’re set to 644 for individual image files and 755 for folders/directories. Would my best bet be to do a fresh install on a new database and import the content?

    I have been hacked in the past. But all I did was remove the hacker’s code and change my permissions. My ranking fell, and some other stuff. Some images went missing like yours, but after the removal of the hacker’s code, everything became normal.

    If you think you can do a fresh install and import the content without any error, it’s your call. But know that if the content import fails, you will have no choice but to start afresh.

    My Sincere Apology if I’m a bit harsh on you!

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    @babsomotden, just note that the symptom of the hack, i.e. the spam code, is not the backdoor code.

    Thread Starter MonologueHQ

    (@monologuehq)

    Thanks everyone for your input. Yesterday I managed to get hold of the support team at my hosting company and they reset the Apache permissions on our server. That seems to have set everything right!

    Bill

    (@chubbycrow)

    Glad you got this worked out.

The topic ‘Hacked site – problem getting it back up again.’ is closed to new replies.