• Resolved posword

    (@posword)


    I’m now convinced I’ve been hacked (www.peterwade.com). In mid-February my footer menu and footer widgets failed to display (and still don’t).

    This week I discovered a difference between the number of Administrator users in the heading and the number showing in the user list, and through another post I was able to go into the database and remove it (but I still don’t know how to stop others doing the same).

    Prior to this I had a widget in the footer that displays a random quote and it stopped working, and a few days ago I noticed that a plugin that enabled PHP to run in a widget had been disabled.

    Now, overnight five comments on the latest post, which yesterday were displaying correctly, are now associated with the previous post and just one new comment is showing. Again I went into the database and corrected that.

    I’ve deleted all users except myself, and went looking for FTP logs, which have now disappeared!

    So all the above are just malicious annoyances, but in spite of Akismet, Bad Behavior, and the like, I am apparently still wide open to attack. I need help on the problem in the first paragraph and I’d appreciate any advice on how all this is happening.

    Peter

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator t-p

    (@t-p)

    Sucuri SiteCheck indicates your site to be free of malware: https://sitecheck.sucuri.net/results/www.peterwade.com

    Try implementing some (if not all) of the recommended security measures.

    Posword, I have the same problem — two “invisible” spurious users, one an admin. Can you point me to a reference showing how to locate and remove them from the database? Thanks for any help. Bob

    Moderator t-p

    (@t-p)

    Hi @posword and @tara

    What is being described isn’t something that SiteCheck would detect. SiteCheck works to identify security issues that display in a user’s browser. Think things like malware distribution, malicious redirects, SEO spam, etc.

    So just because it’s green, doesn’t mean that your environment hasn’t been hacked. It could be being leveraged for some other nefarious act.

    Unfortunately, changing the passwords on FTP / WP-ADMIN are only the first of many steps that need to be taken. In fact, here is a list we’ve put together that we share with our own customers, but would be just as valuable for you: https://sucuri.net/website-security/what-to-do-after-a-website-hack.php

    Here is also a document we put together a few years ago, but still applicable today of things you could do specifically with your local WordPress install: https://blog.sucuri.net/2012/11/website-malware-removal-ftp-tips-tricks.html

    Lastly, don’t forget to spend some time looking at this page on the codex: https://codex.www.ads-software.com/Hardening_WordPress. It’ll help you think through the various hardening steps you should consider.

    Yes, this can all be a bit overwhelming, but such is the world with security. The biggest thing you need to be asking yourself is how they are getting in and how new users are being added. If it’s in fact related to something an admin is doing, then great. But if it’s something no one on your team is doing, then that’s a problem. And the thing you need to be most aware of is the addition of things like backdoors and the sort that allow bad actors to circumvent any existing controls placed on your access nodes.

    Hope this helps.

    Thanks

    Thread Starter posword

    (@posword)

    In order to help me decide which monthly backup to reinstall, can anyone decode the date [usersettingstime] in the first line of this entry for the “invisible administrator” from user_meta table:

    (71, 8, 'dbnameusersettingstime', '1267752775'),
    (70, 8, 'dbnameusersettings', 'm4=c&m3=c&m2=c&m8=c&m5=o&m6=c&m9=c&editor=html&imgsize=full'),
    (68, 8, 'dbnameuser_level', '0'),
    (66, 8, 'admin_color', 'fresh'),
    (67, 8, 'dbnamecapabilities', 'a:1:{s:13:"administrator";b:1;}'),
    (65, 8, 'comment_shortcuts', 'false'),
    (64, 8, 'rich_editing', 'true'),
    (63, 8, 'nickname', 'removed'),
    (62, 8, 'last_name', 'removed'),
    (61, 8, 'first_name', 'removed'),
    (73, 8, 'screen_layout_page', '2'),
    (74, 8, 'dbnameautosave_draft_ids', 'a:1:{i:-1267752318;i:414;}'),
    (75, 8, 'closedpostboxes_page', 'a:2:{i:0;s:10:"postcustom";i:1;s:16:"commentstatusdiv";}'),
    (76, 8, 'metaboxhidden_page', 'a:1:{i:0;s:7:"slugdiv";}'),

    Assuming this was the hacker, is there anything else that can be learnt from these entries?

    Thanks,
    Peter
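The questions in the post above (what the `usersettingstime` value means, and what the rest of the rows say) come down to two things: the value is a Unix timestamp in seconds, and the `capabilities` value is a PHP-serialized array. The script below is an added example, not code from the thread or from WordPress: it parses rows in the shape posted above, unserializes the capability arrays to list every user ID that holds `administrator` in the database (the dashboard user list is not consulted, which is exactly why a hidden admin shows up), and renders the timestamps in UTC. The sample input reuses the rows for user 8 with the `dbname` placeholder the poster used for the table prefix, plus two constructed rows for a user 1 and a user 3 for contrast. The reading of the negative key in `autosave_draft_ids` as a negated autosave time is an assumption based on older WordPress behaviour.

```python
"""Audit a wp_usermeta dump for administrator capabilities and timestamps."""
import re
from datetime import datetime, timezone

# Rows as posted above (user 8, table prefix shown as 'dbname'), plus two
# CONSTRUCTED rows for user 1 (an administrator) and user 3 (a subscriber).
SAMPLE_DUMP = """
(71, 8, 'dbnameusersettingstime', '1267752775'),
(68, 8, 'dbnameuser_level', '0'),
(67, 8, 'dbnamecapabilities', 'a:1:{s:13:"administrator";b:1;}'),
(63, 8, 'nickname', 'removed'),
(74, 8, 'dbnameautosave_draft_ids', 'a:1:{i:-1267752318;i:414;}'),
(12, 1, 'dbnamecapabilities', 'a:1:{s:13:"administrator";b:1;}'),
(13, 1, 'dbnameuser_level', '10'),
(30, 3, 'dbnamecapabilities', 'a:1:{s:10:"subscriber";b:1;}'),
"""

# One INSERT value row: (umeta_id, user_id, 'meta_key', 'meta_value')
_ROW = re.compile(r"\(\s*(\d+)\s*,\s*(\d+)\s*,\s*'([^']*)'\s*,\s*'([^']*)'\s*\)")
# Forum software often rewrites quotes as curly ones; undo that before parsing.
_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})


def parse_usermeta_dump(text):
    """Return (umeta_id, user_id, meta_key, meta_value) tuples from dump rows."""
    text = text.translate(_QUOTES)
    return [(int(a), int(b), k, v) for a, b, k, v in _ROW.findall(text)]


def _unserialize(s, pos):
    # Minimal PHP unserialize for the types WordPress user meta uses:
    # b (bool), i (int), s (string), a (array). PHP string lengths are byte
    # counts; for the ASCII values here that equals the character count.
    kind = s[pos]
    if kind in "bi":
        end = s.index(";", pos)
        raw = s[pos + 2:end]
        return (raw == "1") if kind == "b" else int(raw), end + 1
    if kind == "s":
        colon = s.index(":", pos + 2)
        length = int(s[pos + 2:colon])
        start = colon + 2                                    # skip ':"'
        return s[start:start + length], start + length + 2   # skip '";'
    if kind == "a":
        colon = s.index(":", pos + 2)
        count = int(s[pos + 2:colon])
        p, out = colon + 2, {}                               # skip ':{'
        for _ in range(count):
            key, p = _unserialize(s, p)
            out[key], p = _unserialize(s, p)
        return out, p + 1                                    # skip '}'
    raise ValueError(f"unsupported PHP type {kind!r} at offset {pos}")


def php_unserialize(s):
    value, end = _unserialize(s, 0)
    if end != len(s):
        raise ValueError("trailing data after serialized value")
    return value


def administrators(rows):
    """User IDs whose capabilities array grants 'administrator', whether or
    not the dashboard user list shows them."""
    admins = set()
    for _, user_id, key, value in rows:
        if key.endswith("capabilities"):
            caps = php_unserialize(value)
            if isinstance(caps, dict) and caps.get("administrator") is True:
                admins.add(user_id)
    return sorted(admins)


def utc(seconds):
    """Render a Unix timestamp (seconds) as a UTC date string."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def timeline(rows):
    """(user_id, UTC time, description) for every meta value carrying a time:
    usersettingstime, and the negated timestamps used as keys in
    autosave_draft_ids (ASSUMPTION: key is -time() at autosave -> post ID)."""
    events = []
    for _, user_id, key, value in rows:
        if key.endswith("usersettingstime"):
            events.append((user_id, utc(value), key))
        elif key.endswith("autosave_draft_ids"):
            for neg_ts, post_id in php_unserialize(value).items():
                events.append((user_id, utc(-neg_ts), f"{key} post {post_id}"))
    return sorted(events, key=lambda e: e[1])


# To run the same check live in MySQL (substitute the site's real prefix for wp_):
#   SELECT u.ID, u.user_login, u.user_registered, m.meta_value
#   FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#   WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%';

if __name__ == "__main__":
    rows = parse_usermeta_dump(SAMPLE_DUMP)
    print("administrators in the database:", administrators(rows))
    for user_id, when, what in timeline(rows):
        print(f"user {user_id}  {when}  {what}")
```

Run on the posted rows this reports user 8 as an administrator alongside the constructed user 1, and dates its `usersettingstime` to 2010-03-05 01:32:55 UTC, with the autosave entry a few minutes earlier; the database query in the comment lists every administrator the `wp_users`/`wp_usermeta` tables actually contain, which is the list to compare against the dashboard count.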

    Thread Starter posword

    (@posword)

    I’ve got someone working on restoring and hardening the site. They have already found two other admin users who had not been added in the correct way and were not showing in the Dashboard but were in the database.

    Thanks to everyone for your help and advice.

  • The topic ‘Hacked; what to do next’ is closed to new replies.