Latest WP but still hacked with RFI

  • Had a message from my host tonight saying that I’ve been hacked – the following files *at least* are compromised:

    ./MYDOMAIN/public_html/archive.php: PHP.C99-13 FOUND
    ./MYDOMAIN/public_html/admin.php: PHP.ShellExec FOUND
    ./MYDOMAIN/public_html/htdocs.php: PHP.Mailer-7 FOUND
    ./MYDOMAIN/public_html/wp-content/themes/MyCuisine/log.php: PHP.ShellExec FOUND
    ./MYDOMAIN/public_html/wp-content/themes/MyCuisine/cache/newfile.php: PHP.ShellExec FOUND

    Not clued up on this sort of stuff, but Googling PHP.99-13 took me to a Wikipedia page about Remote File Inclusion. Of course I can simply upload fresh copies of these files from a backup, but how have I been infected, and how do I ensure I’ve not left the door open for the files to be overwritten by the hack again?

    Any and all advice gratefully received – my host is threatening to remove the site unless I get it sorted. Damn hackers, I would genuinely support legislation to kill them on conviction of a first offence ??

Viewing 3 replies - 1 through 3 (of 3 total)

  • Of all of these reports, only public_html/wp-content/themes/MyCuisine/log.php is directly related to WordPress. Have a look at these resources:
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
    https://www.ads-software.com/support/topic/268083#post-1065779
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    https://ottopress.com/2009/hacked-wordpress-backdoors/

    With the other files, I guess they were left behind by the hacker, so you can just delete them.

    Thread Starter travellers

    (@travellers)

    Well yes I can follow that. My machine comes back clean, and I’m guessing my host isn’t responsible since it was him who discovered it and notified me. I’ve changed all my passwords across the board, cpanel, wp admin, etc. And I can restore backups of the files and the database.
    But none of that does anything about how they got in in the first place. They certainly didn’t guess any passwords – none of those is less than a dozen characters that are all random symbols. I’m running the latest version of WP, all my plugins and theme are up to date. If I can’t close the back door, all I’m doing is rearranging deckchairs on the Titanic – the hacked files will be back next time the hacker’s bot stops by!

    But none of that does anything about how they got in in the first place.

    It could have been via an insecure plugin or theme. Or it could have been somewhere else on the server and nothing to do with WP at all. Another possibility is FTP. A lot of hackers are now sniffing insecure FTP connections, so use SFTP/encrypted FTP whenever possible.

    That last link in the list above gives a pretty good tutorial on hunting down hacker back doors.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Latest WP but still hacked with RFI’ is closed to new replies.