• Hi,

    We are web developers and had one of our sites hacked today. The frontpage was replaced with “Hacked by Aktif” and a lot of text etc. We have restored a full backup, but I kept a copy of the hacked site for investigation.

    Through logs we have been able to determine the exact time and what happened, but how it happened I cannot figure out.

    The really strange thing is there is a successful admin user login logged in the raw server logs just before the hack is done. The hack seemed to have hacked the database and also replaced index.php in the twentyfifteen theme.

    Question: We can see the IP of the hacker doing all the mods to the files in the raw server logs. But the raw server logs have the successful admin login coming from the IP of the webserver itself – how can this be?

    Wordfence obviously did not cut it so I am switching to Bulletproof Security and getting the PRO package in the hopes that it is better.

    Anyone have any idea, how can this login succeed?

    Thanks

    Flemming Bo Jensen

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Our website was hacked – login came from server itself’ is closed to new replies.