• I am pretty sure my website has been hacked. Luckily I have installed a security plugin that (among other things) scans my files for any changed files. It has located 3 files which were added at a time when I was not modifying code on my website.

    Upon investigation these files seem highly suspicious. The code in them seems like hacker code (confusing and not normal code), and also, the files added are named extremely similarly to the standard WordPress core files.

    I am looking for help from the community and also to alert the community if this is truly a hack.

    Files added that are suspicious are:
    /wp-logon.php
    /wp-radmin.php
    /wp-content/plugins/tinymce-advanced/mce/code/wp-comments-blog.php

    They were added in the order listed above, seconds apart from one another.

    I am running WordPress version 4.1.1
    I am running Elegant Themes Divi Theme version 2.2 (I will also post on the Elegant Theme support site just in case)

    Plugins running are:
    Admin Menu Editor – Version 1.4.3
    All In One WP Security – Version v3.9.0
    CMS Tree Page View – Version 1.2.31
    Contact Form 7 – Version 4.1.1
    Custom Facebook Feed – Version 2.3.4
    Duplicate Post – Version 2.6
    Enable Media Replace – Version 3.0.3
    Envira Gallery Lite – Version 1.2.1
    Global Content Blocks – Version 2.0.1
    Google Analytics by Yoast – Version 5.3.3
    Google Places Reviews – Version 1.1.3
    Google XML Sitemaps – Version 4.0.8
    Imsanity – Version 2.3.5
    Jetpack by WordPress.com – Version 3.4.3
    Media File Sizes – Version 1.8
    TinyMCE Advanced – Version 4.1.7
    Under Construction – Version 1.12
    User Role Editor – Version 4.18.3
    WordPress SEO – Version 2.0.1
    WP-Optimize – Version 1.8.9.10

    Of course I have no idea what plugin might have been vulnerable, or maybe the theme? I am a very experienced developer, but the honest truth is that I don’t even know where to begin digging through these plugins to determine the breach. Or maybe it was a breach through FTP or through my hosting provider (GoDaddy).

    For now, I have deleted the files, I desperately hope they do not return, but if the security hole is still there then they likely will.

    I will go and update wordpress, every plugin, and change FTP passwords.

    If anyone can suggest other items to look at, please let me know!!

Viewing 11 replies - 1 through 11 (of 11 total)
  • I am sorry to hear your site is damaged. Do you or your hosting company have a full backup of your site? The fastest and most sure way to repair your site is to restore from a backup made before the hack.

    Without a backup your only solution is to repair the site. Follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thread Starter dcrosbie

    (@dcrosbie)

    Yes, I have backups and I have followed as many of the hardening WordPress guidelines as I can. I am aware of all these precautions; I am a website developer who builds WordPress websites for a living.

    What I need help with is to see if anyone else knows about these specific files and, if they have heard of this, what plugins/theme etc. might be the culprit.

    Simply rebuilding my site to pre-hack will fix nothing if I can’t plug the hole.

    Good! I’m glad you are a professional developer. You will likely have a very easy time of repairing this site, if you listen to reason. I repair hacked websites for a living.

    Did you read the guide? If you follow the steps there your hack will not come back. Every hack is different because very few sites have exactly the same themes, plugins and server set-up.

    I understand that the logical process would be to start from the hacked files and work backward to find the point of attack. However, most hacks are an automated process that scans for vulnerabilities and there are often multiple points of entry.

    Thread Starter dcrosbie

    (@dcrosbie)

    I am looking at this from all angles; working back from the hacked files is just one method that I am using to solve this mystery. I thought I might as well ask the community if they have seen these files used in a hack. Your answer is no. I am wondering now if anyone else has.

    In the meantime, while I am waiting to hear back from others, certainly I will continue to investigate the other angles such as the items listed in the Site Hack FAQ.

    Haven’t seen that particular report – but that doesn’t mean much. And FWIW, @wslade answers a LOT of threads on these forums about hacked sites.

    Thread Starter dcrosbie

    (@dcrosbie)

    Great Thanks, I will carry on working through the other hacked todo items.

    Are you sure it wasn’t one of your security plugins that renamed them so they were not easy to find with a bot? I have one that changes the names of those items so they cannot be used by spammers… just an idea.

    Thread Starter dcrosbie

    (@dcrosbie)

    Interesting thought @webpixie. I dug into it a bit and no, my security plugin does not rename. I checked some other websites that use the same plugin and none of them have this problem.

    Your suggestion led me to check my .htaccess file though, to see if anything was being redirected to these new files and indeed there were!!

    Here is what I found in my .htaccess:

    # on the internal sub-request that follows a rewrite, stop here so the rules below do not loop
    RewriteCond %{ENV:REDIRECT_STATUS} 200
    RewriteRule ^ - [L]
    # if the visitor's user agent OR referer names a search engine...
    RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
    RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
    # ...send any single-segment directory-style URL (e.g. /about/) to the dropped wp-radmin.php, with the path as the query string
    RewriteRule ^([^/]*)/$ /wp-radmin.php?$1 [L]

    I removed this from my .htaccess for now. And I will look into this a bit more and post back.

    Thread Starter dcrosbie

    (@dcrosbie)

    So I don’t know tons about htaccess rewrites, but to me this looks like it is trying to take all search engines to wp-radmin.php, which is set up to be a 404 error page.
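    The rewrite block posted above is a search-engine cloaking rule: only visitors whose user agent or referer names a crawler are sent to the dropped script, so the site owner never sees it in a browser. The script below is an added example for this thread, not code from WordPress, Apache or any plugin. It parses an .htaccess file, flags RewriteRules that are keyed on crawler user agents or referers and point at a PHP file that is not a known core file, and simulates which requests a given rule would catch. The core-file list is a hand-picked subset (an assumption), the Apache semantics are a simplified model (per-directory context, only the [OR]/[NC]/[L] flags, no file-system tests for %{REQUEST_FILENAME}), and the sample .htaccess is constructed from the thread's block placed above a stock WordPress block.

```python
"""Detect search-engine cloaking RewriteRules in an .htaccess file and simulate
which requests they catch. Added example for this thread (not WordPress, Apache
or plugin code). Assumptions: WP_CORE_ROOT_FILES is a hand-picked subset of real
WordPress root files; the Apache model is simplified (per-directory context,
only the [OR]/[NC]/[L] flags, no file-system tests for %{REQUEST_FILENAME})."""
import re
from collections import namedtuple
from dataclasses import dataclass

# Crawler names cloaking rules key on; extended beyond the thread's list.
CRAWLER_RE = re.compile(r"google|yahoo|msn|aol|bing|yandex|baidu", re.I)
# Files that legitimately sit in a WordPress root (subset, assumption).
WP_CORE_ROOT_FILES = {"index.php", "wp-login.php", "wp-cron.php", "wp-load.php",
                      "wp-settings.php", "wp-blog-header.php", "wp-comments-post.php",
                      "wp-mail.php", "wp-signup.php", "wp-activate.php", "xmlrpc.php"}
COND_RE = re.compile(r"^RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?")
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?")

Rule = namedtuple("Rule", "line_no pattern target conds")  # conds: guarding RewriteConds, in order

@dataclass
class Cond:
    test: str     # e.g. %{HTTP_USER_AGENT}
    pattern: str  # e.g. (google|yahoo|msn|aol|bing); a leading '!' negates
    flags: set

    def holds(self, env):
        var = self.test.strip("%{}").split(":")[-1]  # %{ENV:X} -> X
        hit = re.search(self.pattern.lstrip("!"), env.get(var, ""),
                        re.I if "NC" in self.flags else 0) is not None
        return hit != self.pattern.startswith("!")

def _flags(s):
    return {f.strip().upper() for f in (s or "").split(",") if f.strip()}

def parse_htaccess(text):
    """Return every RewriteRule with the RewriteCond chain that guards it."""
    rules, pending = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := COND_RE.match(line):
            pending.append(Cond(m.group(1), m.group(2), _flags(m.group(3))))
        elif m := RULE_RE.match(line):
            rules.append(Rule(n, m.group(1), m.group(2), pending))
            pending = []
        else:
            pending = []  # any other directive breaks a RewriteCond chain
    return rules

def conds_hold(conds, env):
    """Evaluate a RewriteCond chain: [OR] joins a cond with the next, else AND."""
    group, open_group = False, False
    for c in conds:
        group, open_group = group or c.holds(env), True
        if "OR" not in c.flags:
            if not group:
                return False
            group, open_group = False, False
    return group if open_group else True

def rewrite(rules, path, env):
    """Substitution the first matching rule applies to `path`, or None if the request
    passes through. In .htaccess context the leading '/' is not part of the tested string."""
    rel = path.lstrip("/")
    for r in rules:
        m = re.search(r.pattern, rel)
        if m and conds_hold(r.conds, env):
            if r.target == "-":
                return None  # '-' means no substitution; [L] ends the pass
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), r.target)
    return None

def find_cloaking_rules(rules):
    """Flag rules keyed on a crawler UA/referer whose target is a PHP script that is
    not a known core file: the pattern posted in the thread."""
    out = []
    for r in rules:
        crawler = any(c.test in ("%{HTTP_USER_AGENT}", "%{HTTP_REFERER}")
                      and CRAWLER_RE.search(c.pattern) for c in r.conds)
        script = r.target.split("?", 1)[0].rsplit("/", 1)[-1]
        if crawler and script.endswith(".php") and script not in WP_CORE_ROOT_FILES:
            out.append({"line": r.line_no, "script": script, "target": r.target,
                        "lookalike": script.startswith("wp-")})  # named like a core file
    return out

# Constructed sample: the thread's block placed above a stock WordPress block.
SAMPLE_HTACCESS = r"""RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^([^/]*)/$ /wp-radmin.php?$1 [L]
# BEGIN WordPress
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

if __name__ == "__main__":
    rules = parse_htaccess(SAMPLE_HTACCESS)
    for f in find_cloaking_rules(rules):
        print(f"line {f['line']}: crawler-only rewrite to {f['target']}")
    print(rewrite(rules, "/about/", {"HTTP_USER_AGENT": GOOGLEBOT}))  # /wp-radmin.php?about
```

    Two details worth noting when reading the output: the crawler patterns in the posted rule are case-sensitive, so it is the lowercase "google" inside the bot's URL, not the "Googlebot" token, that triggers it; and the pattern ^([^/]*)/$ only matches single-segment URLs such as /about/, so deeper paths fall through to the normal WordPress rule. Run the detector over every .htaccess in the web root (attackers also drop them into wp-content and wp-includes), not just the top-level one.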

    Two of my clients’ sites on GoDaddy have been hacked with a variant of this. So far, out of all my clients, ONLY sites on GoDaddy have been infected.

    The reverse-engineered files point to a backdoor / malware download and shell install from: v-fish-ka.ru

    It doesn’t appear that the curl download and shell install executed. So I’m doubtful the backdoor was actually installed. However, it’s still unnerving that the hacker was able to edit the .htaccess and add the malware install script to the site’s root.

    One of the infected sites is pretty buttoned up security-wise. I’m leaning towards believing this attack is systemic on GoDaddy’s servers rather than being a WordPress related vulnerability.

    Any vulnerable code in your web site may be exploited. Some time in 2014, I started receiving bounced e-mail messages saying that the recipient was not found. I found out that my website was being used as a spambot through a vulnerability in phpMyAdmin:

    Exploiting phpMyadmin: How to Get root in 15 Easy Steps
    https://www.informit.com/articles/article.aspx?p=1407358&seqNum=2

    Since my web site is mostly HTML, I removed all the PHP code, including WP. I then reinstalled WP, but I have never reinstalled phpMyAdmin.

  • The topic ‘Possible Hack Alert’ is closed to new replies.