• I was hacked by the Moroccan Agent Secret recently. Copying over my htdocs seemed to take care of the problem. I am using the latest version of Wordfence.

    However, I still cannot log in to the wp-admin side of my site. I get a Fatal error: Call to undefined function curl_init() in /htdocs/www/wp-content/plugins/wordfence/lib/wordfenceClass.php on line 922 message.

    Looking at line 922 I see this: $curl = curl_init('https://noc3.wordfence.com:9050/hackAttempt/?k=' . wfConfig::get('apiKey') . '&IP=' . wfUtils::inet_aton($IP) . '&t=' . $type );

    I’m not sure what to do next.

    I tried renaming the wordfence folder in the plugins folder via FTP, but then I get ‘unrecognized username’ when I try to log in to wp-admin.

    https://www.ads-software.com/plugins/wordfence/

Viewing 15 replies - 16 through 30 (of 30 total)
  • Hum, just to be sure, you went to the wp-users row then you clicked on browse? The browse is a link on the same row as wp-user and is not a tab.

    If you follow the directions, and don’t see the user log data, then try repairing the database. Go back to the first of phpMyAdmin, you will see all the tables. Go to the bottom, check all, then Repair table from the dropdown.

    Retry the instructions. If you still don’t see what is in the instructions, then it’s time to talk to support.

    I’m going for coffee… let me know what you find.

    Thread Starter lpelham

    (@lpelham)

    I certainly thank you for helping me through this. I’ve learned tons just today.
    Here are all the tables.. https://eickertrealty.com/wp-content/uploads/2015/03/tables.JPG and yes, I was clicking browse here (when it is available). Some don’t let me browse.

    Interesting..The storage engine for the table doesn’t support repair

    In the wp_wfReverseCache I see the IPs of the likely intruders.. Ukraine and Russia .. grrr..

    Thread Starter lpelham

    (@lpelham)

    Is it odd that some of my tables are in latin1_swedish_ci format?

    My bad, I didn’t think to ask – THERE ARE NO USERS! Have you already opened a ticket or can you keep going?

    The diff in format is ok.

    Thread Starter lpelham

    (@lpelham)

    I opened a ticket with my provider. I see the same network in my wfCrawlers table..

    Wouldn’t I just be best to delete this database?

    Well, we know this DB is hacked, right?

    If you have a known good DB then yes, that’s the best plan. So is restoring all the files from backup too.

    Are there backups available?

    Thread Starter lpelham

    (@lpelham)

    Yes, I have known good backups of my db..

    I thank you for your time. I can handle it from here.. <I think>

    You did a great job! If you have a backup of your files also, that’s the best way to know your whole site is safe.

    Otherwise, carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you don’t get all the malware, it just keeps coming back.

    Thread Starter lpelham

    (@lpelham)

    I’ve lost my confidence lately. I use Wordfence and have it cranked down really tight. But I have learned a whole new world now, thanks to you!

    Thank you for your kind comments. I enjoy working with someone who has your attitude. When someone asks “what’s a FTP? or who is my host?”, I know I’m in for a rough time.

    I don’t think you were ever ah, unhacked, if that’s a word. It only takes missing one back door and your site can be damaged again.

    Two last suggestions, you picked an excellent tool in Wordfence. When you can get back into your Dashboard, go to Wordfence > Options > Scans to include > check ALL the boxes and then scan.

    And I suggest an ice cream cone with sprinkles…

    Thread Starter lpelham

    (@lpelham)

    haha, thanks!

    I have a similar problem but I don’t think I was hacked. I’m locked down pretty tight but I’m getting the same blank screen when trying to access the admin page from outside the trusted network….and get this….only when using a PC-based browser. I can access it with my iPhone and I can access it inside my trusted network. I get the same error on line 922 curl script.
    hmmmmm

    Sorry…should start a new thread when asking for help. Just wasn’t sure if I was asking yet…

    I’m not happy to say it but by definition your site is hacked. A normal healthy WordPress installation doesn’t act as you describe yours acting.

    Do you have a complete backup from before you first noticed the unusual action? If not, maybe your host can provide a usable backup.

    Even though there are similarities between your symptoms and those of @lpelham, your damage could be very different. I do feel it’s important to find a backup of your database or be prepared to spend some time cleaning the database.

    Then carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    wslade,

    I looked back through the error logs and found that the curl error started directly after the installation of Wordfence. This may be a missing library or??? I reinstalled php5-curl yesterday and have not logged the error since….but still watching.

    I’m having a bit of a problem troubleshooting Wordfence and I had followed the guide and implemented most of the security measures directly after installing WordPress.

    I host my own server and I do have a backup. I will check the database closely today.

    Strange how this works from my iOS device (trusted or non-trusted networks) and from home via a PC browser but not from outside. I’ve been checking security to see if I created some other problem….

    Open to ideas and will post results as I learn…
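
The error-log check described in the last reply, as an added example that is not part of the original thread or of Wordfence: it groups "Call to undefined function" fatals by call site and reports when each first appeared, so the start of the error can be compared with plugin or package changes. The log lines are constructed in the Apache 2.2 error-log style (timestamps and client IPs are invented), and the function names and the prefix-to-extension table are assumptions of this example.

```python
import re

from datetime import datetime

# Constructed sample; the message and path mirror the error quoted in this thread.
SAMPLE_LOG = """\
[Mon Mar 09 10:02:11 2015] [error] [client 203.0.113.7] PHP Notice:  Undefined index: page in /htdocs/www/wp-content/themes/x/functions.php on line 40
[Tue Mar 10 08:15:42 2015] [error] [client 198.51.100.23] PHP Fatal error:  Call to undefined function curl_init() in /htdocs/www/wp-content/plugins/wordfence/lib/wordfenceClass.php on line 922
[Tue Mar 10 08:16:03 2015] [error] [client 198.51.100.23] PHP Fatal error:  Call to undefined function curl_init() in /htdocs/www/wp-content/plugins/wordfence/lib/wordfenceClass.php on line 922, referer: https://example.test/wp-login.php
[Wed Mar 11 19:40:00 2015] [error] [client 192.0.2.55] PHP Fatal error:  Call to undefined function curl_init() in /htdocs/www/wp-content/plugins/wordfence/lib/wordfenceClass.php on line 922
"""

FATAL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?\[client (?P<ip>[^\]]+)\].*?"
    r"Call to undefined function (?P<func>\w+)\(\) "
    r"in (?P<file>\S+) on line (?P<line>\d+)"
)

# Function-name prefixes and the PHP extension that normally provides them.
EXTENSION_BY_PREFIX = {"curl_": "curl", "mb_": "mbstring", "mysqli_": "mysqli"}

def guess_extension(func):
    """Return the likely missing PHP extension, or None if the prefix is unknown."""
    for prefix, ext in EXTENSION_BY_PREFIX.items():
        if func.startswith(prefix):
            return ext
    return None

def summarize_undefined_calls(log_text):
    """Group undefined-function fatals by (function, file, line)."""
    findings = {}
    for raw in log_text.splitlines():
        m = FATAL_RE.match(raw)
        if not m:
            continue  # notices, warnings and unrelated lines are skipped
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        key = (m["func"], m["file"], int(m["line"]))
        entry = findings.setdefault(key, {
            "count": 0, "first_seen": ts, "last_seen": ts,
            "clients": set(), "extension": guess_extension(m["func"]),
        })
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["clients"].add(m["ip"])
    return findings

if __name__ == "__main__":
    for (func, path, line), e in summarize_undefined_calls(SAMPLE_LOG).items():
        print(f"{func}() at {path}:{line} x{e['count']}, first seen "
              f"{e['first_seen']}, likely missing extension: {e['extension']}")
```
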

  • The topic ‘Recovering after a hack’ is closed to new replies.