• Hello all,

    The tech support company I work for was asked by one of our clients to provide assistance when their hosted WordPress site told them that their allotted disk space (100 GB) was used up.

    Our support is mostly hardware so we are not WordPress experts, but when I saw a file structure like this I got a very bad feeling:

    www.oursite.com
      html/[All Things WordPress]
      tmp/x/x/x/[randomfilenames] *
    
    *where x is a hex number between 0 and f

    This file structure held over 1,000,000 base64 files that turned out to be fully formed bogus webpages based on their real site’s look and feel.

    I was able to un-encode some of it but have not been able to completely see what it does. But I suspect it is an attempt to hijack the site and show bad things to their viewers that arrive via a web search…

    I said all that to ask whether anyone has seen this behavior before. I saw tmp files going back to 2015, so it has been in place for some time, but googling is not turning up anything usable in this case.

    When I searched for worldfence-waf I saw a few more sites that may have this installed as well (on this site you see an error message that mentions worldfence-waf in the blue stripe at the top of the page: [ redacted ]. You only see the error message if you get there from a search), but no discussions on any forum…

    I used unPHP to see some of the code. Here are the first few lines of the worldfence file:

    [ REDACTED ]

    As you can see, there are PHP functions, but everything in the function is commented out (/*…*/).

    Does anyone have any thoughts or pointers to where this topic might fit better?

    • This topic was modified 6 years, 6 months ago by roadware.
    • This topic was modified 6 years, 6 months ago by Jan Dembowski.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Does anyone have any thoughts or pointers to where this topic might fit better?

    Moved to Fixing WordPress; this is not an Everything else WordPress topic.

    Don’t post malware code on these forums again or links like that here. These aren’t forensic forums, these aren’t “what is that code doing?” forums. Just WordPress support and that’s out of the scope for here.

    Your site has been compromised and you need to delouse it.

    Please remain calm and give this a good read.

    https://codex.www.ads-software.com/FAQ_My_site_was_hacked

    When you have successfully deloused your site then consider giving this a read too.

    https://codex.www.ads-software.com/Hardening_WordPress

    Have you run a grep scan on the server? If done right, you may not see the virus and what it’s displaying, but others may.

    I would suggest first grepping the site with a search to see how many directories are infected. I don’t trust these plugins because they throw false positives. Nothing beats running a grep and finding all the infections; backdoors need to be looked at.

    Do not change any passcodes until you have cleaned your infection.
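    As an added example (not code from the thread, from WordPress, or from the poster's site), a small POSIX shell inventory of the layout the original post describes, run against a constructed fixture instead of a live site: it counts the hex-nested tmp/x/x/x directories, checks which files in that tree are bare base64 blobs, and lists PHP files under html/ that decode-and-execute, which is the kind of grep sweep the reply above recommends. The directory contents, the blob filenames and the name suspect-placeholder.php are all constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: build a constructed copy of the
# layout the post describes and inventory it the way the grep reply suggests.
set -eu

SITE=$(mktemp -d)            # constructed stand-in for the hosted site root
trap 'rm -rf "$SITE"' EXIT
# Fixture: a legitimate theme file, a legitimate tmp/cache entry, three hex-nested
# leaves holding base64 blobs, and one PHP file (placeholder name) with a
# commented-out function body next to an inert eval/base64_decode.
make_fixture() {
  mkdir -p "$SITE/html/wp-content/themes/demo" "$SITE/tmp/cache"
  printf '<?php\nget_header();\n' > "$SITE/html/wp-content/themes/demo/index.php"
  printf 'legit cache entry\n' > "$SITE/tmp/cache/session.dat"
  for a in 0 a f; do
    mkdir -p "$SITE/tmp/$a/3/c"
    printf 'PGh0bWw+Y29uc3RydWN0ZWQgc2FtcGxlPC9odG1sPg==\n' > "$SITE/tmp/$a/3/c/k${a}9f2"
  done
  printf '<?php\nfunction wf_guard() { /* body commented out */ }\neval(base64_decode("..."));\n' \
    > "$SITE/html/suspect-placeholder.php"
}

# Directories exactly three single-hex-digit levels below tmp/, as in the post.
count_hex_dirs() {
  find "$SITE/tmp" -type d -path '*/tmp/[0-9a-f]/[0-9a-f]/[0-9a-f]' | wc -l | tr -d ' '
}

# A file is a bare base64 blob when every line uses only the base64 alphabet.
is_base64_blob() {
  ! grep -qvE '^[A-Za-z0-9+/=]+$' "$1"
}

# Files in the hex-nested tree that are base64 blobs rather than real content.
count_base64_pages() {
  n=0
  for f in $(find "$SITE/tmp" -type f -path '*/tmp/[0-9a-f]/[0-9a-f]/[0-9a-f]/*'); do
    is_base64_blob "$f" && n=$((n + 1))
  done
  echo "$n"
}

# PHP files under html/ that decode-and-execute: candidates to review by hand.
list_suspect_php() {
  find "$SITE/html" -type f -name '*.php' \
    -exec grep -lE 'eval\(|base64_decode\(|gzinflate\(' {} + || true
}
make_fixture
echo "hex-nested tmp dirs: $(count_hex_dirs)"
echo "base64 pages in tmp tree: $(count_base64_pages)"
echo "PHP files to review:"; list_suspect_php
```

    On a real site the same three checks run against the actual html/ and tmp/ roots; a file that matches is a candidate for review, not proof on its own.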

  • The topic ‘Hacked site’ is closed to new replies.