• Resolved atlcr

    (@atlcr)


    One of my sites has been hacked. When the site is accessed from the search results in Internet Explorer, the user is redirected to rxcanada-247.com. This does not happen in Firefox or Chrome.

    I have Wordfence installed and each time I notice this happening I run a scan and clean up the mess with Wordfence, but it keeps occurring every other day or so. The WordPress core file affected is wp-includes/class-wp-error.php. The hacker is adding a line to include another php file that is created called wp-includes/database.sql.php which has the base64 code that supposedly causes the redirect.

    I have disabled all 3rd party plugins that seem like they could be vulnerable. The only plugins installed right now are very trustworthy and popular plugins like WordPress SEO, Jetpack, Metaslider, etc.

    What steps are recommended for preventing this from happening again?
    At this point I’m even willing to hire someone to find the vulnerability and patch it.

    BTW, I’m using 4.1 and everything is up to date.

Viewing 8 replies - 1 through 8 (of 8 total)
  • I’m sorry to hear your site was damaged. Wordfence is good at finding damaged files but it does not always find all the malware.

    Do you have a back up from a date before the hacking began? Restoring is much easier than finding every piece of bad code.

    Thread Starter atlcr

    (@atlcr)

    I do have backups, but my host has already restored all core WordPress files and nothing has been added to the site in months so I don’t think restoring will help. I’m thinking it might be some sort of SQL injection hack or something database related so that would not help anyway. I am the only admin for the site and I use a 16 character password that has been changed. It is unlikely that the hacker has FTP or cpanel access as they could do a lot worse things, like lock me out.

    I’ll check out that link martcol.

    Restore all the files, directories and the database wherever possible. If you have such a complete backup, then delete all the existing files and directories first, rather than overwriting them. As @wslade points out, this is by far the easiest solution. Otherwise, work your way carefully through the codex list linked to by @martcol. Also worth doing is changing all your usernames and passwords (WordPress/cPanel/database/FTP), checking in your database for any rogue users that don’t show up in the dashboard, and updating your salt keys in wp-config.php to log out any currently logged in users.

    Thread Starter atlcr

    (@atlcr)

    Thanks. The problem with restoring from backup is that the backed up version is what got hacked in the first place. What is to stop them from exploiting the same vulnerability again?

    I think I need a more elaborate solution that involves a way to check for backdoors and such. If I restore from backup, is there a program that can do a security audit to find weaknesses?

    Yes you are correct. The backup must be from a time before the hack.

    It’s quite possible to hunt down every piece of malware but it’s difficult to know when you have found all of the malicious code. As an example the site may seem to be functioning as it should be but if there is one backdoor or enough malware left, the site is likely to be reinfected. The malware laced file can be hiding in the WordPress core, the theme, any plugin and the database.

    You said you were already using Wordfence. I suggest you try other server side scanners. There’s nothing wrong with loading up every plugin that will do server side scans. One of the plugins you try might find something all the others have missed. Good luck.

    You’re right of course. If your backup does not pre-date your initial hack then it is a pointless exercise. Besides my advice on passwords/usernames/salt keys, I would check files such as your wp-config.php, .htaccess, index.php, header.php and footer.php files for rogue code. You can also try installing and running the Anti-Malware and Brute-Force Security plugin which seems to have good success in rooting out hacks. Another clue is to check the timestamps of all files to see which have been recently modified, although this can’t be done if you’ve recently restored all your files. If you’re lucky, and it’s not a sophisticated hack, then you may resolve things through these steps, but if there are backdoors which keep recycling the hack then you’ve no choice but to work methodically through the codex linked to by @martcol. Then, once you’re back up and running again, tighten up your security measures by following:
    https://codex.www.ads-software.com/Hardening_WordPress

    Good luck!
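The two checks the replies above recommend, looking for recently modified files and reading core files for rogue code, can be scripted so they are repeatable after every clean-up. The script below is an added example written for this thread; it is not code from the thread, from WordPress or from any plugin named here. It walks a WordPress document root and flags files modified within a window, PHP files whose names follow the `database.sql.php` pattern from the opening post, literal `include`/`require` lines pointing at such files, and `eval(base64_decode(...))` payloads. The sample tree it builds (`build_demo_tree`) is constructed to mirror the thread's description and is not real malware; the file names inside it are the ones the thread mentions.

```python
"""Added triage scan (example code written for this thread, not a WordPress or
Wordfence tool). Applies two checks the replies recommend against a WordPress
document root: recently modified files, and PHP files carrying an injected
include or an eval(base64_decode(...)) payload. The demo tree is constructed."""
import os
import re
import time
import tempfile

# A PHP include/require whose target is a quoted literal. Core files normally
# build paths from ABSPATH/WPINC constants, so a bare literal is itself a hint.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.I)
# eval() fed directly by base64_decode(): the obfuscation style in the thread.
OBFUSC_RE = re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I)


def suspicious_include_target(target):
    """Heuristic: a .sql.php name (as in the thread) or a non-.php target."""
    base = os.path.basename(target)
    return base.endswith(".sql.php") or not base.endswith(".php")


def scan_tree(root, modified_within=7 * 86400, now=None):
    """Walk a WordPress tree and return sorted (relative_path, reason) findings."""
    now = time.time() if now is None else now
    findings = set()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if now - os.path.getmtime(full) <= modified_within:
                findings.add((rel, "modified recently"))
            if not name.endswith(".php"):
                continue
            if name.endswith(".sql.php"):
                findings.add((rel, "unexpected .sql.php file"))
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if OBFUSC_RE.search(text):
                findings.add((rel, "eval(base64_decode(...)) payload"))
            for target in INCLUDE_RE.findall(text):
                if suspicious_include_target(target):
                    findings.add((rel, "includes suspicious file " + target))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree mirroring the thread: an injected include in
    wp-includes/class-wp-error.php, the dropped wp-includes/database.sql.php,
    a planted wp-admin/network/licenze.php, and one untouched core file.
    The base64 string decodes to a harmless echo statement."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    old = time.time() - 30 * 86400  # untouched file: a month old
    files = {
        "wp-includes/functions.php":
            "<?php\nfunction wp_demo() { return true; }\n",
        "wp-includes/class-wp-error.php":
            "<?php\ninclude('database.sql.php');\nclass WP_Error {}\n",
        "wp-includes/database.sql.php":
            "<?php\neval(base64_decode('ZWNobyAnZGVtbyc7'));\n",
        "wp-admin/network/licenze.php":
            "<?php\neval(base64_decode('ZWNobyAnZGVtbyc7'));\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
        if rel == "wp-includes/functions.php":
            os.utime(full, (old, old))
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, reason in scan_tree(demo_root):
        print(f"{path}: {reason}")
```

Point `scan_tree()` at the real document root (for example `scan_tree("/var/www/html")`) instead of the demo tree. These are heuristics for triage, not proof of cleanliness: the definitive check for core files is a comparison against known-good checksums, which WP-CLI provides as `wp core verify-checksums`, and the timestamp check is only meaningful if the files were not all just restored, as the reply above notes.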

    Thread Starter atlcr

    (@atlcr)

    Barnez, thanks so much for the link! I did a scan with that plugin and it found a backdoor named “/wp-admin/network/licenze.php”. I deleted it and fingers crossed that it solves the problem once and for all. Now it’s time to make a fresh backup.

  • The topic ‘rxcanada-247 pharmacy hack’ is closed to new replies.