Security – beeing hacked

Hi @goenz25

I haven’t had a look yet at cause of 500 error. Need to look at how stale my backups are as that was plan A. I just got my website guy to shut the site down until we both have a time to look. At least my sites are not commercial.

Also note – I had 3 sites on same server – 2 without GPDR plugin also were effected.

Regards
Nick

@reca26

I deleted this files so fast, I can’t say something about the name or the kind of file – there where the only ones uploaded yesterday …

Also note – I had 3 sites on same server – 2 without GPDR plugin also were effected.

Oh wow – sounds not good ??

Hi @goenz25 –
Thanks for your reply.
In the meanwhile, I’ve found 3 uploaded files
//fotos.bilder-speicher.de/wp/pic-uploads/uploads-von-trollherten-18110907957398.jpg

Similar to @nickm37 I have about 12 sites on the same server – ONLY ONE with the GPDR plugin, BUT ALL class-oembed.php are changed.

This is really alarming.

According to the participant “rivmedia” in another WP-Thread
https://www.ads-software.com/support/topic/new-user-created-blog-got-hacked/, they are also injecting a backdoor/file into the uploads folder. He advices to check the databases for hidden admin users which do not show up in the WP admin.

Did you got aware of something similar, or did you only deleted the uploads and the user?

Grüsse aus Hamburg
Reca

• This reply was modified 6 years ago by reca26.

Hello –

Update for those who might be interested:
Though I’ve installed the WP GDPR compliance-plugin only on 1 WP-Installation, the hacker affects the WP-core files on about 11 other WP-installations. According to my hoster (webgo) my whole webspace is affected. As a result NONE of my websites is viewable due to many “Parse error ….” warnings because of altered wp-includes or wp-content files.

For a life-view of my misery, please see https://www.black.kitchen/

IF SOMEBODY IS ABLE TO HELP, OR HAS A REAL GOOD ADVICE, I WOULD BE THANKFUL TILL THE END OF TIME !!!?

regards reca

@reca26, just reinstall wordpress (reupload files and folders) and do the same for all installed plugins, this helped for me. strangely it was also n installation without WP GDPR

This is how the access logs look like if the Admin User uploaded a backdoor:
https://website-bereinigung.de/blog/wp-gdpr-compliance-sicherheitsluecke

Watch out for wp-upd.php Requests.

All of my websites on the same hosting have also been effected, even those that didn’t use the WP-GDPR plug in. I get the parse error above and 500 errors. I can’t log into any of my wordpress admins and can’t seem to find any information on how to do solve this. I did go to PHPADMIN and deleted a few users that had been set up but what do I do now? I see that lots of files on my websites have been altered with a timestamp of 1:43 this morning.

That’s the reason why you should have seperate hosting accounts or sub-accounts.

Maybe your hoster can restore a filesystem and databases backup from yesterday (without the old gdpr plugin directories)?

• This reply was modified 6 years ago by Pascal.

In order to prevent this from happening in future, I recommend just securing wp-admin and wp-login.php to certain IP addresses only and, additionally, activate basic authentication for both. There are plenty of blog articles in the Web that explain how basic authentication can be activated (e.g. for Apache and Nginx users). Some Web hosters also provide a web interface through which basic auth can be activated for certain directories.

If the entire wp-admin directory is additionally protected, the hacker would have been unable to access admin-ajax.php and take advantage of the vulnerability.

Further to the above I have contacted my hosting company and for $50 they are going to restore everything back to 7th November. I hope this works.

My Hoster give me a backup a few days ago – and the database backup will coming soon – i found in the injected database a lot of scripts like this:

https://blog.sucuri.net/2018/10/saskmade-net-redirects.html

Please make sure to update the WP GDPR Compliance plugin immediately after the backup was restored! Otherwise you will likely get hacked again within minutes. I’m observing my Web server logs and see constant attacks coming in – all now bouncing back with an error 401 due to the lockdown of /wp-admin.

I wouldn’t be able even to login to my site. My hosting support (Cloudways) helped me

[wp-config.php]
Replace this URLs with your web application and clear up cache.

define(‘WP_HOME’,’https://probinarybot.com’);
define(‘WP_SITEURL’,’https://probinarybot.com’);

Hope this help anyone as well!
Good luck!

Hi all, once you have removed the fake admin account and updated the WP GDPR check your siteurl in the database, some had been changed to a site in Morocco. We have not found any malware coding so far.