• Resolved ande1352

    (@ande1352)


    I had noticed today that there were some weird things happening on my website including my login not working and having to reset it. After resetting my password I noticed that my anti-spam plugin and my sucuri security plugin for my site had both been deactivated. I reactivated those, but then I also noticed that a couple of posts on my site had been updated and when I checked it appears that spam casino links had been inserted.

    I also noticed that a plugin that I hadn’t updated myself, Tablepress, was showing in FTP to have been updated today. I removed the plugin until I could check further.

    Then, checking my email I saw that my web host had scanned my server and found some suspicious stuff.

    ‘public_html/wp-content/plugins/tablepress/x.php’
    Suspicious image file (hidden script file)

    ‘public_html/wp-content/plugins/tablepress/get-images/adminer.php’
    Regular expression match = [Adminer – Compact database management]

    ‘public_html/wp-content/plugins/tablepress/get-images/cmd.php’
    Regular expression match = [\b(system|exec|passthru|shell_exec)\s*\(\s*\$_(GET|POST|GLOBALS|SERVER|REQUEST|SESSION|ENV|COOKIE)\[]

    ‘public_html/wp-content/plugins/tablepress/get-images/adminer.php’
    Regular expression match = [Adminer – Compact database management]

    ‘/home/quick42/public_html/wp-content/plugins/tablepress/get-images/adminer.php’
    Regular expression match = [Adminer – Compact database management]

    It appears that maybe the files in that Tablepress directory may have been part of the problem. Have you heard of anyone hacking sites due to the Tablepress plugin – and/or do any of the files mentioned above by my host belong in the Tablepress directory?

Viewing 1 replies (of 1 total)
  • Plugin Author Tobias Bäthge

    (@tobiasbg)

    Hi,

    thanks for your post, and sorry for the trouble.

    I’m really sorry to hear that your site has been hacked. For some help (in case you haven’t seen that yet), I also recommend https://www.ads-software.com/support/article/faq-my-site-was-hacked/

    Regarding those findings in TablePress:

    I do not know of any instances, past or present, where a site was hacked through TablePress.

    These files (x.php, adminer.php, cmd.php, etc.) are not part of TablePress (you can verify that in the official repository, from which the official download version is built, at https://plugins.trac.www.ads-software.com/browser/tablepress/tags/1.14 ).
    Instead, my assumption is that the attacker (or his automatic script) placed these files in the tablepress folder, as a backdoor. Then, should his other entry points to the site/server be closed, he can get in again. This probably happened randomly, i.e. a random folder was chosen, and tablepress happened to be it. You might also want to check other folders of the site (in fact, it’s probably wise to start fresh, with a fresh copy of WordPress and all plugin files, to rule out that any other PHP files have been modified/placed secretly).

    Regards,
    Tobias
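As an added defensive example (not code from this thread or from TablePress), the following Python check does what Tobias suggests: it compares the files present in an installed plugin directory against the official file list and flags any file whose contents match the host's scanner rules quoted above. The manifest and the file contents below are constructed stand-ins; a real manifest would be generated from the trac tag he links, and the real directory would be read from disk.

```python
import re

# The host's rule quoted in the thread: a shell-execution function called
# directly on a request superglobal, e.g. system($_GET[...]).
SHELL_EXEC_PATTERN = re.compile(
    r"\b(system|exec|passthru|shell_exec)\s*\(\s*"
    r"\$_(GET|POST|GLOBALS|SERVER|REQUEST|SESSION|ENV|COOKIE)\["
)
# The host's second rule: the title string of the Adminer database tool.
ADMINER_PATTERN = re.compile(r"Adminer\s*[-\u2013]\s*Compact database management")
# Assumption for the "hidden script file" finding: a .php file that starts
# with an image magic number (GIF/PNG/JPEG) to pass as a harmless image.
IMAGE_MAGIC = ("GIF8", "\x89PNG", "\xff\xd8")

# Constructed stand-in for the official TablePress file list (not the real one).
MANIFEST = {"tablepress.php", "classes/class-tablepress.php"}

# Constructed stand-in for the installed directory: relative path -> contents.
INSTALLED = {
    "tablepress.php": "<?php\n/* Plugin Name: TablePress */",
    "classes/class-tablepress.php": "<?php class TablePress {}",
    "x.php": "GIF89a\n<?php /* constructed: script behind an image header */ ?>",
    "get-images/adminer.php": "<?php /* Adminer - Compact database management */",
    "get-images/cmd.php": "<?php system($_GET['cmd']);",
}


def unexpected_files(installed, manifest):
    """Return installed paths that are not in the official manifest, sorted."""
    return sorted(set(installed) - set(manifest))


def flag_suspicious(files):
    """Return {path: reason} for files whose contents match a scanner rule."""
    findings = {}
    for path, content in files.items():
        if SHELL_EXEC_PATTERN.search(content):
            findings[path] = "shell exec on request input"
        elif ADMINER_PATTERN.search(content):
            findings[path] = "bundled Adminer"
        elif path.endswith(".php") and content.startswith(IMAGE_MAGIC):
            findings[path] = "image header in .php file"
    return findings


if __name__ == "__main__":
    for p in unexpected_files(INSTALLED, MANIFEST):
        print("not in manifest:", p)
    for p, why in flag_suspicious(INSTALLED).items():
        print("suspicious:", p, "-", why)
```

Run against the plugins directory after a compromise, this gives the "files that do not belong" list Tobias describes; unexpected files that also trigger a rule are the ones to remove first.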

  • The topic ‘Site hacked’ is closed to new replies.