SItes hacked and keeps coming back .. Please help

Hi,

Are all of your themes and plug-ins up-to-date? That’s the most common entrance into a site. You’ll start seeing new database entries. Are your servers shared or dedicated?

I’d recommend updating all themes and plug-ins and disable anything you are not using.

-Brian

Brian,
Thanks for the quick response. All my plugins are up to date, even the ones that are deactivated. I have done my best to remove unused plugins, but since some of the sites are managed by other designers I don’t know all of them. It is a dedicated server, running win server 2008.
Gary

What about FTP? Change passwords to something VERY difficult on every FTP account on that server.

FTP has been completely turned off at this point for a week, and yet the new files keep appearing. And I have used a strong password generator to create all new passwords for ftp, (even though it is turned off) and for all wp users and databases.

@axe6st:

Sorry to hear you’re still having trouble. We have a guide here, to help in cleaning hacked sites. Some of the more aggressive scan options within Wordfence may find additional files:
How do I clean my hacked site using Wordfence?

If this still doesn’t help, can you email me a copy of the site’s access log that covers any time period when a reinfection has occurred? If there is a combined access log for the whole server, that may be best — since there are multiple sites getting infected, the infection may be spreading from site to site. (Depending on how the file permissions and ownership are set, this can happen easily, from one bad file on only one of the sites.)

-Matt R

Matt,
At the moment it appears it is only happening on one site. I am trying to determine what the difference between that site and the rest. I have followed the recommendations in the article you listed before I posted this. I found on e username in the remaining affected site that has not had the password changed, so I changed that last night. Then I also noticed that another site is getting hit hard with a brute force attack that is using existing usernames and changing ip addresses for each hit, thereby circumventing the blocking. SO I changed all usernames on that site, and it was blocking each ip addresss as it happened. But the brute force attack just moved on to the next ip address. That stopped about an hour ago, but I am still investigating.
At the same time, this morning I noticed the new files appear on the other site again, but this time it happened while I was on the server watching, so I was able to check the live traffic and block the ip address that I think it came from. An ip listed as yahoo attempted to hit a file that was not there at less than a minute after the new files appeared. I can e-mail you logs, but exactly which logs would you want? And I guess I can get your email from your profile?

The site’s “access log” would be the one I would need. If each site has a separate access log, the one from the most recent site that was hit would be good. Sorry, I forgot to include my email address in the last post:
mattr (at) wordfence.com

-Matt R

Thanks Matt, I’m sending it now. It should be coming from gary at gnrcomp.com

Matt, did you get my email?

Matt,
Here’s an update. It happened again last night. I scoured the log files and found a point where someone accessed one of the new pages 4 minutes after it was added, and then accessed a bunch of css files after that. I blocked that ip address using my firewall. That was around midnight last night, and the usual morning files were not there. It’s still too early to tell for sure as it is kind of random, but at this point it has been 14 hours since it last happened. Fingers crossed. I’ll post here again if it happens again.

That’s good to hear — if you look back in the log file to the time when the files were added, you may find a hit on a file that caused them to be added. The visit might be from a different IP, and it may be a few seconds earlier than the date on the files.

I didn’t get the email that you had sent earlier and it’s not in my spam either — if the problem comes back, you can try sending me a log again. If you have a different email account that you can send it from, that might be best too.

-Matt R

Matt,
The problem is still there, but I have other issues I have to take care of first. But a quick question. I found that port 2105 is open, could that have anything to do with it? (The issue I am trying to repair right now is the firewall broken. So I can’t block it until I get that figured out.)

Port 2105 being open might not be a bad sign on a Windows host, but if you don’t use anything that access it from outside the host, it might not hurt to block it.

-Matt R