• Hi All,

    Firstly thanks in advance for your help.

    So I got a random email from PhishLabs saying that my website was replicating a Wells Fargo website. Sure enough we were doing that, so I removed the page from the site.

    I then checked from my mobile phone and noticed that my website was redirecting visitors to random porn sites.

    First thing I did was to change all passwords with host, FTP, WordPress and various plugins that required a password.

    I installed Anti-Malware from GOTMLS.net and ran a full scan 3 times and it keeps finding malware. Latest log below…

    Also installed Quttera, Sucuri Security and Wordfence, all saying removed malware and clean on second scan.

    Installed miniOrange 2 factor authentication as I have been getting a lot of password attempts on my site.

    I found via FTP that there were a lot of random folders with names like phky, avgd, ltsb and lplu. These I could tell were malware-created folders, so I removed them; the content looked iffy.

    Anti-Malware from GOTMLS.NET log of latest scan…

    Backdoor Scripts

    !…/html/wp-content/index.php
    !…/html/wp-includes/pomo/mo.php
    Potential Threats

    * NOTE: These are probably not malicious scripts (but it’s a good place to start looking IF your site is infected and no Known Threats were found).

    ?…/html/wp-mamba.php
    ?…/html/wp-mamba2.php
    ?…/html/updated site broken/.htaccess.bak
    ?…/html/updated site broken/wp-content/plugins/jetpack/modules/stats.php
    ?…/html/updated site broken/wp-content/plugins/jetpack/modules/infinite-scroll/infinity.js
    ?…/html/updated site broken/wp-content/plugins/mailchimp/js/datepicker.js
    ?…/html/updated site broken/wp-content/themes/billydroid/js/carousel.js
    ?…/html/updated site broken/wp-content/themes/blueberry/functions.php
    ?…/html/updated site broken/wp-content/themes/d5-corporate-extend/js/jquery-ui.min.js
    ?…/html/updated site broken/wp-content/themes/d5-corporate-extend/js/jquery.skitter.min.js
    ?…/html/updated site broken/wp-content/themes/irresistible/functions/js/nicEdit.js
    ?…/html/updated site broken/wp-content/themes/irresistible/functions/js/ui.datepicker.js
    ?…/html/updated site broken/wp-content/themes/isis/js/other.js
    ?…/html/updated site broken/wp-includes/pomo/translations.php
    ?…/html/wp-content/wp-mamba.php
    ?…/html/wp-content/wp-mamba2.php
    ?…/html/wp-content/plugins/wp-mamba.php
    ?…/html/wp-content/plugins/wp-mamba2.php
    ?…/html/wp-content/plugins/delete-all-comments/wp-mamba.php
    ?…/html/wp-content/plugins/delete-all-comments/wp-mamba2.php
    ?…/html/wp-content/plugins/duplicator/installer/build/assets/inc.libs.js.php
    ?…/html/wp-content/plugins/mailchimp/datepicker.js
    ?…/html/wp-content/plugins/mailchimp/js/datepicker.js
    ?…/html/wp-content/plugins/miniorange-2-factor-authentication/includes/js/rba/js/miniorange-fp.js
    ?…/html/wp-content/plugins/ninja-forms/assets/js/lib/jBox.min.js
    ?…/html/wp-content/plugins/ninja-forms/assets/js/lib/math.min.js
    ?…/html/wp-content/plugins/ninja-forms/assets/js/min/lib/math.min.js
    ?…/html/wp-content/plugins/ninja-forms/assets/js/min/lib/math.min.js.map
    ?…/html/wp-content/plugins/ninja-forms/deprecated/js/dev/ninja-forms-display.js
    ?…/html/wp-content/plugins/ninja-forms/deprecated/js/min/ninja-forms-display.min.js
    ?…/html/wp-content/plugins/wassup/js/spia.js
    ?…/html/wp-content/plugins/wassup/js/spy.js
    ?…/html/wp-content/plugins/wordfence/js/jquery-ui-timepicker-addon.js
    ?…/html/wp-content/themes/billydroid/js/carousel.js
    ?…/html/wp-content/themes/blueberry/functions.php
    ?…/html/wp-content/themes/d5-corporate-extend/js/jquery-ui.min.js
    ?…/html/wp-content/themes/d5-corporate-extend/js/jquery.skitter.min.js
    ?…/html/wp-content/themes/irresistible/functions/js/nicEdit.js
    ?…/html/wp-content/themes/irresistible/functions/js/ui.datepicker.js
    ?…/html/wp-content/themes/isis/js/other.js
    ?…/html/wp-content/uploads/wp-mamba.php
    ?…/html/wp-content/uploads/wp-mamba2.php
    ?…/html/wp-includes/js/json2.js
    ?…/html/wp-includes/js/json2.min.js
    ?…/html/wp-includes/js/tw-sack.min.js
    ?…/html/wp-includes/js/swfupload/swfupload.js
    ?…/html/wp-includes/js/tinymce/tiny_mce_popup.js
    ?…/html/wp-includes/pomo/translations.php
    ?…/html/updated site broken/wp-includes/category-template.php
    ?…/html/wp-admin/includes/class-pclzip.php
    ?…/html/wp-content/plugins/delete-all-comments/backup/dbwp3.php
    ?…/html/wp-content/plugins/delete-all-comments/backup/wp-inde.php
    ?…/html/wp-content/plugins/delete-all-comments/backup/wp-mamba.php
    ?…/html/wp-content/plugins/delete-all-comments/backup/wp-mamba2.php
    ?…/html/wp-content/plugins/delete-all-comments/backup/wp-mamba3.php
    ?…/html/wp-content/plugins/delete-all-comments/backup/wp-zoo.php
    ?…/html/wp-content/plugins/delete-all-comments/backup/wso2.php
    ?…/html/wp-content/plugins/ninja-forms/assets/js/min/front-end–helptext.min.js
    ?…/html/wp-content/plugins/ninja-forms/assets/js/min/front-end-bundle.js
    ?…/html/wp-content/plugins/ninja-forms/assets/js/min/front-end-deps.js
    ?…/html/wp-content/plugins/ninja-forms/assets/js/min/front-end.js
    ?…/html/wp-content/plugins/ninja-forms/assets/js/min/front-end.js.map

    Any ideas as to what I should do next?

    Regards,

    Darren

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are two.

    Thread Starter adssmart123

    (@adssmart123)

    Thanks for this. I followed the instructions and seem to have a clean system. I have now changed the passwords of the accounts again now that the system is clean. Going forward I’m going to keep a close eye on it, and if I notice anything untoward I will be back with symptoms.

    I am currently getting emails from Sucuri Alert stating that I’m getting failed login attempts every 5 or ten minutes. How do I stop this? Or will they get bored in the end? Even if they get in by brute force they will have to get through the 2 factor auth. So I think I’m safe.

    Any ideas how to stop the failed login attempts?

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Basically, turn off the option to be emailed about them.

    I have a client whose website was recently hacked… turns out that the “delete all comments” plugin was a factor!:

    https://blog.nintechnet.com/arbitrary-file-upload-vulnerability-in-wordpress-delete-all-comments-plugin/

    Those “mamba” files aren’t regular files and should be deleted as well.
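
Added example, not part of any post in this thread: a read-only triage pass over a WordPress tree that lists the kinds of items the thread mentions (file names from the scan log, PHP files under uploads, the delete-all-comments plugin folder, and four-letter folders at the web root) for manual review. The name pattern, the four-letter heuristic, the `triage`/`demo` function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Names listed in the thread's scan log (wp-mamba*.php and the other files
# in delete-all-comments/backup/). A match means "review", not "malicious".
LOGGED_NAME = re.compile(r"^(wp-mamba\d*|wp-zoo|wp-inde|wso2|dbwp3)\.php$", re.I)
# Plugin the last reply ties to an arbitrary file upload advisory.
RISKY_PLUGIN = os.path.join("wp-content", "plugins", "delete-all-comments")
UPLOADS = os.path.join("wp-content", "uploads") + os.sep
# Assumption: four lowercase letters at the web root, like phky/avgd/ltsb/lplu.
RANDOM_DIR = re.compile(r"^[a-z]{4}$")

def triage(root):
    """Return sorted (reason, relative_path) findings for manual review."""
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            findings.update(("random-looking folder", d)
                            for d in dirnames if RANDOM_DIR.match(d))
        if rel_dir == RISKY_PLUGIN:
            findings.add(("plugin named in advisory", rel_dir))
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if LOGGED_NAME.match(name):
                findings.add(("file name from scan log", rel))
            elif rel.startswith(UPLOADS) and name.lower().endswith((".php", ".phtml")):
                # Uploads should hold media; PHP there is a common sign of a dropped file.
                findings.add(("PHP in uploads", rel))
    return sorted(findings)

def demo():
    """Run triage() over a constructed sample tree (not data from the thread)."""
    sample = ["wp-content/uploads/wp-mamba.php",
              "wp-content/uploads/2017/img.php",      # constructed name
              "wp-content/uploads/2017/photo.jpg",
              "wp-content/plugins/delete-all-comments/backup/wso2.php",
              "wp-includes/version.php",
              "phky/index.html"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return triage(root)

if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason}: {path}")
```

The script only reports; anything it lists still needs to be compared against a clean copy of WordPress core, the theme and the plugins before it is deleted.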

  • The topic ‘Website Hacked Help!’ is closed to new replies.