Website hacked–no idea what do at this point

  • Sorry for the long post….
    I have been fighting this for a few weeks now. A few weeks ago, some twitter followers told me that when the clicked on Twitter links linking to my site (https://factionhub.net), they were redirected to adultfriendfinder -dot- com (or net or one of those). I never happened to me, but a couple weeks ago, I clicked on one of those links on my iPhone and it took me to the site. I can never get it to load on my own computer. I can never get it to load on my phone when I’m at home either–even on the 3G/4G network–only when I’m away from home.

    I’ve installed WordFence, Anti-Malware Removal, and sucuri. On the Sucuri site, my site loads as blacklisted. Looking through the actual plugin, it says it’s all fine (save the blacklist). The other plugins scan my files and say everything’s fine too. With several exceptions of eval codes in plugins, it doesn’t flag anything (I’ve compared those instances to the original plugin files and nothing’s been modified).

    Then it started spreading onto my other sites. I have a shared hosting package and each site is in a subdomain. https://saulmarquez.com (the main root of my shared pacage–the public_html), https://7thpage.com. Yesterday I found a file, cr.zip in my public_html folder. I think it’s been in there since Dec–according to what cpanel says. There were also a ton of other obviously fake files. Like a Configuration.php. I deleted all of these.

    Still nothing. I changed passwords and everything (on all the sites). Still nothing.

    I did an experiment. I set up a new wordpress site (https://5thwave.net). Clean installation. Within a day, I was getting the redirects.

    Today I’ve spent the entire day deleting the wordpress sites and reinstalling them with clean installations and everything. I scanned everything in the wp-content folder. Everything seems ok. I’ve re uploaded the images and I’ve installed fresh new copies of the plugins.

    I’ve changed passwords and everything again. I just barely reuploaded fresh installations… and I’m still getting reports of redirects. All of my sites have been wiped and reinstalled. I really don’t know how it’s still going. The only thing that’s constant are the SQL databases and images. But I don’t think it’s the images (is there anyway of knowing?)

    I had a phpBB and myBB sites in there as well. I thought it was possible that they could have come in through that. I’ve since deleted those–still doesn’t help.

    I’ve checked the .htaccess files… all of them I could find… multiple times… They haven’t been modified. They’re normal.

    I’ve scanned for evals… base64… I seriously don’t know what to do at this point.

    I even contacted my host, wondering if other sites on the server I’m sharing have been infected. According to them, they’ve scanned it and everything is OK. They say they also scanned my site and that everything is fine. Yes, even cPanel/FTP passwords have been changed multiple times during this whole process.

    I’ve looked at all the links that the mods post when people post these things and I’ve followed all those steps. Nothing is working.

    I’ve done everything I’ve read and know… I’m at a dead end at this point.

    Help? ??

Viewing 7 replies - 1 through 7 (of 7 total)

  • Ouch! Sounds like they may have back-door access directly through the server. If someone gets in with a brute force attack or something, there’s really nothing you can do unless you have direct access to the server and an insane amount of server administration experience. If you’re on a shared hosting plan, really your best bet is to contact the host and/or change servers and cross your fingers they care enough to do something.

    I could be completely wrong, but if you’ve updated everything, reinstalled everything, and have taken extra precautions by installing added security plugins and such, then yeah… it may have nothing to do with your WordPress installation at all. There’s absolutely nothing you can do from wp-admin to solve a server intrusion.

    Where are you hosting?

    First, you need check server logs.
    Second, worm/backdoor not always contain an explicit call eval or base64_decode functions.
    Sometimes this functions is used inside self encoded body.
    Somethimes backdoor is not encoded ….eg. simple file upload form.

    Thread Starter saulmarq

    (@saulmarq)

    Thanks for your responses.

    I’ve contacted my host again. I’m with Downtown Host. I’m asking them to check server logs and see if the redirects come up there.

    I know that there was a file uploaded at one point, but like I said, I found them and deleted them. Even after, I wiped everything and started new.

    Is it possible that they could hack a SQL database? I wouldn’t know where to start if that was true…

    If someone gains root access to your server, they can do anything they want. Whatever you can do… they can do more. They’d have access to your site and everyone else’s on the server – including databases. They could literally wipe the entire server clean with a single command. Sounds like these guys are just in it to piggyback off websites for the sake of injecting ads though. Not entirely malicious – just annoying. Still, if you’re storing sensitive client data in your database, I’d be for backing that site up and moving to a better host. Either SiteGround or WPEngine.

    Forgot to add – I recently moved from WPEngine over to SiteGround, and so far they’re my all-time favorite hosting company. They also have a malicious code scanning tool that checks your site weekly for injections.

    Thread Starter saulmarq

    (@saulmarq)

    Thanks again for the response.

    If I end up leaving my host, I may look into SiteGround. Their pricing is similar to what I’m paying now.

    I realized that the one place I didn’t look was in the main home directory (that contains the public_html directory). I looked in the hidden .cpanel directory and found some logs of FTP uploads. These are files I didn’t upload myself. Things like BOA.zip and even the cr.zip that I mentioned earlier. Some date back to last June! The latest is Jan 14. Here’s what those logs say:

    <fileupload size=”131640″>
    <file name=”boa.zip” tmpfile=”/home/******/tmp/Cpanel_Form_file.upload.MjdzlAXLdeh5qEtI”>
    <progress bytes=”130500″ bps=”45700.24″></progress>
    <progress filesize=”130498″ complete=”1″></progress>
    </file>
    </fileupload>

    I’m guessing these were done via FTP. I’m going to look more. If all of this happened through FTP and not WordPress. If this is the case, the hacked file could very well not be in my wordpress installations but maybe somewhere in the home directory. I know it’s not in public_html because, like I said, I’ve already cleared it. If I can’t find anything, I may just ask my host to reset my account and I’ll manually reinstall everything bit by bit.

    Problem is, how did they get into my site via FTP in the first place? How do I stop them from doing it again? I’ve changed my password already, but I don’t want this to happen again.

    There are many different ways an attacker can access your server besides FTP. In fact, if they tapped into the server, chances are they used SSH, which is like the Chuck Norris of connection protocols. It can do things that FTP can only dream of. So you can change that FTP password all stinking day but it won’t make a difference. I would ask your host to get all new name servers, and install a fresh copy of WP on your new hosting account – restoring only the database itself and wp-content directory – and see if it continues.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Website hacked–no idea what do at this point’ is closed to new replies.

Tags