WordPress hacked files to delete or update when you've been hacked

  • Just to make a record of it, I got hacked on Dreamhost last week and had persistent issues. It turns out it was a very extensive hack that might have been caused by outdated WordPress installations or an outdated timthumb.php script.

    So here’s a list of files from the different domains that were added to at least 10 different domains. If you ever see any of these in your WordPress installation, delete them. They are rogue files with malicious scripts.

    (You can tell these are rogue because they don’t follow the standard comment format you usually see at the top)
    /wp-includes/js/tinymce/plugins/tabfocus/wp-raze.php
    /wp-includes/images/smilies/wp-evz.php
    /wp-includes/class-https.php
    /wp-includes/post-template.php     (don’t delete this file, but look in the middle for a huge base64 injection. you can replace it with standard file from wordpress zip file)
    /wp-admin/network/options-foot.php
    /wp-admin/captcha-class.php
    /wp-yizoj.php
    /adeyauberta.php
    /wp-eto.php
    /wp-nqdz.php
    /anjanetteadriena.php
    /atheneshockley.php
    /audyalia.php
    /poll.php
    /wp-includes/js/tinymce/plugins/wpgallery/wp-mkao.php
    /wp-content/plugins/search-unleashed/modules/wp-utofv.php
    /wp-content/plugins/cforms/captcha-class.php
    /wp-content/plugins/cforms/ibinc.php
    /wp-hpfi.php
    /aliceahalley.php
    /wp-wyl.php
    /macgregorarleyne.php
    /wp-ogox.php
    /wp-includes/js/tinymce/plugins/spellchecker/classes/utils/wp-uui.php
    /wp-includes/js/tinymce/plugins/wpgallery/captcha-class.php
    /wp-includes/js/tinymce/plugins/wpgallery/img/corbettthor.php
    /wp-includes/js/tinymce/plugins/wpgallery/alejandraaura.php
    /wp-includes/js/tinymce/plugins/wp-ratit.php
    /wp-content/themes/twentyeleven/trackbacks.php
    /wpau-backup/anestassiajohansebastian.php
    /wp-includes/js/thickbox/wp-nue.php
    /wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/ibinc.php
    /wp-admin/css/wp-anp.php

    Most or all of these files had a long string of base64 code at the top, and a few of them had a function script at the bottom.

    A good place to secure WordPress is here:
    https://codex.www.ads-software.com/Hardening_WordPress

Viewing 10 replies - 1 through 10 (of 10 total)

  • I would suggest you to change host. It shows vulnerability in their servers

    One of the better descriptions of this hack may be found here, along with some general advice as well:
    https://domesticenthusiast.blogspot.com/2012/03/dyslexic-mayans-want-to-sell-you-cialis.html

    I helped someone on Dreamhost not too long ago when they were hit by a vulnerability with Dreamhost. What really got me, is that I could traverse the directories from any browser.

    If you get your site back up, make sure you use something like:

    Options -Indexes

    In your .htaccess file if they support it.

    Thread Starter micasuh

    (@micasuh)

    I was able to solve the above problems with a little info from a Dreamhost tech support but it was frustrating for nearly a week trying to solve this problem. These files were literally all over the account sometimes buried deep into the plugins or even themes. It was well scripted to be hard to kill.

    @richardwpg – It’s just as likely that one of the outdated WP installs I had in my account on one of my domains was a way for these robots to get in. There was also an outdated timthumb.php script that I had to fix. I read recently that Websense was reporting a huge increase in attacks over the last few weeks. Dreamhost appears to be a common victim, possibly because of similar accounts like mine which have outdated files with possible holes.

    @tvcnet – Excellent info! Thanks!

    @mickeyroush – right, I do know about this and should look into adding it to all the .htaccess files. I have about 15 or so WP installs on various domains in my account so that’ll take a bit of work to do but it’s worth it.

    These so called unlimited hosting plans are disasters waiting to happen.

    I recommend to my client to never maintain more than three sites within one of these shared directory type hosting accounts.

    So many people have been burned due to not being educated as to how severe a security risk this type of “open bay,” hack-one-to-hack-them-all” type hosting accounts can be.

    If you are a professional web designer and think you are saving money by using “open bay” hosting plans, hopefully you’ve just learned your lesson (that saving a few bucks on web hosting can literally destroy ones web design business overnight).

    Hackers love “dorm room” type hosting accounts because it’s so easy to tell their friends, “hey, look I just hacked 40 websites,” when all the script kiddy did was hack a person’s website who thought he was being smart in placing all of his 40 clients websites on a 5 buck a month hosting account.

    If you are hosting through a Mc’Hosting open bay style hosting company you are basically placing your site in the cross hairs of hackers looking for an easy target.

    @tvcnet I am exactly what you are referring to: “dorm room” (and am on Dh). All of my little and big WP sites are all infected to some degree and it’s time for me to move to a better solution. Can you please recommend a host?

    Thanks.

    Hi,
    If I recommend a host the staff here at WordPress will yell a me.
    You could Google my username. ??

    Recommended WordPress Web Hosting

    @tvcnet

    Haha! Sweet! A little shameless self promotion never hurts!!!

    @prosperityone

    Research and comparison, my friend. Weigh the balance between the practicality/ROI associated with a VPS -vs- continuing in a shared hosting environment. If you don’t yet have a need for, or can’t justify dedicated/managed/VPS hosting, then don’t do it. Either way, take a week or so and just peruse/review the published history of some of the more popular services. The web is just ripe and ready to pop with info on competing service providers. They all want your money. The best you can hope for is to make an informed decision based on your own research. Good luck to you!

    Thread Starter micasuh

    (@micasuh)

    I think after completely sweeping through all the WordPress installations and with some feedback from Dreamhost, I’ve hopefully crushed the trojan horse so that it stays out of my account. This particular attack was extensive with lots of various malicious files in so many different places. It’s been a few days since anything has happened but I’m monitoring it for the rest of the month on a daily basis to make sure nothing new happens.

    @tvcnet – I hear what you’re saying but I think with automated servces like ManageWP, it’s not so bad to be on shared hosting. That said, I think it takes a dedicated person to maintain everything.

    I inherited this account from a now deceased family member who was doing this for a side business so I have tried to maintain but of course there was outdated scripts or installs that I didn’t catch.

    I do believe it’s possible to maintain a relatively secure account as long as the account holder is diligent about maintaining the code and keeping it up to date. I also keep up with other client accounts who also use Dreamhost and none of them were affected by this thankfully. Sadly, however, I also think Dreamhost was particularly targeted for this type of attack but I think other shared hosting and even VPS hosting can fall victim to similar attacks just as easily under similar circumstances as I had.

    @prosperityone – If you were infected similarly to what I was, I can give you a few hints on how to crush the bugs and get some peace back.

    One of the most used methods to monitor changed files is by logging into my account using SSH and running a few commands. The find command really helped me monitor what’s going on and what had changed in a certain period of time. For example:

    find . -type f -mtime -1 | grep -v "/Maildir/" | grep -v "/logs"

    The above line searches through your account for changed files within the last 1 day (change the 1 to 2 or 3 if you want to view multiple days) but it doesn’t search through the Mail directory or the access logs (for Dreamhost only, change for your shared hosting provider if different). I run this code once or twice a day right now just to see what’s going on.

    Here’s another one I used:

    find . -name xxx.php

    In the above code, replace xxx with the name of an infected file (look at my original list of files). It will then look for all files in your account which have the name of xxx. I found many malicious files using this method.

    Finally, if you know about grep, it’s a good way to find any files that contain injected base64 code. Look it up and you’ll see the different options on how to look for these files.

    Before I wrap up, I’ll add a few more file names which I found that had been infected.

    class-wp-theme-edit.php
    class-ziplibs.php
    wp-raze.php
    wp-ajax-gadget.php
    /wp-includes/https.php

    They look real but are completely fake.

    I hope my experience and examples help someone else in a similar situation.

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘WordPress hacked files to delete or update when you've been hacked’ is closed to new replies.