garethlawson
Forum Replies Created
Forum: Plugins
In reply to: [UpdraftCentral Dashboard] Website migration with UpdraftCentral

Thanks for confirming my suspicion @davidanderson.
Is there any way to try out the migration tool or Premium features before purchasing? If they work well for me I am quite keen to purchase a license for UpdraftPlus Premium for at least 10 sites.
Thanks,
Gareth

Thanks for adding your experience @chowned. Fortunately for me, these attacks stopped shortly after my last post. It seemed to coincide with the release of WordPress 4.7.1, but I am not at all sure, and don’t really believe the change in WordPress version is the thing that did the trick.
Personally, I believe the hosting provider quietly patched an OS vulnerability without saying anything, but cannot prove anything either way. When you say, “recoding the entire site”, what do you mean by that?
Sorry to hear about the ongoing attacks on your site. Hope you can get to the bottom of it and please let us know here if you do.

Yes, what you’re saying is exactly what I’m thinking. I know that the database connection uses “localhost”, and all the other sites that have databases probably also do, so if they’re able to get elevated access to the database through the server or another website on the server, or if they’re able to get to and read the wp-config.php file via the same, then they’re in.
Hopefully we can convince the client either to get Wordfence in to investigate and either find the hole or confirm my conclusion, or to move to a different provider.
If we do move to another provider, I plan to install WordPress, the theme and all plugins from scratch and then import the content and configuration to make sure I don’t transfer a backdoor that I may have missed somehow.
Cheers,
Gareth

I understand that, and thanks for the response and advice on what to check. I do appreciate it.
Earlier in December there are two references to wp-config.php in the access logs, but both resulted in a 404 and the IP address is 178.137.83.166, which is owned by Kyivstar GSM, a Ukrainian mobile phone operator. Both were an attempt at directory traversal which clearly failed: GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1
Slider Revolution is not installed on this site and I believe Wordfence blocks this attack anyway as I’ve seen it in the attack reports often on most of the sites I maintain.
Every time the site was hacked, there are logs related to the relevant IP address. The first time, the relevant IP address visited the home page, then /wp-login.php, then POSTed to /wp-login.php and was authenticated. Once authenticated they accessed /wp-admin/theme-editor.php and POSTed to it, probably to deface the site. There are no other logs related to that IP address.
The most recent time it was hacked, seemingly by a different hacker (a different signature was left on the site), was similar: straight to /wp-login.php, POSTed to it, was authenticated and then went to /wp-admin/options-general.php and POSTed to /wp-admin/options.php modifying the website title. Then went to the home page, no doubt to enjoy his victory.
All of this, in my opinion, continues to strengthen the case that the hackers gained direct access to the database via some other channel and not the website. The hosting company says that they have taken all necessary security precautions and won’t offer any further assistance, in spite of my having provided all this information and having found two other websites on the same shared server that have been compromised in the same way. I am considering asking for permission to run a vulnerability scanner on the IP address, but I doubt they’d consent anyway.
We are trying to convince the website owner to move their site to a different hosting provider who we trust.
Thanks again for trying to help!

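The post above describes two things seen in the Apache access logs: a failed traversal attempt aimed at wp-config.php, and an IP that POSTs to wp-login.php, is authenticated, and then POSTs to theme-editor.php or options.php. Here is an added example (not code from the thread, Wordfence or WordPress) that parses combined-format log lines and flags both patterns; the log lines and IP addresses are constructed from documentation ranges, and treating a 302 on the login POST as "accepted" is an assumption about the default WordPress login redirect.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache combined log: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Admin endpoints the thread describes being POSTed to straight after a successful login.
SENSITIVE_POST = ("/wp-admin/theme-editor.php", "/wp-admin/options.php")
# Constructed sample lines (documentation IP ranges) mirroring the sequences described in the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2017:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2017:10:00:20 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2017:11:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 404 200 "-" "curl/7.0"
192.0.2.9 - - [10/Jan/2017:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2017:12:00:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

def parse(text):
    """Parse combined-format lines into dicts; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            out.append(d)
    return out

def traversal_attempts(entries):
    """(ip, path) for requests whose URL-decoded path uses '../' to reach wp-config.php."""
    return [(e["ip"], e["path"]) for e in entries
            if "../" in unquote(e["path"]) and "wp-config.php" in unquote(e["path"])]

def login_then_edit(entries):
    """IPs whose POST to wp-login.php got a 302 (assumed accepted) and that later POST to an editor/options page."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    flagged = []
    for ip, events in by_ip.items():
        logged_in = False
        for e in events:  # events are already in log (time) order
            if e["method"] == "POST" and e["path"].startswith("/wp-login.php") and e["status"] == 302:
                logged_in = True
            elif logged_in and e["method"] == "POST" and e["path"].split("?")[0] in SENSITIVE_POST:
                flagged.append(ip)
                break
    return flagged
```

Running `login_then_edit(parse(SAMPLE_LOG))` flags only 203.0.113.5; 192.0.2.9's login POST returned 200 (the login form again), so it is not treated as authenticated.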
Thanks for the advice @bluebearmedia.
I am an experienced PHP developer (since 2003) and have manually compared the files on the compromised server with the files of a clean installation with all the same extensions. No unexpected differences. I have also analysed the Apache access logs and there are only entries related to valid WordPress URLs.
I am as sure as I can be that there are no file-based backdoors on the hosting account. The only backdoor I think they may have is if they have compromised the entire hosting server. I have requested that the hosting company do an analysis of the entire server, but they are not very cooperative.
I am waiting for the website owner to decide if they want to get Wordfence involved. Would be happy to hand this over to them, but it’s in the website owner’s hands.
Thanks again,
Gareth

Forum: Plugins
In reply to: [WP eCommerce] So slow…

Same problem here Alberto. A site I developed using WP Ecommerce takes between 5 and 35 seconds to load with WP Ecommerce activated and between 682 and 800 milliseconds to load when the plugin is deactivated. This applies specifically to tests done on the homepage where very few images are loaded and very little WP Ecommerce functionality is needed (apart from the shopping cart). There are, however, an extremely large number of products captured in the database, 8000+.
* WordPress 3.6.1
* WP Ecommerce 3.8.12.1

Any advice would be much appreciated!
Gareth