WordPress.org

1. mort3n
   Member
   Posted 5 months ago #
   

   I've just had the annoying task of cleaning up a WP site after it had been hacked. To aid others I thought I would share a brief description.

   Disclaimer : This is not the way to go, but just a way I followed.

   Setup : WP 3.3.2. The site had been live, but not updated since March 2012.
   Perpetrator : Haxorsistz
   Morale : Do remember to update both WP and plugins regularly

   The site was defaced on all pages with a death note for the admin (it's a kindergarten site, so that was really inappropriate). This included the admin login page, so the site was inaccessible.

   Here's what I did to recover the site:
   - Access site by FTP and PHPAdmin
   - Backup to separate location
   - Check the errorlog
   - Search the server for recently changed files
   - Update WP (I did it through a one-click installer in cPanel)
   - Upload a clean twentyeleven theme
   - Sift through the _options table in the database.
   - Deface code was in fields blogname and widget_text
   - Set new password for DB and change wp-config accordingly
   - Set new salt in wp-config according to inline instructions in that file
   - Reset the encoding, it had been changed to UTF-7

   Resources :
   http://codex.wordpress.org/FAQ_My_site_was_hacked

2. Viscosity
   Member
   Posted 5 months ago #
   

   To clean up is uninstall and install back all the wordpress in order to perform a clean wipe out in which may contain backdoor left behind.

3. stabiasport
   Member
   Posted 5 months ago #
   

   Even my website was hacked two days ago from this team and I noticed that I changed the encoding to UTF-7 and changed the name of the title. I changed everything. Now I am sure? What I occore not to suffer more attacks?

4. mort3n
   Member
   Posted 5 months ago #
   

   @viscosity
   A fresh install of WP is one way to go. I checked for recent file modifications. After that, as noted above, I updated WP.

   The attack appears to have been an SQL-injection.

   @stabiasport
   Do also check widget_text in your _options table.

   To prevent it from happening you could use the advice about
   http://codex.wordpress.org/Hardening_WordPress
   and perhaps install a security plugin such as (just one example)
   http://wordpress.org/extend/plugins/bulletproof-security/
   or
   http://wordpress.org/extend/plugins/wordfence/

   Cheers
   Mort3n

5. Viscosity
   Member
   Posted 5 months ago #
   

   There are several things in which you have to look into.

   For application, fresh clean up and re installed help to clear up those mess. Re-installed and update all your required plugins,then do a full backup. Used security plugins like bulletproof security, wordfence, Timthumb Vulnerability Scanner, Theme Authenticity Checker (TAC),etc does not grant u that your sites is not hackable.

   For network, disable all your ftp and ssh when you are not using it connected to your panel.Use strong password with a minimum 15 characters length contain, upper & lower letter, number and including special character to prevent any dictionary attack on your password.

   The attack appears to have been an SQL-injection.
   What make you so sure it is SQL attack? If so, then your gonna look into your SQL updates and version used.

   http://codex.wordpress.org/Hardening_WordPress
   It did mention clearly the steps to take to harden your wordpress.

   External Service
   Cloudflare * Incapsula help to reduce your chance getting hack even though your are using their free service.

6. stabiasport
   Member
   Posted 5 months ago #
   

   @mort3n
   Thank you.
   Can you provide the exact path? widget_text in your _options table.

7. mort3n
   Member
   Posted 5 months ago #
   

   @stabiasport

   In your database you have a table called yourprefix_options. That is the table I refer to.

   In the table there is a field called widget_text. Apart from the blogname field, that is where I found altered content.

   Cheers
   Mort3n.

Reply

You must log in to post.