Clean up of one hacked site (7 posts)

  1. mort3n
    Member
    Posted 1 year ago #

    I've just had the annoying task of cleaning up a WP site after it had been hacked. To aid others I thought I would share a brief description.

    Disclaimer : This is not the way to go, but just a way I followed.

    Setup : WP 3.3.2. The site had been live, but not updated since March 2012.
    Perpetrator : Haxorsistz
    Moral : Do remember to update both WP and plugins regularly

    The site was defaced on all pages with a death note for the admin (it's a kindergarten site, so that was really inappropriate). This included the admin login page, so the site was inaccessible.

    Here's what I did to recover the site:
    - Access site by FTP and PHPAdmin
    - Backup to separate location
    - Check the error log
    - Search the server for recently changed files
    - Update WP (I did it through a one-click installer in cPanel)
    - Upload a clean twentyeleven theme
    - Sift through the _options table in the database.
    - Deface code was in fields blogname and widget_text
    - Set new password for DB and change wp-config accordingly
    - Set new salt in wp-config according to inline instructions in that file
    - Reset the encoding, it had been changed to UTF-7

    Resources :
    http://codex.wordpress.org/FAQ_My_site_was_hacked

  2. Viscosity
    Member
    Posted 1 year ago #

    To clean up, uninstall and reinstall all of WordPress in order to perform a clean wipe, as the install may contain a backdoor left behind.

  3. stabiasport
    Member
    Posted 1 year ago #

    My website was also hacked two days ago by this team and I noticed that I changed the encoding to UTF-7 and changed the name of the title. I changed everything. Now am I safe? What do I need to do to not suffer more attacks?

  4. mort3n
    Member
    Posted 1 year ago #

    @viscosity
    A fresh install of WP is one way to go. I checked for recent file modifications. After that, as noted above, I updated WP.

    The attack appears to have been an SQL-injection.

    @stabiasport
    Do also check widget_text in your _options table.

    To prevent it from happening you could use the advice about
    http://codex.wordpress.org/Hardening_WordPress
    and perhaps install a security plugin such as (just one example)
    http://wordpress.org/extend/plugins/bulletproof-security/
    or
    http://wordpress.org/extend/plugins/wordfence/

    Cheers
    Mort3n

  5. Viscosity
    Member
    Posted 1 year ago #

    There are several things you have to look into.

    For the application, a fresh cleanup and reinstall help to clear up the mess. Reinstall and update all your required plugins, then do a full backup. Using security plugins like BulletProof Security, Wordfence, Timthumb Vulnerability Scanner, Theme Authenticity Checker (TAC), etc. does not guarantee that your site is not hackable.

    For the network, disable all your FTP and SSH when you are not using them connected to your panel. Use a strong password with a minimum length of 15 characters, containing upper and lower case letters, numbers and special characters, to prevent any dictionary attack on your password.

    "The attack appears to have been an SQL-injection."
    What makes you so sure it is an SQL attack? If so, then you're going to have to look into your SQL updates and the version used.

    http://codex.wordpress.org/Hardening_WordPress
    It clearly mentions the steps to take to harden your WordPress.

    External Service
    Cloudflare & Incapsula help to reduce your chance of getting hacked, even though you are using their free service.

  6. stabiasport
    Member
    Posted 1 year ago #

    @mort3n
    Thank you.
    Can you provide the exact path? widget_text in your _options table.

  7. mort3n
    Member
    Posted 1 year ago #

    @stabiasport

    In your database you have a table called yourprefix_options. That is the table I refer to.

    In the table there is a field called widget_text. Apart from the blogname field, that is where I found altered content.

    Cheers
    Mort3n.
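
The check described in this thread (look at blogname and widget_text in the _options table, and at the changed encoding), as an added example that is not code from any of the posters. It assumes the encoding is stored in the WordPress option `blog_charset`; the sample rows are constructed, an in-memory SQLite table stands in for the MySQL one, and the list of flagged tags is an assumption.

```python
import re
import sqlite3

# Rows to pull; "yourprefix_" stands for the site's table prefix (wp-config.php).
QUERY = ("SELECT option_name, option_value FROM yourprefix_options "
         "WHERE option_name IN ('blogname', 'blog_charset', 'widget_text')")

# Tags that have no business in a site title or a plain text widget.
ACTIVE = re.compile(r"<\s*(script|iframe|object|embed|meta|style)\b", re.I)
# UTF-7 spellings of "<" and ">", which only become markup once the page is
# served as UTF-7 (the changed encoding noted in the thread).
UTF7 = re.compile(r"\+AD[w4]-")
ANY_TAG = re.compile(r"<[a-z!/]", re.I)


def audit_options(rows):
    """Return sorted (option_name, reason) findings for (name, value) rows."""
    findings = []
    for name, value in rows:
        value = value or ""
        if name == "blog_charset" and value.strip().upper() != "UTF-8":
            findings.append((name, "charset is %r, expected UTF-8" % value))
        elif name in ("blogname", "widget_text"):
            if UTF7.search(value):
                findings.append((name, "UTF-7 encoded angle brackets"))
            if ACTIVE.search(value):
                findings.append((name, "active markup"))
            elif name == "blogname" and ANY_TAG.search(value):
                findings.append((name, "HTML in site title"))
    return sorted(findings)


def demo_rows():
    """Constructed sample rows; in-memory SQLite stands in for the MySQL table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE yourprefix_options (option_name TEXT, option_value TEXT)")
    db.executemany("INSERT INTO yourprefix_options VALUES (?, ?)", [
        ("blogname", "+ADw-h1+AD4-constructed deface text+ADw-/h1+AD4-"),
        ("blog_charset", "UTF-7"),
        ("widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:34:"<script>/* constructed */</script>";}}'),
        ("siteurl", "http://example.org"),
    ])
    return db.execute(QUERY).fetchall()


if __name__ == "__main__":
    for name, reason in audit_options(demo_rows()):
        print(name, "->", reason)
```

Text widgets can legitimately hold HTML, so a widget_text finding is a prompt to read the value, not proof of tampering.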

Topic Closed

This topic has been closed to new replies.
