[closed] Hack? Please help me, don't know what to do (18 posts)

  1. Helptourists
    Member
    Posted 1 month ago #

    Hi,

    Two days ago all my plugins disappeared from my backend, but not on the server. I tried to reactivate the plugins, but WordPress doesn't show them at all. There is the same problem report for all plugins: "there is no valid header".

    I found a mysterious new user, that I didn't add on my own. This user has administration rights. What is really weird is that this unknown user has no user name and no email address. Could this be a hacker attack?

    I'm really afraid, could somebody please help me asap?
    Thanks a lot, Denise.

    PS: I immediately changed the rights of the new user from admin to subscriber.

  2. BonJecker
    Member
    Posted 1 month ago #

    Yes Helptourists... It appears your site may have been hacked.

    We had this same problem on one of our client sites on June 30th, 2014. What appeared to be malicious code was added to the top of every php file within the client root directory on our live server. I would like to reiterate: this code was even added to .php files that were outside of the WordPress directory (WordPress is installed in /blog/ and PHP files in the root client folder (index.php) were also modified).

    We have not been able to figure out what the code does exactly because the site appears to function normally until you log in to wp-admin and visit the Plugins page. After WordPress kicks out the error "no valid header" and "plugin deactivated", the site no longer functions correctly due to the missing plugins.

    We have analyzed the code added to the top of the pages but have not figured out what it does as of yet. There is no base64 encoding. A random string is generated and then a php function is created. One of our other developers here analyzed this and said the result that he arrived at was a number... like 120 or something which doesn't make sense.

    I restored the site files from backup but retained the SQL database because it didn't appear that it was compromised with the exception of the blank Administrator user which had an ID of 1001001 which I deleted.

    I changed our Administration login password, the MySQL password, I reset the Salt key in wp-config.php, updated WordPress to 3.9.1 and updated all plugins, and added iTheme Security (formerly Better WP security) and enabled most security including removing the admin user, changing the database prefix, etc.

    Just the other day, I enabled the function in iThemes to monitor files for changes and a few days ago I received an email notifying me that many php files were changed on July 1st, 2014 (the day after I cleaned everything up). I downloaded a few .php files from the live site and see they have all been compromised again.

    The only password that wasn't changed was the web server password for the client site, so I suspect they either got in using the same SiteWorx password, or one of the other Admin Users' local computers was compromised and not cleaned.

    I can provide the code if anyone wants to take a stab at this.

    Unfortunately, we manage about 20 - 30 WordPress sites for our clients and late Friday when I found that this one site had been compromised again, I went through to check some of the other client sites and so far have found five other sites that are infected with this same issue.

    Trying to find some commonality by adding to the original post so hopefully we can find a solution. Unfortunately, I have a feeling we are in the early stages of a new WordPress vulnerability that has been found and exploited, but not yet patched.

  3. wclune
    Member
    Posted 1 month ago #

    I house 6 WP sites on a single server; it is not a colocation or a VM. I noticed the other day one of my plugins, a calendar plugin, was missing from the site. When I logged into the admin panel I was presented with a message about the Weaver II plugin package that should be added. Normally I install all of the updates automatically and deal with issues after. When I went to the plugin control page it said all of the plugins had corrupt headers. Using FTP I cleaned every plugin's "pluginname.php" and voilà, all was well for 1 day. I now see every page in every folder has a large amount of data in the header.

    Thankfully this is only happening in 1 of 5; strange, because most sites have the same plugin but this is the only one running Weaver II.

  4. wclune
    Member
    Posted 1 month ago #

    Would a piece of sample header help out in this?

  5. wclune
    Member
    Posted 1 month ago #

    I also just noticed something VERY disturbing: the creation of an administrator with no username or description. This is out of hand!
    When I clean the damaged files it takes very little time for the code to reappear.

  6. BonJecker
    Member
    Posted 1 month ago #

    Yes. The blank user Administrator with ID 1001001 is consistent with all of the sites that have the code added to the top of each PHP page. We are cleaning up all of the code from the files and trying to figure out some commonality between the affected sites. If anyone can help us decipher what this code actually does, we would be happy to provide it. We have found several variations of the code which generally looks like garbage... but it must be doing something... just not sure what.
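As an added example (not code from any poster in this thread), the following Python script reproduces the check behind the "no valid header" symptom described above: WordPress reads only the first 8 KiB of a plugin's main file when parsing its header, so a large block of code prepended to the file pushes `Plugin Name:` out of that window and the plugin vanishes from the Plugins page. It also flags any PHP file where code precedes the header comment, which catches smaller injections that leave the header "valid". The sample plugin files are constructed inline; the 8192-byte window and header regex follow WordPress core's `get_file_data()`.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# WordPress get_file_data() reads only the first 8 KiB of a plugin file before
# parsing the header, so a large prepended block hides "Plugin Name:" from it.
HEADER_WINDOW = 8192
PLUGIN_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:(.*)$", re.MULTILINE)

# Constructed sample plugin files (not taken from any infected site).
SAMPLE_CLEAN = b"<?php\n/*\nPlugin Name: Example Calendar\nVersion: 1.0\n*/\nfunction example_calendar_init() {}\n"
SAMPLE_SMALL_INJECT = b"<?php $junk = '" + b"a" * 200 + b"'; ?>\n" + SAMPLE_CLEAN
SAMPLE_LARGE_INJECT = b"<?php $junk = '" + b"a" * 9000 + b"'; ?>\n" + SAMPLE_CLEAN

def has_valid_header(content: bytes) -> bool:
    """Mimic the WordPress check: 'Plugin Name:' must appear within the first 8 KiB."""
    head = content[:HEADER_WINDOW].decode("utf-8", errors="replace")
    return PLUGIN_NAME_RE.search(head) is not None

def code_before_header(content: bytes) -> bool:
    """True if anything other than '<?php' and whitespace precedes the header comment.
    A small injection keeps the header 'valid' yet still shows up here."""
    text = content.decode("utf-8", errors="replace")
    return re.match(r"\s*<\?php\s*/\*", text) is None

def scan_plugins(plugin_dir: Path) -> dict:
    """Check every top-level .php file per plugin folder (e.g. wp-content/plugins).
    In a real tree only the main file carries a header, so for the other files
    rely on code_before_header rather than valid_header."""
    results = {}
    for main_file in sorted(plugin_dir.glob("*/*.php")):
        content = main_file.read_bytes()
        results[main_file.parent.name] = {
            "valid_header": has_valid_header(content),
            "code_before_header": code_before_header(content),
        }
    return results

def demo() -> dict:
    """Write the constructed samples into a temporary plugin tree and scan it."""
    samples = {"clean-plugin": SAMPLE_CLEAN, "small-inject": SAMPLE_SMALL_INJECT,
               "large-inject": SAMPLE_LARGE_INJECT}
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in samples.items():
            (root / name).mkdir()
            (root / name / f"{name}.php").write_bytes(body)
        return scan_plugins(root)

if __name__ == "__main__":
    for plugin, flags in demo().items():
        print(plugin, flags)
```

Pointing `scan_plugins` at a site's real `wp-content/plugins` directory gives a quick first triage of which files were touched, which is the signal the file-change monitoring mentioned above is also watching for.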

  7. UseShots
    Member
    Posted 1 month ago #

    Many sites have been similarly hacked http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html

    I guess hackers use a vulnerability in some plugin to create that admin user.

    By the way, do any of your blogs have open user registration?

  8. BonJecker
    Member
    Posted 1 month ago #

    None of the sites have open user registration and almost every site of ours was hit by this. Thanks for the feedback. I hope this isn't a widespread issue...

  9. BonJecker
    Member
    Posted 1 month ago #

    After reviewing the link you provided and how about 80% of our sites were compromised, I see this is a pretty widespread issue. However, so far I disagree with the thought that they are coming in through a vulnerable plugin as I have not found a common plugin to all of the affected sites.

    One common aspect found so far is that all of the sites compromised were not on version 3.9.1 when they were first compromised. The one site I mentioned that was infected again a day later was not hardened immediately after it was cleaned and updated to v3.9.1. I have since been hardening WordPress v3.9.1 using iTheme (formerly Better WP Security) and so far the sites have remained clean (keeping my fingers crossed).

    Will post more details and updates regarding the cleaning process once I feel confident the hole has been patched properly.

  10. UseShots
    Member
    Posted 1 month ago #

    Yes, it's widespread, and on many sites we saw that hackers checked for vulnerable plugins (e.g. MailPoet or WPTouch) before trying to access their backdoors or logging into web sites.

    By the way, do all those sites share the same server account? If yes, one vulnerable site is enough to compromise all the sites.

  11. Helptourists
    Member
    Posted 1 month ago #

    Hi to all of you,

    We found out that, like some of you said, a plugin was responsible for that mess. In my case we are pretty sure that it was MailPoet, which recently had some security problems!

  12. dainism
    Member
    Posted 1 month ago #

    We have the exact same problem.
    What is the best way to fix/solve this problem?

  13. Helptourists
    Member
    Posted 1 month ago #

    I am unfortunately not responsible for the technical details on my page, but I guess we used a backup, installed all plugins again and deleted the new admin. We also updated MailPoet and WordPress to the latest version.

  14. BonJecker
    Member
    Posted 1 month ago #

    Each of our sites is hosted within its own account with its own security credentials so infection was on a site-by-site basis. None of our sites use MailPoet or WPTouch plugins. All infected sites use different themes and plugins and there is no common plugin used on all sites, so I would rule out the source of the infection from an outdated plugin.

    The only thing I have found common is that all sites were not on v3.9.1.

    Is anyone able to confirm their existing v3.9.1 site was infected?

  15. dainism
    Member
    Posted 1 month ago #

    We have auto updates set up and we are running v3.9.1 and the website is infected.
    If the infection happened before the update it is hard to tell.

  16. UseShots
    Member
    Posted 1 month ago #

    Sucuri has an update about the MailPoet http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html

    but I agree that it's not the only penetration vector. I also saw infected sites that didn't have MailPoet. Still investigating...

  17. dainism
    Member
    Posted 1 month ago #

    Would there be any reason to think the database files would be affected?

  18. Andrew
    Forum Moderator
    Posted 1 month ago #

Topic Closed

This topic has been closed to new replies.