Hacked by Hmei7 (50 posts)

  1. Sam Lovett Motorcycle Tours
    Member
    Posted 1 year ago #

    My website was hacked by Hmei7 on September 3rd. I have read the posts on this and other forums but still feel confused. Can anyone help walk me through restoring access to my site? I don't wish to cause more damage through ignorance!

    My site is hosted by HostPapa.
    I can't access my WordPress admin.
    I can access my cPanel.

    I have looked for the code outlined above, using phpMyAdmin but don't see it.

    Using File Manager in
    public_html/wp-content/themes/weaver, I see the header.php was modified whilst I was away... the text "hacked by Hmei7".

    Any help appreciated.

  2. Krishna
    Volunteer Moderator
    Posted 1 year ago #

    Edit: Sorry, posted to the wrong thread.

  3. Sam Lovett Motorcycle Tours
    Member
    Posted 1 year ago #

    Thanks, I'm working through that list: http://codex.wordpress.org/FAQ_My_site_was_hacked

    I have scanned my local machine.
    I have sent a support ticket to my hosting service but no response as yet.

    "Change passwords for the blog users, your FTP and MySQL users"? I have 2 user accounts enabled, both with full admin rights. I am happy to delete one but not sure how. I have looked at users under phpMyAdmin but don't really understand what I am doing.

  4. Sam Lovett Motorcycle Tours
    Member
    Posted 1 year ago #

    Ok, I have accessed my theme's header.php through File Manager and replaced the hacker's code with code from an original file. My site now loads.

    However, when I try to access wp-admin I am told that I have entered an incorrect user name. The username field on the logon page keeps returning an email address that is not mine.

    I have tried to edit the user information in phpMyAdmin without success.

    Desperate for help.

  5. esmi
    Forum Moderator
    Posted 1 year ago #

  6. Sam Lovett Motorcycle Tours
    Member
    Posted 1 year ago #

    Thanks for the resources Esmi, interesting and useful once I have regained access to my wp-admin.

    I have read all the content of this thread and I am still unclear about the process of securing my WordPress logon capability via cPanel. I understand that this is only an initial step in cleaning up and securing my site.

    Can I use cPanel to delete the 2 existing WP users and then create a new user name and password with full WP admin permissions?

    If so, which cPanel tools do I use and how?

  7. esmi
    Forum Moderator
    Posted 1 year ago #

    I understand that this is only an initial step in cleaning up and securing my site.

    Correct. Once you are sure that you have completely removed the hack and all potential back doors from your site, your next step needs to be locking your site down. To that end, I'd suggest reviewing Hardening_WordPress.

    Can I use cPanel to delete the 2 existing WP users and then create a new user name and password with full WP admin permissions?

    Not easily, no. You'd be better off creating a new admin user via your WordPress dashboard, logging out, logging back in as the new user and deleting the other 2 admin accounts.

  8. Sam Lovett Motorcycle Tours
    Member
    Posted 1 year ago #

    Ok, that makes sense to me. How do I go about regaining wp-admin access from an existing account?

  9. esmi
    Forum Moderator
    Posted 1 year ago #

    You'd need to reset the main admin password via the database. See:
    http://codex.wordpress.org/Resetting_Your_Password
    http://www.tamba2.org.uk/wordpress/phpmyadmin/
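
    As an added illustration, not part of esmi's reply or of the linked Codex pages, the POSIX shell helpers below produce the two SQL statements a site owner would run in phpMyAdmin's SQL tab: one lists every account with its e-mail address and role (which is how you spot the unfamiliar address Sam describes), and one resets a chosen user's password. The wp_ table prefix, the md5sum utility and every user name and password in it are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from WordPress itself.
# Assumptions: default "wp_" table prefix, md5sum available, POSIX sh.

# Escape a value for use inside a single-quoted SQL literal.
sql_quote() {
    printf '%s' "$1" | sed "s/\\\\/\\\\\\\\/g; s/'/''/g"
}

# SQL that lists every account with its e-mail, registration date and role.
# An address you do not recognise, or a second administrator, is the attacker's foothold.
wp_list_users_sql() {
    prefix=${1:-wp_}
    printf 'SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value AS capabilities\n'
    printf "FROM %susers u LEFT JOIN %susermeta m ON m.user_id = u.ID AND m.meta_key = '%scapabilities'\n" \
        "$prefix" "$prefix" "$prefix"
    printf 'ORDER BY u.ID;\n'
}

# SQL that resets one user's password. WordPress accepts a plain MD5 hash in
# user_pass and re-hashes it with its own scheme on the next successful login.
wp_reset_password_sql() {
    login=$(sql_quote "$1")
    hash=$(printf '%s' "$2" | md5sum | cut -d' ' -f1)
    prefix=${3:-wp_}
    printf "UPDATE %susers SET user_pass = '%s' WHERE user_login = '%s';\n" "$prefix" "$hash" "$login"
}

# Demo with constructed values: print the audit query, then a reset for a
# (hypothetical) account called "admin" with a new password.
wp_list_users_sql
wp_reset_password_sql admin 'correct-horse-battery-staple'
```

    Paste the printed statements into phpMyAdmin one at a time. Resetting the password restores only your own access: any extra administrator account or altered file is still there, which is why the account listing and esmi's advice about creating a fresh admin and deleting the old ones still apply.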

  10. fredriley
    Blocked
    Posted 1 year ago #

    A friend of a friend's site has suffered this same hack. I want to guard against it for my sites, one of which is currently hidden behind a .htaccess. I've had PHP code hacked before and it's a real PITA to clear up, so prevention is better than cure IMO.

    I'm running the latest version of WP always, on standard commercial hosting accounts, using the Woothemes Canvas framework, and I'm picky about the plugins I use. Nevertheless, there's no way I've got time to look through the code of every theme and plugin.

    So, can anyone say what vulnerability/ies this hack exploits? Are there dodgy plugins or themes with weak code I should watch out for?

    Thanks to esmi for the various links, which will come in handy if I'm ever hacked, and which are useful reading anyway.

    Fred

  11. Sam Lovett Motorcycle Tours
    Member
    Posted 1 year ago #

    Fantastic, that was exactly what I needed. Thank you.

    I have managed to log in to my dashboard. Do you recommend that I:

    "create a new admin user via your WordPress dashboard, log out, log back in as the new user and delete the other 2 admin accounts"

    Before I set about cleaning and securing my site?

  12. esmi
    Forum Moderator
    Posted 1 year ago #

    Are there dodgy plugins or themes with weak code I should watch out for?

    Never download plugins or themes from anything other than a reputable source.

  13. fredriley
    Blocked
    Posted 1 year ago #

    "Never download plugins or themes from anything other than a reputable source. "

    Well, yes, that goes without saying. I always get plugins and themes from wordpress.org, or from established commercial providers. What I should have asked is: are there any plugins or themes with known security holes? Or maybe that's not a wise question to ask on a public forum, though I suspect that the cracker grapevines will know about holes before the WordPress community does.

    For example, I had a site hacked because I had a copy of phpMyAdmin on it which I'd not updated for a year or so, and a bot got in. Colpa mia, I should have updated it, but it's a well-known program used by millions so was by any definition "reputable".

    It would be really useful to know how the hack happened, rather than what measures to take after it's done its damage.

    Fred

  14. esmi
    Forum Moderator
    Posted 1 year ago #

    I always get plugins and themes from wordpress.org, or from established commercial providers.

    That's an excellent start.

    are there any plugins or themes with known security holes?

    None that are available from WPORG, no. If a security issue is found in a WPORG-hosted theme or plugin (and, let's face it, that does happen sometimes), the developer in question is immediately notified and, if necessary, the resource withdrawn until an updated, patched version has been submitted by the developer. A standard upgrade notice then goes out to all sites that have used the plugin or theme.

    If you do come across an issue with a plugin where you can prove that there is a security issue, please contact plugins [at] wordpress.org with all of the necessary details and they'll look into it asap. Never, ever, post about it here - for exactly the reasons you state above. We don't want to publicise security holes to the wrong people.

    There are theme sites that we would never recommend because we have grave misgivings about the themes that they do offer - including issues like encoded scripts that could be doing almost anything on your site. When we come across people using themes from these sites, we do our best to persuade them to use another theme but, beyond that, there is very little we can do.

    I had a site hacked because I had a copy of phpMyAdmin on it which I'd not updated for a year or so

    That's a very common situation. This is why we keep pushing people to keep everything updated - WordPress core, plugins & themes. Even on sites that you feel aren't being actively used. A server is often only as secure as its weakest installed application.

    When investigating a hack on your own site, try to enlist the support of your hosts to see if, between you, you can figure out where the hacker got in and, therefore, where the security hole might be. It does vary, so there's not a lot we can offer in terms of general advice - other than the fact that paranoia & suspicion are often very useful traits. :-/

  15. fredriley
    Blocked
    Posted 1 year ago #

    Thanks, esmi. Very sound advice :)

  16. cigs
    Member
    Posted 1 year ago #

    #LolDig thanks a lot, can resolve one of our sites with this

  17. yoo-cht
    Member
    Posted 1 year ago #

    Hi All

    I have been hacked too, but I can't even log in; it doesn't recognise my e-mail address or password. How do I solve the problem now?

    Thanks

  18. esmi
    Forum Moderator
    Posted 1 year ago #

  19. yoo-cht
    Member
    Posted 1 year ago #

    Thanks a lot esmi, I'll try looking through and see how far I get.

    Regards

    Isabella

  20. m6mdr
    Member
    Posted 1 year ago #

    This hmei7 guy has been pretty much everywhere. Just Google the name and you'll see he's apparently Indonesian and recently it is claimed that he has hacked a large data centre, resulting in the defacement of over 5000 sites.

    The Amateur Radio Club site I help maintain has been done over by this guy and upon deep investigation I found index.old files in pretty much every directory. I also found randomly named PHP files containing large strings and missing closing tags, which I presume were some kind of injection / shell exploit attempts, and also his calling card file x.txt.

    My friend who hosts the site for our club also had 3 other domains under his hosting which were also defaced / penetrated / violated.

    The first time it happened it "appeared" as if the club site had been attacked by a group called wild clique and we didn't really understand the nature of the attack, so we fixed it up as best we could, but the site has since been attacked several times by various hacker groups and individuals.

    Today, I've been with my friend and we've completely ripped out the club's site and upon going through the files we've found no end of files that shouldn't be present as I described at the start of this reply.

    The site was so badly affected we couldn't risk using any of it as such and so had to go through quite a complicated procedure of installing a clean but newer version of web software and slowly and systematically "merging" the content after sanitizing what we could.

    I'm actually about half way through restoring the old data on the newer platform and now the penny has begun to drop on what's happened.

    My friend's other sites under his hosting comprise two Joomla 2.5 sites, a custom HTML site and our club site formerly running Joomla 1.5.

    I think this guy initially penetrated the club site with a shell script or some other injection / RFI and then went on to take over the rest of the domains under my friend's account from there. Or at least Mr hmei7 opened the door for others to do it. We certainly found the same files on the other domains too and the only thing they all share in common is that they are all under the one user hosting account.

    Without waffling on needlessly, the point I am trying to make is, if this guy's been at your site, I wouldn't trust a SINGLE file or directory and I'd be looking at all my other sites closely too.

    Just because your sites aren't defaced or whatever doesn't mean there isn't something nasty sitting and waiting!

    I suggest everyone wanting to secure their sites familiarise themselves with the following hacking techniques so as to understand how these attacks work and how to counter them in the future.

    RFI (Remote File Inclusion)
    LFI (Local File Inclusion)
    SQL Injection
    XSS (Cross Site Scripting)

    It is also important to keep every aspect of your site up to date, from core to plugins! You should also make sure you follow all steps listed by the creators of any scripts or software you are using to keep them secured.

    I'm only aware of this after the fact of course, but if this info can help others and prevent them from falling foul to this hmei7 and others then it was worth posting.

    I should add that since we have been attacked, I have spent countless hours researching, reading about and trying out the attacks listed above and more besides and I am now better prepared to protect my sites now I know how some of these attacks work and have seen them in action with my own eyes.

    I will admit that during my research I have actually been on Google and have dorked a few vulnerable sites and I've penetrated them using various freely available penetration techniques BUT I am not a malicious person and I have not and will not use any of the data I managed to exploit. I did it purely for educational purposes to see how it was done and if it could still be done on a live site and in most cases, there are PLENTY of sites vulnerable to these attacks still out there.

    In my case, I have of course notified the sites I have penetrated and hopefully they will act on my information.

    So take my advice folks - keep up to date with your software, keep up to date with your knowledge and if you suspect you've been hacked, don't trust a single file - Check every file and folder under your account!

    Peace and stay safe!
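
    The "check every file and folder" advice above, turned into a POSIX shell triage script as an added example (it is not from any post in this thread). It flags the index.old and x.txt files m6mdr describes, PHP files sitting in the uploads directory, PHP files that call eval or base64_decode or carry very long lines, any file containing the defacement text, and files modified after a chosen date. The sample tree it builds is constructed; the web root path, the indicator names and the date are assumptions.

```shell
#!/bin/sh
# Added example: post-defacement triage of a WordPress web root.
# Assumptions: POSIX sh with find, grep, awk, sed, mktemp; the sample tree below is constructed.

# Build a small constructed tree so the script runs stand-alone (mirrors what the thread describes).
make_sample_tree() {
    root=$1
    mkdir -p "$root/wp-content/themes/weaver" "$root/wp-content/uploads"
    printf '<?php wp_head(); ?>\n<!-- Hacked by Hmei7 -->\n' > "$root/wp-content/themes/weaver/header.php"
    printf '<?php // original front controller\n?>\n' > "$root/index.php"
    printf 'stale copy left behind\n' > "$root/index.old"
    printf 'Hacked by Hmei7\n' > "$root/x.txt"
    # Obfuscated, randomly named PHP file with no closing tag (constructed and inert: it is never run;
    # the base64 payload only decodes to "hello world").
    printf '<?php eval(base64_decode("aGVsbG8gd29ybGQ="));' > "$root/wp-content/uploads/a8f3k2.php"
    printf 'clean upload\n' > "$root/wp-content/uploads/photo.jpg"
    # Pretend index.php predates the incident (constructed date).
    touch -t 201208010000 "$root/index.php"
    return 0
}

# Print one indicator per line as "<category> <path>" for everything suspicious under $1.
scan_webroot() {
    root=$1
    # 1. The calling-card file names reported in the thread.
    find "$root" -type f \( -name 'index.old' -o -name 'x.txt' \) | while IFS= read -r f; do
        printf 'calling-card %s\n' "$f"
    done
    # 2. PHP in the uploads directory: WordPress never puts code there, attackers do.
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        printf 'php-in-uploads %s\n' "$f"
    done
    # 3. PHP that decodes or evaluates strings at runtime, or carries a very long line (packed payload).
    find "$root" -type f -name '*.php' | while IFS= read -r f; do
        if grep -Eq 'eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(' "$f"; then
            printf 'obfuscated-php %s\n' "$f"
        elif awk 'length($0) > 500 { found = 1 } END { exit !found }' "$f"; then
            printf 'long-line-php %s\n' "$f"
        fi
    done
    # 4. The defacement string itself, which marks every file the attacker wrote to.
    find "$root" -type f | while IFS= read -r f; do
        if grep -il 'hacked by' "$f" >/dev/null; then
            printf 'defacement-text %s\n' "$f"
        fi
    done
    return 0
}

# Files changed after a timestamp in touch -t form (e.g. 201209030000 for 3 Sept 2012, the date in post 1).
modified_after() {
    root=$1
    stamp=$2
    ref=$(mktemp)
    touch -t "$stamp" "$ref"
    find "$root" -type f -newer "$ref" | while IFS= read -r f; do
        printf 'modified-after-%s %s\n' "$stamp" "$f"
    done
    rm -f "$ref"
    return 0
}

# Demo against the constructed tree. On a real host point the two functions at the
# account's web root instead, e.g. scan_webroot "$HOME/public_html" (path is an assumption).
demo_root=$(mktemp -d)/site
make_sample_tree "$demo_root"
scan_webroot "$demo_root"
modified_after "$demo_root" 201209030000
```

    Everything the script prints is a lead to inspect, not proof on its own: a long line in a legitimate minified library is harmless, while a genuinely clean-looking file can still be an attacker's. The category that gives the strongest signal is PHP in uploads, followed by files whose modification time postdates the incident, which is exactly why the thread's advice is to distrust every file and rebuild from known-good copies.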

This topic has been closed to new replies.