
Hacked site - Axe.php (4 posts)

  1. nortont
    Member
    Posted 2 years ago #

    I have a site hacked and it was reported to me as a DOSing attack.

    I found a file in several locations called axe.php that looks like it only shows up when a search comes from Google and the page is a 404.

    As I can not find any info on it, I do not know how they would have put the file in there.
    Can anyone offer any information?

    There were also several files labelled as .jpg

    malicious code removed - please use a pastebin in the future

  2. LeedsInk
    Member
    Posted 2 years ago #

    Hi NortonT. The file you've pasted is an automated script that looks for vulnerabilities in older WordPress versions. I don't think this is the only file that's been installed; this is usually the last. Have a look for other files you don't recognise. For a start, you'll have one in your etc/ folder called passwd.dic, and you may also find other php and html files.

    Do you by any chance have anything added to your footer on your home page? View the source code of your site and scroll to the bottom for anything you don't recognise.

    I'll assume now that you're not using the latest version of WordPress? Possibly prior to version 3? The first thing I would do is change your FTP password to something more secure, as it appears that they managed to brute-force it using the words contained within passwd.dic.

    I would then scan your home computer using Malwarebytes in Safe Mode (assuming you use Windows), as it's possible that they obtained your username and password from your PC.

    If you work at normal times of the day, look in your FTP for when the files were last modified, assuming you've not overwritten them. And try to find any other files around the same time. Make sure you view hidden files and folders, and check your htpasswd file and other admin files.

    Hope this helps. If you want more info then do a Google search for Web Shell by Orb for other cases of the same attack.

    Not that it'll make any difference, but the md5 hash on line 6 is 'dasha'.
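An added example, not code posted by anyone in this thread: a small POSIX shell script that turns the triage steps above into repeatable checks against a WordPress tree. It covers the points LeedsInk raises (files modified after a file you know is untouched, hidden files such as .htaccess) and the observation in the first post that some dropped files were named .jpg. Everything the script touches is constructed inside a temporary directory; the names axe.php, passwd.dic and photo.jpg are placeholders that mirror the thread, and their contents are harmless comments, not the original files. On a live site you would point the functions at the web root and pick a reference file you are confident was never modified (here wp-config.php is assumed); note that an attacker can reset modification times, so an empty result from the mtime check is not proof of a clean tree.

```shell
#!/bin/sh
# Added example, not code from the thread: offline triage of a WordPress
# tree along the lines LeedsInk suggests (files modified after a known-good
# one, hidden files) and nortont's observation of ".jpg" files that are
# really PHP. The directory layout and every file in it are constructed
# here as placeholders; nothing is real malware.

set -u

# Build a small constructed tree under a temporary directory and print its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/etc"
    # Known-good files with an old, deliberately chosen timestamp (2010-01-01).
    printf '<?php /* constructed wp-config */\n' > "$dir/wp-config.php"
    printf '<?php /* constructed index */\n' > "$dir/index.php"
    printf '\377\330\377\340 constructed image bytes\n' > "$dir/wp-content/uploads/real.jpg"
    printf '# constructed .htaccess\n' > "$dir/.htaccess"
    touch -t 201001010000 "$dir/wp-config.php" "$dir/index.php" \
        "$dir/wp-content/uploads/real.jpg" "$dir/.htaccess"
    # Files "dropped" later (current timestamp): placeholder names and contents.
    printf '<?php /* constructed placeholder, stands in for a dropped script */\n' \
        > "$dir/wp-content/axe.php"
    printf 'word1\nword2\n' > "$dir/etc/passwd.dic"
    printf '<?php /* constructed placeholder: PHP hiding behind a .jpg name */\n' \
        > "$dir/wp-content/uploads/photo.jpg"
    printf '%s\n' "$dir"
}

# 1. Files whose modification time is later than a known-good reference file.
#    Caveat: mtimes can be forged, so treat an empty result as inconclusive.
recent_files() {   # usage: recent_files DIR REF_FILE
    find "$1" -type f -newer "$2" | sort
}

# 2. Image-named files whose content contains a PHP open tag.
#    grep -l prints only the matching file name, for binary files as well.
php_in_images() {  # usage: php_in_images DIR
    find "$1" -type f \( -name '*.jpg' -o -name '*.jpeg' -o -name '*.png' -o -name '*.gif' \) \
        -exec grep -l '<?php' {} \; | sort
}

# 3. Hidden (dot) files and directories anywhere below DIR.
hidden_entries() { # usage: hidden_entries DIR
    find "$1" -name '.*' ! -path "$1" | sort
}

# Stand-alone demo: build the constructed tree, run the three checks, clean up.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "== modified after wp-config.php =="; recent_files "$tree" "$tree/wp-config.php"
    echo "== image-named files containing PHP =="; php_in_images "$tree"
    echo "== hidden entries =="; hidden_entries "$tree"
    rm -rf "$tree"
fi
```

Run it with `sh triage.sh --demo` to see the three lists on the constructed tree; against a real site, call the functions with the web root and your chosen reference file, and review every path they return by hand rather than deleting automatically, since legitimate uploads and cache files will also appear.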

  3. MickeyRoush
    Member
    Posted 2 years ago #

    @nortont

    In addition to what LeedsInk said, I've compiled a list of links (so that you don't have to scour the web) that should help you.

    Check your site(s) here:
    1. http://sitecheck.sucuri.net/scanner/
    2. http://www.unmaskparasites.com/
    3. http://www.virustotal.com/
    4. http://www.phishtank.com/
    5. http://www.browserdefender.com/
    6. http://ismyblogworking.com/
    7. Google Safe Browsing (to access a site's google info, add their domain to the end of this):
    http://www.google.com/safebrowsing/diagnostic?site=
    example:
    http://www.google.com/safebrowsing/diagnostic?site=example.com

    Backup everything and put that backup somewhere safe. This is in case you have problems later on. Even though you could be backing up infected files, it is more important to have a backup up of your work, for if you make a mistake cleaning your site, you will still have the backup(s).
    1. http://codex.wordpress.org/WordPress_Backups
    2. http://codex.wordpress.org/Backing_Up_Your_Database
    3. http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Then read these:
    1. http://codex.wordpress.org/FAQ_My_site_was_hacked
    2. http://wordpress.org/support/topic/268083#post-1065779
    3. http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    4. http://ottopress.com/2009/hacked-wordpress-backdoors/
    5. http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
    6. http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    If you have indications of possible timthumb hacking, please read these:
    1. http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html
    2. http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
    3. http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/
    4. http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

    Once your site is clean, then read these:
    1. http://codex.wordpress.org/Hardening_WordPress
    2. http://codex.wordpress.org/htaccess_for_subdirectories
    3. http://www.studiopress.com/tips/wordpress-site-security.htm
    4. http://stopbadware.org/home/security

    Need more help?
    1. https://badwarebusters.org/

    If you believe your personal computer (not your host server) is infected please read these:
    1. MajorGeeks.com malware removal:
    http://forums.majorgeeks.com/showthread.php?t=35407
    2. MajorGeeks.com how to protect yourself from malware:
    http://forums.majorgeeks.com/showthread.php?t=44525

  4. nortont
    Member
    Posted 2 years ago #

    Thanks both for your help.

    For the record, this was built on WP 3.1 or 3.2 but is a multi-domain install using wordpress-mu-domain-mapping.
