WordPress.org

Ready to get started?Download WordPress

Forums

Latest WP but still hacked with RFI (4 posts)

  1. travellers
    Member
    Posted 2 years ago #

    Had a message from my host tonight saying that I've been hacked - the following files *at least* are compromised:

    ./MYDOMAIN/public_html/archive.php: PHP.C99-13 FOUND
    ./MYDOMAIN/public_html/admin.php: PHP.ShellExec FOUND
    ./MYDOMAIN/public_html/htdocs.php: PHP.Mailer-7 FOUND
    ./MYDOMAIN/public_html/wp-content/themes/MyCuisine/log.php: PHP.ShellExec FOUND
    ./MYDOMAIN/public_html/wp-content/themes/MyCuisine/cache/newfile.php: PHP.ShellExec FOUND

    Not clued up on this sort of stuff, but Googling PHP.99-13 took me to a Wikipedia page about Remote File Inclusion. Of course I can simply upload fresh copies of these files from a backup, but how have I been infected, and how do I ensure I've not left the door open for the files to be overwritten by the hack again?

    Any and all advice gratefully received - my host is threatening to remove the site unless I get it sorted. Damn hackers, I would genuinely support legislation to kill them on conviction of a first offence :(

  2. esmi
    Forum Moderator
    Posted 2 years ago #

    Of all of these reports, only public_html/wp-content/themes/MyCuisine/log.php is directly related to WordPress. Have a look at these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    With the other files, I guess they were left behind by the hacker, so you can just delete them.

  3. travellers
    Member
    Posted 2 years ago #

    Well yes I can follow that. My machine comes back clean, and I'm guessing my host isn't responsible since it was him who discovered it and notified me. I've changed all my passwords across the board, cpanel, wp admin, etc. And I can restore backups of the files and the database.
    But none of that does anything about how they got in in the first place. They certainly didn't guess any passwords - none of those is less than a dozen characters that are all random symbols. I'm running the latest version of WP, all my plugins and theme are up to date. If I can't close the back door, all I'm doing is rearranging deckchairs on the Titanic - the hacked files will be back next time the hacker's bot stops by!

  4. esmi
    Forum Moderator
    Posted 2 years ago #

    But none of that does anything about how they got in in the first place.

    It could have been via an insecure plugin or theme. Or it could have been somewhere else on the server and nothing to do with WP at all. Another possibility is FTP. A lot of hackers are now sniffing insecure FTP connections, so use SFTP/encrypted FTP whenever possible.

    That last link in the list above gives a pretty good tutorial on hunting down hacker back doors.

Topic Closed

This topic has been closed to new replies.

About this Topic