
Site hacked (32 posts)

  1. friendlygiraffe
    Member
    Posted 2 years ago #

    Hi,

    My site has been hacked and I'm wondering the best place to start fixing it.

    It keeps redirecting to inoa-seishell.ru

    It's intermittent (like every 3 or 4 refreshes) and usually occurs within the wp-admin section

    I've upgraded to the latest WordPress, and tried to update most of my plug-ins, but the inoa-seishell.ru URL keeps stopping me

    Any help appreciated

  2. pete_398
    Member
    Posted 2 years ago #

    Do you have a recent backup?

    I would also search through all your files and the database for 'inoa-seishell.ru' string, to see how they did it.

    Then back up the site into a separate file for later examination, and restore back to the last 'good' backup.

  3. friendlygiraffe
    Member
    Posted 2 years ago #

    Of the SQL database? yes

  4. tigtog
    Member
    Posted 2 years ago #

    This sounds like something you're going to need to address via FTP and maybe phpMyAdmin rather than through the WordPress admin interface.

    In particular, I'd take a look at the .htaccess files in your root and if there are any in your subfolders, and check whether there are suspicious strings in there.

  5. pete_398
    Member
    Posted 2 years ago #

    Good that you have the database backed up.

    I think from other posters here, the recommendation for doing a site restore is to disable plugins. Anyway, here is a suggested 'path' to take

    1. Stop people from using your site whilst you do the restore and maintenance. I do this by modifying .htaccess as follows (e.g. if your IP address is 72.233.56.139)

    At the top of your .htaccess file, add these lines

    Options +FollowSymLinks
    RewriteEngine on
    #
    RewriteCond %{REMOTE_ADDR} !^72\.233\.56\.139$
    RewriteCond %{REQUEST_URI} !/maintenance_page\.html$
    RewriteRule ^([^/]*/)*(([^.]+\.)+(php|s?html?))?$ http://www.example.com/maintenance_page.html [R=302,L]

    This assumes you have a file called maintenance_page.html in the public path of your site, with a message like "Sorry, we are closed for maintenance at present".

    2. Do a full backup of the database and every file.

    3. Search through the database backup from step 2 for that 'inoa-seishell.ru' string (without single quotes of course). There doesn't seem to be an IP associated with that domain. Record anything you find, etc.

    4. Copy all of WP 3.1.3 to your local machine. Copy all of the plugins, etc. also, to your local machine. Use a tool like Beyond Compare to then compare what was on your website to what is on your local machine. They may have been able to modify some of the files, so this step 'should' show them up, if there are any modified files.

    By the sounds of what is happening, they have added a 'redirect' somehow. Hopefully that is all.

    5. Let us know if you find anything.

    Pete

  6. friendlygiraffe
    Member
    Posted 2 years ago #

    That's great Pete, thanks I'll try that

    They have also hacked another WordPress site on the same server, so it could be a case that they have access to the root directory of my server

    I've changed the ftp username & password (same for all my sites) so hopefully that should stop them for now

  7. pete_398
    Member
    Posted 2 years ago #

    Hmm, if they have hacked into another site on the same server, then server security may not be as tight as it should be, or they have found a back door from one site on the server 'into' another site on the same server.

    For example, I have SSH/shell access to the server I use, but server security stops any attempt to 'get' to another site on the same server.

    That said, they simply may have used the same 'dirty tricks' on 2 sites on the same server.

    Step 2 in my instructions should have been step 1, otherwise .htaccess is not backed up if you do modify that.

    The basis of your investigation is "what have they changed?" So, running a good file comparison tool like Beyond Compare will show up any changes, as long as you download WP 3.1.3 again and use that as a basis for your compare.

    Some of the plugins may have 'holes' in them, but if they are popular with lots of downloads, then there would hopefully be less chance of an open door there. Do the compare bit by bit. Beyond Compare can even do compares from local to remote (no, I don't get a commission, lol).

    You can also compare your 'last good db backup' with the db backup 'now', and pickup anything there that sticks out.

    pete

  8. tigtog
    Member
    Posted 2 years ago #

    You might find the Exploit Scanner plugin useful - that's what helped me find the culprit files the last time a site got hacked:

    http://wordpress.org/extend/plugins/exploit-scanner/

  9. friendlygiraffe
    Member
    Posted 2 years ago #

    I have downloaded the database and searched through it for the inoa-seishell.ru domain and it is not there. I did an online search with phpMyAdmin also.

    The Exploit Scanner plug-in looks really promising, although when I run it it comes up with: 'An error occurred. Please try again later.'

    The only thing left for me to try to do is download and compare the current site as Pete suggests - would I compare that with a fresh version? They don't have Beyond Compare for Mac but will try to find an

  10. friendlygiraffe
    Member
    Posted 2 years ago #

    I have also used the 'Inactive users deleter' plug in to delete hundreds of fake registrations

  11. tigtog
    Member
    Posted 2 years ago #

    I hope you've turned registrations off until you get this sorted.

  12. friendlygiraffe
    Member
    Posted 2 years ago #

    I have now

  13. tigtog
    Member
    Posted 2 years ago #

    :)

  14. pete_398
    Member
    Posted 2 years ago #

    have downloaded the database and searched through it for the inoa-seishell.ru domain and it is not there. I did an online search with phpMyAdmin also.

    The domain name exists, but has no IP, so I'm wondering how the redirect worked? Did it actually go to that site? You can force a browser to go to another site, but the user 'sees' something else in the URL address bar in the browser. Possibly don't discount some garbage in your database, just yet.

    In regards to turning off registrations: good idea, but people can still access your site, hence the suggestion to mod .htaccess to only allow you to access the site; everyone else will get redirected to the maint. page.

    The Exploit Scanner plug-in looks really promising, although when I run it it comes up with: 'An error occurred. Please try again later.'

    If you look at the bottom right hand corner of this page, you may find some answers to that.

    The only thing left for me to try to do is download and compare the current site as Pete suggests - would I compare that with a fresh version? They don't have Beyond Compare for Mac but will try to find an

    There is a note about Macs here

    Yes, I would compare with a fresh version, and then compare the fresh version to your (previous) local version of WP. You may see something there, maybe.

    pete

  15. pete_398
    Member
    Posted 2 years ago #

  16. friendlygiraffe
    Member
    Posted 2 years ago #

    Thanks I had a look through those

    I have replaced the .htaccess file with your suggested code, the site is still redirecting, so I assume it is not the .htaccess file?

    I will try Beyond Compare tonight

  17. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

  18. pete_398
    Member
    Posted 2 years ago #

    I have replaced the .htaccess file with your suggested code, the site is still redirecting, so I assume it is not the .htaccess file?

    The mod to the .htaccess file was to stop everyone using your site, except yourself, if you added your IP address to it.

    The site will still redirect as there is either 'code' in the database, or some of your files have been modified. At least with the .htaccess file modified, no further 'damage' can be done, and you get to fix things without other traffic.

  19. friendlygiraffe
    Member
    Posted 2 years ago #

    OK, I have removed the .htaccess completely and it's still redirecting. Must be a database hack then. I might delete everything and start from scratch

  20. pete_398
    Member
    Posted 2 years ago #

    Try the Exploit Scanner plugin if you can. But if you want to start from scratch, make sure you have at least a full backup (all files and the database).

    It would be interesting to compare the files and database, before and after your reload.

  21. friendlygiraffe
    Member
    Posted 2 years ago #

    Hi Pete - I did a Beyond Compare last night, and pretty much all the files came up as red (not matching), though I could have missed something

    Exploit Scanner still not working, but will give it another try

    thanks!

  22. pete_398
    Member
    Posted 2 years ago #

    Hmm, are you sure the versions of WordPress were the same? They might show red if the EOF (end of file) markers are different; like I use Linux, and EOFs are different to Windows. That said, Beyond Compare should automatically sort that out.

    I just ran a small test, and red is only when the content is different. Click in the middle of the 2 windows in BC, on a file shown in red. The colour showing across both should now be green. Use the right mouse button, and 'Open with Text Compare'. It will show you the line/s that are different.

  23. friendlygiraffe
    Member
    Posted 2 years ago #

    Ok I'll give Compare another go

    I just ran Exploit Scanner (which worked this time) and it's come up with so many errors I don't know where to start

    base64_decode is flagged a lot

    Contacted my server provider who said it was an .htaccess file, but I've not seen any changes on it; in fact I've deleted it completely

  24. pete_398
    Member
    Posted 2 years ago #

    If you try this Google ..

    wordpress base64_decode

    Lots there, but it seems it is an SQL injection of sorts. If you have a look at step 1 in this one, notice a redirect. Also, if you can, search all your PHP files for 'eval(base64_decode'; possibly a few there.

    this post is helpful

    Most service providers will not admit that their server is not as secure as it can be, and a common ploy is to direct attention to files on your site (like .htaccess).

  25. friendlygiraffe
    Member
    Posted 2 years ago #

    Had a bit of progress

    It seems the key to this is the Exploit Scanner plug-in; when I finally got it to work (the site kept redirecting during scans) it showed the most severe notifications inside the plug-ins folder, mainly the phpMyAdmin plug-in.

    I have deleted the phpMyAdmin plug-in and so far so good

  26. pete_398
    Member
    Posted 2 years ago #

    Possibly a good idea to drop a post in the plug-ins forum, to let people know there is a security risk with the phpMyAdmin plug-in. Doesn't your web hosting give you phpMyAdmin access?

  27. friendlygiraffe
    Member
    Posted 2 years ago #

    I'm not convinced it's that plug-in yet. I think I found the culprit, a rogue .htaccess file in the server's root

  28. pete_398
    Member
    Posted 2 years ago #

    Didn't Exploit Scanner show notifications in the phpMyAdmin plug-in?

    When you say the .htaccess file is in the server's root, do you actually mean the root path of your website, or the root path of the server? (Quite a difference usually.)

  29. friendlygiraffe
    Member
    Posted 2 years ago #

    root path of my server. So it is above all my website's directories

    The .htaccess files they have modified have a load of line-returns, so I didn't bother noticing the scrollbar.

    I've deleted the rogue code off the .htaccess files, but they get edited again the next day, so the spammers have access to the server, despite me changing the FTP passwords

    The 'WordPress File Monitor' plug-in has been really handy in notifying me of this, I would highly recommend getting it

    As for the Exploit Scanner, I guess it isn't as good as I thought. It's picking up possible threats in the plug-ins that aren't as severe as I thought. I've compared the old plug-ins with fresh ones and they match
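Pete's compare-against-a-fresh-download step (post 5), his eval(base64_decode search (post 24) and the .htaccess files padded with line-returns (post 29) can all be checked offline from a downloaded copy of the site. The script below is an added example, not code from the thread, from WordPress or from any plugin; FRESH, SITE and the 50-blank-line threshold are assumptions, and the sample files it creates are constructed so it runs without a real site.

```shell
#!/bin/sh
# Added triage helper, not from the thread. Assumes $FRESH is an unpacked pristine
# WordPress of the SAME version as the site and $SITE is a full download of the
# hacked site; both are placeholders, filled with constructed sample files below.
export LC_ALL=C

# Step 4 of Pete's list, scripted: every file in the site copy that is absent
# from, or differs from, the fresh download. Core files should never differ.
modified_files() {   # usage: modified_files FRESH SITE
  fresh=$1; site=$2
  ( cd "$site" && find . -type f ) | sed 's|^\./||' | sort | while IFS= read -r f; do
    if [ ! -f "$fresh/$f" ]; then printf 'ADDED    %s\n' "$f"
    elif ! cmp -s "$fresh/$f" "$site/$f"; then printf 'MODIFIED %s\n' "$f"
    fi
  done
}

# Post 24: PHP files containing eval(base64_decode. base64_decode alone is common
# in clean plugins (why Exploit Scanner flags it so often); eval() of it is the pattern to review.
suspicious_php() {   # usage: suspicious_php SITE
  find "$1" -name '*.php' -type f -exec grep -lF 'eval(base64_decode' {} + | sort
}

# Post 29: .htaccess files whose Redirect/Rewrite rules sit below a long run of
# blank lines so they scroll out of view. The 50-line threshold is an assumption.
hidden_htaccess_rules() {   # usage: hidden_htaccess_rules SITE
  find "$1" -name .htaccess -type f | sort | while IFS= read -r h; do
    awk -v file="$h" '
      /^[[:space:]]*$/ { blank++; next }
      /^[[:space:]]*(RewriteRule|RewriteCond|Redirect)/ && blank > 50 { print file; exit }
      { blank = 0 }' "$h"
  done
}

# Constructed sample data: one tampered core file, one planted plugin file and
# one padded .htaccess. None of it is real site content.
TMP=$(mktemp -d); FRESH=$TMP/fresh; SITE=$TMP/site
mkdir -p "$FRESH/wp-includes" "$SITE/wp-includes" "$SITE/wp-content/plugins/x"
printf '<?php\n// clean core file\n' > "$FRESH/index.php"
cp "$FRESH/index.php" "$SITE/index.php"                     # unchanged
cp "$FRESH/index.php" "$FRESH/wp-includes/a.php"
printf '<?php eval(base64_decode($p));\n' > "$SITE/wp-includes/a.php"   # tampered
printf '<?php echo 1;\n' > "$SITE/wp-content/plugins/x/x.php"          # not in fresh copy
{ printf 'Options -Indexes\n'; awk 'BEGIN { for (i = 0; i < 120; i++) print "" }'
  printf 'RewriteRule ^ http://example.invalid/ [R=302,L]\n'; } > "$SITE/.htaccess"

echo '== files differing from the fresh copy =='; modified_files "$FRESH" "$SITE"
echo '== eval(base64_decode in PHP files ==';     suspicious_php "$SITE"
echo '== padded .htaccess files ==';              hidden_htaccess_rules "$SITE"
```

Point FRESH at a freshly unpacked WordPress of the same version and SITE at the downloaded copy; anything reported as MODIFIED under wp-includes or wp-admin deserves a look before anything a plugin scanner flags.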

  30.
    but they get edited again the next day, so the spammers have access to the server, despite me changing the ftp passwords

    You're getting hacked via other, insecure accounts at the webhost. Nothing will change until that is fixed. Who is your host? What have they said?

    See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex and tell your host.

Topic Closed

This topic has been closed to new replies.
