Site hacked by B0Y H4CK3R (23 posts)

  1. fog99uk
    Member
    Posted 2 years ago #

    I really hope someone can help with this one.

    My site, focusedfirepower.co.uk, has been hacked by someone calling themselves B0Y H4CK3R. The home page of my WordPress site has been changed by them, but the rest of the website can be accessed if you go to one of the other pages rather than the homepage. As far as I can tell it's just the homepage that's been changed.

    I cannot log in as the hacker has obviously changed the password, and I assume a password reset attempt would be sent to an email address they have added; it certainly isn't being sent to me.

    I can log into my host and view the files for the site, but I have no idea what to do.

  2. esmi
    Forum Moderator
    Posted 2 years ago #

  3. fog99uk
    Member
    Posted 2 years ago #

    I looked at those. As far as I can make out, all they've done is log in and replace the home page, rather than add any malicious code. I'm sure IF I could log in I'd be able to get rid of it, change my passwords, change the security code and change my password again.

    But I can't log in.

  4. MickeyRoush
    Member
    Posted 2 years ago #

  5. fog99uk
    Member
    Posted 2 years ago #

    Perfect. Thanks MickeyRoush. I've reset the login (and now I have the hacker's email address). Now to figure out how to fix the home page.

  6. fog99uk
    Member
    Posted 2 years ago #

    Ok. Seems they'd messed with the theme I had set. Changing the theme and deleting the altered one appears to have sorted it.

  7. MangoMM
    Member
    Posted 2 years ago #

    Check the following files in your wp-content folder:

    404.php
    archive.php
    index.php

    Does anybody know what security hole this takes advantage of? E.g. how, without the WordPress, server or FTP username/password, do they:

    1. Log in as admin
    2. Change the admin email
    3. Change the admin password
    4. Overwrite theme files?

  8. fog99uk
    Member
    Posted 2 years ago #

    Well it's been hacked again. By a similar hacker, this time named "Mr.Kro0oz.305".

  9. You've not successfully deloused your installation. Please review all of the links Esmi posted above.

    It's not enough for you to keep treating the symptoms, you've got to get rid of all the code and lock down your system. Until you do, this will keep happening to you.

  10. fog99uk
    Member
    Posted 2 years ago #

    As someone who does not know code, and I suspect the vast majority of WordPress users are the same, I have no idea what malicious code would look like.

    It would seem to be that all I can do is delete the whole thing and start from scratch. I don't think WordPress is worth the hassle of rebuilding the site from scratch if it gets hacked repeatedly.

  11. MickeyRoush
    Member
    Posted 2 years ago #

    @ fog99uk

    Are you sure WordPress is at fault here? It could be your server setup. For example, if a hacker can leverage symlink on your server it doesn't matter what you've done to harden your site from the HTTP protocol. Locking down a symlink attack is the responsibility of your host or whoever manages your server.

    Since there are hundreds if not thousands of ways a hacker could be accessing your site, I'm going to post quite a few links that may help you, some have already been mentioned, some have not. Also, the only thing YOU can do to prevent a symlink attack is set the wp-config.php file permission to 400, block access to it with .htaccess, and possibly utilize Options -FollowSymLinks +SymLinksIfOwnerMatch and maybe disable the functionality with php.ini (I'm not saying that's how they're attacking you, it's just an example that someone else could possibly benefit from).

    Check your site(s) here:
    1. http://sitecheck.sucuri.net/scanner/
    2. http://www.unmaskparasites.com/
    3. http://www.virustotal.com/
    4. http://www.phishtank.com/
    5. http://www.browserdefender.com/
    6. http://ismyblogworking.com/
    7. Google Safe Browsing (to access a site's google info, add their domain to the end of this):
    http://www.google.com/safebrowsing/diagnostic?site=
    example:
    http://www.google.com/safebrowsing/diagnostic?site=example.com
    8. Check your URL at scumware.org to see if your site has already been classified as malicious:
    http://www.scumware.org/search.scumware

    Backup everything and put that backup somewhere safe. This is in case you have problems later on. Even though you could be backing up infected files, it is more important to have a backup of your work, for if you make a mistake cleaning your site, you will still have the backup(s).
    1. http://codex.wordpress.org/WordPress_Backups
    2. http://codex.wordpress.org/Backing_Up_Your_Database
    3. http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Then read these:
    1. http://codex.wordpress.org/FAQ_My_site_was_hacked
    2. http://wordpress.org/support/topic/268083#post-1065779
    3. http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    4. http://ottopress.com/2009/hacked-wordpress-backdoors/
    5. http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
    6. http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    If you have indications of possible timthumb hacking, please read these:
    1. http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html
    2. http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
    3. http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/
    4. http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

    Once your site is clean, then read these:
    1. http://codex.wordpress.org/Hardening_WordPress
    2. http://codex.wordpress.org/htaccess_for_subdirectories
    3. http://www.studiopress.com/tips/wordpress-site-security.htm
    4. http://stopbadware.org/home/security

    Need more help?
    1. https://badwarebusters.org/

    If you believe your personal computer (not your host server) is infected please read these:
    1. MajorGeeks.com malware removal:
    http://forums.majorgeeks.com/showthread.php?t=35407
    2. MajorGeeks.com how to protect yourself from malware:
    http://forums.majorgeeks.com/showthread.php?t=44525

  12. MangoMM
    Member
    Posted 2 years ago #

    Woah Woah Woah...

    Too much information for a noob - you are all scaring the guy with 1,000,000 links to resources which may or may not be useful.

    I know you are all trying to help, but I think that somebody who knows about this specific hack would be more useful to speak up.

    In the meantime follow this guide:

    1. http://codex.wordpress.org/Resetting_Your_Password#Through_phpMyAdmin
    2. Login and change your admin email address back
    3. Create a NEW administrator account, but have username something else - like your first name
    4. Use letters, numbers, capitals and hyphens in your password
    5. Login with your new admin account and delete your old admin account, associate new posts with your new account
    6. Upgrade wordpress and plugins to latest versions
    7. Check to see all plugins you are using are the ones that should be there, if not, delete them via FTP.
    8. Now the main problem is with your theme file. It appears to have taken over many of your pages. Zip up this folder, then delete the folder and re-install back up of your theme
    9. Install better WP Security Plugin - Follow the instructions. Take note that renaming the default wp-content folder is a good idea, but this may break images and you will have to fix this.
    10. Change your MD5 Hashes / Salts - There will be a guide to do this on web or linked to from one of the above posts.
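Step 10 above is the part of this procedure that actually ends the intruder's session: WordPress signs its login cookies with the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and matching *_SALT values in wp-config.php, so rotating those eight defines invalidates every existing cookie, the attacker's included, independently of the password change. The script below is an added example, not code from this thread or from WordPress itself. It rotates the defines in place using a constructed sample wp-config.php, and assumes a POSIX sh with sed and either openssl or /dev/urandom; the codex "generator" linked elsewhere in the thread produces the same kind of values from WordPress's own service, and either source is fine as long as it is random.

```shell
#!/bin/sh
# Added example (not from the thread or from WordPress): rotate the eight
# secret keys and salts in a wp-config.php so that every existing login
# cookie stops validating. Assumes POSIX sh, sed, and openssl or /dev/urandom.
set -eu

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 hex characters: safe inside PHP single quotes and in a sed replacement.
new_secret() {
    openssl rand -hex 32 2>/dev/null ||
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write a constructed sample wp-config.php that still carries the stock placeholders.
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_user');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
}

# Print the value currently defined for KEY ($2) in FILE ($1); empty if absent.
salt_value() {
    sed -n "s|.*define( *['\"]$2['\"] *, *['\"]\([^'\"]*\)['\"].*|\1|p" "$1"
}

# Replace each define('KEY', '...') line with a freshly generated secret.
rotate_salts() {
    for key in $WP_KEYS; do
        secret=$(new_secret)
        sed -i.bak "s|define( *['\"]$key['\"] *, *['\"][^'\"]*['\"] *)|define('$key', '$secret')|" "$1"
    done
    rm -f "$1.bak"
}

# Succeed only if every key is present, is not the stock placeholder and is at least 32 characters.
check_salts() {
    for key in $WP_KEYS; do
        value=$(salt_value "$1" "$key")
        [ -n "$value" ] || { echo "missing: $key"; return 1; }
        [ "$value" != "put your unique phrase here" ] || { echo "placeholder: $key"; return 1; }
        [ ${#value} -ge 32 ] || { echo "too short: $key"; return 1; }
    done
    echo "all eight keys and salts set"
    return 0
}

# Usage: sh rotate-salts.sh /path/to/wp-config.php
if [ $# -eq 1 ]; then
    rotate_salts "$1" && check_salts "$1"
fi
```

Run it against a copy of the real file first and diff the result; the only lines that should change are the eight defines. Everyone, including you, is logged out afterwards, which is the intended effect.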
  13. Johnb81
    Member
    Posted 2 years ago #

    Hi fog99uk,

    An easier solution would be to do the following:

    1. Make a backup of your website
    2. Re-install a new WordPress in a different location (a test subdomain or so)
    3. Restore the database
    4. Change the passwords for the usernames
    5. Start installing all the plugins
    6. Redownload a new version of the theme you are using and apply it
    7. If all is fine, backup this website and restore it on the live website.

  14. MangoMM
    Member
    Posted 2 years ago #

    Speak to your hosting provider.

    Visiting yoursite.com/wp-config.php should not return a blank page. Returning a blank page means that people on web can call the PHP script.

    It should return a 403 forbidden error. I think MickeyRoush touched on this earlier with relation to his comment about symlinks.

    File permissions of wp-config.php should be 600.

    http://codex.wordpress.org/Changing_File_Permissions

  15. MickeyRoush
    Member
    Posted 2 years ago #

    MangoMM wrote:

    Woah Woah Woah...

    Too much information for a noob - you are all scaring the guy with 1,000,000 links to resources which may or may not be useful.

    Sorry, it's my normal response when someone says they've tried everything, and only the people directly involved know everything that's going on, hence all the links. Maybe they'll find something that helps them, maybe not. So no matter what anyone posts, there will always be some info/resources which may or may not be useful (as a third outside party, there is no way to be sure). I may be different, but I like to have as much knowledge as I can and in one place. And it's nice when someone can organize it in an easy to follow structure as well.

  16. MangoMM
    Member
    Posted 2 years ago #

    I do agree with you. The links are very useful. But for somebody who is probably panicking and not experienced with internet security... Following 10 security guides could end up doing more harm than good.

    e.g. locking themselves out. Accidentally opening up another security hole etc.

    Thanks for advice though... The links are a useful resource.

  17. fog99uk
    Member
    Posted 2 years ago #

    Here's what I did.

    - Logged into my host site.
    - Used phpMyAdmin to reset the user details for WordPress (there's only one user, Admin).
    - Changed the keys in the config file using the generator.
    - Logged into my WordPress site.
    - Changed to a new theme.
    - Deleted the old theme.
    - Reinstalled the theme I wanted.
    - Changed to that theme.
    - Changed the user's password.

    This time I've also created a new administrator user and deleted the old one.

    The site has been kept fully up to date since I created it in March, and I've been using the Twenty Eleven theme. The only plugin that I am running is Jetpack.

  18. MangoMM
    Member
    Posted 2 years ago #

    Looks like you have been doing good so far.

    You missed out something important though.

    Visiting yoursite.com/wp-config.php should not return a blank page. Returning a blank page means that people on web can call the wp-config.php script.

    What you should get is a 403 forbidden page when you visit this page via a web browser.

    You need to change file permissions of this file.

    Not changing the permissions could open your site to a symlink attack. Basically putting your wp-config file into a txt file which would be available for reading.

  19. fog99uk
    Member
    Posted 2 years ago #

    403. So that's Read checked for User, plus Write and Execute checked for World?

    Done that now. Now when going to /wp-config.php it comes up with a 500 Internal Server Error.

  20. ClaytonJames
    Member
    Posted 2 years ago #

    @MangoMM

    Visiting yoursite.com/wp-config.php should not return a blank page. Returning a blank page means that people on web can call the wp-config.php script.

    That sure doesn't sound good. What could they do with the script once it renders the blank page in their browser? It should return a 403 you say?

  21. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    My wp-config is in the directory above wordpress and with permissions set to 400. Trying site/wp-config.php gives a 403 error.

  22. fog99uk
    Member
    Posted 2 years ago #

    Is it only the config file that should have permissions set to 403?

    The rest of the wordpress files are set to 644, except for the folders, which are set to 755.

  23. ClaytonJames
    Member
    Posted 2 years ago #

    @fog99uk

    The permissions aren't 403, what they're referring to is the error code you will get if you access the config file directly, from your browser. As kmessinger noted, his will return a 403 with permissions of 0400. He also noted that his config file is in a location outside of the WordPress root. Your configuration and permissions may not be the same. File permissions can vary from host to host. The minimum permissions you can use in your environment may be different than someone else's. Your host may have some advice for you on that. You can forbid browser access to the config file with .htaccess rules.

    You might try 644 or 640 on yours for starters, and see if that gets rid of the 500 error.
