Hack attempts – vulnerability/bug report?
-
My sites are under attack. Lines of random text and links appear in the html output of my pages – not all actually visible on the site, mostly just messing up CSS. Failed admin logins from several IP addresses etc.
Several files were modified or added with generic titles like ‘test.php’ and ‘license.php’. In those files the following pieces of code:
[ Redacted ]
In some cases “hidden” in GNU GENERAL PUBLIC LICENSE text.
Does anyone recognize this?
What are they targeting?
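A way to triage files for the pattern described in this post, as an added example (not code from the thread): it flags PHP files whose code sits behind twenty or more lines of license prose, or that call common obfuscation helpers. The threshold and the function list are assumptions, so treat hits as leads to review, not verdicts.

```python
# Added example (not from the thread): heuristics for the symptom in the first
# post, PHP code buried under GNU GPL license text in files like license.php.
import re
from pathlib import Path

# PHP functions common in obfuscated droppers; presence alone is not proof.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I)
PHP_OPEN = re.compile(r"<\?(php\b|=)", re.I)
LICENSE_MARKERS = ("GNU GENERAL PUBLIC LICENSE", "Free Software Foundation", "WITHOUT ANY WARRANTY")

def analyze_php(text: str) -> dict:
    """Collect indicators for one file's contents."""
    lines = text.splitlines()
    first_open = next((i for i, l in enumerate(lines) if PHP_OPEN.search(l)), None)
    prose_before = sum(1 for l in lines[:first_open or 0] if l.strip())
    return {
        "has_php": first_open is not None,
        "license_text": any(m in text for m in LICENSE_MARKERS),
        "prose_lines_before_code": prose_before,
        "suspicious_calls": sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(text)}),
    }

def is_suspect(info: dict) -> bool:
    """Legit plugin files open with <?php on line 1; license text belongs in .txt files."""
    if not info["has_php"]:
        return False
    buried = info["license_text"] and info["prose_lines_before_code"] >= 20
    return buried or bool(info["suspicious_calls"])

def scan_tree(root) -> list:
    """Walk an install; return (relative path, suspicious calls) for each suspect file."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        info = analyze_php(path.read_text(errors="replace"))
        if is_suspect(info):
            hits.append((path.relative_to(root).as_posix(), info["suspicious_calls"]))
    return sorted(hits)

# Constructed samples (not real malware): code after 30 lines of license prose,
# and a normal plugin file carrying the same license text inside a PHP comment.
BURIED_SAMPLE = "\n".join(
    ["GNU GENERAL PUBLIC LICENSE", "Version 2, June 1991"]
    + [f"Preamble line {i} of the license text." for i in range(30)]
    + ['<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>'])
CLEAN_SAMPLE = ("<?php\n/*\nPlugin Name: Example\nLicensed under the GNU GENERAL PUBLIC "
                "LICENSE\n*/\nfunction example_init() { return true; }\n")
```

Run `scan_tree("/path/to/wordpress")` against the install and compare the listed files with what Sucuri and Wordfence report.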
-
I’m afraid to say that you’re already hacked. You need to start working your way through these resources:
- https://codex.wordpress.org/FAQ_My_site_was_hacked
- https://wordpress.org/support/topic/268083#post-1065779
- http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
- http://ottopress.com/2009/hacked-wordpress-backdoors/
I sort of get that and I am doing all that stuff – maybe not with the panicky standard WP approach to any issue; reinstall everything with your wonderful default theme etc.
I am going by the information Sucuri provides and what I can see myself on the server, but want to make sure I am not missing anything.
What are they targeting? Which weakness are they trying to exploit? What are they trying to achieve? Where should I expect damage?
Have other people seen this same pest? What are their experiences?
The major points of entry tend to be from plugins. Outdated versions of Slider Revolution (revslider), Gravity Forms as well as any plugin or theme that had an outdated version of Tim Thumb (image resizer) all have known security loopholes. (I think those are the top 3 security loopholes I’ve seen for WordPress.) Also, there’s an xmlrpc.php vulnerability.
The best thing you can do after you get your site back together is to install and set up Sucuri (I see you already have) as well as Wordfence, and to update all user passwords and keep your software updated going forward.
If you’re using a WordPress default theme, or a free or premium theme, be sure to also keep the theme updated. If the theme author stops supporting the theme, find another one that is supported and will be updated.
It’s also a good move to remove all unused plugins and themes. That way you don’t have to continually keep those extra things updated if they’re not in use.
Hope this is helpful! Best wishes to you 🙂
@jeeni said
…there’s an xmlrpc.php vulnerability
xmlrpc is not a vulnerability; it is core WordPress functionality for ping-backs, APIs, etc.
True, it can and has been abused by hackers to probe WordPress sites, and for attacks that flood a server with requests and slow it down (DDoS). But xmlrpc is not a vulnerability in the sense that it is exploitable to gain privileges on a site or server.
If one doesn’t need xmlrpc, it is easy to disable; many security plugins give this option, and there are many stand-alone plugins: https://wordpress.org/plugins/search.php?q=xmlrpc
Thank you for the feedback @jeeni! I’ve added Wordfence – looks solid/helpful.
The damage seems limited. They are still trying to get in via login, although some files were modified/added. How does that work?
Some of the modified files were related to widgets. I never use widgets; any way to disable/shut down those?
Didn’t see anything targeting xmlrpc.php
@modifiedcontent said
The damage seems limited. They are still trying to get in via login, although some files were modified/added.
I doubt the damage is limited; carefully follow https://codex.wordpress.org/FAQ_My_site_was_hacked or you will get hacked again.
Then take a look at the recommended security measures in Hardening WordPress – WordPress Codex and Brute Force Attacks – WordPress Codex.
Glad to help!
If they’re still hammering your login page, I’d also recommend loading the “Rename wp-login.php” plugin – and name your login page something not default. (The plugin default is yoursite.com/login) You can name it whatever you want yoursite.com/lamp-post/ (hehe!) but be sure to bookmark it and don’t lose track of what it is, as the yoursite.com/wp-admin/ will no longer redirect you to the wp-login.php page. If your site has a “log in” link on the front end of your website, that will tend to be updated, so you and any other users can find it without much fuss.
Here’s a link to that plugin:
https://wordpress.org/plugins/rename-wp-login/
After you’ve moved your login away from the default wp-login.php page, you can go to the Wordfence -> Options and add /wp-login.php to the “Immediately block IP’s that access these URLs:” field. Just be sure to tell other valid users about the update so they don’t inadvertently get themselves locked out.
It’s also very worth checking through the settings on Wordfence’s options page. For instance, I’ve found the following 2 options very helpful!
- Scan files outside your WordPress installation
- Scan images and binary files as if they were executable
Set other options as you see fit. I tend to do the same for all sites I administer and will export/import settings from the bottom of that page to make my job easier. Best wishes!!
If Wordfence and Sucuri tests come up clean, you may be safe – but you will want to follow what Mark shared to be sure. Hopefully they didn’t get into your database.
(Thanks for clarifying my comment, Mark.)
Oh! To answer your question regarding dealing with added and modified files:
For any files added that Wordfence found, remove them if you didn’t add them to your site.
For any files that Wordfence found are modified, you can compare the two to see what the update was. For instance: Minor plugin version numbers or documentation may have been updated without the plugin requiring an official update, so the files on your site may be different than the files on the WordPress repository.
Some plugins have additional files that are site-specific, but you should be able to see what are legitimate files and what are added by a hacker.
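One way to do the comparison described above, as an added example rather than code from the thread: it assumes you have a clean copy of the same plugin or theme version (for instance downloaded from the WordPress repository) next to the live directory, and lists only the paths that differ so you can review those by hand.

```python
# Added example (not from the thread): compare a live plugin or theme directory
# with a clean copy of the same version and list what was added, changed or removed.
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root) -> dict:
    """Map each file's relative POSIX path under root to the SHA-256 of its bytes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_trees(live: dict, reference: dict) -> dict:
    """added: only in live; modified: same path, different hash; missing: only in reference."""
    return {
        "added": sorted(set(live) - set(reference)),
        "modified": sorted(p for p in live.keys() & reference.keys() if live[p] != reference[p]),
        "missing": sorted(set(reference) - set(live)),
    }

def compare_dirs(live_dir, reference_dir) -> dict:
    """Hash both trees and classify every path; review only what comes back."""
    return diff_trees(hash_tree(live_dir), hash_tree(reference_dir))

def demo() -> dict:
    """Constructed trees in a temp dir: a reference plugin and a tampered live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, live = Path(tmp, "reference"), Path(tmp, "live")
        for d in (ref, live):
            (d / "includes").mkdir(parents=True)
            (d / "plugin.php").write_text("<?php\n// Plugin Name: Example\n")
            (d / "includes" / "widgets.php").write_text("<?php\nfunction example_widget() {}\n")
        (ref / "readme.txt").write_text("Stable tag: 1.0\n")
        # Constructed tampering: a line appended to widgets.php, test.php dropped in,
        # and readme.txt deleted from the live copy.
        with (live / "includes" / "widgets.php").open("a") as fh:
            fh.write("/* appended */\n")
        (live / "test.php").write_text("<?php\n")
        return compare_dirs(live, ref)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

For a real check, call `compare_dirs("wp-content/plugins/<plugin>", "/tmp/clean/<plugin>")` and expect version-bump and documentation differences among the legitimate changes the post mentions.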
> To answer your question regarding dealing with added and modified files …
I understand that. What I don’t understand is how they can change/add files on the server when they are still failing to log in – I am still seeing failed login attempts in Sucuri, blocking the IP addresses via .htaccess.
What can and can’t they do? If they can add/modify files, does that necessarily mean they have access to the database?
After removing a few more files, Wordfence now says my sites are clean. I haven’t seen signs that they have reached the database – any way to check that for sure?
Thanks again!
Hackers can add/change files without necessarily having admin access by using known exploits in older plugins – Revslider, Gravity Forms, etc. From this access, they can potentially gain admin access to your website as well as access to your database.
Google “arbitrary file upload vulnerability” if you want to see an example on how this can happen.
I’ve seen hacked sites with additional admin users that the site owners did not create. When I deleted those users, I also made sure that every other user had updated passwords, that the database password was updated and that the wp-config.php page was moved/secured.
~~~
I have no experience with databases that have been exploited. I’ve only experienced and have helped clear up hacks in WP files/directories. Learning more about finding and removing inserted malicious code within a database is something I’m interested in learning more about but haven’t had time or cause to dig in to that area.
If I suspected one of my client sites had malicious code inserted into their database, I would immediately update my database password and do a database dump so I could search through the database for some known phrases and any suspicious text. I would also probably search for differences between a backed up version of the database that was backed up before the exploit.
Hope you get piece of mind soon!
^ Peace of mind, hehe! Whoops 🙂
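The dump search described above, as an added example that is not part of the original post: it scans a mysqldump text for injected markup and tags each hit with the table being inserted. The indicator patterns are assumptions, and the sample dump is constructed; it includes a text widget row, since widget-related files were among those modified on the affected site.

```python
# Added example (not from the thread): the "dump the database and search it for
# suspicious text" step, as pattern-based triage of a mysqldump file. Each hit is a
# lead for a human to review, not proof of compromise.
import re

INDICATORS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "iframe_tag": re.compile(r"<iframe\b", re.I),
    "hidden_block": re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I),
    "php_obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate)\s*\(", re.I),
}
INSERT_TABLE = re.compile(r"^\s*INSERT\s+INTO\s+`?(\w+)`?", re.I)

def scan_dump(dump_text: str, context: int = 60) -> list:
    """One finding per (line, indicator), tagged with the table the INSERT targets.

    Works line by line, so values split across lines in extended INSERTs are still
    attributed to the table named in the most recent INSERT INTO header.
    """
    findings, table = [], None
    for lineno, line in enumerate(dump_text.splitlines(), 1):
        header = INSERT_TABLE.match(line)
        if header:
            table = header.group(1)
        for name, pattern in INDICATORS.items():
            hit = pattern.search(line)
            if hit:
                start = max(0, hit.start() - context)
                findings.append({"line": lineno, "table": table, "indicator": name,
                                 "snippet": line[start:hit.end() + context]})
    return findings

# Constructed sample dump (not from a real site): a clean post, a post with a hidden
# link block, a normal option row, and a text widget carrying an injected script.
SAMPLE_DUMP = r"""-- constructed sample, not a real site dump
INSERT INTO `wp_posts` VALUES (1,1,'2015-01-01 10:00:00','<p>Hello world</p>','Hello world','publish');
INSERT INTO `wp_posts` VALUES (2,1,'2015-01-02 10:00:00','<p>About us</p><div style="display:none"><a href="http://dl.example.invalid/x">download</a></div>','About','publish');
INSERT INTO `wp_options` VALUES (33,'active_plugins','a:1:{i:0;s:19:\"akismet/akismet.php\";}','yes');
INSERT INTO `wp_options` VALUES (99,'widget_text','a:1:{i:2;a:1:{s:4:\"text\";s:45:\"<script src=\"//dl.example.invalid/x.js\"></script>\";}}','yes');
"""
```

On a real dump, run `scan_dump(open("site.sql", errors="replace").read())` and diff the hits against a pre-incident backup to separate injected rows from content you published yourself.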
According to the Wordfence scan one of my hacked sites is clean, but in the live traffic there appear “pages” (?) like this:
And then the link redirects to some usenet download page, where you can probably download more fun viruses etc.
I don’t see these “pages” under Pages or Posts and haven’t been able to find these links in the database either.
How are these things created? What vulnerability are they exploiting? How can I stop this?
I know, remove and reinstall everything, etc. I just want to understand what is going on.
How are these things created? What vulnerability are they exploiting?
Much of it depends on the host; some are less secure than others. You need to parse the server logs to find the exploits.
How can I stop this?
Find a good host. And read Hardening WordPress – WordPress Codex and Brute Force Attacks – WordPress Codex
Can anyone explain technically how this is done? If it is not a post or a page, how does it become a link?
Is something like this definitely coming from the database? I haven’t been able to find it there yet.
I have already done all those WordPress hardening suggestions.
Have you looked through the contents of your .htaccess file? Wordfence and Sucuri don’t seem to examine that file and I’ve seen redirects placed there before.
I agree with Mark: Look through your server logs to see what the hackers have touched.
Best wishes.
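A check for the .htaccess redirects mentioned above, as an added example that is not from the thread: it flags RewriteRule and Redirect targets on hosts other than your own, and rewrites gated on referer or user agent, which is how a link can send some visitors elsewhere while the site looks normal to its owner. `site_hosts` is the set of hostnames you own, and the sample file is constructed.

```python
# Added example (not from the thread): audit a WordPress .htaccess for redirect
# rules pointing off-site and for rewrites gated on referer or user agent, the
# cloaking pattern behind links that send some visitors to another site.
import re
from urllib.parse import urlparse

URL = re.compile(r"https?://[^\s\"']+", re.I)
CLOAK_COND = re.compile(r"RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}", re.I)
REDIRECTING = ("rewriterule", "redirect", "errordocument")

def audit_htaccess(text: str, site_hosts: set) -> list:
    """Return (line_no, finding, detail) tuples; site_hosts are hostnames you own."""
    findings = []
    cloaked = False  # a referer/user-agent RewriteCond is waiting for its RewriteRule
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if CLOAK_COND.match(line):
            cloaked = True
            continue
        if low.startswith(REDIRECTING):
            for url in URL.findall(line):
                host = urlparse(url).hostname
                if host and host not in site_hosts:
                    findings.append((n, "external_redirect", host))
            if cloaked and low.startswith("rewriterule"):
                findings.append((n, "conditional_redirect", line))
        if not low.startswith("rewritecond"):
            cloaked = False  # RewriteCond lines only apply to the next RewriteRule
    return findings

# Constructed sample: the standard WordPress block (must produce no findings)
# followed by an injected referer-gated redirect of the kind described above.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# --- constructed injected block, not from a real site ---
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://downloads.example.invalid/$1 [R=302,L]
"""
```

Run it as `audit_htaccess(open(".htaccess").read(), {"yoursite.com", "www.yoursite.com"})`, and check the .htaccess in every subdirectory too, not just the document root.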