WordPress.org

Support

Support » Miscellaneous » Clean up of one hacked site

Clean up of one hacked site

  • I’ve just had the annoying task of cleaning up a WP site after it had been hacked. To aid others I thought I would share a brief description.

    Disclaimer : This is not the way to go, but just a way I followed.

    Setup : WP 3.3.2. The site had been live, but not updated since March 2012.
    Perpetrator : Haxorsistz
    Morale : Do remember to update both WP and plugins regularly

    The site was defaced on all pages with a death note for the admin (it’s a kindergarten site, so that was really inappropriate). This included the admin login page, so the site was inaccessible.

    Here’s what I did to recover the site:
    – Access site by FTP and PHPAdmin
    – Backup to separate location
    – Check the errorlog
    – Search the server for recently changed files
    – Update WP (I did it through a one-click installer in cPanel)
    – Upload a clean twentyeleven theme
    – Sift through the _options table in the database.
    – Deface code was in fields blogname and widget_text
    – Set new password for DB and change wp-config accordingly
    – Set new salt in wp-config according to inline instructions in that file
    – Reset the encoding, it had been changed to UTF-7

    Resources :
    http://codex.wordpress.org/FAQ_My_site_was_hacked

Viewing 6 replies - 1 through 6 (of 6 total)
  • Viscosity
    Member

    @viscosity

    To clean up is uninstall and install back all the wordpress in order to perform a clean wipe out in which may contain backdoor left behind.

    stabiasport
    Member

    @stabiasport

    Even my website was hacked two days ago from this team and I noticed that I changed the encoding to UTF-7 and changed the name of the title. I changed everything. Now I am sure? What I occore not to suffer more attacks?

    @viscosity
    A fresh install of WP is one way to go. I checked for recent file modifications. After that, as noted above, I updated WP.

    The attack appears to have been an SQL-injection.

    @stabiasport
    Do also check widget_text in your _options table.

    To prevent it from happening you could use the advice about
    http://codex.wordpress.org/Hardening_WordPress
    and perhaps install a security plugin such as (just one example)
    http://wordpress.org/extend/plugins/bulletproof-security/
    or
    http://wordpress.org/extend/plugins/wordfence/

    Cheers
    Mort3n

    Viscosity
    Member

    @viscosity

    There are several things in which you have to look into.

    For application, fresh clean up and re installed help to clear up those mess. Re-installed and update all your required plugins,then do a full backup. Used security plugins like bulletproof security, wordfence, Timthumb Vulnerability Scanner, Theme Authenticity Checker (TAC),etc does not grant u that your sites is not hackable.

    For network, disable all your ftp and ssh when you are not using it connected to your panel.Use strong password with a minimum 15 characters length contain, upper & lower letter, number and including special character to prevent any dictionary attack on your password.

    The attack appears to have been an SQL-injection.
    What make you so sure it is SQL attack? If so, then your gonna look into your SQL updates and version used.

    http://codex.wordpress.org/Hardening_WordPress
    It did mention clearly the steps to take to harden your wordpress.

    External Service
    Cloudflare * Incapsula help to reduce your chance getting hack even though your are using their free service.

    stabiasport
    Member

    @stabiasport

    @mort3n
    Thank you.
    Can you provide the exact path? widget_text in your _options table.

    @stabiasport

    In your database you have a table called yourprefix_options. That is the table I refer to.

    In the table there is a field called widget_text. Apart from the blogname field, that is where I found altered content.

    Cheers
    Mort3n.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Clean up of one hacked site’ is closed to new replies.