The Support Forums will be in read-only mode for a scheduled maintenance window on 01 September 2016 14:00 UTC - 20:00 UTC. More information.

Got hacked.. any way I can find out how? I have logs.. (11 posts)

  1. Tyrion Frost
    Posted 4 years ago #

    Hello everyone.

    So today I was working on a few websites, and when I went back to my main site, http://www.mindfuseproductions.com, I noticed that it had been hacked and taken over by some (most likely script kittie) that went by the name of "Alberto Karlos TKJ | Black Force Crew". My site theme files were edited with the above tagline.. and it said something about "evaluate your security :)." Not that it's relevant but some terrible emo song was also embedded on the page and played in the background.

    ANYWAY.. I've never been hacked before, and trying to find the exploit they used is a bit beyond what I normally deal with. I did look at my access logs however, and found their ip address. They actually apparently come from indonesia..and I noticed that they accessed "favicon.ico" quite a bit.. and right before actually submitting an edited file through the theme editor (the log says POST.. so I'm assuming that's when they submitted the change).

    This is a copy of the log, if anyone is bored and would like to possibly help or give me feedback:


    Their IP is the 111.* address. Along with changing my theme files they also changed my password. I hope this post is allowed, and I hope that someone can help.. as I'm fairly nervous that they'll rehack me. I've changed all my passwords, but clearly they used some sort of exploit to get in, which either bypassed my password or stole it.



  2. adpawl
    Posted 4 years ago #

    Is only a part of log.
    What is the hacked file modification time?

  3. Tyrion Frost
    Posted 4 years ago #

    Well the entire log itself is gigantic. Whatever is offered through my Cpanel is kind of limited..and there doesn't appear to be any options, such as just seeing logs for today. I started where the users IP made a first request though, and ended it where the site was hacked and I fixed it.

    As for file modification time, I'm not sure. I reuploaded fresh php files for my theme.. so I'm unsure =\. I was digging deeper in the log though, and it I think it may have been a javascript exploit.. particularly jquery. I see some very weird requests from this person to jquery.. such as - - [07/Jul/2012:06:33:35 +0400] "GET /wp-admin/load-scripts.php?c=1&load=admin-bar,hoverIntent,common,jquery-color,wp-ajax-response,wp-lists,quicktags,jquery-query,admin-comments,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,thickbox,plugin-install,media-upload&ver=3.4.1 HTTP/1.1" 200 34487 "http://mindfuseproductions.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11"

  4. Tyrion Frost
    Posted 4 years ago #

    The edited several files through the theme-editor though.. functions.php.. index.php, header, etc etc.

  5. darrenmeehan
    Posted 4 years ago #

    Without looking at the logs, they shouldn't have been able to edit any files belonging to your site. I'd recommend checking your file permissions.

    Also following these two guides from the codex is a good idea.

    http://codex.wordpress.org/Hardening_WordPress http://codex.wordpress.org/FAQ_My_site_was_hacked

  6. Tyrion Frost
    Posted 4 years ago #

    I read through all of those. I don't think it's a permission issue aside from maybe some sort of javascript exploit.

    I fixed everything last night.. to the best of my ability.. and hacked again. Wtf..


  7. MickeyRoush
    Posted 4 years ago #

    @ Tyrion Frost

    You should be looking at the POST requests. It looks as though they were able to just log in do whatever they wanted.

    You need to lock it down completely from HTTP access the next time you do a clean up. You then need to remove any users that are not authorized, whether that be through the dashboard or the database, in your case most likely the database.

    If you don't need the theme/plugin editor should disable it. In your wp-config.php add the following:

    define('DISALLOW_FILE_EDIT', true);

    But that is not an ultimate solution to your problem, it may only help a bit.

    And since I'm not precisely sure what you've done already I've compiled a list of links so that you won't have to scour the web for them.

    Check your site(s) here:
    1. http://sitecheck.sucuri.net/scanner/
    2. http://www.unmaskparasites.com/
    3. http://www.virustotal.com/
    4. http://www.phishtank.com/
    5. http://www.browserdefender.com/
    6. http://ismyblogworking.com/
    7. Google Safe Browsing (to access a site's google info, add their domain to the end of this):
    8. Check your URL at scumware.org to see if your site has already been classified as malicious:

    Backup everything and put that backup somewhere safe. This is in case you have problems later on. Even though you could be backing up infected files, it is more important to have a backup up of your work, for if you make a mistake cleaning your site, you will still have the backup(s).
    1. http://codex.wordpress.org/WordPress_Backups
    2. http://codex.wordpress.org/Backing_Up_Your_Database
    3. http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Then read these:
    1. http://codex.wordpress.org/FAQ_My_site_was_hacked
    2. http://wordpress.org/support/topic/268083#post-1065779
    3. http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    4. http://ottopress.com/2009/hacked-wordpress-backdoors/
    5. http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
    6. http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    If you have indications of possible timthumb hacking, please read these:
    1. http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html
    2. http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
    3. http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/
    4. http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

    Once your site is clean, then read these:
    1. http://codex.wordpress.org/Hardening_WordPress
    2. http://codex.wordpress.org/htaccess_for_subdirectories
    3. http://www.studiopress.com/tips/wordpress-site-security.htm
    4. http://stopbadware.org/home/security

    Need more help?
    1. https://badwarebusters.org/

    If you believe your personal computer (not your host server) is infected please read these:
    1. MajorGeeks.com malware removal:
    2. MajorGeeks.com how to protect yourself from malware:

    Sorry for the long list of links. But there are thousands of different ways they could be accessing your site(s).

  8. Tyrion Frost
    Posted 4 years ago #

    Incredibly helpful.. I'll be reading over those for probably most of today. I'm currently uploaded a fresh copy of wp to see if I can figure out what they've done now. Last night I was hacked yet again, and I can't figure out how they did it -- or how to get rid of it. It seems they did something differently this time, and I can't figure out where the hacked page is.

    Anyway, thank you very much!

  9. Tyrion Frost
    Posted 4 years ago #

    Btw, I found out they hacked my wp-config file. I've restored it and am fixing stuff. I've also applied a password to the wp-admin directory server-side, so maybe THAT will help while I further investigate what's going on.

    Stupid script kiddies..

  10. darrenmeehan
    Posted 4 years ago #

    be sure to change your passwords too, no doubt they got access to them the first time.

  11. whatrya7
    Posted 4 years ago #

    Tyrion, were you able to find a solution to the /wp-admin/load-scripts.php? attack ?

    I have had the exact same issue, now hacked 2 times in 2 days. I've done everything listed above.


Topic Closed

This topic has been closed to new replies.

About this Topic