Hack/exploit of this plugin: my experience and how I worked it out

  • mrprainx

    (@mrprainx)


    4 years, 8 months ago

    Hello everyone.

    As reported from other users here this plugin has been hacked/exploited.

    Please read the post for further information.

    I would like to share with you my experience and how I worked it out, because I truly believe that this could be helpful for others.

    Basically, I, all of a sudden, find out that people visiting my website were redirected to other (malicous) websites. Furthermore, I couldn’t access my dashboard. I also tried to restore a previous back-up of my website and disabling all the plugins. Nothing worked.

    After reading all the suggested solutions (and other cases) in the abovementioned post, I finally managed to have my website back to normality by:

    • With the help of my hosting company, I found and deleted an .htaccess file created by the invader inside the folder of another plugin.
    • As suggested by @theprometeus in the abovementioned post, I’ve:
      Changed my database password and (possibly) the username.
      Reset my WP salts and unique keys inside wp_config.php.
      Reset the siteurl and home inside wp_options table in the database. You can do this using these commands

      UPDATE wp_options SET option_value = 'yoursiteurl' WHERE option_name = 'siteurl';
UPDATE wp_options SET option_value = 'yoursitehomepage' WHERE option_name = 'home';

    After regaining access to the dashboard, I’ve immediately updated the ND Shortcodes plugin to the latest version which, according to the author, hopefully fix the vulnerability.

    Everything is now working fine. Fingers crossed.

    Hope this helps.

    • This topic was modified 4 years, 8 months ago by mrprainx.
    • This topic was modified 4 years, 8 months ago by mrprainx. Reason: spelling
Viewing 2 replies - 1 through 2 (of 2 total)
  • Matheus Giovani

    (@theprometeus)

    4 years, 8 months ago

    Btw just a heads up that the plugin author just removed the import/export function in the last update, and he didn’t have fixed the plugin, so it’s a good practice to be ready if anything happens again in the future.

    lluca

    (@lluca)

    4 years, 8 months ago

    Thank you @mrprainx, I wanted to write it down too, but you beat me to it.
    I would like to add a few points to what you and @theprometeus have written:

    • Delete your files on the hosting and db
    • Restore a previous backup (before the hacking)
    • Change database password and (possibly) the username.
    • Reset my WP salts and unique keys inside wp_config.php
    • Reset the siteurl and home inside wp_options table in the database. You can do this using these commands
      • 
UPDATE wp_options SET option_value = 'yoursiteurl' WHERE option_name = 'siteurl';
UPDATE wp_options SET option_value = 'yoursitehomepage' WHERE option_name = 'home';
    • Change admin and other WP user password
    • Check if exist a unusual user on WP, eventually remove it
    • Rename theme folder via FTP
    • Download from themeforest (in my case hotel booking) the last version of theme and upload it on ftp theme folder
    • Deactivate and deinstall the plugin ND Booking, ND Shortcodes, Visual composer (js_composer), Revolution Slider and reinstall it from the new theme package
    • After ND Shortcode installation, you receive an update to versione 5.9.1. Apply this update
    • Delete the previously renamed theme folder
    • cross your fingers and hope it’s really patched with these latest updates

      • note: I saw that in the package available on themeforest have been updated the plugins ND Shortcodes (v. 5.9) but also ND Booking (v.2.6)

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Hack/exploit of this plugin: my experience and how I worked it out’ is closed to new replies.