• martyn

    (@martyn_leggebtinternetcom)


    Hi, I am running 4.3.1 with the 2014 theme. The site has been hacked, a new admin class user called “badmin” has been added with all capabilities and code has been added to search.php.

    I have the sucuri plugin loaded and this is how I saw that a badmin user was logged in. So, I can clean this BUT there is clearly another exploit that allowed this user to be created in the first place and this was done without a legitimate login because there is no record in the Sucuri logs.

    Any ideas where to look, please? Or do I just have to delete the whole site and start again.

    The inserted code started like this…

    <?php $zdaxc='d_/0T1H90/e0Fg2Vg4TpkaV….

    Any help greatly appreciated.
    Martyn
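    The first thing to establish in a case like this is which accounts actually hold the administrator role, read straight from the database rather than from the dashboard user list. The script below is an added example, not code from this thread or from WordPress; it assumes the default `wp_` table prefix and uses a constructed in-memory SQLite copy of `wp_users` and `wp_usermeta` (with a planted “badmin” row) in place of a real MySQL connection. WordPress stores roles as a PHP-serialized array in the `wp_capabilities` meta value, which is what the small regex parser reads.

```python
"""List every account that holds the administrator role in a WordPress database.

WordPress keeps a user's roles in wp_usermeta under meta_key '<prefix>capabilities'
as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}. Reading that
column directly shows planted accounts even when a plugin hides them from the
dashboard user list.
"""
import re
import sqlite3

# One enabled role inside the serialized array looks like: s:<len>:"<role>";b:1;
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_serialized(value):
    """Return the set of roles switched on (b:1) in a serialized capabilities array."""
    return set(ROLE_RE.findall(value))


def list_admins(conn, prefix="wp_"):
    """Return (user_login, user_registered) for each user with the administrator role."""
    rows = conn.execute(
        f"SELECT u.user_login, u.user_registered, m.meta_value "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? ORDER BY u.ID",
        (f"{prefix}capabilities",),
    )
    return [(login, registered) for login, registered, caps in rows
            if "administrator" in roles_from_serialized(caps)]


def build_sample_db():
    """Constructed sample data (not from a real site): the two tables with a
    legitimate admin, an editor and a planted 'badmin' account."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'martyn', '2013-05-02 10:00:00');
        INSERT INTO wp_users VALUES (2, 'editor', '2014-01-10 09:30:00');
        INSERT INTO wp_users VALUES (3, 'badmin', '2015-09-21 03:12:45');
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


if __name__ == "__main__":
    # Any login you do not recognise in this list is a finding to act on.
    for login, registered in list_admins(build_sample_db()):
        print(f"administrator: {login:10s} registered {registered}")
```

    Against a real site the same query runs unchanged in the MySQL client (substitute your table prefix); compare the `user_registered` timestamps with your own audit log to see whether the account appeared without a matching login.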

Viewing 10 replies - 1 through 10 (of 10 total)
  • Keep calm, follow all the steps here:
    http://codex.wordpress.org/FAQ_My_site_was_hacked

    Locking down your website and closing the point of entry are your priority.

    I would start by ensuring all versions are updated to latest (WordPress and plugins).

    Then work to change all your passwords (WordPress, FTP, and email).

    If all is updated, go to Dashboard and click Updates. Then re-install now.
    That may help to overwrite the core files.

    You’ll then need to have someone visually work through your files and remove any back door scripts to fully clean your account.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    You’ll then need to have someone visually work through your files and remove any back door scripts to fully clean your account.

    @tvcnet – Let’s leave that bit out unless someone asks and then we can forward them onto the appropriate avenues.

    A customer of mine just had the same hack, the user “badmin” logged in (as reported by WordFence) even though that user is not listed as a WordPress user. Can you tell me what plugins you’re using? Perhaps we have a plugin in common that is acting as the backdoor.

    I was also hacked by “badmin” a few days ago. I had to delete some old themes that I installed but were not activated nor updated. After doing this my sites have been clean.

    Thread Starter martyn

    (@martyn_leggebtinternetcom)

    I had the following plugins…
    Global Gallery
    Google Doc Embedder
    Comprehensive Google Map plugin
    jQuery Updater
    My Custom CSS
    Sucuri Security – Auditing, Malware Scanner and Hardening
    User Role Editor
    WP Clone by WP Academy
    WP Crontrol
    WP-Filebase

    This is not definitive because it looks to me as though the exploit was installed a long time ago, but only triggered this week.

    I had 2014, 2015 and a responsive theme from cyberchimps installed.
    Many directories have been modified with files added with strange looking php. I have deleted them all. The illicit logon was used to edit the search results page, adding some php.

    Thread Starter martyn

    (@martyn_leggebtinternetcom)

    One thing that is still puzzling me is that there is a file in the root directory called .wpcli. It is 0 bytes long and owned by 0, group 0. Anyone know what this is?

    The file “.wpcli.” is part of “WordPress command line”, more details here:
    http://wp-cli.org/
    https://codex.wordpress.org/wp-cli

    If you don’t use it and didn’t install it, then it may have been installed by your hacker, in which case get rid of it pronto.

    Thread Starter martyn

    (@martyn_leggebtinternetcom)

    OK, an update. I have…
    a) removed any plugins that were not being used
    b) replaced the deprecated google maps plugin
    c) removed inactive themes
    d) run various scanners, which gave me a list of files which should not be there, and have removed all offending files; there were about 50. Many of these were dated 2013, so they apparently have been around for a long time.
    e) removed the badmin user
    f) compared my installation with a clean installation at the file level. All files match, or I can explain why not.

    My installation was already “hard” according to sucuri’s scanner but it’s obviously not hard enough. Will continue to investigate.
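    Step f) above, comparing the live tree with a clean install of the same version, is the one that catches files like the 2013-dated drops. The script below is an added example, not code from this thread; it hashes both trees, reports added, modified and missing files, and separately flags any added `.php` under `wp-content/uploads/`, where no executable code should ever live. The two sample trees it builds in temporary directories are constructed for the demonstration.

```python
"""Compare a live WordPress tree against a clean copy of the same version.

Reports files only present in the live tree (added), files in both with
different content (modified), files absent from the live tree (missing), and
any added PHP under wp-content/uploads/, which should never hold code.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map each file path relative to root (with '/' separators) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_of(full)
    return digests


def compare_trees(clean_root, live_root):
    """Return a dict of sorted lists: added, modified, missing, uploads_php."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    added = sorted(set(live) - set(clean))
    missing = sorted(set(clean) - set(live))
    modified = sorted(p for p in set(clean) & set(live) if clean[p] != live[p])
    uploads_php = [p for p in added
                   if p.startswith("wp-content/uploads/") and p.endswith(".php")]
    return {"added": added, "modified": modified,
            "missing": missing, "uploads_php": uploads_php}


def write(root, rel, text):
    """Create rel under root (making parent directories) with the given content."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def build_sample_trees():
    """Constructed sample: a tiny 'clean' tree and a 'live' tree with an edited
    theme search.php, a PHP file dropped in uploads and one core file missing."""
    clean = tempfile.mkdtemp(prefix="wp-clean-")
    live = tempfile.mkdtemp(prefix="wp-live-")
    for root in (clean, live):
        write(root, "wp-login.php", "<?php // core login\n")
        write(root, "wp-content/themes/twentyfourteen/search.php", "<?php get_header();\n")
    write(clean, "wp-includes/version.php", "<?php $wp_version = '4.3.1';\n")
    write(live, "wp-content/themes/twentyfourteen/search.php",
          "<?php /* edited */ get_header();\n")
    write(live, "wp-content/uploads/2013/07/cache.php", "<?php // should not be here\n")
    return clean, live


if __name__ == "__main__":
    clean, live = build_sample_trees()
    for kind, paths in compare_trees(clean, live).items():
        for p in paths:
            print(f"{kind:11s} {p}")
```

    Run it against a fresh download of the exact same WordPress version (and the same plugin and theme versions) so that the only differences left are the ones you have to explain, as in step f).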

    Hi Martyn,

    Not sure what kind of setup you’re running WP on, but obviously there was a flaw somewhere. Dumb questions, by priority:

    – did you check folder rights are set up correctly? (see the WordPress Codex for more info – 777 for all folders is VERY bad)
    – did you delete the wp install folder?
    – did you check who accesses the wp-admin folder? (it’s possible to change that url for more security)
    – did you disable guest account registration in options? (for the time it takes to solve the issue)

    Good luck,
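    The first point in that list, folder rights, is easy to audit mechanically. The script below is an added example, not code from this thread; it walks a WordPress root, lists every world-writable directory or file (the bit that 777 and 666 set for "other") and shows the 755/644 mode the Codex recommends for each, without changing anything. The sample root it creates in a temporary directory, with one 777 uploads folder and one 666 wp-config.php, is constructed for the demonstration.

```python
"""Audit permissions under a WordPress root for world-writable entries.

The Codex recommends 755 for directories and 644 for files. A world-writable
entry (777 or 666) lets any other local account, including a neighbouring site
on shared hosting, drop or edit files there.
"""
import os
import stat
import tempfile

DIR_OK = 0o755
FILE_OK = 0o644


def audit_permissions(root):
    """Return sorted (relative_path, octal_mode) for each world-writable entry under root."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & stat.S_IWOTH:          # the 'other'-write bit, as set by 777/666
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, oct(mode)))
    return sorted(findings)


def fix_plan(root):
    """Return the (relative_path, recommended_mode) chmod list; nothing is changed here."""
    plan = []
    for rel, _mode in audit_permissions(root):
        wanted = DIR_OK if os.path.isdir(os.path.join(root, rel)) else FILE_OK
        plan.append((rel, oct(wanted)))
    return plan


def build_sample_root():
    """Constructed sample root: correct 755 dirs, a 777 uploads dir and a 666 config file."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    for rel in ("", "wp-content", "wp-content/themes", "wp-content/uploads"):
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, 0o755)               # set explicitly so the umask cannot interfere
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w") as f:
        f.write("<?php // constructed sample config\n")
    os.chmod(cfg, 0o666)
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for (rel, mode), (_, wanted) in zip(audit_permissions(root), fix_plan(root)):
        print(f"{mode}  {rel:30s} -> recommend chmod {wanted[2:]}")
```

    On a real server run it as the site owner against the document root; the plan it prints is what you would apply by hand after confirming nothing (such as an uploads directory on a badly configured host) genuinely needs the looser mode.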

  • The topic ‘Hacked’ is closed to new replies.