Title: Hacked
Last modified: August 30, 2016

---

# Hacked

 *  [Gooly](https://wordpress.org/support/users/gooly/)
 * (@gooly)
 * [10 years, 9 months ago](https://wordpress.org/support/topic/hacked-99/)
 * This week I was called to solve two hacking issues with WP websites which were
   developed by me.
 * In both cases I noticed that a plugin was installed: UBH CSU (Looked like some
   kind of plugin to administer WP from some remote console)
 * In one case an ‘admin’ account was added (I never do this myself)
 * I always install the WordFence plugin by default and I checked the login attempt.
    - In one case I saw a successful login on name ‘admin’ (The account was there, just like that, without a previous successful login)
    - In the other case there was a successful login with the user’s correct login name (I always use the user’s last name, with a prefix and postfix as login name)
 * What I did:
    - Of course I removed this UBH CSU plugin
    - I checked WordFence’s scan results: WordFence alerted on the UBH plugin files and one modified WP core file. The plugin was already removed and I restored the original core file.
    - I removed the admin user
    - I created new backend logins with new names and new passwords and removed the old ones
    - I changed the database password
 * My Questions:
 * 1) Does anyone know more about this peculiar UBH CSU Plugin? (It has information
   about the creators and you can even see their [Facebook page](https://www.facebook.com/ubhteam.org))
 * 2) Did I take all necessary steps to clean up, or did I forget something important?
 * 3) Is this an isolated hacking attempt, or is this a generally known WP issue?

Viewing 2 replies - 1 through 2 (of 2 total)

 *  [Tim Nash](https://wordpress.org/support/users/tnash/)
 * (@tnash)
 * Spam hunter
 * [10 years, 9 months ago](https://wordpress.org/support/topic/hacked-99/#post-6356030)
 * You need to start working your way through these resources:
    - [https://codex.wordpress.org/FAQ_My_site_was_hacked](https://codex.wordpress.org/FAQ_My_site_was_hacked)
    - [https://wordpress.org/support/topic/268083#post-1065779](https://wordpress.org/support/topic/268083#post-1065779)
    - [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
    - [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Additional Resources:
    - [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
    - [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/)
    - [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [10 years, 9 months ago](https://wordpress.org/support/topic/hacked-99/#post-6356031)
 * Just FYI, since the plugin isn’t hosted on WordPress.org the best thing to remember
   is “Use at your own risk.”
 * Looking at it, it’s all encrypted.
 * Delete the plugin.
 * Treat the site as if it was hacked. Delete (yes, delete) ALL the core files. 
   All the plugins. All the themes. Reinstall KNOWN CLEAN VERSIONS.
 * Change all passwords. WP, DB, server (ssh/sftp), account passwords.
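
Added example (not part of the thread, and not WordPress or WordFence code): a Python check that illustrates the advice above to reinstall known clean versions by comparing a live install against a known clean copy, which surfaces a modified core file or a plugin directory nobody installed. The function names, paths and file contents are constructed for illustration; SHA-256 over a clean download you trust is an assumption of this example.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's relative path to its SHA-256, taken from a known clean copy."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def audit_tree(live_root: Path, clean: dict[str, str]) -> dict[str, list[str]]:
    """Report files that differ from, are absent from, or are extra to the clean copy."""
    live = build_manifest(live_root)
    return {
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "missing": sorted(f for f in clean if f not in live),
        "unexpected": sorted(f for f in live if f not in clean),
    }


def write_tree(root: Path, files: dict[str, bytes]) -> None:
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Constructed sample data: a clean tree and a live tree that has drifted from it."""
    clean_files = {
        "wp-login.php": b"<?php // constructed clean file\n",
        "wp-includes/version.php": b"<?php // constructed clean file 2\n",
        "wp-admin/index.php": b"<?php // constructed clean file 3\n",
    }
    live_files = dict(clean_files)
    live_files["wp-login.php"] = b"<?php // constructed altered content\n"
    del live_files["wp-admin/index.php"]
    live_files["wp-content/plugins/unknown-plugin/main.php"] = b"<?php // constructed\n"
    with tempfile.TemporaryDirectory() as tmp:
        clean_root, live_root = Path(tmp, "clean"), Path(tmp, "live")
        write_tree(clean_root, clean_files)
        write_tree(live_root, live_files)
        return audit_tree(live_root, build_manifest(clean_root))


if __name__ == "__main__":
    print(demo())
```

Anything reported as unexpected under `wp-content` still needs a human decision, since legitimate uploads and third-party plugins are also absent from a clean core download.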


The topic ‘Hacked’ is closed to new replies.

## Tags

 * [hacked](https://wordpress.org/support/topic-tag/hacked/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 2 replies
 * 3 participants
 * Last reply from: [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * Last activity: [10 years, 9 months ago](https://wordpress.org/support/topic/hacked-99/#post-6356031)
 * Status: not resolved

