• Before I begin… all of the sites I’m about to mention are 2.9.1 – very few plugins, but all plugins are up-to-date as well.

    So here is my plight…

    On January 2 I found that one of my web sites had been hacked. In this particular hack – the title of my web site had been hacked and changed. Here is the damage that was done with that attack:

    Title of web site changed to say “Hacked by DAVA_Cybernetica”
    In the tagline – placed a link to fasthacker.us
    Reset the admin password

    Okay… pissed off and all – I obliterated the whole site. The WP installation was removed – new 2.9.1 installed. New passwords for the admin account, and new mysql db name and password. I imported the XML file that had my posts in it (only after verifying that nothing suspicious was inserted into it… that took a while).

    So the site goes back live two days later. Then this week two of my sites get hacked by the same group. This time instead of changing the information listed above – they inserted a file in the root of my web directory called LC.html – which was a “Your site has been hacked…” file. Same group again.

    This time – both sites obliterated – all passwords changed – no plugins running. I checked with my host – they have had no reports of hacking. They are usually very good about responding to stuff like this when it happens, so I do trust their information.

    If you Google the group – it’s an Indonesian Defacing group, and you can see several sites across the net who have fallen victim to this group. Sadly no real knowledge of how they are getting in…

    First question – has anyone heard/dealt with this group before?

    Second question – what suggestions can you give for preventing future attacks? I have seen the “Hardening WordPress” Codex file and have done most of it (that is applicable).

    Any suggestions would be very helpful and appreciated!

    Thanks for your time,

    Rich

Viewing 7 replies - 1 through 7 (of 7 total)
  • Try this site http://educhalk.org

    Can you help me with my problem? See under livewell. I am having trouble with when you click on “read more” it takes me to another category page.

    My site has been defaced / hacked by the same group. My experience and responses are very similar to the OP – and security hardening has not prevented the attacks.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    So the site goes back live two days later. Then this week two of my sites get hacked by the same group.

    and security hardening has not prevented the attacks.

    http://codex.wordpress.org/Hardening_WordPress

    Check with your host provider. If you are running your own server/VPS and don’t share with anyone else, then you need to successfully harden your server including the other methods to access i.e. update Apache software, patches, etc.

    If you are on a shared box and really hardened your WordPress installation, then your host needs to step up. They need to harden it on their server end. Since the site was defaced again, either you’re doing it wrong or the bad guys are getting in via some other method.

    (Sips more coffee. I have no idea how they defaced your site. But if you changed all your passwords, and deloused your site and still got hacked, then it’s either your WordPress install, your PC is hacked, or the server.)

    Thread Starter richrider

    (@richrider)

    Let me update my original post to say oops… my bad.

    There was one password I didn’t enhance in the entire process. I had neglected to enhance the mysql database password. Now that password is in excess of 40 characters long with everything including the kitchen sink thrown in. Anyone who fell victim to the specific hack above – I’d advise you change your mysql password.

    So here we are, one week, at least two hack attempts (that I can tell from my site logs) – and my sites are still up and running. Banned the IPs from my site… I’m continuing to monitor…

    I had a customer’s site hacked by the Indonesian deface group. I was also running 2.9.1 with up-to-date plugins, mostly Semiologic. Shared hosting at HostGator. HostGator support thinks that the exploit was internal to WordPress; they found no evidence of cpanel/ftp compromise.

    They also suggested changing the protections on the web root folder to 750.

    Now I’m off to change the MySQL pwd. Thanks richrider.

    Thread Starter richrider

    (@richrider)

    Glad I could help (and thankful for everyone else’s help too)! My suggestion with the MySQL password is to find a random password generator and make it 40 characters or more. Rarely, if ever, are you going to need this password after the initial install/setup.

    If you have access to the cpanel logs to see when/where they were coming from – as well as what files they were after – I’d be interested in seeing the results.

    I posted some info in another post regarding this same issue here – http://wordpress.org/support/topic/363103?replies=2

    Make sure you check ALL of your upload folders for any suspicious php scripts left behind (especially if it’s the Indonesian defacer group). The post above will cover some info on that.

    One other point of interest – on subsequent attempts to hack the sites – I noticed they were trying to initiate exploits from the default theme that comes standard with WP. One thing I did was change the name of the folder that contains the default theme to something REALLY random. From the working WP site – if I ever needed the theme temporarily I can still activate it – but it’s just not called default.

    In any case it’s been two weeks and no hack…*fingers crossed that this is it*.

    If you have any cpanel logs – please post them!

    Rich
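Rich’s advice above to check every upload folder for PHP scripts left behind, as an added example that is not part of this thread or any WordPress tool: a small Python check that walks an uploads directory (assumed to be wp-content/uploads) and flags any file that has a PHP extension or carries a PHP open tag inside a file that is supposed to be an image. The sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# PHP open tags; defacers sometimes hide PHP inside files with image extensions,
# so the content is checked as well as the extension.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
PHP_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}


def scan_uploads(root):
    """Walk an uploads tree and return (relative path, reasons) for every file
    that looks like PHP, sorted by path. An uploads folder should hold only media."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.splitext(name)[1].lower() in PHP_EXT:
                reasons.append("php extension")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # first 64 KiB is enough for an open tag
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if PHP_TAG.search(head):
                reasons.append("php open tag in content")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample uploads tree (hypothetical, not from the thread):
    one clean image, one stray PHP file, one image file hiding a PHP tag."""
    root = tempfile.mkdtemp(prefix="uploads-")
    month = os.path.join(root, "2010", "01")
    os.makedirs(month)
    with open(os.path.join(month, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0 JFIF sample bytes")
    with open(os.path.join(month, "LC.php"), "wb") as fh:
        fh.write(b"<?php echo 'defaced'; ?>")
    with open(os.path.join(month, "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a<?php echo 'hidden'; ?>")
    return root


if __name__ == "__main__":
    for rel, why in scan_uploads(build_sample_tree()):
        print(rel, "->", ", ".join(why))
```

Run it against the real uploads folder by calling scan_uploads("wp-content/uploads"); anything it lists deserves a look, since media folders should not contain PHP at all.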

  • The topic ‘Hacked – Anyone have the same issue?’ is closed to new replies.