• Resolved rogerpoole

    (@rogerpoole)


    Over the last year, my client’s site has been hit twice by this Pakistani group. The first time I was absolutely bewildered as to what happened and how they dumped over 100 random files into the site. I added the Wordfence plugin then. About 3 weeks ago, they got hit again. I fault the client for not keeping the plugins / WordPress etc. up to date. Mostly they did no monitoring at all.

    I managed to download a bunch of files from the last attack. Along with the typical support.php files with encrypted header lines, there were over 4,090 files in one directory. Mostly simple HTML drug ads.

    I found one PHP file that had an IP address written into the curl line that would grab the user agent and, I’m assuming, my client’s domain and get a webpage. I gave it a test with a private browser window and bogus information in the URL. This led me to a page with thousands of links (all random numbers and letters). But these URLs all linked to various other sites with a common directory (daqhmokdby). Doing a Google search for that directory led to the top 10 links all saying “This site may harm your computer.”

    I still don’t know how they got into the site. They did not come through the front wp-admin login. I would have seen that in the dashboard. They had other access. The .htaccess file was rewritten, 47 MB of files uploaded. I am assuming they have hacked the FTP login information or have hacked the hosting company and are coming from above.

    If there’s any interest from WordFence support in seeing these files, please contact me at [ redacted, support is not offered via email, Skype, IM etc. only in the forums ]

    https://wordpress.org/plugins/wordfence/
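A defender-side triage script for the two things described in that post: a PHP file that curls a hard-coded IP address while forwarding the visitor's User-Agent and the site's hostname, and a directory stuffed with thousands of small HTML pages. This is an added example, not code from the thread or from Wordfence; the webroot layout, the TEST-NET address 203.0.113.10 and the 500-file threshold are constructed assumptions.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Traits of the file the post describes: a curl call to a hard-coded IP that
# forwards the visitor's User-Agent and the site's hostname to fetch a page.
TRAITS = (
    re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),   # URL is a bare IPv4
    re.compile(r"\bcurl_(?:init|setopt|exec)\s*\("),    # uses the curl extension
    re.compile(r"HTTP_USER_AGENT"),                     # reads the visitor's UA
    re.compile(r"HTTP_HOST|SERVER_NAME"),               # reads the site's host
)

def looks_like_cloaker(source: str) -> bool:
    """True only when every trait appears in the same PHP source."""
    return all(p.search(source) for p in TRAITS)

def triage(webroot: Path, html_threshold: int = 500):
    """Return (suspicious PHP files, dirs holding >= threshold .html files)."""
    suspects, html_per_dir = [], Counter()
    for path in webroot.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(webroot).as_posix()
        if path.suffix.lower() in (".php", ".phtml"):
            if looks_like_cloaker(path.read_text(errors="ignore")):
                suspects.append(rel)
        elif path.suffix.lower() in (".html", ".htm"):
            html_per_dir[path.parent.relative_to(webroot).as_posix()] += 1
    dumps = sorted(d for d, n in html_per_dir.items() if n >= html_threshold)
    return sorted(suspects), dumps

def demo():
    """Build a constructed webroot in a temp dir and triage it."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content" / "uploads").mkdir(parents=True)
    # Constructed fixture carrying all traits (TEST-NET address, nothing executed).
    (root / "wp-content" / "uploads" / "support.php").write_text(
        "<?php $ch = curl_init('http://203.0.113.10/?ua=' . "
        "$_SERVER['HTTP_USER_AGENT'] . '&h=' . $_SERVER['HTTP_HOST']);")
    # Ordinary curl use: named host, no User-Agent forwarding, so not flagged.
    (root / "wp-content" / "update.php").write_text(
        "<?php $ch = curl_init('https://api.wordpress.org/core/version-check/');")
    # A directory stuffed with small html pages, like the 4,090-file dump.
    (root / "daqhmokdby").mkdir()
    for i in range(600):
        (root / "daqhmokdby" / f"{i:04x}.html").write_text("<html>spam</html>")
    return triage(root)
```

Run `triage(Path("/path/to/webroot"))` against a copy of the downloaded files; `demo()` shows the expected output shape on the constructed tree.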

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter rogerpoole

    (@rogerpoole)

    Resolved.

    How you resolved this would be appreciated by the community. At least a hint. MTN

    Thread Starter rogerpoole

    (@rogerpoole)

    Ha! Sorry MountainGuy. I’ve basically passed the infected files to the WordFence crew to review. I’m sure the next filter will have an even better focus on the Pak Haxor hacking.

    Thread Starter rogerpoole

    (@rogerpoole)

    Hi all. Attacked again. Here are a few of the notes on the infected files.

    • f649 infection

    • Possibly malicious lambda function

    • Many c99 variants including NFM, Perl, Predator, CTT, r57 and Redhatc99

    I did a search on the f649 infection and ultimately came to a story about Darkleech and the hosting company, GoDaddy. Apparently GoDaddy has had issues with this for years.
    This is a root-level infection that needs to be addressed by the host company, but when my client called they wanted to sell her a security service (basically SSL) for $150 a year.

    Can anyone guide me as to what might be in the log files that might prove Darkleech is active? Looking for something I can send to the host’s support and get an acknowledgement of the problem.

    Also, moving this site to a different host as soon as the client is back from vacation.

  • The topic ‘hacked by Pak Haxor experience’ is closed to new replies.