Hacked by “Sole Sad & Invisible” (WordPress.org support forum, Fixing WordPress)

  • [Resolved] stratocaster (@stratocaster)

    Hi, 3 of my sites recently got hacked: code was injected into index.php and .htaccess was overwritten. They also dumped an alfa.php file and a folder called alfacgiapi which contains .htaccess, getheader.alfa and perl.alfa.

    So, I cleaned them off and ran several different malware scans, internal and external, which reported all was clean. One of the sites has no further problems, but on 2 of the sites, my .htaccess file was still getting overwritten and my index.php file is getting code injected into it.

    So I replaced all the WP (5.5) core files, but the index.php and .htaccess were still getting overwritten.

    My host said I should install SiteLock at $299/year on all my websites, but I have 10 of them, no way I can do that. They are just business card sites.

    I have completely deleted one of my sites and created a basic index.html file, that’s all that exists there. Yet, still after a few hours an index.php file appeared with the malware code, but not any WP code. No .htaccess file has appeared though.

    I have changed my cPanel password, all my WP login passwords and deleted all FTP accounts. The host suggests maybe there is some malware in the root folder, but that would leave all my sites vulnerable in that case, yet only 3 were attacked, one is cured and 2 still have problems.
    I’m guessing if I change host, then I’ll get a clean root folder. For the cost of 10 sitelock licences, I’ll get about 20 years hosting including malware protection.

Viewing 15 replies - 1 through 15 (of 18 total)
  • James Huff (@macmanx), Volunteer Moderator

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

  • Steven Stern (@sterndata), Forum Moderator & Support Team Volunteer

    Have you tried installing Wordfence?

    Thanks James,

    I’ve done pretty much most of that already. None of these folders seem to appear anymore, only index.php and htaccess.

    One domain I have purged the entire website, it has nothing but an index.html file, yet still getting hacked, so am I right to think that means it can’t be wordpress that was hacked?

  • James Huff (@macmanx), Volunteer Moderator

    It is always possible that the server or hosting provider itself is compromised.

    If you’re sure you have cleared everything following the guide, and your hosting provider won’t assist, it might be time for a new hosting provider.

    We have a few recommendations at https://wordpress.org/hosting/

    Yes, I have installed Wordfence and Anti-Malware Security and Brute-Force Firewall by Eli Scheetz. Both scans say the sites are clean after I replace index.php and .htaccess with the original files. Also scanned with Sucuri SiteCheck, it says all clean, but a few hours later, index.php and .htaccess get overwritten.

    The .htaccess file doesn’t contain any bad code, but index.php does.

  • Steven Stern (@sterndata), Forum Moderator & Support Team Volunteer

    I suspect your hosting is, at this point, compromised.

    I even went to the extreme of copying my entire root folder into one of my sites and called it aa, then ran scans on that site and it came up clean.

    Ok, so new host it is then. Thanks for your help. Much appreciated 🙂

    Hi @stratocaster,

    Logan from SiteLock here. There are additional options available to you, I would suggest checking out the SiteLock Security WordPress Plugin as an option. If all you are looking for is malware cleaning and service, I believe the pricing inside the plugin will be more aligned with your expectations.

    SiteLock has many partnerships with companies where custom plans are created based on the partners’ requirements and offered through their platforms, which can vary significantly in features (and therefore price). I hope that this helps to clear up any confusion around the matter.

    With regard to your question about the “purged” website remaining hacked, keep in mind that once malware has intruded into your web environment, it would be a simple task to traverse between directories and spread. Even after cleaning the initial point of infection, there is a risk that the infection could spread once again if parts of the malicious software are missed.

    If there’s anything I can do to further clarify on the SiteLock products, or answer any malware questions, please let me know.

    Thanks Logan,
    I hope I didn’t sound like I had any problem about Sitelock, of course I don’t at all. It was really just the casual way my host provider said to me “So it’ll be $299 for each website, I can bill it to the card you have on file, would you like me to do that for you now?”

    I’m gonna move to a new host for now, because I have a feeling this was not an attack on wordpress. If there is a bot in my root folder, surely all my sites should be vulnerable, but only those 2 are being attacked.

    I have since found bunch of tables in one of the databases with wdsrj_ prefix. No idea what they are, or how they got there, so I dropped them. So far, no attack for a few hours.

    Thank you all so much for your help and advice here.

  • James Huff (@macmanx), Volunteer Moderator

    “bunch of tables in one of the databases with wdsrj_ prefix”

    You can set a custom database table prefix in WordPress, and most automated installers randomize it, so those could very well be your own database tables: https://wordpress.org/support/article/editing-wp-config-php/#table_prefix

    Ah yes, but these tables were actually in addition to the WP tables; all those with the wp_ prefix are there as well.
    These wdsrj_ tables looked like they were for some other script, they had a completely different structure to the WP tables. There were a lot of them, like 2 websites running off the same database. After dropping them, the website continues to work as it should.
    Over 4 hours now since the last hack, it normally happens after about an hour or so.

    Fingers crossed, hopefully the culprit was in there somewhere. I guess I’ll know for sure by morning.

  • Steven Stern (@sterndata), Forum Moderator & Support Team Volunteer

    Is this a Linux system? If so, you might find malware code by going to the top of your file tree and looking for wdsrj....

    cd ~
    grep -rIl wdsrj .    # -r recurse, -I skip binaries, -l list only file names; searching "." instead of "*" also covers dotfiles such as .htaccess
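As an added example that is not part of the thread, the same hunt written out as a small shell script, together with two checks a practitioner would run beside it: PHP files modified in the last hour or so (the reinfection interval the poster observed) and PHP files sitting under wp-content/uploads, where WordPress never writes PHP. The home-directory layout and the wdsrj marker are placeholders taken from the thread; the script builds its own constructed sample tree so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not code from the thread: three quick hunts over a
# cPanel-style home directory. The "wdsrj" marker and the directory layout
# are placeholders from the thread; substitute your own home directory.

# Files under $1 whose contents contain $2 (case-insensitive).
# -r recurse, -I skip binaries, -i ignore case, -l print only file names.
# Starting from a directory rather than "*" also covers dotfiles (.htaccess).
grep_indicator() {
    grep -rIil -- "$2" "$1" 2>/dev/null | sort
}

# PHP files under $1 modified within the last $2 minutes. A dropper that
# comes back every hour or so shows up here even when scanners say "clean".
recent_php() {
    find "$1" -type f -name '*.php' -mmin "-$2" 2>/dev/null | sort
}

# PHP files inside wp-content/uploads, where WordPress never writes PHP.
php_in_uploads() {
    find "$1" -type f -path '*/wp-content/uploads/*' -name '*.php' 2>/dev/null | sort
}

# Constructed sample tree, built only so the example runs stand-alone.
demo() {
    home=$(mktemp -d)
    mkdir -p "$home/site1/wp-content/uploads/2020" "$home/site2"
    printf '<?php /* clean site */ echo "ok";\n' > "$home/site1/index.php"
    printf 'RewriteEngine On\n' > "$home/site1/.htaccess"
    printf '<?php /* marker: wdsrj */ echo "x";\n' > "$home/site2/index.php"
    printf '<?php /* dropped into uploads */\n' > "$home/site1/wp-content/uploads/2020/alfa.php"

    echo "== files mentioning wdsrj =="; grep_indicator "$home" wdsrj
    echo "== PHP files touched in the last 60 minutes =="; recent_php "$home" 60
    echo "== PHP files under wp-content/uploads =="; php_in_uploads "$home"
    rm -rf "$home"
}

demo
```

Point the three functions at your real home directory instead of the constructed tree. Files that match any of the three lists deserve a look with `head` before deletion, because a legitimate plugin occasionally ships a PHP helper in odd places; a PHP file under uploads, however, is almost never legitimate.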

    I don’t know if it’s Linux to be honest. It’s a shared server with cPanel.
    I tried a search there in file manager, but I think that only searches for file names, not strings inside files.
    I have a backup of the db before I dropped those tables. I’ll open it up local and see if I find anything in there.

    There was a folder of files as listed in the OP, but after removing them, they never returned. They were dumped in the site root folders.

    Well, it has been back during the night and planted its index.php file on my empty website.
    Nothing on the other site yet though, it would normally have done both within an hour or so.

    It must be checking to see if index.php exists and if so, inject the code and if not, create it and chmod 0644. Also, if .htaccess exists, then overwrite it with a standard .htaccess and chmod 0444, but if not, it is not creating one.

    I’ve created a blank index.php and set permissions to 0000, if that works, I know it’s only a patch for now. As my name suggests, I am a musician by trade, so I can’t really afford to do much about it right now, whilst our industry is in a coma, other than use my time and whatever tools I already have.

    Seems like I’m making some small progress at least.
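The behaviour described in the post above (index.php injected or created, .htaccess overwritten and set to 0444) is exactly what a file-integrity baseline catches, and it does so with a timestamp instead of hours later. The following shell script is an added example, not something from the thread or from any product mentioned in it: it records a SHA-256 and the permission bits of every index.php and .htaccess under a directory, then reports files that changed, were re-chmodded, vanished or newly appeared. It assumes sha256sum or shasum and a GNU or BSD stat; the sample site it tampers with is constructed inline.

```shell
#!/bin/sh
# Added example, not part of the thread: baseline-and-compare check for
# the two files the poster saw rewritten (index.php and .htaccess) and
# their permission bits. Assumes sha256sum or shasum and GNU or BSD stat.
# Keep the manifest outside the document root so the dropper cannot edit it.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Octal permission bits; GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 if manifest $1 lists path $2 exactly, 1 otherwise.
has_path() {
    awk -v p="$2" '{ sub(/^[^ ]+ [^ ]+ /, ""); if ($0 == p) { f = 1; exit } }
                   END { exit !f }' "$1"
}

# Write "sha256 mode path" for every index.php and .htaccess under $1 to $2.
baseline() {
    find "$1" -type f \( -name index.php -o -name .htaccess \) | sort |
    while IFS= read -r f; do
        printf '%s %s %s\n' "$(hash_file "$f")" "$(file_mode "$f")" "$f"
    done > "$2"
}

# Compare tree $1 against manifest $2. Prints one line per finding and
# returns 1 if anything was rewritten, re-chmodded, removed or newly dropped.
check() {
    rc=0
    while read -r hash mode path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(hash_file "$path")" != "$hash" ]; then
            echo "CHANGED $path"; rc=1
        elif [ "$(file_mode "$path")" != "$mode" ]; then
            echo "CHMOD   $path ($mode -> $(file_mode "$path"))"; rc=1
        fi
    done < "$2"
    cur=$(mktemp)
    find "$1" -type f \( -name index.php -o -name .htaccess \) | sort > "$cur"
    while IFS= read -r f; do
        has_path "$2" "$f" || { echo "NEW     $f"; rc=1; }
    done < "$cur"
    rm -f "$cur"
    return $rc
}

# Constructed sample site, built only so the example runs stand-alone.
demo() {
    root=$(mktemp -d)
    manifest=$(mktemp)
    printf '<?php /* original */ echo "ok";\n' > "$root/index.php"
    printf 'RewriteEngine On\n' > "$root/.htaccess"
    baseline "$root" "$manifest"
    echo "== before tampering =="; check "$root" "$manifest" && echo "clean"

    # Simulate what the poster observed: index.php rewritten, .htaccess
    # reset to mode 0444, and a new index.php dropped into an empty subsite.
    printf '<?php /* injected */ echo "x";\n' > "$root/index.php"
    chmod 0444 "$root/.htaccess"
    mkdir "$root/empty-site"
    printf '<?php /* dropped */\n' > "$root/empty-site/index.php"
    echo "== after tampering =="; check "$root" "$manifest" || echo "tampering detected"
    rm -rf "$root" "$manifest"
}

demo
```

Run baseline once on a freshly cleaned tree, then run check from cron every 15 minutes or so. The time of the first CHANGED or NEW line narrows the window in which to read the server's access logs for the request that did the writing, which is the evidence the host asked for and the scanners on the page cannot provide.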

    Just a quick update. I may have found the culprit, or rather AVG found it after a scan on my laptop. It found 2 files in one of my WP backups in themes/bbtheme/classes:
    dm2.php and radio.php
    I did a search on my server and that site has an outdated beaver builder theme and these 2 files were present in that location. They shouldn’t be there. Updated the theme and now they’re gone.
    Also, my admin password for that site had been changed, so I changed it in phpmyadmin, updated everything and ran a scan. It’s all clean now.

    I guess I’ll just wait & see now..
