• Had a message from my host tonight saying that I’ve been hacked – the following files *at least* are compromised:

    ./MYDOMAIN/public_html/archive.php: PHP.C99-13 FOUND
    ./MYDOMAIN/public_html/admin.php: PHP.ShellExec FOUND
    ./MYDOMAIN/public_html/htdocs.php: PHP.Mailer-7 FOUND
    ./MYDOMAIN/public_html/wp-content/themes/MyCuisine/log.php: PHP.ShellExec FOUND
    ./MYDOMAIN/public_html/wp-content/themes/MyCuisine/cache/newfile.php: PHP.ShellExec FOUND

    Not clued up on this sort of stuff, but Googling PHP.99-13 took me to a Wikipedia page about Remote File Inclusion. Of course I can simply upload fresh copies of these files from a backup, but how have I been infected, and how do I ensure I’ve not left the door open for the files to be overwritten by the hack again?

    Any and all advice gratefully received – my host is threatening to remove the site unless I get it sorted. Damn hackers, I would genuinely support legislation to kill them on conviction of a first offence 🙁

Viewing 3 replies - 1 through 3 (of 3 total)
  • Of all of these reports, only public_html/wp-content/themes/MyCuisine/log.php is directly related to WordPress. Have a look at these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    With the other files, I guess they were left behind by the hacker, so you can just delete them.

    Thread Starter travellers

    (@travellers)

    Well yes I can follow that. My machine comes back clean, and I’m guessing my host isn’t responsible since it was him who discovered it and notified me. I’ve changed all my passwords across the board, cpanel, wp admin, etc. And I can restore backups of the files and the database.
    But none of that does anything about how they got in in the first place. They certainly didn’t guess any passwords – none of those is less than a dozen characters that are all random symbols. I’m running the latest version of WP, all my plugins and theme are up to date. If I can’t close the back door, all I’m doing is rearranging deckchairs on the Titanic – the hacked files will be back next time the hacker’s bot stops by!

    But none of that does anything about how they got in in the first place.

    It could have been via an insecure plugin or theme. Or it could have been somewhere else on the server and nothing to do with WP at all. Another possibility is FTP. A lot of hackers are now sniffing insecure FTP connections, so use SFTP/encrypted FTP whenever possible.

    That last link in the list above gives a pretty good tutorial on hunting down hacker back doors.
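As an added example (not from the thread, the linked tutorial or WordPress itself), one way to carry out the back-door hunt the reply recommends: diff the live tree against a known-clean backup and flag PHP files that are new, changed, or contain the shell/eval constructs scanners tag as PHP.ShellExec. The directory layout and file contents are constructed to mirror the host's report.

```python
"""Hunt for dropped or altered PHP files by diffing a live WordPress tree
against a known-clean backup. Added example, not code from the thread."""
import hashlib, re, tempfile
from pathlib import Path

# Constructs typical of PHP backdoors; a hit is a lead to inspect, not proof.
SUSPICIOUS = re.compile(
    r"\b(shell_exec|passthru|system|exec|popen|proc_open)\s*\(|"
    r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def php_files(root: Path) -> dict:
    """Map path-relative-to-root -> Path for every *.php under root."""
    return {str(p.relative_to(root)): p for p in root.rglob("*.php")}

def hunt(live: Path, backup: Path) -> dict:
    """Return {'added': [...], 'modified': [...], 'suspicious': [...]}."""
    live_f, back_f = php_files(live), php_files(backup)
    report = {"added": [], "modified": [], "suspicious": []}
    for rel, p in sorted(live_f.items()):
        if rel not in back_f:                      # file the backup never had
            report["added"].append(rel)
        elif sha256(p) != sha256(back_f[rel]):     # legit file, tampered
            report["modified"].append(rel)
        if SUSPICIOUS.search(p.read_text(errors="replace")):
            report["suspicious"].append(rel)
    return report

def demo() -> dict:
    """Constructed sample trees shaped like the thread's site; assumed layout."""
    tmp = Path(tempfile.mkdtemp())
    back, live = tmp / "backup", tmp / "live"
    theme = "wp-content/themes/MyCuisine"
    for root in (back, live):
        (root / theme / "cache").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';")
        (root / theme / "functions.php").write_text("<?php add_theme_support('menus');")
    # Constructed compromises: a dropped file in cache/ and a tampered theme file.
    (live / theme / "cache/newfile.php").write_text("<?php shell_exec('id');")
    (live / theme / "functions.php").write_text("<?php eval(base64_decode('aGk='));")
    return hunt(live, back)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Run it against the real site with `hunt(Path('public_html'), Path('clean_backup'))`; anything in `added` or `suspicious` that is not yours is the door to close, and `modified` shows which legitimate files were overwritten.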

  • The topic ‘Latest WP but still hacked with RFI’ is closed to new replies.