My site was hacked and PHP.RSTBackdoor was installed
My website, figtreephotodesign.com, was recently hacked by a Bangladeshi hacker group. They installed the PHP.RSTBackdoor and replaced my homepage. However, the backdoor script was accessed some 13 times – more than needed to replace the index.php – I wonder what they were up to…
Anyway, I cleaned my WP of files created on that day, changed passwords, blocked certain IPs and disabled access to xmlrpc.php – a suspected route of attack.
During the search for new/updated files I found a bunch of jpegs – resized to a rather small size by “gd-jpeg v1.0 (using IJG JPEG v62)” – that’s the text found in these files. More interestingly, I’ve removed some of those files and accessed my blog to see if it still works, and these files were re-created!
However, these files do not seem to contain any EXIF info, so not sure if they can be considered a threat…
I wonder if these re-appearing thumbnails could be a plug-in or theme feature. I’m using “TheStyle” theme from Elegant Themes, and a bunch of plugins: Advanced Code Editor (on), Appointments Lite (on), Bad Behavior (on), Catch IDs (on), Contact Form 7 (on), Elegant Themes Updater (on), Jetpack (on), PhotoMosaic (off), Really Simple Captcha (off), Regenerate Thumbnails (off), Rename wp-login (on), UpdraftPlus (on), WordPress SEO (on), WP Copy Protection (on).
Any help / ideas would be appreciated.
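
One way to triage the re-created thumbnails described above, as an added example that is not part of the original post: it reads the JPEG comment segment (the "gd-jpeg" text is the comment PHP's GD library writes into images it generates), reports whether EXIF is present, and flags PHP-like bytes or data appended after the end-of-image marker. The function name, the heuristics and the sample bytes are constructed for illustration.

```python
import struct

# Byte patterns that have no business in image data (detection heuristics).
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(")

def triage_jpeg(data: bytes) -> dict:
    """Walk JPEG header segments and report what a reviewer needs to see."""
    report = {"is_jpeg": data[:2] == b"\xff\xd8", "comments": [],
              "has_exif": False, "trailing_bytes": 0,
              "php_markers": [m.decode() for m in PHP_MARKERS if m in data]}
    if not report["is_jpeg"]:
        return report
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # markers without a length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:                      # COM: free-text comment
            report["comments"].append(payload.decode("latin-1").strip())
        elif marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            report["has_exif"] = True
        elif marker == 0xDA:                    # SOS: image data runs to EOI
            eoi = data.find(b"\xff\xd9", pos + 2 + length)
            if eoi != -1:
                report["trailing_bytes"] = len(data) - (eoi + 2)
            break
        pos += 2 + length
    return report

def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: structurally valid segment layout, not decodable pictures.
GD_COMMENT = b"CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 90\n"
CLEAN = (b"\xff\xd8" + _segment(0xFE, GD_COMMENT)
         + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
APPENDED = b"<?php /* constructed placeholder */ ?>"
TAMPERED = CLEAN + APPENDED

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, triage_jpeg(blob))
```

A file that reports only the GD comment, no trailing bytes and no PHP markers is consistent with a thumbnail generated by the site itself; anything with trailing bytes or PHP markers deserves a closer look before it is left in the uploads directory.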