My site was hacked and PHP.RSTBackdoor was installed

mfigrs
(@mfigrs)

8 years, 9 months ago

My website: figtreephotodesign.com, was recently hacked by a Bangladesh hackers group. They installed the PHP.RSTBackdoor and replaced my homepage. However, the backdoor script was accessed some 13 times – more than needed to replace the index.php – I wonder what they were up to…

Anyway, I cleaned my WP from files created on that day, changed passwords, blocked certain IPs and disabled access to xmlrpc.php – a suspected route of attack.

During the search for new/updated files I found a bunch of jpegs – resized to a rather small size by “gd-jpeg v1.0 (using IJG JPEG v62)” – that’s the text found in these files. More interestingly, I’ve removed some of those files and accessed my blog to see if it still works, and these files were re-created!

However, these files do not seem to contain any EXIF info, so not sure if they can be considered a threat…

I wonder if this re-appearing thumbnails could be a plug-in or theme feature. I’m using “TheStyle” theme from Elegant Themes, and a bunch of plugins: Advanced Code Editor (on), Appointments Lite (on), Bad Behavior (on), Catch IDs (on), Contact Form 7 (on), Elegant Themes Updater (on), Jetpack (on), PhotoMosaic (off), Really Simple Captcha (off), Regenerate Thumbnails (off), Rename wp-login (on), UpdraftPlus (on), WordPress SEO (on), WP Copy Protection (on).

Any help / ideas would be appreciated.

Viewing 3 replies - 1 through 3 (of 3 total)

Moderator t-p
(@t-p)

8 years, 9 months ago
You need to start working your way through these resources:
Additional Resources:
Thread Starter mfigrs
(@mfigrs)

8 years, 9 months ago

Tara,

Thank you. I have already found some of those resources and followed these directions. E.g. I’ve already replaced all WP core files and examined other files (themes & plugins) for malicious code – didn’t find any. I also did not find any altered posts in the database.

The only thing that bothers me right now is these re-appearing thumbnail files. Could it be that my ET theme or one of the plugins generates them on the fly, or is it certainly malicious?

wslade
(@wslade)

8 years, 9 months ago

I’m glad you were able to recover quickly from the damage to your site. Most hacks are fully automated using botnets programmed to look for known exploits. The extra looks may have simply been trying additional exploits. They could have also been installing more backdoors.

Hacks are getting more sophisticated every day. In the past, a big tip off to possible malware was any file in an image folder with a non image extension.

A great hiding place for malware is in wp-content/uploads, amongst the images. Nowadays it’s not unusual for me to see an image extensions used to hide malware.

But from what I understand from your post, your thumbs are real images but are just resized, is that correct? If you can view the images, your idea of looking at plugins and even WordPress core functions seems a logical one. The Media Library generates a number of additional images for each upload, including thumbs.

If you haven’t already done so, you may want to install a good security plugin. I leave a properly configured version of Wordfence in every damaged site that I repair.

I’d be most interested in hearing back about what you find with the regenerating thumbs.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘My site was hacked and PHP.RSTBackdoor was installed’ is closed to new replies.

My site was hacked and PHP.RSTBackdoor was installed

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics