Title: New Hack After Scan
Last modified: September 27, 2017

---

# New Hack After Scan

 *  Resolved [JustDuckyDesigns](https://wordpress.org/support/users/justduckydesigns/)
 * (@justduckydesigns)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/new-hack-after-scan/)
 * My server was hacked a few weeks ago. I’ve been working with my host and a security
   expert to get everything clean. We thought we had everything and then I also 
   downloaded your plugin, installed it on all of my sites (over 80) and ran a scan
   on each one (I’m sure you know this was a long process). The plugin did find
   a few issues on about 3 sites and seemed to clean them perfectly. The problem
   is one of the sites that I scanned (and your plugin found nothing) was hacked
   again 2 days ago. I just scanned it last Friday and it was hacked on Monday. 
   I got an email from my host that the site was being used as a phishing site again.
 * Are there any additional steps I can take? This seems to be like a pretty big
   miss and it makes me very nervous about the rest of my sites. And, yes, I did
   donate and I downloaded all the new definitions and set the scan to run automatically
   and scanned the core files. I ran the scan on the entire /public_html/ folder
   for all sites.
 * Can you suggest anything further?

Viewing 10 replies - 1 through 10 (of 10 total)

 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/new-hack-after-scan/#post-9537212)
 * Did my plugin find the new hack that was placed on that site or is there still
   a malicious script at large / undetected?
 * What you need to find out is how that hack was put on your server. With 80+ sites
   on the same account that is not going to be easy and you might need your host
   to help.
 * You need to know the exact time of the infection so that you can check your access_log
   files to see if you can find any evidence of how it was added.
 *  Thread Starter [JustDuckyDesigns](https://wordpress.org/support/users/justduckydesigns/)
 * (@justduckydesigns)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/new-hack-after-scan/#post-9537268)
 * No, the plugin told me the site was clean, that was last Friday. Then today I 
   got the email from my host telling me that they had been contacted with the information
   that this site was being used (again) as a phishing site.
 * My host is not being of much help, they tell me that it’s my responsibility to
   keep my individual sites clean.
 * I have a security guy looking at the quarantined files over the next couple of
   days. I’m hoping he can shed some light on this.
 * There had to be something, either in this site or my other sites (I am on a shared
   server) that allowed them back in. I’m on a mission to find out how they got 
   back in.
 * Any ideas you have would be greatly appreciated.
 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/new-hack-after-scan/#post-9537377)
 * Ok, so the plugin told you the site was clean last Friday. Then today you got
   the email from your host telling you that they had been contacted with the information
   that this site was being used as a phishing site (note that without dated evidence
   in their email to you the notification that they got could be old and could be
   referring to a threat that you have already removed).
 * You should run the Complete Scan again on that site to see if it turns up any
   new threats or if it’s still saying that the site is clean.
 * Also, ask your host for the details of the phishing site complaint to confirm 
   that it was related to activity occurring after you cleaned the site.
 *  Thread Starter [JustDuckyDesigns](https://wordpress.org/support/users/justduckydesigns/)
 * (@justduckydesigns)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/new-hack-after-scan/#post-9539076)
 * My host quarantined the entire site, so I can’t run the scan again. But I did
   look at the quarantined files and could see that there was a folder that was 
   added on Monday (ran the scan on Friday, got the notice of phishing on Wednesday)
   that was clearly infected, it contained php files and files that pointed to credit
   card sign up pages. None of those pages were there before; which tells me that
   the hackers had something in that site that allowed them back in. Right after
   the first hacking incident happened – before I installed your plugin – I made
   sure the site was running the most recent version of WP and all the plugins, 
   I deleted any plugins that were not in use, I changed all of the cpanel passwords,
   I changed all of the WordPress passwords, I verified that there was only one 
   user account within the WP site (mine), I made sure there were no other FTP users.
   I’m not sure what else I could have done. The only thing I can think that happened
   is that there was still something within that site that allowed the hackers an
   open door back in.
 *  Thread Starter [JustDuckyDesigns](https://wordpress.org/support/users/justduckydesigns/)
 * (@justduckydesigns)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/new-hack-after-scan/#post-9539082)
 * I’m working with a security expert and he asked me to have the hosting company
   zip all the site files and email them to him; which I have done. He hopes to 
   be able to identify the file(s) that allowed the hackers in. I’d be happy to 
   send you that zip file if you are interested. Perhaps you could see what happened,
   or what was missed.
 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/new-hack-after-scan/#post-9539910)
 * It sounds like you have been very thorough and you are doing everything you can
   to get this situation under control. I agree with you that there must be some
   back-door or un-patched vulnerability that let these hackers in again (also consider
   what might have let them in the first time, it could still be vulnerable).
 * You can certainly send those zipped files to me if you like and there is a chance
   I might spot something but it sounds like there is going to be a lot in there
   and I can’t spend a lot of time going through it. That is definitely the hard
   way to find a threat. It is much easier to follow a hacker’s trail with direct
   access to the infected server because you can do real-time searches and comparisons
   with the untainted filesystem (like stat the timestamps of the modified files
   and grep the access_log files for activity at those times, etc.).
 * If you want to contact me directly my email is: eli AT gotmls DOT net
 * Aloha, Eli
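
Added example (not part of the thread, and not code from the plugin or its author): one way to do the correlation Eli describes in the post above, matching file change times against access_log entries, in Python. The log lines, paths and times are constructed sample data, the function names are hypothetical, and the Apache common/combined log format is assumed.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined log: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}

def changed_files(root, since):
    """Files under root whose inode change time (ctime) is at or after `since`.
    On Linux, ctime is used because mtime can be reset by whoever wrote the file."""
    found = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(folder, name)
            ctime = datetime.fromtimestamp(os.lstat(full).st_ctime, timezone.utc)
            if ctime >= since:
                found[full] = ctime
    return found

def requests_near(log_lines, file_times, window_minutes=5):
    """For each file, the parsed log entries within +/- window of its change time."""
    window = timedelta(minutes=window_minutes)
    entries = [e for e in map(parse_line, log_lines) if e]
    return {path: [e for e in entries if abs(e["time"] - t) <= window]
            for path, t in file_times.items()}

# Constructed sample data (documentation IP ranges, made-up paths and times).
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2017:03:14:02 +0000] "POST /wp-content/plugins/example/upload.php HTTP/1.1" 200 312',
    '203.0.113.9 - - [25/Sep/2017:03:40:10 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Sep/2017:03:15:30 +0000] "GET /signin/index.php HTTP/1.1" 200 2048',
    'not an access log line',
]
SAMPLE_FILES = {"/signin/index.php": datetime(2017, 9, 25, 3, 14, 5, tzinfo=timezone.utc)}

if __name__ == "__main__":
    for path, hits in requests_near(SAMPLE_LOG, SAMPLE_FILES).items():
        for e in hits:
            print(path, e["time"].isoformat(), e["ip"], e["method"], e["path"])
```

On a live server the `file_times` argument would come from `changed_files()` run over the site root, and the log lines from every access_log on the shared account, since the entry point may be a different site than the one showing the new files.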
 *  [bibliata](https://wordpress.org/support/users/bibliata/)
 * (@bibliata)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/new-hack-after-scan/#post-9541026)
 * If this is any help: I ran into a similar situation several weeks ago when this
   attack began. I ran the plugin repeatedly on all my sites; on some of them it 
   takes 4-6 hours to complete. Every time it found problems, we deleted them completely.
   Then they reappeared again.
 * Finally, examining the file structure, we found the attacker being able to upload
   whole ZIP files, from which were extracted complete 2-3 various directories with malware
   plus many files in the main WP directory, plus infecting actual WP files. These
   had to be deleted by hand. Is this issue planned to be addressed by the plugin
   in the future and if so how?
 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/new-hack-after-scan/#post-9541093)
 * If there are ever any malicious files that you find that my plugin failed to 
   detect then you can send those files to me directly and I will add them to my
   definition updates so that they can be automatically fixed in the future.
 *  [Adam](https://wordpress.org/support/users/adamlachut/)
 * (@adamlachut)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/new-hack-after-scan/#post-9541295)
 * > I run the plugin repeatedly on all my sites, on some of them it takes 4-6 hours
   > to complete.
 * Did you block access to all your websites sharing the same hosting account
   at the time of scanning? You should.
 * Did you find and secure the vulnerability? You have to: if someone uploaded/modified
   files, deleting/restoring them does not help if he will be able to upload
   them again.
 *  [bibliata](https://wordpress.org/support/users/bibliata/)
 * (@bibliata)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/new-hack-after-scan/#post-9541308)
 * We believe it was done either through the MailPoet plugin or WP core. Both have
   since released new updates. The XMLRPC Access was also patched.

The topic ‘New Hack After Scan’ is closed to new replies.

 * 10 replies
 * 4 participants
 * Last reply from: [bibliata](https://wordpress.org/support/users/bibliata/)
 * Last activity: [8 years, 6 months ago](https://wordpress.org/support/topic/new-hack-after-scan/#post-9541308)
 * Status: resolved