[resolved] Site hacked (10 posts)

  1. Rob Cubbon
    Member
    Posted 3 years ago #

    What is the best procedure about a hacked WordPress site?

    The owner of this site is saying that someone put dating imagery on it.

    It is www littledipper net

    I can't get into the administration area. I don't know much about it, what version of WordPress or anything I'm afraid.

  2. MickeyRoush
    Member
    Posted 3 years ago #

    Here is the result from a scan with sucuri.net:

    http://sitecheck.sucuri.net/results/littledipper.net

    There is no easy fix. It looks like it was infected with the latest timthumb hack, but I could be wrong.

    I've compiled a list of links that should help you so that you won't scour the net looking for them.

    Check your site(s) here:
    1. http://sitecheck.sucuri.net/scanner/
    2. http://www.unmaskparasites.com/
    3. http://www.virustotal.com/
    4. http://www.phishtank.com/
    5. http://www.browserdefender.com/
    6. http://ismyblogworking.com/
    7. Google Safe Browsing (to access a site's google info, add their domain to the end of this):
    http://www.google.com/safebrowsing/diagnostic?site=
    example:
    http://www.google.com/safebrowsing/diagnostic?site=example.com

    Back up everything and put that backup somewhere safe. This is in case you have problems later on. Even though you could be backing up infected files, it is more important to have a backup of your work, for if you make a mistake cleaning your site, you will still have the backup(s).
    1. http://codex.wordpress.org/WordPress_Backups
    2. http://codex.wordpress.org/Backing_Up_Your_Database
    3. http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Then read these:
    1. http://codex.wordpress.org/FAQ_My_site_was_hacked
    2. http://wordpress.org/support/topic/268083#post-1065779
    3. http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    4. http://ottopress.com/2009/hacked-wordpress-backdoors/

    If you have indications of possible timthumb hacking, please read these:
    1. http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html
    2. http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
    3. http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/
    4. http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

    Once your site is clean, then read this:
    1. http://codex.wordpress.org/Hardening_WordPress
    2. http://codex.wordpress.org/htaccess_for_subdirectories

    If you believe your personal computer (not your host server) is infected please read these:
    1. MajorGeeks.com malware removal:
    http://forums.majorgeeks.com/showthread.php?t=35407
    2. MajorGeeks.com how to protect yourself from malware:
    http://forums.majorgeeks.com/showthread.php?t=44525

  3. Rob Cubbon
    Member
    Posted 3 years ago #

    Thank you so much for this help, Mickey.

    I might be being naive here. But can I copy all the text from the pages. Save the theme files, deleting the TimThumb script. Delete all the WP files and others on the server. Delete the DB. Set up a new WordPress install with a new DB. And re-install old theme with new TimThumb script.

    Would this be sensible?

  4. MickeyRoush
    Member
    Posted 3 years ago #

    Well, the DB contains most of the site's content, like posts, pages, comments, etc.

    The best thing to do is back up everything first, even if it's still infected, because that way you still have everything. So backing up the DB is critical, as well as the contents of the wp-content directory.

    Most important is to read here:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    And follow those directions.

    Especially this part:
    Replace the core WordPress files with ones from a freshly downloaded zip.

    You need to make sure you back up your DB. I haven't seen many infections affect the DB. And you're safe to replace the core files with a fresh download unless you did some customization to them. The same goes for your wp-content directory. Be sure to back up your uploads directory (images or whatever). Sorry, there is no really simple answer. Just make sure you back up everything before you make any changes. I can't stress that enough.

    Good luck.

  5. MickeyRoush
    Member
    Posted 3 years ago #

    On another note, you may want to download your backups to your work PC and scan them with your PC Anti-Virus program. Some AVs will find malicious scripts, especially .js files.

    And the timthumb script itself is probably not infected; it was probably used to infect the site, and that's why it needs to be updated or configured correctly. See the timthumb links that I provided.

    So even if you replace everything, you have to make sure that your backups didn't provide any back doors or scripts that would reactivate the problem.

  6. Rob Cubbon
    Member
    Posted 3 years ago #

    Thank you very much, Mickey, I'll let you know how I get on.

  7. Rob Cubbon
    Member
    Posted 3 years ago #

    Hello Mickey, thanks again for all your help and I'd just like to tell you where I am.

    I've copied all the files via FTP and exported the DB with PHPMyAdmin (this was a new version of PHPMyAdmin so I'm not sure if I did this right, but I have an SQL file).

    As a matter of interest, I'm not sure if it was the TimThumb vulnerability, as I've checked the WP files and they are riddled with eval code and 1px by 1px iframes pointing to gogofly dot cjb dot net, which is a "top domain distributing malware" according to Sucuri. And there weren't the tell-tale signs in the config.php of the TimThumb vulnerability. But it may have been a combination of things. The passwords weren't very good and it was WP 3.2.1.

    Anyway, I've deleted all the files and the DB and created a new WP clean install (this was necessary as the person has lost the WP passwords and the email address that originally created it).

    So what I'd like to do now is to import the information in the old DB into the new DB as it has all old text, pages and image paths.

    How do you do this? I have tried importing it into the new DB via the Import function in PHPMyAdmin and it just stops WP working - you get a white screen of death. I presume because the usernames and passwords are different between the old and new DBs?

    I've googled around about this but I haven't come up with anything - I will keep at it though.
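The two checks discussed in this thread, mechanised as an added example (this is not code from the thread or from WordPress): comparing the live file tree against a freshly downloaded copy, per Mickey's "replace the core files" advice, and flagging the eval()/1px-iframe injections Rob describes above. The directory layout, file contents and indicator patterns in demo() are constructed samples, not real WordPress files or malware.

```python
import hashlib
import os
import re
import tempfile

SUSPICIOUS = {  # indicators the thread reports: obfuscated eval() payloads and 1px iframes
    "eval_obfuscated": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "hidden_iframe": re.compile(r"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?1(?:px)?['\"]?(?=[\s/>])", re.I),
}
def hash_tree(root):
    """Map relative path (forward slashes) -> sha256 of every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root).replace(os.sep, "/")] = hashlib.sha256(f.read()).hexdigest()
    return out

def diff_against_clean(site_root, clean_root):
    """Compare the live tree with a fresh download; added files under core dirs are backdoor candidates."""
    site, clean = hash_tree(site_root), hash_tree(clean_root)
    modified = sorted(p for p in site if p in clean and site[p] != clean[p])
    return modified, sorted(p for p in site if p not in clean)
def scan_for_indicators(site_root):
    """Return {relative path: [indicator names]} for web files matching SUSPICIOUS."""
    hits = {}
    for rel in hash_tree(site_root):
        if rel.endswith((".php", ".js", ".html", ".htm")):
            with open(os.path.join(site_root, rel), encoding="utf-8", errors="replace") as f:
                text = f.read()
            found = [k for k, rx in SUSPICIOUS.items() if rx.search(text)]
            if found:
                hits[rel] = found
    return hits

def demo():
    """Constructed sample trees (not real WordPress or malware): a core file and a theme file get injected, a stray .php lands in uploads."""
    clean, site = tempfile.mkdtemp(), tempfile.mkdtemp()
    base = {"wp-includes/a.php": "<?php echo 'ok';", "wp-content/themes/t/footer.php": "</body>"}
    extra = {"wp-includes/a.php": "\n<?php eval(base64_decode('ZWNobyAxOw=='));",  # decodes to 'echo 1;'
             "wp-content/themes/t/footer.php": '<iframe src="x" width="1" height="1"></iframe>',
             "wp-content/uploads/x.php": "<?php eval(str_rot13('rpub 1;'));"}  # rot13 of 'echo 1;'
    for root, parts in ((clean, base), (site, {k: base.get(k, "") + v for k, v in extra.items()})):
        for rel, body in parts.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
    return diff_against_clean(site, clean), scan_for_indicators(site)
```

Point diff_against_clean() at the live tree and an unpacked copy of the same WordPress version; anything it lists as modified or added inside wp-admin or wp-includes should be treated as suspect, and scan_for_indicators() on wp-content catches the kind of injected theme files and dropped uploads scripts the thread describes.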

  8. Rob Cubbon
    Member
    Posted 3 years ago #

    Just to give you an update, in case this helps anyone else...

    Unfortunately I couldn't rescue the database, so I copied everything over manually; there were only a few pages, anyway.

    If you run a security scan with Sucuri on the site it no longer comes up with anything, just the blacklisting. I've applied to Google for the blacklisting to be lifted – I've no idea when that will happen.

  9. Patrick Nommensen
    Member
    Posted 3 years ago #

    They usually process those requests fairly quickly. Make sure you secure the site so it doesn't get easily hacked again!!

  10. Rob Cubbon
    Member
    Posted 3 years ago #

    You're right, Patrick, the blacklisting has been lifted less than 24 hours after the request – I'm really impressed!

    I have changed all passwords and hardened the site in every way I know, thank you :)
