Support » Plugin: Easy WP SMTP » The fix to get back in to infected site

  • chrisdavisberry

    (@chrisdavisberry)


    To recover the infected website:

    Fix it by:

    1. Editing the site_url via the wp-options database (this should let you back into the site)
    2. Access site backend and remove false admin account
    3. Update to the latest version of the Easy WP SMTP plugin
    4. Change your database password (in wp-config) and any other insecure content an admin could see.
    5. Run a scan on the site (via Wordfence plugin etc)

    Hope this helps anyone needing it.

    This should be on the plugin homepage…

  • Exo

    (@richardshea)

    Nice one Chris!
    I did nearly all of that, but didn’t change the DB password in wp-config and discovered this morning another Admin registered himself.

    That extra step has helped. Cheers.

    As you say, this should be on the plugin home page – he’s getting poor reviews now as I don’t think the author has been transparent about this issue.

    comxcom

    (@comxcom)

    Great!!
    Thanks for sharing the issue, that is REALLY helpful

    Salvation in minutes. Just follow 🙂

    alexnc

    (@alexnc)

    I had a lot more to do than the above when cleaning up this mess, please ensure you check your sites for the following too:

    • The attacker uploaded a plugin to wp-content/uploads/wp_simple_plugin.php containing some obfuscated PHP.
    • They enabled user registrations and set the default role to admin.
    • A further obfuscated PHP script was uploaded to wp-content/uploads/6L757rSD/K7u46ank.php
    • Every index.* file on the server had a line of JS prepended to it, to redirect to the same place they’d changed site_url to
    • The root directory of each affected site had a random 8 character named (similar to the above) obfuscated PHP script.

    dingo999

    (@dingo999)

    I see, in the wp-admin folder a Cookie.txt is injected.
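    As an added example, not code from any poster in this thread: a small Python scan for the file-system indicators alexnc and dingo999 describe (PHP under wp-content/uploads, JavaScript prepended to index.* files, a random 8-character .php in the site root, wp-admin/Cookie.txt). It runs against a constructed sample tree that uses the paths named above; the 8-character file name and the redirect URL in the fixture are made up.

```python
import os
import re
import tempfile

# Indicators from the thread: PHP dropped under uploads/, JavaScript prepended to
# index.* files, a random 8-character .php in the site root, and wp-admin/Cookie.txt.
RANDOM_PHP = re.compile(r"^[A-Za-z0-9]{8}\.php$")
JS_PREFIX = re.compile(r"<script|window\.location|document\.location", re.I)

def scan_site(root):
    """Walk a WordPress tree and return a sorted list of (indicator, relative path)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith("wp-content/uploads/") and name.lower().endswith(".php"):
                findings.append(("php-in-uploads", rel))  # uploads/ should hold no PHP
            if name.startswith("index."):
                with open(full, errors="replace") as fh:  # only the first line is checked
                    if JS_PREFIX.search(fh.readline()):
                        findings.append(("js-prepended-index", rel))
            if "/" not in rel and RANDOM_PHP.match(name):
                findings.append(("random-php-in-root", rel))
            if rel == "wp-admin/Cookie.txt":
                findings.append(("cookie-txt-in-wp-admin", rel))
    return sorted(findings)

def build_sample_site():
    """Constructed fixture using the paths named in the thread; not a real site."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {  # the redirect URL and the 8-character name are made up
        "index.php": '<script>window.location="https://example.invalid/"</script>\n<?php\n',
        "K9a3Zq1x.php": "<?php // constructed stand-in for an obfuscated script\n",
        "wp-admin/index.php": "<?php // clean\n",
        "wp-admin/Cookie.txt": "constructed placeholder\n",
        "wp-content/uploads/wp_simple_plugin.php": "<?php // constructed stand-in\n",
        "wp-content/uploads/6L757rSD/K7u46ank.php": "<?php // constructed stand-in\n",
        "wp-content/uploads/2019/03/photo.jpg": "not a real image\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for indicator, path in scan_site(build_sample_site()):
        print(f"{indicator:24} {path}")
```

    On a real install, point scan_site at the document root and compare modification times of anything it flags with the time the rogue admin was created, as the thread suggests.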

    chrisdavisberry

    (@chrisdavisberry)

    In all likelihood if you see one malicious file or piece of code you will start to find more. The scan step is crucial.

    I should have been clearer with my steps…

    Number 5 should be:

    5. Run a full (High Sensitivity) scan on the site (via Wordfence plugin) and follow all the suggestions of that scan.

    You need to select the High Sensitivity option in the “Scan options and Scheduling”

    If your site has malicious files or code…

    When you check your site files you can see when these files were altered. You can also usually see the time the admin user was added to your account.

    Instead of cleaning files one by one, if you have a backup available from before this time or date then I strongly recommend installing that backup to replace the current site – ideally from a few days before if your site has not changed much in that time.

    It’s a much quicker process… but remember to update the plugin to 1.3.9.1 on this backed up version and follow the other steps outlined.

    Again, hope that helps.

    chrisdavisberry

    (@chrisdavisberry)

    Sorry … I have an extra step to my suggestions (see top post)

    It should come between 2 and 3 on my list…

    Go to settings, general and check “New User Default Role” has not been changed from your normal settings… usually Subscriber, or Customer on stores.

    So the complete list to recover the infected website:

    1. Edit the site_url via the wp-options database (this should let you back into the site)
    2. Access site backend (dashboard) and remove false admin account
    3. Go to settings, general and check “New User Default Role” has not been changed from your normal settings… usually Subscriber, or Customer on stores.
    4. Update to the latest version of the Easy WP SMTP plugin
    5. Change your database password (in wp-config) and any other insecure content an admin could see.
    6. Run a full (High Sensitivity) scan on the site (via Wordfence plugin) and follow all the suggestions of that scan. You need to select the High Sensitivity option in the “Scan options and Scheduling” of Wordfence.

    Alternative, if you have a site backup

    If your site has malicious files or code and you have a backup dating back before the infection…

    When you check your site files you can see when these files were altered. You can also usually see the time the admin user was added to your account.

    Instead of cleaning files one by one, if you have a backup available from before this time or date then I strongly recommend installing that backup to replace the current site – ideally from a few days before if your site has not changed much in that time.

    It’s a much quicker process… but remember to update the plugin to 1.3.9.1 on this backed up version and follow the other steps outlined.

    Again, hope that helps.
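    The database side of steps 1 to 3 in the list above, as an added example that is not code from the thread or from the plugin: it reads siteurl/home, users_can_register and default_role from wp_options, lists every account holding the administrator capability newest first, and can reset the options. It assumes the default wp_ table prefix, a Subscriber default role (change EXPECTED for a store using Customer), and sqlite's ? placeholder; MySQL drivers such as PyMySQL use %s. The in-memory tables are a constructed stand-in for a compromised site.

```python
import sqlite3

# Assumptions: the default wp_ table prefix, a Subscriber default role, and a DB-API
# connection. Against a live site this is a MySQL connection (e.g. PyMySQL), where the
# placeholder is %s instead of sqlite's ?; the SQL itself is standard.
EXPECTED = {"users_can_register": "0", "default_role": "subscriber"}

def audit(conn, site_url, prefix="wp_"):
    """Steps 1-3 as read-only checks: URLs, open registration, default role, admins."""
    cur = conn.cursor()
    cur.execute(f"SELECT option_name, option_value FROM {prefix}options WHERE option_name "
                "IN ('siteurl', 'home', 'users_can_register', 'default_role')")
    opts = dict(cur.fetchall())
    problems = [f"{k} is {opts.get(k)!r}, expected {site_url!r}"
                for k in ("siteurl", "home") if opts.get(k) != site_url]
    problems += [f"{k} is {opts.get(k)!r}, expected {v!r}"
                 for k, v in EXPECTED.items() if opts.get(k) != v]
    # Every administrator, newest first: a rogue account added during the incident
    # shows up at the top, with the registration time the thread says to look for.
    cur.execute(f"SELECT u.user_login, u.user_registered FROM {prefix}users u "
                f"JOIN {prefix}usermeta m ON m.user_id = u.ID "
                f"WHERE m.meta_key = '{prefix}capabilities' "
                "AND m.meta_value LIKE '%administrator%' ORDER BY u.user_registered DESC")
    return problems, cur.fetchall()

def restore_options(conn, site_url, prefix="wp_"):
    """Step 1 (get back in) and step 3 (close registration, reset the default role)."""
    cur = conn.cursor()
    for name, value in [("siteurl", site_url), ("home", site_url), *EXPECTED.items()]:
        cur.execute(f"UPDATE {prefix}options SET option_value = ? WHERE option_name = ?",
                    (value, name))
    conn.commit()

def sample_db():
    """Constructed in-memory stand-in for a compromised site's tables; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_options VALUES ('siteurl', 'https://redirect.example.invalid'),
            ('home', 'https://redirect.example.invalid'),
            ('users_can_register', '1'), ('default_role', 'administrator');
        INSERT INTO wp_users VALUES (1, 'owner', '2018-01-10 09:00:00'),
            (2, 'zz_support', '2019-03-18 02:14:55');
        INSERT INTO wp_usermeta VALUES
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn
```

    Removing the rogue account (step 2) is left to the dashboard so WordPress can reassign its posts; the audit only surfaces it.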

    Plugin Support mbrsolution

    (@mbrsolution)

    We apologize for any inconvenience. The developers patched the vulnerability the moment it was reported by releasing version 1.3.9.1.

    The vulnerability was introduced in version 1.3.9 when the following features were added:

    1.3.9

    Added Export\Import settings functionality.
    Added option to delete all settings and deactivate plugin.

    One of WordPress moderators published a solution if your site has been hacked. Please refer to the following forum post.

    Kind regards

  • The topic ‘The fix to get back in to infected site’ is closed to new replies.