Support » Plugin: Wordfence Security - Firewall & Malware Scan » Trying to identify how a hacker got in to my site

  • Resolved aenea

    (@aenea)


    I was recently hacked. It happened while I was on holiday so I didn’t notice but the compromise was picked up by my service provider who immediately took the site offline. Fortunately it is just a test site so the need to get in back working is not urgent and I can afford some time to try and figure out how the hacker got in before rolling back to a previous uncompromised (I hope) version of the site.

    I had Wordfence installed on the site and, on 20 July, I received an email from Wordfence alerting me to the fact that someone with username ‘jakonda’ had logged in to the site with admin privileges. No such user should exist on the site but, alas, as I was on holiday, I didn’t notice the email nor did I notice the fact that, from that point on, the usually regular emails from Wordfence stopped. My bad 🙁

    Now I’m back and my service provider has permitted (just) me to access the site to clean things up. When I logged in found that the hacker had deleted Wordfence, so there are no logs after the 20 July but, by re-installing Wordfence, I was able to pick up the live traffic logs back to 8th July. There, in addition to recording the login by ‘jakonda’ at 10:22 on July 20, there are a number of apparently harmless page access attempts from the same IP address from 9am onwards but there is one strange record in the log that rings alarm bells:

    
    Activity Detail
    Voronezh, Russia visited https://hogroasterhire.com/wp-content/themes/924/add_admin.php
    7/20/2019 9:53:36 AM (16 days 6 hours ago)  
    IP: 109.106.140.170 Hostname: 109.106.140.170
    Browser: Chrome version 0.0 running on Win7
    Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 OPR/62.0.3331.72
    

    Does this ring any bells for anyone out there? Could this have been the step that enabled him to create the rogue ‘jakonda’ user? And most worryingly, how?

    The URL listed in the record above doesn’t exist but the site hogroasterhire.com does. A scan by Sucuri doesn’t detect any malware on the site but it does warn that the Apache software is outdated (under 2.4.39).

    Any advice on where I should/could go from here to identify how the hacker got in would be much appreciated. I have to admit there were a number of plugins awaiting update so perhaps there is potential there, but none of the plugin updates were identified as ‘critical by Wordfence.

    • This topic was modified 6 months, 2 weeks ago by Jan Dembowski.

    The page I need help with: [log in to see the link]

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support WFGerroald

    (@wfgerald)

    Hey @aenea,

    I’m sorry to hear you’ve run into this, but I’m happy to hear it’s only a test site. Still, it’s essential to get it cleaned up in case it’s a type of infection that can affect other sites on the server.

    I can’t say how this has happened. The guide below will help you clean the site and possibly find the point of entry. However, if the infection returns after cleaning the site, I’d suggest getting with a professional hack repair service to clean it and patch the point of entry.

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Please let me know how it goes.

    Thanks,

    Gerroald

    Thanks, Gerroald.

    I’m not proposing to attempt to clean the site in its current state but rather to roll back to to backups taken 3 weeks before the hack took place. At that time, nothing untoward was detected by either Wordfence or my hosting provider. I note the point in the cleaning guidelines you referred me to about the danger of old backups but I believe the backups maintained by my hosting provider are not accessible over the web so should be clean.

    Once I have rolled back, I will then immediately update WordPress and all the plugins requiring updates, before asking my hosting provider to open up the site again at which point I’ll put the site through multiple malware scanners, including Wordfence.

    I’ve done everything I can think of to try to find the weakness exploited by the hacker but, other than identify the hogroasterhire URL as the likely tool used to create the new username with admin permission, I’m no further forward. I was hoping a post here might find someone with an idea but knew it was a long shot.

    I’m assuming that my hosting provider (TSOHost) is savvy enough to ensure that my site can’t affect other sites on the server in its current state. I’ve asked them for further details on the nature of the ‘malicious activity’ they detected on the site but don’t know if that will be forthcoming.

    Plugin Support WFGerroald

    (@wfgerald)

    Hey @aenea,

    Were you able to perform the rollback?

    Your host may have a service that can help pinpoint the point of entry. If they aren’t able to and this happens again I’d suggest reaching out to a professional hack repair service.

    Thanks,

    Gerroald

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.