• On 6-30-11

    I used a plugin called Duplicator to move the website http://www.itmentor.net to http://www.ruddytrade.com

    As a result, I had to create a new database with password
    My concern is that when the site was duplicated, security may have been compromised.

    Itmentor.net has a folder on the server called wp-snapshots
    This contains a zip file of the entire site

    on ruddytrade.com I removed the wp-snapshots folder as there were two files inside

    network folder
    and a zip file titled 20110630_ruddytrade.zip

    The index.php inside the network folder has script from http://www.dynamicdrive.com that appears to send login information to two email addresses.

    the zip file appears to be a backup of an offshore banking site.

    On July 22, 2011 my site was detected by the RSA for sending out code that was phishing

    I backed up all malicious files, and have the infected index.php as well as suspicious emails that were sent to my site

    I’d like to

    1. Fix this
    2. Prevent this from happening again

    What more information do you need so you can help me accomplish both these goals?

    Thank you

Viewing 15 replies - 1 through 15 (of 16 total)
  • Thread Starter ginreviews

    (@ginreviews)

    Here is the message received from the RSA

    Dear

    It appears that your website has been hacked by a fraudster.
    It is now hosting a phishing attack against NedBank.

    Please remove the fraudulent folders/files as soon as possible and secure your
    website as it has been compromised.

    Please note that it is possible that the fraudulent content is embedded in your
    website’s legitimate files.

    File modified was an index.php on the website

    In addition, please send us any source files of the attack.

    Please let us know if you have any questions or need further assistance. We
    appreciate your cooperation.

    Thread Starter ginreviews

    (@ginreviews)

    Thank you in advance!

    Thread Starter ginreviews

    (@ginreviews)

    Thank you for responding with these links.

    I am still looking for a solution and would appreciate further discussion to zero in on where the security breach is.

    Besides these links, what steps can be taken to resolve this?

    Delete the website.
    No seriously, if your website has altered theme files, Esmi’s links can guide you through the process of cleaning up and there is no easy way to do that, but… deleting the website.

    Thread Starter ginreviews

    (@ginreviews)

    I appreciate your honesty, and it seems we want to find out how it has happened, how to prevent it?

    You can never 100% prevent a hack, not when you have a website on the internet. What you can do it “harden wordpress”:
    http://codex.wordpress.org/Hardening_WordPress

    But when you’re on a shared server and your neighbour has crappy security, there’s still a risk or when you use a badly coded plugin. Not to make you overly scared, but there is absolutely no way to “prevent” such a thing from happening. The best you can do is to make the possibility as small as possible.

    Btw. When the site that you duplicated is still up, you have a nice and clean, unhacked original copy, right? Why not just delete the copy, make an export of the old website, install a new one, run the import and read all about “hardening wordpress”?

    Thread Starter ginreviews

    (@ginreviews)

    Roy,

    Thanks for helping us with this, we are glad you take this as seriously as we do.

    What we want to do is prevent this current exploit from reoccurring and we are looking forward to any insight.

    I’m afraid I’m not competent to really help with that. I have no experiences with hacks in my years with WP (or before) 🙂
    What is strange, though, is that it’s a brand-new website that immediately gets hacked. When you installed the latest version of WP this is very unlikely. Perhaps you duplicated a hacked website, or perhaps the duplication plugin is flawed, or else, the (new?) server isn’t very secure. Did the hack occur immediately when you duplicated the website or later? Something to look into is what plugins you use(d) and perhaps the server’s access and error logs.
    But then again, the links that Esmi gave you will give a great amount of insight!

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    πŸ³οΈβ€πŸŒˆ Advisor and Activist

    What we want to do is prevent this current exploit from reoccurring and we are looking forward to any insight.

    Get a hold of your host and ask if they can help you look through the server logs to see how the exploit got there.

    Read http://ottopress.com/2011/how-to-cope-with-a-hacked-site/ however, because if you’re not someone whose skillset is tracking down intrusions, you need to hire someone. Yeah, you need to shell out money for this one.

    Also check out http://ottopress.com/2009/hacked-wordpress-backdoors/ if you want to look in WORDPRESS for the weakness, but I’d be inclined to think it’s server side. Just based on my experience.

    Thread Starter ginreviews

    (@ginreviews)

    We are thinking it was server side, although not 100% sure.

    Both your input is appreciated, and I thank IPStenu for heeding the call.

    It’s just frustrating when you work hard at something and someone decides to take advantage of it.

    We are contacting the hosting company and are pending a response

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    πŸ³οΈβ€πŸŒˆ Advisor and Activist

    The vast majority of hacks are from users. Every time I’ve been hacked it was because I did something I KNEW was insecure (plain FTP on a Windows PC with no firewall, KNOWING a weird pop-up had just happened in IE. That’s how I spell stupid 😉 ). Server vulnerabilities are next up, but a little more rare, since more people on your server would have the same issue.

    So long as WP is installed securely, with good, tight, file permissions, there’s nothing to worry about on that front.

    (PS – Emailing me was a little less cool. You tagged the post ‘ipstenu’. That’s good enough for free support.)

    Thread Starter ginreviews

    (@ginreviews)

    We are still not getting to the bottom of it
    I pulled the error log files

    Here they are

    [Log moderated as per the Forum Rules. Please use the pastebin]

    Thread Starter ginreviews

    (@ginreviews)

    it appears the index.php on barcode-test has been all zeros for permissions

    I also compared .htaccess and this is what I see in differences

    juliehanandesign .htaccess

    [Code moderated as per the Forum Rules. Please use the pastebin]

    Any insight is welcome

    Thread Starter ginreviews

    (@ginreviews)

    Here is a log error report

    text/x-generic error_log
    ASCII text, with very long lines

    [22-Jul-2011 23:57:35] PHP Warning: require_once(/home/klinete1/public_html/barcode-test.com/admin.php) [function.require-once]: failed to open stream: No such file or directory in /home/klinete1/public_html/barcode-test.com/network/admin.php on line 13
    [22-Jul-2011 23:57:35] PHP Fatal error: require_once() [function.require]: Failed opening required ‘/home/klinete1/public_html/barcode-test.com/admin.php’ (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in /home/klinete1/public_html/barcode-test.com/network/admin.php on line 13
    [23-Jul-2011 00:01:28] PHP Warning: require_once(/home/klinete1/public_html/barcode-test.com/admin.php) [function.require-once]: failed to open stream: No such file or directory in /home/klinete1/public_html/barcode-test.com/network/admin.php on line 13
    [23-Jul-2011 00:01:28] PHP Fatal error: require_once() [function.require]: Failed opening required ‘/home/klinete1/public_html/barcode-test.com/admin.php’ (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in /home/klinete1/public_html/barcode-test.com/network/admin.php on line 13
    [23-Jul-2011 00:01:44] PHP Warning: require_once(/home/klinete1/public_html/barcode-test.com/admin.php) [function.require-once]: failed to open stream: No such file or directory in /home/klinete1/public_html/barcode-test.com/network/admin.php on line 13
    [23-Jul-2011 00:01:44] PHP Fatal error: require_once() [function.require]: Failed opening required ‘/home/klinete1/public_html/barcode-test.com/admin.php’ (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in /home/klinete1/public_html/barcode-test.com/network/admin.php on line 13
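One way to triage an error_log like the one above, as an added example that is not part of this thread: parse each PHP error line, take the script it originated in, and flag scripts that sit outside the expected WordPress layout under the site's document root. The sample log is constructed from the thread's first two lines (quotes straightened) plus one made-up notice from a plugin path as a contrast; the docroot value is taken from those lines.

```python
import re
from collections import Counter

# Constructed sample: two lines quoted in the thread plus one made-up plugin notice.
SAMPLE_LOG = """\
[22-Jul-2011 23:57:35] PHP Warning: require_once(/home/klinete1/public_html/barcode-test.com/admin.php) [function.require-once]: failed to open stream: No such file or directory in /home/klinete1/public_html/barcode-test.com/network/admin.php on line 13
[22-Jul-2011 23:57:35] PHP Fatal error: require_once() [function.require]: Failed opening required '/home/klinete1/public_html/barcode-test.com/admin.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/klinete1/public_html/barcode-test.com/network/admin.php on line 13
[23-Jul-2011 00:05:00] PHP Notice: Undefined index: foo in /home/klinete1/public_html/barcode-test.com/wp-content/plugins/example/example.php on line 42
"""
DOCROOT = "/home/klinete1/public_html/barcode-test.com"

# "[timestamp] PHP <level>: <message> in <script> on line <n>"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?): (?P<msg>.*) in (?P<file>\S+) on line (?P<line>\d+)$"
)

# Top-level directories and root files a stock WordPress install is expected to run code from.
WP_DIRS = {"wp-admin", "wp-includes", "wp-content"}
WP_ROOT_FILES = {"index.php", "wp-load.php", "wp-blog-header.php", "wp-config.php",
                 "wp-login.php", "wp-settings.php", "wp-cron.php", "xmlrpc.php"}


def classify(path, docroot):
    """Return 'expected', 'unexpected' or 'outside-docroot' for a script path.

    This is a placement check only: a file under wp-content is 'expected' by
    location, but still has to be compared against a known-good copy."""
    root = docroot.rstrip("/") + "/"
    if not path.startswith(root):
        return "outside-docroot"
    parts = path[len(root):].split("/")
    if len(parts) == 1:
        return "expected" if parts[0] in WP_ROOT_FILES else "unexpected"
    return "expected" if parts[0] in WP_DIRS else "unexpected"


def parse_log(log_text):
    """Yield one dict per well-formed PHP error line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_scripts(log_text, docroot):
    """Map each script outside the expected WordPress layout to its error count."""
    hits = Counter()
    for entry in parse_log(log_text):
        if classify(entry["file"], docroot) != "expected":
            hits[entry["file"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for script, count in suspicious_scripts(SAMPLE_LOG, DOCROOT).items():
        print(f"{count:4d}  {script}")
```

A `network/` directory is not part of WordPress, so the script running there surfaces immediately; the same check can be pointed at a full error_log pulled from the host.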

  • The topic ‘Website Hacked’ is closed to new replies.