[resolved] Website hacked inspite of WP-security (21 posts)

  1. Saqib Khan
    Posted 3 years ago #

    My website Restaurants Uncut was hacked in spite of sufficient security including WP-security plugin.

    The problem is I cannot detect any file whose code has changed. Usually in the past I could find the suspicious file. This time around, there's just no altered file. I've checked the modified dates and no file is modified in the dates when the site was hacked.

    I've tried the recommended method of deleting all the files as well as admin and include folders (except wp-content) and replacing them with clean install of the same version. In the past this method has worked. Not this time around.

    Where can the malicious code or file be hidden? Is there any WP plugin that can detect this.

    For the record, I'm still able to access the admin area, it's the front-end that has been defaced.

    Please help me!

  2. esmi
    Forum Moderator
    Posted 3 years ago #

  3. Saqib Khan
    Posted 3 years ago #

    Thank you Esmi for the help.

    I've gone through the links you shared in detail and I've done the following things to try to get rid of the problem:

    1. Deleted all the themes and installed a clean theme. Hack remained.

    2. Deleted all the plugins including wp-security. No change. (Installed a clean version of it now)

    3. Checked the database with textcrawler software for eval, decode base64, and the names of the websites that the site redirects to in the status bar. Nothing found.

    4. Strangely enough, the site is working on IE but shows a hacked version on Firefox and Chrome. What the hell is going on? Can you please check and explain this phenomenon?

    5. Where can the malicious code be hidden since I've deleted pretty much everything including themes plugins except posts, pictures and the database. Can it be hidden in these places and if it is, how do I find it?

    6. Everything seems to be working including the admin, it's just that the site keeps redirecting to the hackers page. How do I stop that from happening even if I couldn't find the evil code itself?

    I do have backups of the site before the hack but I'm afraid once I delete the complete site something may go wrong, especially because the back-ups are not synchronized, meaning, the DB backup was done at a different time and day and the wp-content back-up at another day.

    Does this has the potential of messing things up?

    Finally, upgrading wordpress is my topmost priority once I get rid of this menace.

    Really looking forward to anyone's help.

  4. esmi
    Forum Moderator
    Posted 3 years ago #

    Strangely enough, the site is working on IE but shows a hacked version on Firefox and Chrome. What the hell is going on?

    Er... that sounds like it is your computer that has been compromised. Not your WordPress site.

  5. Saqib Khan
    Posted 3 years ago #

    No thats not the case. Checked with other people who tried to access the site. Site's definitely hacked.

    Plus the laptop is loaded with Mcafee and Malwarebytes Anti-Malware which report no problems whatsoever.

  6. esmi
    Forum Moderator
    Posted 3 years ago #

  7. Rab
    Posted 3 years ago #

    Can I recommend the WordPress File Monitor Plus plugin. It sends you an email when files change on your website.

    Do you have FTP access? Can you make sure your wp-config.php file is set to something like 600 or 640.

    If you know when the hack took place you can look at the last modified date of your files to see what might have been changed.

    If you have shell access to the server you can run something like

    find / -mtime -5 -print

    This should find all the files from the root directory which changed in the last 5 days. Perhaps your web host will be able to run this for you if you don't have access.

  8. Frumph
    Posted 3 years ago #

    Wordfence security plugin has a scanner in it that checks all directories and files which can tell you if a hack was added to your filesystem.

  9. Saqib Khan
    Posted 3 years ago #

    Yes I did that as well. And it just doesn't make sense.

    It is and it was showing a clean bill of health - no malware, no suspicious redirections.

    Is this a more sophisticated attack that even Sucuri could not detect?

    I just don't know where to look next.

  10. Saqib Khan
    Posted 3 years ago #

    Thanks Rab for the recommendation. Will definitely install the plugin once I sort this out. I don't think it can help in this case when the files have already changed before the plugin was installed, isn't it?

    About the file change, that was the first thing I checked when I discovered the hack through both FTP and Cpanel.

    Again it was mind-boggling. No file was changed! Not even the plugin and theme files that you expect the most to be compromised. I still went ahead and deleted all of them, but to no avail.

    My guess is it has got to do with the database. Trouble is, it's such a huge database and I don't know what I should be looking for in it.

    It's like looking for a needle in a haystack, only in this case you don't even know what the needle actually looks like :(

    @Frumph: Thanks for the suggestion. I've already installed Firewall 2 and WP Better Security. I don't know if a third security plugin would help that much.

  11. Saqib Khan
    Posted 3 years ago #

    Here's another clue I found by installing OSE Firewall plugin which gives this:


    How do I find this script and remove it? Is it encoded within the site? If it is how do I detect and decode it?

  12. Frumph
    Posted 3 years ago #

    @saqib62 ... wordfence security has a scanner in it that will scan your directory structure and the contents of all files finding your hacks and the files that shouldn't be there

  13. Saqib Khan
    Posted 3 years ago #

    @Frumph Already installed wordfence and did a detailed scan. Here's what it says at the end of that scan:

    "Congratulations! You have no security issues on your site."

    If that is the case, why is the site redirecting to a hackers page with a 'security breach' claim?

    I've seen hacked sites before and easily found the culprit code, but this is something way beyond any security plugin or even wordpress security expert's grasp.

    Is there no hacking expert out there who can figure this out?

  14. kmessinger
    Forum Moderator
    Posted 3 years ago #

    I see it fine in FF, IE, Safari and Chrome. Did you find the problem?

  15. Frumph
    Posted 3 years ago #

    Here's another clue I found by installing OSE Firewall plugin which gives this:


    How do I find this script and remove it? Is it encoded within the site? If it is how do I detect and decode it?

    ... Those are search parameters, your firewall plugin is telling you that someone is using your search page with sending that info to it.

  16. kmessinger
    Forum Moderator
    Posted 3 years ago #

    This script

    <script type="text/javascript"><!--
    google_ad_client = "ca-pub-8694032197240851";
    /* Rest main top links */
    google_ad_slot = "0947438735";
    google_ad_width = 728;
    google_ad_height = 15;
    <script type="text/javascript"

    which looks like a google script to me is running before the DOC TYPE.
    Nothing can be before DOC TYPE or browsers, especially IE will have problems.

  17. Saqib Khan
    Posted 3 years ago #

    Thank you for your help - Frumph, Kmessinger, everyone.

    I was finally able to 'de-hack' the site. For the record, let me disclose the reason so that it may help someone especially considering that this solution wasn't revealed by anyone on the major troubleshooting sites.

    Because we’re so much focused on major hacking attempts, we fail to notice the small things, and the same thing happened in my case. Since I had installed some major anti-hack plugins, the hacker wasn’t able to get to the core of the site.

    He did however managed to penetrate the outer layer and therefore embedded a redirect script in the sidebar textbox.

    Now because my earlier experience had taught me to look for malicious code within the wordpress code, as well as people’s suggestions as well on this forum, I overlooked this simple thing.

    As soon as I deleted this script from the textbox, voila! The site was back online.

    Moral of the story: Don’t forget the small things, even an innocuous thing as a sidebar textbox.

    Once again, thanks everyone.

  18. Saqib Khan
    Posted 3 years ago #

    Now there’s one more issue that has cropped up. Ever since I resolved my last hacking attempt and upgraded wordpress to the latest version, I’ve seen an increase in hacking attempts. At least half a dozen attempts are made every day. Here’s what the security plugins I’ve installed are detecting:

    OSE Firewall™ - Restaurants Uncut


    12:40 AM (18 hours ago)

    to me
    == Attack Details ==

    TYPE: Found Basic DoS Attacks
    ACTION: Blocked
    LOGTIME: 2013-02-03 07:40:09
    FROM IP: http://whois.domaintools.com/
    URI: http://www.restaurants-uncut.comUser-agent:
    REFERRER: http://www.restaurants-uncut.com/wp-login.php

    A host, can check the host at http://ip-adress.com/ip_tracer/ has been locked out of the WordPress site at http://www.restaurants-uncut.com until Monday, February 4th, 2013 at 5:01:14 am UTC due to too many attempts to open a file that does not exist. You may login to the site to manually release the lock if necessary.

    What should I do? Report this to someone?
    Add more security plugins?
    Why is my site becoming the target of so many attacks?
    Is it because of the server? Is the vulnerability there?
    What can I do to stop the attacks?
    Or should I do nothing? Will they be able to penetrate the plugins shield or will it hold?

    Any suggestion would be appreciated.

  19. gcaleval
    Posted 3 years ago #

    RE: "Why is my site becoming the target of so many attacks?"

    Don't feel like you're being targeted. Many, if not most, web sites get "attacked" multiple times per day.

    These are automated robots spidering the web, using whois databases and other techniques to throw out probes against anything accessible. However, you are right, that being hacked once often does result in many follow-on attempts as there is some sort of vulnerable site record keeping in dark recesses of the web.

    You will never "stop the attacks," but instead must harden your site against them, and not be panicked by the fact that they occur.

    Esmi provided you some good links to that end.

    But, when one's allowed themselves to be hacked via outdated WordPress or plugin/theme installs, I actually recommend a more severe approach whenever it is possible - start from scratch.

    If you do not have hundreds of pages of content, you are better off wiping everything from your host account and rebuild with all new code and a new database. Of course if you have a lot of content on a site, rebuilding is often not a viable option.

    I take this approach because I have seen situations where ops have experienced one kind of hack, gone through the cleanup steps to the best of their ability, only to later discover that some piece of hack code was left behind in the database that actually predated the experienced hack. It was hiding waiting for activation and not found during cleanup. And was much more serious than a redirect or simple defacement.

    Whether you rebuild or are confident you have a clean system and stick with it, make sure you really have changed all your passwords to very strong, and that you do not use the same password for your WP admin, FTP and cPanel/hosting accounts.

    I also recommend you look at deploying ZBBlock, a completely free solution that provides site wide protection of all WP, plugin and theme php files. I use it on several sites and it is remarkable to see how well it deflects the many different forms of attack.

  20. Saqib Khan
    Posted 3 years ago #

    @gcaleval Thank you for your suggestions.

    I'm afraid there's too much content to start from scratch. But I think I will go with the ZBBlock solution. Looks enticing.

    The passwords are all different for the three entry points, something I learned a long time ago.

    One thing I wanted to ask is, does the choice of service provider have any say in whether your site gets hacked or not? I mean, if I change my website host server will it make any difference in either reducing the intensity of the attacks or making http://www.restaurants-uncut.com less vulnerable?

    I've gone through a lot of stuff on this topic and it seems to me that the experts have an impasse on whether it makes a difference or not. Some say it does, others say it doesn't.

    What is your take on this issue?

  21. gcaleval
    Posted 3 years ago #

    RE: "does the choice of service provider have any say in whether your site gets hacked or not?"

    It's a controversial issue partly because so many people involved in the WordPress community are also involved in, even employed by, hosting companies, and partly because different people have had very different experiences with different hosts.

    My personal experience is that it matters quite a lot.

    I have received sustatined attacks on or originating from Dreamhost, GodDadday, Linode and many others -- all companies that are generally promoted as being reputable.

    The best solution for me was to go to a fully managed VPS with a VPS hosting company.

    BUT, with a VPS more responsibility falls on you to ensure security. For example, when you set up WHM, you need to have your checklist that includes enforcing jailed shells, locking down ssh, setting AllowSymLinksIfOwned and numerous other hardening features. With good fully managed VPS host, you will get a lot of key security taken for you just by asking, including installation of mod_security with core rules, mod_evasive to degrade ddos attacks and so on.

    Whether or not you are on your own VPS, it is just absolutely vital that you

    • keep core, plugins and themes up to date, use WP Updates Notifier
    • monitor file changes on the system, use WordPress File Monitor Plus
    • control your uploads directory with htaccess to prevent access to non-image files (or other formats you allow)
    • use a root htaccess to secure your entire file space

    But honestly, the very most important and best strategy is:

    1. Expect to be hacked
    2. Have a disciplined back up routine that backups up your site and database daily and stores them offline
    3. Keep good logs so you can identify when the hack took place.

    With just those three things, you can revert your entire site back to a day or three before the attack -- and still go through the traditional steps in the links routinely offered by esmi, Jan and others. Do not rely on your host's promised backup features. Very few of them are accurate. With Hostv, you can configure your own backups which will be stored outside the web space, but could still be compromised if some gains root access privileges. Use that feature, but also do your own backups to your own local desktop or an offsite repository like Drop Box or Google+.

    This way you may loose a few days of work that you have to rebuild or abandon, but the bulk of your site will be fine. (Note: if you have basic unix skills, it is very easy to use rsync to backup from your site to your linux box, even if linux is running on a virtual machine on your Windows computer).

    Note: I have no connection to Hostv other than as a customer and speak only for my own experience.

    If you really want to get fully managed/full administered hosting, you can opt for one of the services that does everything, but typically your design and functionality choices are extremely limited.

Topic Closed

This topic has been closed to new replies.

About this Topic