WordPress.org Support » How-To and Troubleshooting

[Resolved] Website hacked inspite of WP-security

  • My website Restaurants Uncut was hacked in spite of sufficient security, including the WP-security plugin.

    The problem is I cannot detect any file whose code has changed. Usually in the past I could find the suspicious file. This time around, there’s just no altered file. I’ve checked the modified dates and no file is modified in the dates when the site was hacked.

    I’ve tried the recommended method of deleting all the files as well as admin and include folders (except wp-content) and replacing them with clean install of the same version. In the past this method has worked. Not this time around.

    Where can the malicious code or file be hidden? Is there any WP plugin that can detect this?

    For the record, I’m still able to access the admin area, it’s the front-end that has been defaced.

    Please help me!

Viewing 15 replies - 1 through 15 (of 20 total)
  • esmi

    @esmi

    Forum Moderator

    Thank you Esmi for the help.

    I’ve gone through the links you shared in detail and I’ve done the following things to try to get rid of the problem:

    1. Deleted all the themes and installed a clean theme. Hack remained.

    2. Deleted all the plugins including wp-security. No change. (Installed a clean version of it now)

    3. Checked the database with textcrawler software for eval, decode base64, and the names of the websites that the site redirects to in the status bar. Nothing found.

    4. Strangely enough, the site is working on IE but shows a hacked version on Firefox and Chrome. What the hell is going on? Can you please check and explain this phenomenon?

    5. Where can the malicious code be hidden, since I’ve deleted pretty much everything including themes and plugins, except posts, pictures and the database? Can it be hidden in these places and if it is, how do I find it?

    6. Everything seems to be working including the admin, it’s just that the site keeps redirecting to the hacker’s page. How do I stop that from happening even if I can’t find the evil code itself?

    I do have backups of the site before the hack but I’m afraid once I delete the complete site something may go wrong, especially because the back-ups are not synchronized, meaning, the DB backup was done at a different time and day and the wp-content back-up at another day.

    Does this have the potential of messing things up?

    Finally, upgrading WordPress is my topmost priority once I get rid of this menace.

    Really looking forward to anyone’s help.
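Searching the database for eval and base64 (step 3 above) only catches the PHP-style payload; a redirect that lives in the database is usually an HTML or JavaScript fragment sitting in an option value, widget text or a post body, or simply a rewritten siteurl/home option. The scanner below is an added example, not code from this thread or from WordPress: it reads a mysqldump-style SQL file, pulls the string literals out of every INSERT row, flags script and iframe tags, location redirects, obfuscation calls and long escaped runs, and checks that the siteurl and home options still point at your own host. The dump text, table layout and host names are constructed for the demonstration; the wp_ table prefix and the one-INSERT-per-line layout of mysqldump are assumptions.

```python
import re
import sys
from typing import Dict, List
from urllib.parse import urlsplit

# Patterns that produce a redirect or load third-party code once WordPress
# echoes the value into a page (option values, widget text, post content).
SUSPICIOUS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "iframe_tag": re.compile(r"<\s*iframe\b", re.I),
    "location_redirect": re.compile(
        r"(window|document|top)\.location|location\.(href|replace|assign)", re.I),
    "js_obfuscation": re.compile(
        r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|base64_decode|\batob\s*\(", re.I),
    "escaped_run": re.compile(
        r"(\\x[0-9a-f]{2}){6,}|(%[0-9a-f]{2}){6,}|(&#\d{2,3};){6,}", re.I),
}

# Options whose value becomes the base of every front-end URL; a changed
# value here sends visitors elsewhere without any code in the site at all.
URL_OPTIONS = {"siteurl", "home"}

# Assumption: mysqldump layout, one (possibly very long) INSERT per line.
INSERT_LINE = re.compile(r"^INSERT\s+INTO\s+`?(\w+)`?.*?VALUES\s*(.*)$", re.I | re.M)


def parse_rows(values: str) -> List[List[str]]:
    """Split a VALUES section into rows, keeping only the quoted string
    literals of each row (numbers and NULLs are skipped), with MySQL
    backslash escapes removed so encoded payloads look as PHP sees them."""
    rows: List[List[str]] = []
    row: List[str] = []
    i, n = 0, len(values)
    while i < n:
        c = values[i]
        if c == "(":
            row = []
        elif c == ")":
            rows.append(row)
        elif c == "'":
            buf = []
            i += 1
            while i < n and values[i] != "'":
                if values[i] == "\\" and i + 1 < n:
                    nxt = values[i + 1]
                    buf.append({"n": "\n", "r": "\r", "t": "\t", "0": "\0"}.get(nxt, nxt))
                    i += 2
                else:
                    buf.append(values[i])
                    i += 1
            row.append("".join(buf))
        i += 1
    return rows


def scan_dump(dump: str, site_host: str) -> List[Dict[str, str]]:
    """One finding per suspicious literal: table, row/column (or option
    name), the reason it was flagged, and the start of the value."""
    findings: List[Dict[str, str]] = []
    for m in INSERT_LINE.finditer(dump):
        table = m.group(1)
        for rownum, row in enumerate(parse_rows(m.group(2))):
            # wp_options rows dump as (option_id,'option_name','option_value','autoload')
            is_options = table.endswith("options") and len(row) >= 2
            if is_options and row[0] in URL_OPTIONS:
                host = (urlsplit(row[1]).hostname or "").lower()
                if host != site_host.lower():
                    findings.append({"table": table, "where": f"option {row[0]}",
                                     "reason": "url_option_points_elsewhere",
                                     "snippet": row[1][:80]})
                continue
            for col, literal in enumerate(row):
                for reason, pat in SUSPICIOUS.items():
                    if pat.search(literal):
                        where = f"option {row[0]}" if is_options else f"row {rownum} col {col}"
                        findings.append({"table": table, "where": where,
                                         "reason": reason, "snippet": literal[:80]})
                        break  # one finding per literal is enough to locate it
    return findings


# Constructed sample dump: a clean siteurl/home, a widget whose text carries a
# redirect, one clean post and one post with an escaped eval() payload.
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES (1,'siteurl','http://www.example.com','yes'),(2,'home','http://www.example.com','yes'),(3,'blogname','Restaurants Uncut','yes'),(4,'widget_text','a:2:{i:2;a:2:{s:5:\"title\";s:0:\"\";s:4:\"text\";s:66:\"<script>window.location=\"http://attacker.example/breach\";</script>\";}s:12:\"_multiwidget\";i:1;}','yes');
INSERT INTO `wp_posts` VALUES (10,1,'2012-01-01 00:00:00','<p>Best pizza in town.</p>','Pizza review','publish'),(11,1,'2012-01-02 00:00:00','<p>Menu</p><script>eval(unescape(\'%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e\'))</script>','Menu','publish');
INSERT INTO `wp_usermeta` VALUES (5,1,'nickname','admin');
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: scan_dump.py backup.sql www.yoursite.example
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
        host = sys.argv[2]
    else:
        text, host = SAMPLE_DUMP, "www.example.com"
    for f in scan_dump(text, host):
        print(f"{f['table']:<12} {f['where']:<22} {f['reason']:<28} {f['snippet']}")
```

Run it against a fresh mysqldump of the site. A hit names the table and row, so it can be fixed with an UPDATE or from the admin screen; export again afterwards to confirm the value is gone. Widget and plugin options are PHP-serialized (the `s:66:"..."` above carries the string length), so edit those through the admin screen or a tool that re-serializes rather than by hand, or WordPress will silently discard the option.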

    esmi

    @esmi

    Forum Moderator

    Strangely enough, the site is working on IE but shows a hacked version on Firefox and Chrome. What the hell is going on?

    Er… that sounds like it is your computer that has been compromised. Not your WordPress site.

    No, that’s not the case. Checked with other people who tried to access the site. Site’s definitely hacked.

    Plus the laptop is loaded with McAfee and Malwarebytes Anti-Malware, which report no problems whatsoever.

    esmi

    @esmi

    Forum Moderator

    Can I recommend the WordPress File Monitor Plus plugin? It sends you an email when files change on your website.

    Do you have FTP access? Can you make sure your wp-config.php file is set to something like 600 or 640?

    If you know when the hack took place you can look at the last modified date of your files to see what might have been changed.

    If you have shell access to the server you can run something like

    find / -mtime -5 -print

    This should find all the files from the root directory which changed in the last 5 days. Perhaps your web host will be able to run this for you if you don’t have access.

    The Wordfence Security plugin has a scanner in it that checks all directories and files, which can tell you if a hack was added to your filesystem.
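`find / -mtime -5` lists files by modification time, which is also what FTP and cPanel listings show, and it is the timestamp an attacker resets with `touch` after writing a file; that is one reason a cleanup can end with "no file was modified". The inode change time (ctime) is updated by the kernel on every write, rename, chmod or chown and cannot be set with `touch` or utime(), so `find /path/to/site -ctime -5` is the better first pass. The script below is an added example, not code from this thread: it builds a throwaway WordPress-like tree, backdates one file's mtime the way a tampering script would, and compares what an mtime search and a ctime search report; it also checks wp-config.php for the world-readable or world-writable bits that the 600/640 advice above is about. Paths and file contents are constructed; it assumes a Linux or BSD host, since on Windows st_ctime is the creation time.

```python
import os
import shutil
import stat
import tempfile
import time
from typing import Dict, List


def recently_changed(root: str, days: float, use_ctime: bool = True) -> List[str]:
    """Files under `root` whose ctime (default) or mtime falls within `days`.
    mtime is what `find -mtime` and FTP show and is trivially forged;
    ctime is maintained by the kernel and is not settable from user space."""
    cutoff = time.time() - days * 86400
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            ts = st.st_ctime if use_ctime else st.st_mtime
            if ts >= cutoff:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def loose_permissions(path: str) -> bool:
    """True if 'other' can read or write the file; wp-config.php holds the
    database password and should be 600 or 640, never 644."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))


def demo() -> Dict[str, object]:
    """Constructed scenario: a fresh tree, one file with a backdated mtime."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "wp-content", "themes", "x"))
        cfg = os.path.join(root, "wp-config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php /* constructed config */\n")
        os.chmod(cfg, 0o644)  # the common, too-loose default
        planted = os.path.join(root, "wp-content", "themes", "x", "functions.php")
        with open(planted, "w") as fh:
            fh.write("<?php /* constructed: stands in for injected code */\n")
        old = time.time() - 90 * 86400
        os.utime(planted, (old, old))  # forge atime/mtime 90 days back; ctime becomes 'now'
        return {
            "by_mtime": recently_changed(root, 5, use_ctime=False),
            "by_ctime": recently_changed(root, 5, use_ctime=True),
            "wp_config_loose": loose_permissions(cfg),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The mtime pass misses the planted file while the ctime pass reports it. On a real host, run `recently_changed("/path/to/site", 5)` or the equivalent `find /path/to/site -ctime -5 -type f`, and compare the list against a clean copy of the same WordPress version; a file that is present on the server but absent from the clean copy is the next thing to open.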

    Yes I did that as well. And it just doesn’t make sense.

    It is and it was showing a clean bill of health – no malware, no suspicious redirections.

    Is this a more sophisticated attack that even Sucuri could not detect?

    I just don’t know where to look next.

    Thanks Rab for the recommendation. Will definitely install the plugin once I sort this out. I don’t think it can help in this case when the files have already changed before the plugin was installed, can it?

    About the file change, that was the first thing I checked when I discovered the hack, through both FTP and cPanel.

    Again it was mind-boggling. No file was changed! Not even the plugin and theme files that you expect the most to be compromised. I still went ahead and deleted all of them, but to no avail.

    My guess is it has got to do with the database. Trouble is, it’s such a huge database and I don’t know what I should be looking for in it.

    It’s like looking for a needle in a haystack, only in this case you don’t even know what the needle actually looks like 🙁

    @frumph: Thanks for the suggestion. I’ve already installed Firewall 2 and WP Better Security. I don’t know if a third security plugin would help that much.

    Here’s another clue I found by installing OSE Firewall plugin which gives this:

    http://www.restaurants-uncut.com/?s=<script>alert(31337)</script>

    How do I find this script and remove it? Is it encoded within the site? If it is how do I detect and decode it?

    @saqib62 … Wordfence Security has a scanner in it that will scan your directory structure and the contents of all files, finding your hacks and the files that shouldn’t be there.

    @frumph Already installed Wordfence and did a detailed scan. Here’s what it says at the end of that scan:

    “Congratulations! You have no security issues on your site.”

    If that is the case, why is the site redirecting to a hacker’s page with a ‘security breach’ claim?

    I’ve seen hacked sites before and easily found the culprit code, but this is something way beyond any security plugin’s or even WordPress security expert’s grasp.

    Is there no hacking expert out there who can figure this out?

    Moderator kmessinger

    @kmessinger

    I see it fine in FF, IE, Safari and Chrome. Did you find the problem?

    Here’s another clue I found by installing OSE Firewall plugin which gives this:

    http://www.restaurants-uncut.com/?s=<script>alert(31337)</script>

    How do I find this script and remove it? Is it encoded within the site? If it is how do I detect and decode it?

    … Those are search parameters. Your firewall plugin is telling you that someone is using your search page and sending that string to it.

    Moderator kmessinger

    @kmessinger

    This script

    <script type="text/javascript"><!--
    google_ad_client = "ca-pub-8694032197240851";
    /* Rest main top links */
    google_ad_slot = "0947438735";
    google_ad_width = 728;
    google_ad_height = 15;
    //--></script>
    <script type="text/javascript"
    src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
    </script>

    which looks like a Google script to me, is running before the DOCTYPE.
    Nothing can be before the DOCTYPE or browsers, especially IE, will have problems.
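File scanners and database searches both came back clean here; what gave the problem away was looking at what the server actually sends to a visitor. The script below is an added example, not code from this thread: it fetches the front page the way a browser would and reports anything that precedes the DOCTYPE, script sources that are not your own host, inline scripts that assign to location, and meta refresh tags. The User-Agent and Referer are configurable because injected redirects are often served only to certain browsers or to visitors arriving from a search engine, which is one common reason a site looks hacked in one browser and clean in another. The sample HTML and the host names in it are constructed for the demonstration.

```python
import re
import urllib.request
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

DOCTYPE = re.compile(r"<!doctype", re.I)
REDIRECT_JS = re.compile(
    r"(window|document|top|self)\.location|location\.(href|replace|assign)", re.I)


class _ScriptCollector(HTMLParser):
    """Collects external script sources, inline script bodies and meta refresh tags."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self.meta_refresh: List[str] = []
        self._buf: Optional[List[str]] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(a["src"])
            else:
                self._buf = []  # start collecting an inline body
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def audit_html(html: str, own_hosts: Set[str]) -> Dict[str, object]:
    """before_doctype is '' for a clean page, None if there is no DOCTYPE at
    all, otherwise the text that the server emitted before it."""
    m = DOCTYPE.search(html)
    before = html[: m.start()].strip() if m else None
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    foreign = set()
    for src in p.external:
        host = urlsplit(src).hostname  # relative paths have no host and are the site's own
        if host and host.lower() not in own_hosts:
            foreign.add(host.lower())
    return {
        "before_doctype": before,
        "foreign_script_hosts": sorted(foreign),
        "inline_redirects": [s for s in p.inline if REDIRECT_JS.search(s)],
        "meta_refresh": p.meta_refresh,
    }


def fetch_as_browser(url: str,
                     user_agent: str = "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
                     referer: str = "https://www.google.com/") -> str:
    """Fetch with browser-like headers; vary them if the page only misbehaves for some visitors."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent, "Referer": referer})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample: a script ahead of the DOCTYPE, one own-host script, one
# relative script, one foreign script and an inline delayed redirect.
SAMPLE_HTML = """<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<!DOCTYPE html>
<html><head><title>Sample</title>
<script src="/wp-includes/js/jquery.js"></script>
<script src="http://www.example.com/wp-content/themes/x/theme.js"></script>
<script src="//cdn.attacker.example/r.js"></script>
<script type="text/javascript">
setTimeout(function () { window.location.href = "http://attacker.example/breach"; }, 500);
</script>
</head><body><h1>Welcome</h1></body></html>
"""

if __name__ == "__main__":
    for key, value in audit_html(SAMPLE_HTML, {"www.example.com"}).items():
        print(f"{key}: {value}")
```

Add hosts you knowingly load (an ad network, a CDN) to `own_hosts` and anything left in `foreign_script_hosts` is worth explaining. Run `audit_html(fetch_as_browser(url), ...)` a few times with different User-Agent and Referer values; if the findings differ between runs, the injection is conditional, which is exactly the case a scan from the admin side will never reproduce.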

  • The topic ‘[Resolved] Website hacked inspite of WP-security’ is closed to new replies.