website was hacked and deleted 5/14/15
-
One of my websites was hacked sometime 5/14/15 and all the files were deleted. My host has some backups so I can get it back I think. This is the 4th time this has happened since 1/15/15. What log files do you need to see on this.
-
Either your hosting account (all websites infected/hacked) was not completely cleaned up of all hacker files when it was originally hacked months ago or you have something installed on your site that has a coding flaw in it (plugin, theme, etc) that is allowing hackers to bypass all of your website security or your host server itself has a vulnerability or you are not using a secure FTP password or your computer is hacked/infected. So either your hosting account has been hacked since 1-15-2015 (usually a hosting account is hacked for much longer before you see any obvious signs that it is hacked – typically for 6 months to a year before you figure out that your hosting account is hacked) and was not hacked again since it has been hacked for months or you need to do forensic research to find the point of entry so that you can permanently fix that problem. You need to work with your web host to find the point of entry by looking at the host server logs. This is not something that can be done by looking at BPS log files.
Also this is very important to point out since I see this very common mistake made by folks all the time. A person cleans up one hacked website in their hosting account, but does not clean up the entire hosting account. What that means is that hacker files and code still exist in that hosting account and the clean up work that they did on the one website is negated since the hosting account is still hacked. A hacker Shell script is a hacker Administrator control panel of sorts that can control all websites under a hosting account. A hacker Shell script is basically the same thing as your web host control panel. It gives the hacker complete control of your entire hosting account – all websites under that hosting account.
When I used to do hack cleanup professionally I used this rule every time – If one website is hacked under a hosting account then I automatically assumed that the entire hosting account was hacked and followed the hack cleanup steps in the link below. Assuming that the entire hosting account is hacked and doing the appropriate cleanup guarantees that you do not miss anything and that the hosting account will be 100% clean of all hacker files and code.
How to clean up a hacked hosting account:
http://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/Another important point is that hosting account hack cleanup needs to be done manually and cannot be done magically in an automated way by clicking a button.
I know that you have Wordfence installed on all of your sites from previous forum threads that you have posted and emails that you have sent to me directly. I am not trying to pass blame or say anything derogatory about Wordfence.
What I know from years of professional hack cleanup (I no longer offer that service anymore) is this fact: hackers intentionally design hidden hacker files from being detectable by any scanners. The reason for that is they know that most of their hacker files will be detected by the scanner, but not the hidden hacker file or files.
The hidden hacker file or files has/have the capability to recreate/regenerate new hacker files. So what you end up with by using a scanner is that you only clean the surface obvious hacker files, but do not find the hidden hacker file or files, which then re-infect the entire hosting account all over again in an endless loop. I know this as fact because when I first started cleaning up hacked websites professsionally many years ago (I no longer offer that service anymore) I learned the hard way about hidden hacker files since all of my hack cleanup work was negated/undone by hidden hacker files.
Scanners have great value and are a very valuable tool, BUT the only method of guaranteeing that you have found and removed all hacker files and code is to do the hosting account hack cleanup manually. So you can use a scanner to cleanup all the surface obvious hacker files and code, BUT you need to do the rest of the hosting account hack cleanup manually to guarantee 100% that the hosting account is really clean of all hacker files and code.
Or another possibility is that your website/hosting account is not really hacked (I should have created this reply first since all of the clues indicate that your website and hosting account are not actually really hacked). hackers do not normally delete website files since that would defeat the purpose of hacking a website. hackers want your website to be up and functioning normally and do not want you to know your website is hacked so that they can do whatever they want with your functioning website.
In this forum thread that you posted a week ago: https://wordpress.org/support/topic/changed-files-in-bps-517?replies=23 you stated that you thought your website was hacked and that you thought you found hacker code, but it turned out to be a problem with a plugin or database damage. The code you posted was not hacker code and the problem was being caused by either a plugin or database damage.
So I am willing to go the extra mile and look at anything you think might be hacker files or code or any other evidence. Send any information that you have directly to me and I will let you know whether or not your website and hosting account are really hacked or not.
1. Successfulflyfishing.com is the third account to have all the files deleted since 1/15/15. The pattern in all 3 is for probes to happen about a week to 10 days before the deletion, a brute force attack for a couple of days until they stop. And about a week later, the site is deleted.
2. I moved from my current/old host to a different host for 1 week in Dec 2014. When I came back to my current host, I did not use any files from the new host. I had my old/current host reinstall my files from a complete cPanel backup they had to avoid any hacked files coming back.
3. About 2 to 3 weeks ago, I found half of the core WP files on my main account changed from 644 to 755. My host tracked this down to a “malfunction” in File Manager. They changed the permissions back and two days later I found more files permissions changed. They again changed them back to 644 and said they had fixed the File Manager “malfunction”. Since then I have not found any more permissions changed. But that said, I have never heard of a “malfunction” in a cPanel File Manager. They found the permissions actually changed in the File Manager from 644 to 755 and I did not do it. (Now that sounds like a cPanel hack to me.) Since the last reset of permissions, I have not found any more changed. (not to say they could have been changed and changed back)
4. Also about 2 to 3 weeks ago around the time of this cPanel some custom rewrite rules I had stopped working. These were rules that are std htaccess code and should work. I have checked the syntax with a checker and it says ok. They just return a 404 instead of the 410 they should be returning.
5. Another possibility is this. My host and I are not on friendly terms right now and this could have been an inside job. My intuition is they would like me to go away. And they may soon get that wish.
6. This outfit hackedwpapp.com is monitoring this thread and has sent me an email offering to clean up my site. Hmmm??
7. With all respect. I know your plugin had some XSS issues a few versions back. I have to ask. Is there still any possibility of any similar issues remaining in the code?
8. Any host recommends. If you would rather not, I understand or send to my email.1. I have never once seen or heard of a hack happening with the things you are describing in the last decade and probably somewhere around 100,000 websites total. If a hacker was doing this it would happen immediately and not 1 day later and especially not a week later. The more things you describe about what you think is a hacked website, the more I am convinced that it has nothing to do with a hacker or hacked website.
2. Cannot say whether this information is relevant, irrelevant or useful. Most likely it has no bearing on anything whatsoever.
3. Eureka finally something that makes logical sense – “My host tracked this down to a “malfunction” in File Manager.” This is the first thing that you have posted that makes any logical sense and could be related to what is going on. If the File Manager malfunctioned and changed file permissions on its own then since it is a file manager that has the capability to delete files during a malfunction then logically I think you have found the source of the problem. Even if the file manager did not do this, it is much more logical that something on your server or installed on your website deleted your website files.
– 1. hackers do not delete website files – unless you are a major target and are being attacked/hacked by an elite group of hackers with the intended goal of disrupting your website by intentionally deleting files. I have only heard of this being done if you are huge corporate entity and not some small fish in a small pond.
4. Sounds like a typical server problem or a problem with a cPanel tool/utility. cPanel tools/utilities have a long history of causing this type of problem (approximately 13 years). I believe the most current version of cPanel has finally fixed problems like this that have been occurring for the past 13 years.
5. Being a little paranoid is a good thing because you are alert and prepared/ready for bad things if they occur, being overly paranoid is a bad thing because you start imagining bad things that are not really happening. If there is bad blood with your host then yes you should move to another host. I find it very hard to believe that your host, which is a very reputable host and is one of the top 10 hosts in the world would stoop to messing with your site, but yeah 1 pissed off tech might do that. Very doubtful though.
6. God bless oportunists. 😉 Or if I was overly paranoid then I might think they hacked my site and this whole thing is just one big conspiracy to get all my money. Hopefully you realize I am being sarcastic and making a joke here. 🙂
7. With all due respect, the question you are asking is not relevant to anything in this thread, but to answer there are currently no known bugs in the most current version of BPS. What is typically called a security vulnerability is usually a coding mistake/bug that cannot actually be successfully exploited, but nonetheless it is a bug that needs to get fixed.
Here is some more info on that subject: http://forum.ait-pro.com/forums/topic/this-does-not-look-good/So for that last few years or so there have been some “security vulnerabilities” reported in the BPS plugin. I do not consider most of them real security vulnerabilities. In order for me to consider something a real security vulnerability then it has to be something I can actually exploit. The last one that was a real security vulnerability was several years ago and would have been very difficult to pull off. Also not a single user has ever reported a successful exploitation of any bugs reported in the BPS plugin in the entire history of the BPS plugin.
8. The WP forum rules specifically state not to discuss web hosts so nope no suggestions or opinions, unless you want to send me an email directly. 😉Bulletproof put out an update that requires going into the .htaccess file, copying code, changing pertinent information in the code, then saving a new .htaccess file. I have a few websites that need to be updated. Will someone knowledgable assist me in updating the .htaccess file. How much will it cost me to do 3 sites?
Thank you!
Jerri LyneI assume you are referring to the “Significant Root and wp-admin htaccess File Changes” made back in BPS .51.2: https://wordpress.org/plugins/bulletproof-security/changelog/ Just follow the steps in the displayed Notice. Should take you about 10 seconds to do the one-time steps below on each site.
BPS Notice: One-time Update Steps Required
Significant changes were made to the root and wp-admin htaccess files that require doing the one-time Update Steps below.
1. Click the “Create secure.htaccess File” AutoMagic button.
2. Activate Root Folder BulletProof Mode.
3. Activate wp-admin Folder BulletProof Mode.Note: This is a one-time BPS Update that requires manual steps to be performed. All future versions of BPS will do the normal/typical automatic update of the BPS htaccess files. Overall we felt that creating a Notice about these significant changes vs just doing a normal automatic update was the best route to take for the primary reasons stated above and some additional reasons not stated here.
Or you can run the new Setup Wizard that was created in BPS .51.8.
http://forum.ait-pro.com/video-tutorials/#setup-overview-freeHow do I change http://www.mysite.com/wp-admin to
http://www.mysite.com/wp-9sk2^3##lkjx
I have used all of the Magic Buttons and do not see where I can change the admin login.
Thank you.
Please start a new thread since your question is not related to the topic in this thread. You can create a new thread by clicking this link: https://wordpress.org/support/plugin/bulletproof-security#postform and then post your question in that new forum thread post.
Re cPanel > My host implemented a new version of cPanel at the end of March version 11.42.2 (build 4). Supposedly this is a std version according to tech support. The old cPanel they used I never had any of these weird File Manager issues.
And yes these types of things do tend to tweak the paranoia button. This permissions thing and the site deletions feel more like being messed with. I agree with you about what a hacker wants which is for the site to appear normal so they can make use of it.
Thanks for clearing up my other question. I have great respect for your skills and BPS and rely on both on all my sites. Frankly I was very surprised to even find any thing on BPS at all in the DB I checked. And it was in the versions you mentioned. But you have always been quick to respond and take care of issues.
Maybe the information on this thread will be useful to others and not just me. Your replies had some good info and links to the AIT forums which should be useful.
On the last issue I will contact you privately.
Thanks again for all your help.
I am going to reopen this thread for this post.
Would you look at this code and tell me why it won’t work. My htacess checker says the syntax is ok. This is code that worked until about 2 to 3 weeks ago.<FilesMatch "\.(store + html)$"> RewriteRule ^410\.shtml$ [R=G,L] </FilesMatch>Actually please create a new thread topic for this question and use this topic title: FilesMatch htaccess directive syntax.
https://wordpress.org/support/plugin/bulletproof-security#postformnew thread opened per request. Lets close this one.
- The topic ‘website was hacked and deleted 5/14/15’ is closed to new replies.
