ningishzidda

Just an update, it is still doing this. Gets stuck in autosave apparently forever.

More mysteries emerge.

It appears the work was saved, but to a revision, I was able to retrieve my lost work by going to a previous version. That means WordPress is somehow not calling up the most recent “Save” done by changing the code on the Update button in chrome, when I click on a post in the post list.

Forgot to add…I disabled all plugins and reinstalled WordPress, overwriting old files.

[Expletive] xst let me just log into the cp and haX0r infested darknet, WHERE I CAN ACTUALLY TALK ABOUT WORDPRESS AND THINGS RELATING TO WORDPRESS.

That’s nice to hear photocrati, your plugin is very valuable to me and I will reinstall it when I stableize.

You can take a look at a partial error log leftover from earlier i have. Remember that this is not ONE person doing this. I watched the live feed and this was basically a team of people who targeted our site specifically over some grievance, using many different exploits. This just happens to be the most annoying, although not the most damaging portion of the attack. This is the tail end of what has been a really interesting Post-Superbowl weekend I do not know anything about the earlier attacks as I have not had a breathe to take a look.

But first I’ll tell you what was occuring while the errors were happening, and I can give you access to the full logs if you like, but I’d have to find them first as I am an amateur.

First the site would get broken into, permissions changed, adverts go up.

I take them down, change the permissions.

The error log THEN reports this:

[removed]

After this string, the process repeats itself. The permissions are changed, the popups go back up.

I delete the Yillix and Bidsweeper code out of sidebar and footer, and change the permissions back.

Repeat about 10-20 minutes later. (by the way my admin name is not really admin, do not worry)

Now where am I at now?

I switched themes to 2015, as it is the safest theme you can get. I deleted Gamepress, because it did not update with the latest upgrade. Our leader is really attached to the theme but it has java built into it for some damned reason. The exploits appeared to be targetting NextGen gallery java and the Gamepress theme java.

My ex-husband who was in IT used to say, “It’s always [removed] java!” Before screaming. He became a cop after ten years in IT and Security because he was so sick of this stuff. Don’t know how true that is but it does appear to be some java exploit they are using.

I have no idea what it is. My webhost got back to me and offered to harden the site for $45 which was nice, so I took the offer and I am going to see what they do. I hardened WHM as best I could and scanned my computer again but nothing dangerous was found.

SO far it’s holding, the 2015 theme has been up for an hour. I am stripped down to very few plugins right now.

Here’s what I did:

Deleted Social Media Feather by Acurax because it was specifically targeted by somebody this morning. I cannot afford to lose Next gen gallery as i think most people will agree, so I installed Wordfence after finding it highly rated during a search for the outdated Sucuri (more below)

I reinstalled WordPress.

Global settings on the sidebar somehow got set to allow users to write, so I set them not to be able to write, which would have prevented the sidebar from getting hacked to show google ads.

I am tired of the footer constantly getting hacked by less malicious hackers to point to yontoo, (for some reason any new updates to wordpress like to set the value to allow users to write again, after ive disallowed it) so I’ve disabled user registrations and deleted our vast collection of members – they wernt really adding that much of value to the site anyways. I do not need them. This will prevent user uploads at least.

I think the culprit for the first hack may have been Next Gen Gallery as the majority of the attempted attacks this morning seem to have been directed at it. Looks like there was a WordPress update between then and now, too so I wonder if that was it.

I also uninstalled Wang guard since I don’t have any users anymore.

Sucuri was reccomended by those links, but it is outdated with current version of wordpress, so I disregarded it. I installed Wordfence instead which came highly reccomended.

By the way, that security company/webhost I called was a joke. The guy called me and couldn’t tell me anything useful about what their security company did, just a bunch of flashy sounding rhetoric in an email after the useless phonecall. He said “What really makes us the best is we learn every time we get hacked.” I was like “erm, yes that is the thing to do after making a mistake or getting attacked, you learn from it” The tour through the free plugin Wordfence is much more impressive with actual information. The math is easy free or 350 a month, or 200 a year for three site keys from the Wordfence plugin, or 350 a month. Looks like it’s all the same stuff.

I uninstalled my cache program because Wordfence includes one.

Thanks for all of those links. I’ve done the hardening one before.

The site is still getting hacked, although not as badly now and I am looking through the error log from the hacker activity today.