perezbox
Forum Replies Created
Forum: Fixing WordPress
In reply to: My wordpress site may have been hacked
Hi @duncantmc
This means you have something on the server blocking the scans, which is why it's generating 403s (Forbidden).
Are you running Wordfence? Maybe some .htaccess rules? Or some other tool that might be proactively blocking IPs?
Thanks
Forum: Fixing WordPress
In reply to: WordPress got hacked today
Hey @jaschaio
My general rule of thumb is assume once they are in, they are in. I'd be watching things very carefully.
As it's a VPS, try using this to help investigate further: https://blog.sucuri.net/2016/02/investigating-a-compromised-server-with-rootcheck.html
I'd also set up OSSEC in general to monitor the server's activity, and see if anything changes that might not present itself externally:
A few years old, but still very applicable: http://perezbox.com/2013/03/ossec-for-website-security-part-i/
Good job on the user isolation.
Here is another oldie but goldie that might help from a server level configuration perspective: https://blog.sucuri.net/2012/07/wordpress-and-server-hardening-taking-security-to-another-level.html
Cheers
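The reply above points at OSSEC for watching the server from the inside. As an added example (not part of Tony's reply, not OSSEC and not Sucuri's code), here is the bare-bones version of what OSSEC's syscheck automates: hash the web root while it is known-good, hash it again later, and diff the two manifests to see what was added, modified or removed. It is plain POSIX shell so it runs on any VPS; the web root, file names and the "tampering" inside fim_demo are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration of a file-integrity baseline for a web root (not OSSEC,
# not from the post). Requires find, sha256sum and awk.

# Write a manifest of "<sha256>  <relative path>" for every regular file
# under $1 into $2. Paths are relative so the manifest is portable.
fim_baseline() {
    root="$1"; manifest="$2"
    ( cd "$root" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done ) > "$manifest"
}

# Compare the baseline manifest $1 with a later manifest $2 and print one
# line per change: "ADDED path", "MODIFIED path" or "REMOVED path".
fim_compare() {
    awk '
      { hash = $1; path = $0; sub(/^[^ ]+  /, "", path) }   # keep spaces in paths
      NR == FNR          { base[path] = hash; next }         # first file: baseline
      !(path in base)    { print "ADDED", path; next }
      base[path] != hash { print "MODIFIED", path }
                         { delete base[path] }               # seen and unchanged
      END { for (p in base) print "REMOVED", p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed demo: build a tiny web root, baseline it, tamper, compare.
fim_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/site/wp-content/uploads/2016/02"
    printf '<?php // index\n' > "$work/site/index.php"
    printf 'readme\n' > "$work/site/readme.html"
    printf 'jpeg bytes\n' > "$work/site/wp-content/uploads/2016/02/photo.jpg"
    fim_baseline "$work/site" "$work/baseline.sha256"

    # Simulated compromise: a core file edited, a script dropped into uploads,
    # a file deleted. The "mailer" is a placeholder, not real malware.
    printf '<?php // index\n// tampered\n' > "$work/site/index.php"
    printf '<?php // placeholder for a dropped mailer\n' \
        > "$work/site/wp-content/uploads/2016/02/mailer.php"
    rm "$work/site/readme.html"
    fim_baseline "$work/site" "$work/now.sha256"

    fim_compare "$work/baseline.sha256" "$work/now.sha256"
    rm -rf "$work"
}

fim_demo
```

Keep the baseline manifest off the web server (an attacker who can edit index.php can also edit a manifest sitting next to it), and re-baseline only after you have verified an update yourself; that is the same discipline OSSEC's syscheck applies with its central database.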
Forum: Fixing WordPress
In reply to: WordPress got hacked today
Hi @jaschaio
Bravo on going to your logs for answers!! Love it!!
Is this a VPS?
Too bad you deleted the /uploads folder; all you had to do was disable PHP execution in the directory. They were executing a mailer script, pretty common these days.
As for what happened, it seems they were able to brute force as you described, but it is odd that it was your user / pass combination.
It's no surprise they installed their own tools, that's very common. They will install and configure the things they are most comfortable with to accomplish their goals. Speculating beyond this will be very tough though without direct access to see exactly what happened.
Nice catch though.
Tony
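Tony's point above is that the uploads folder did not need to go; PHP execution in it did. As an added example (not part of the reply, not Sucuri's code), this shell script does the two things a practitioner would actually do on the VPS: list the script files that have no business in an uploads tree (the mailer would show up here), then drop an .htaccess that makes Apache refuse to serve them, with the nginx equivalent for servers that ignore .htaccess. The directory layout and files in uploads_demo are constructed; whether the rules take effect depends on AllowOverride being enabled for that path, which is an assumption.

```shell
#!/bin/sh
# Added illustration: triage and harden wp-content/uploads instead of
# deleting it. Not from the post.

# Print script-like files under the uploads directory $1, sorted.
uploads_list_scripts() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
         -o -iname '*.phar' -o -iname '*.cgi' -o -iname '*.pl' \) | LC_ALL=C sort
}

# Print script-like files under $1 modified in the last $2 days (default 7):
# the quickest way to see what was dropped recently.
uploads_recent_scripts() {
    uploads_list_scripts "$1" | while IFS= read -r f; do
        find "$f" -mtime "-${2:-7}" -print
    done
}

# Write an .htaccess into $1 that denies requests for script files.
# Works for both Apache 2.4 (mod_authz_core) and 2.2 syntax. The directory
# must allow overrides for FilesMatch/Require, or the same block goes in
# the vhost's <Directory> section.
uploads_write_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Block direct execution of scripts uploaded into wp-content/uploads
<FilesMatch "\.(php|php[0-9]|phtml|phar|cgi|pl)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# nginx ignores .htaccess; the equivalent location block goes in the server
# block and must appear before the generic "location ~ \.php$" handler.
uploads_nginx_snippet() {
    cat <<'EOF'
location ~* ^/wp-content/uploads/.*\.(php|php[0-9]|phtml|phar|cgi|pl)$ {
    deny all;
}
EOF
}

# Constructed demo tree: one real image, two scripts that should not exist.
uploads_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/uploads/2016/02"
    printf 'jpeg bytes\n' > "$work/uploads/2016/02/photo.jpg"
    printf '<?php // placeholder for a dropped mailer\n' > "$work/uploads/2016/02/mailer.php"
    printf '<?php // mixed-case extension still matches\n' > "$work/uploads/x.PhP5"
    echo "scripts found in uploads:"
    uploads_list_scripts "$work/uploads"
    uploads_write_htaccess "$work/uploads"
    echo "wrote $work/uploads/.htaccess:"
    cat "$work/uploads/.htaccess"
    rm -rf "$work"
}

uploads_demo
```

The deny rule stops the web server from handing the file to PHP; it does not stop PHP code elsewhere from including it, so the listing step still matters and anything it finds should be preserved for analysis rather than deleted, as the reply says.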
Forum: Fixing WordPress
In reply to: Google says my site might be hacked
Hi @rudestone2
Here is an article you’ll want to read and digest when working with Google Blacklisting. It really depends on what exactly they are flagging as an issue.
Going to need a lot more than “help” to help understand what you’re dealing with, but it’s likely associated with Search Engine Poisoning if I had to bet.
Thanks
Forum: Fixing WordPress
In reply to: My site have been been hacked
Hi @islandwoman
This is very common. The bots are still hitting the known location; it'll persist for a while until someone sees the issue and takes your domain out of rotation.
Tony
Hi @arunchus
Could you send us an email at support@sucuri.net? We'd love to understand your environment better and what might be going on.
Thanks
Forum: Fixing WordPress
In reply to: My site have been been hacked
Hi @islandwoman
Spoke with one of our analysts, and he decoded it for you and everyone else. This is a file upload backdoor; you can see it in its raw format here: https://pastebin.sucuri.net/zo0u27ibhy5tc1k
The attacker is able to use this to upload a file, likely another backdoor, to gain full access to the environment.
I'd say your environment is definitely compromised.
Tony
Forum: Fixing WordPress
In reply to: admin log in page hacked by ransomware
Hi @mwark
What is a MASTER SET?
Here is an article that might offer some assistance: https://blog.sucuri.net/2016/01/ransomware-strikes-websites.html
Know however that ransomware is really tough to deal with because of how the files are being encrypted. In some instances, the best bet is to restore from a backup if you have it available.
If the wp-admin is encrypted, you might want to look at replacing wp-admin, but it just depends. Without knowing more of the situation it's really difficult to speculate. The recommendation by @vnseum might work; don't know without trying.
Thanks
Forum: Fixing WordPress
In reply to: My site have been been hacked
Hi @islandwoman
It's hard to answer this question:
"Can anyone tell if this is a malicious code? And how this file keeps reappearing?"
1 – We'd need to see the file, and its content.
2 – The real question is how is the file getting there? There are instances in which hosts add files to the root, so it could be theirs. Have you asked them if they're familiar with the file? If they're not, then it's pretty safe to assume the environment is compromised.
3 – Sounds like you addressed all the access control issues, although hard to verify based on what you said and not knowing what your environment consists of. The next question would be, how are you addressing all the software vulnerability issues? Neither the Wordfence nor Sucuri plugins will address that.
Here is a good article on the subject: https://blog.sucuri.net/2014/09/understanding-the-wordpress-security-plugin-ecosystem.html
4 – Most scans will only show you something if the integrity of a file is changed, or if the site is displaying something externally. Backdoors and other scripts can be a bit tricky, just depends on how you have tools configured.
Answers to some of the questions would help move things in the right direction.. 🙂
Tony
Forum: Fixing WordPress
In reply to: Hacked – what is showing on my startpage?
Hi
You’re suffering from what is known as Search Engine Poisoning (SEP). There is something being appended to your pages. Without accessing the environment it’s difficult to say exactly where it’s loading from, but take some time to do a search in your database.
A cool little trick is to do a search in your posts / pages using wp-admin to look for things like "payday loans" or "online payday loans". This will only work if the payload is not encrypted; if it is, it'll be a bit trickier.
Here are a few articles that might help you:
https://blog.sucuri.net/2013/02/payday-loan-spam-affecting-thousands-of-sites.html
https://blog.sucuri.net/2014/11/combat-blackhat-seo-infections-with-seo-insights.html
https://blog.sucuri.net/2014/02/not-just-pills-or-payday-loans-its-essay-seo-spam.html
Each one talks to different forms of Blackhat SEO campaigns. Here is another write up that might be helpful: https://blog.sucuri.net/2012/11/website-malware-removal-ftp-tips-tricks.html
Best of luck
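The reply above suggests searching posts for spam terms and warns that an encoded payload will not turn up. As an added example (not part of the reply, not Sucuri's code), here is how a practitioner does that search on the server rather than through wp-admin: emit the SQL for `wp db query` or `mysql`, and scan an offline dump of the database for the terms both in the clear and in every base64 alignment, which catches the common base64-stuffed widget or option without decoding anything. Real obfuscation (gzinflate, XOR, custom encoders) is still not covered, exactly as the reply says. The spam term list and the sample dump written by sep_write_sample_dump are constructed; table names assume the default wp_ prefix.

```shell
#!/bin/sh
# Added illustration: hunting Search Engine Poisoning payloads in the
# database. Not from the post. Requires grep, awk, base64, cut, sed.

# Constructed term list; extend with whatever campaign you are seeing.
SPAM_TERMS="payday loans
online payday loans
viagra
essay writing"

# Print the SELECT a practitioner runs via `wp db query` or `mysql` to find
# posts carrying any of the terms in their content.
sep_sql() {
    printf '%s\n' "$SPAM_TERMS" | awk 'NF {
        c = c (c ? " OR " : "") "post_content LIKE \047%" $0 "%\047"
    } END {
        print "SELECT ID, post_title, post_status FROM wp_posts WHERE " c ";"
    }'
}

# Print the three base64 encodings of $1 (one per byte alignment), stripped
# of the leading characters that depend on the unknown preceding bytes and
# of the trailing quad that depends on padding. Fragments under 8 characters
# are dropped because they would match too much.
sep_b64_variants() {
    term="$1"
    for prefix in "" "x" "xx"; do
        enc=$(printf '%s%s' "$prefix" "$term" | base64 | tr -d '\n')
        case "$prefix" in
            "")  keep="$enc" ;;
            x)   keep=$(printf '%s' "$enc" | cut -c3-) ;;   # 1 prefix byte -> 2 chars
            xx)  keep=$(printf '%s' "$enc" | cut -c4-) ;;   # 2 prefix bytes -> 3 chars
        esac
        case "$keep" in *=*) keep=$(printf '%s' "$keep" | sed 's/....$//') ;; esac
        [ "${#keep}" -ge 8 ] || continue
        printf '%s\n' "$keep"
    done
}

# Scan a SQL dump $1 and print "<line> raw <term>" for clear-text hits and
# "<line> base64 <term>" for hits on any base64 alignment of the term.
sep_scan() {
    dump="$1"
    printf '%s\n' "$SPAM_TERMS" | while IFS= read -r term; do
        [ -n "$term" ] || continue
        grep -n -i -F -- "$term" "$dump" | cut -d: -f1 | sed "s/$/ raw ${term}/"
        sep_b64_variants "$term" | while IFS= read -r enc; do
            grep -n -F -- "$enc" "$dump" | cut -d: -f1 | sed "s/$/ base64 ${term}/"
        done
    done | LC_ALL=C sort -u
}

# Constructed three-line dump: a clean post, a hidden-div spam post, and a
# widget option holding base64("payday loans") = cGF5ZGF5IGxvYW5z.
sep_write_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO wp_posts VALUES (12,'Our services','<p>We fix roofs.</p>');
INSERT INTO wp_posts VALUES (13,'Summer sale','<div style="display:none">Cheap online payday loans here</div>');
INSERT INTO wp_options VALUES (99,'widget_text','a:1:{s:4:"code";s:16:"cGF5ZGF5IGxvYW5z";}');
EOF
}

sep_demo() {
    work=$(mktemp -d)
    sep_write_sample_dump "$work/dump.sql"
    echo "query for wp db query:"; sep_sql
    echo "hits in dump:"; sep_scan "$work/dump.sql"
    rm -rf "$work"
}

sep_demo
```

Line numbers from the dump map back to INSERT statements, so a hit in wp_options or wp_postmeta (widgets, theme settings) is found as readily as one in wp_posts, which the wp-admin post search would never show.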
Forum: Fixing WordPress
In reply to: website was hacked
Hi @peterlee
This statement is grossly inaccurate: "WordPress script is one of the easiest platform to be hacked in."
Whoever told you this is misinformed and lacks knowledge in WordPress and security. The platform itself is one of the more mature platforms on the market. In my experience, hacks website owners experience are rarely attributed to the platform itself. They're often associated with things website owners do, like installing plugins / themes and not appropriately managing the environment.
It’s hard to decipher where to even begin with your post as you don’t ask a specific question. It seems your host is taking care of the problem, is that right? I would take time to read through the guides @james provided as a good place to start.
I’d also take some time to read this article, that talks to the real vulnerability within the WordPress environment.
Forum: Plugins
In reply to: [WP Super Cache] Sucuri flagging cache files
Hi
Curious, would you mind sending this question to labs@sucuri.net? Our researchers would be happy to take a look and see what might be going on.
Thanks
Hi @ryseale
Interesting. Very curious about all the symptoms you're experiencing. Whenever you see a plugin installed that you didn't install yourself, it's often a very clear indicator that something is wrong. Do you by chance have any logs for the site? You're going to want to investigate when things happened. I would personally start there.
The good news is you have a good place to start, you know there is a plugin that was installed that you didn’t do. Focus on that, and follow the cookie trail.
What you’re experiencing is very common. Attackers will often install whatever tools they require to complete their objective.
If you need any help let me know at tony@sucuri.net
Thanks
Tony
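Two of the replies on this page send people to their logs: the "WordPress got hacked today" thread, where the poster found a brute-forced login followed by the attacker's own tools, and the reply just above, where a plugin nobody installed is the lead. As an added example (not part of either reply, not Sucuri's code), this shell script pulls both answers out of a standard combined-format access log: which IPs hammered wp-login.php, when an IP first got the 302 that WordPress returns on a successful login, and every request from that IP that installs, uploads, activates or edits code through wp-admin. The log written by wp_write_sample_log is constructed (documentation IP ranges, made-up timestamps, a placeholder plugin name); the wp-admin endpoints matched are WordPress's real ones.

```shell
#!/bin/sh
# Added illustration: mining an Apache/nginx combined access log after a
# WordPress compromise. Not from the posts. Fields in combined format:
# $1 client IP, $4 "[timestamp", $6 "\"METHOD", $7 path, $9 status.

# Count POST /wp-login.php per client IP and print "count ip" for IPs at or
# above threshold $2 (default 20), busiest first.
wp_login_bruteforce() {
    awk -v min="${2:-20}" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# Print "ip timestamp" of the first successful login per IP: WordPress
# answers a failed login with 200 (the form again) and a success with 302.
wp_first_login_success() {
    awk '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 302 && !($1 in seen) {
            seen[$1] = 1; print $1, substr($4, 2)
        }
    ' "$1"
}

# Print "timestamp ip METHOD path" for every request that adds or edits code
# through wp-admin (plugin/theme upload or install, plugin activation, the
# built-in file editors), optionally limited to IP $2.
wp_admin_code_changes() {
    awk -v who="${2:-}" '
        (who == "" || $1 == who) &&
        $7 ~ /^\/wp-admin\/(update\.php[?]action=(upload|install)-plugin|update\.php[?]action=upload-theme|plugins\.php[?]action=activate|plugin-install\.php|theme-editor\.php|plugin-editor\.php)/ {
            print substr($4, 2), $1, substr($6, 2), $7
        }
    ' "$1"
}

# Constructed log: 30 failed logins from one scanner, then a second IP that
# fails three times, succeeds, and uploads and activates a plugin.
wp_write_sample_log() {
    out="$1"; : > "$out"
    i=0
    while [ "$i" -lt 30 ]; do
        printf '198.51.100.23 - - [10/Feb/2016:03:14:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "python-requests/2.9.1"\n' "$i" >> "$out"
        i=$((i + 1))
    done
    cat >> "$out" <<'EOF'
203.0.113.7 - - [10/Feb/2016:03:15:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:03:15:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:03:15:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:03:15:52 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:03:16:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:03:16:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 45120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:03:17:20 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 38870 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:03:17:40 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 12044 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:03:17:55 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=example-tool%2Fexample-tool.php&_wpnonce=0123abcd HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Feb/2016:03:18:00 +0000] "GET / HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
EOF
}

wp_log_demo() {
    work=$(mktemp -d)
    wp_write_sample_log "$work/access.log"
    echo "wp-login.php POST floods (>= 20):"; wp_login_bruteforce "$work/access.log" 20
    echo "first successful login per IP:";    wp_first_login_success "$work/access.log"
    echo "code changes via wp-admin:";         wp_admin_code_changes "$work/access.log"
    rm -rf "$work"
}

wp_log_demo
```

The timeline this produces (first 302 on wp-login.php, then the upload-plugin POST, then the activate GET) is the "cookie trail" the reply describes; a low-count IP that succeeds, as 203.0.113.7 does here, is the one to chase even when a noisier scanner dominates the counts, and it is consistent with the poster's report that a valid user / pass was used rather than a vulnerability.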