
Anyone have experience with hacked site?

Discussion in 'Black Hat SEO' started by manny521, Jul 14, 2012.

  1. manny521

    My site, which is six years old, is now being hacked on a regular basis and someone is installing code on my site that deactivates the SSL certificate and makes it so the shopping cart doesn't work, thus no one can buy anything that I am selling.

    I remove the code and then someone goes in and hacks it again and again, over and over.

    Does anyone have any experience with this and know how to get it to stop?

    Thanks in advance for any suggestions!

    The site is a WordPress site and is updated to the latest version.
     
  2. killakem

    Install the Timthumb vulnerability checker. You may be using an exploitable version. I'm a bit out of the loop so I'm not aware of any new exploits. They could also have a backdoor of some sort.
     
  3. Bazinga

    Ask your hosting provider for the log. Try to identify the pattern: the IP and time, and which file the hackers access and change. My site was hacked before too, 3 times in a month. We changed and cleaned everything. We host on our own server. But our network/server team are stupid because they can't provide the log file for me to analyze. If anything fails, try scanning with third-party software. I would suggest Acunetix. I managed to detect an XSS loophole on my site using it. I fixed the loophole and the hackers can no longer hack it. But a week after that my site got DDoSed. 3 days down. I guess the hackers got pissed off because they could not XSS my site, so they flooded my site with HTTP requests. lol.. anyway good luck..
     
  4. abhi28191

    Happened to me.. It was because I was using a clone version.. and the exploit was already installed..
     
  5. rockert

    The problem is not with WordPress, but with some plugins. If your site is old, I assume you have a handful installed (I am facing the same situation).
    The best option is to delete all the files on your host (including plugins), and then upload WordPress again and install fresh versions of the plugins. I've seen hackers upload some PHP files that are named similarly to WordPress core files.

    If you are facing the pharma redirection hack, here is a good article about it: http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php
     
  6. SnowWar

    Your site might not be hacked. This may happen for several reasons. You should check out all plugins and tools that you are using on your site.
     
  7. nipunn12

    Export a backup of your site posts and make a list of all USEFUL plugins.

    Save a backup of your host and save it on your desktop.

    Tell host to restore account to default.

    Add your site to the host and install WordPress.

    Import the post backup and reinstall only the USEFUL plugins.
     
  8. deletebacklinks

    A few possibilities of what could be happening...

    Someone could have access to your server login credentials. To check that, change your password and audit your user accounts removing any unnecessary logins. If you have shell access and permissions, run a last | more to see who has logged on and when.

    You may have a vulnerability on your site that lets an attacker gain remote access. Since you said someone keeps installing code that you keep removing, note the timestamp on the code and cross reference your httpd access log. If someone is using a backdoor in a script/plugin to add the code you should see some corresponding entry in the log. Note the request URI and disable the vulnerability (post back if you find something for tips on how to do that).

    If the 'hack' is happening at the same time each day, then there could be some scheduled job that's involved. Use crontab and look for a cron job that is running on a schedule that lines up with the timestamp on the code that is being installed.

    There are other things you could do with chown/chgrp/chmod to try to prevent code from being installed/updated (hard to give you exact details without more info). I would also probably do some simple greps based on the code that gets installed to see if there are any clues. If you want some assistance let me know...
     
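Added example (not part of any post in this thread): one way to do the cross-reference suggested above, listing the access-log requests that arrived just before the re-infected file's modification time, with POST/PUT requests first. It assumes the Apache/Nginx "combined" log format; the log lines, IP addresses and plugin path are constructed sample data, and the function names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined log format: client IP, [timestamp], "METHOD URI PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry

def requests_before_change(log_lines, modified_at, window_seconds=60):
    """Requests logged in the window leading up to the file's mtime."""
    start = modified_at - timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        e = parse_line(line)
        # Timezone-aware comparison: log offset and mtime zone may differ.
        if e and start <= e["time"] <= modified_at:
            hits.append(e)
    # A write through a web backdoor usually arrives as POST/PUT: list first.
    hits.sort(key=lambda e: (e["method"] not in ("POST", "PUT"), e["time"]))
    return hits

# Constructed sample data: documentation IP ranges, hypothetical plugin path.
# The server logs in local time (-0400) while the mtime below is in UTC.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Jul/2012:23:05:10 -0400] "GET /shop/cart HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Jul/2012:23:12:20 -0400] "GET /index.php HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [13/Jul/2012:23:12:45 -0400] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [13/Jul/2012:23:13:30 -0400] "GET /shop/checkout HTTP/1.1" 500 120 "-" "Mozilla/5.0"',
    'truncated or corrupt line',
]
# For a real file: datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
SAMPLE_MTIME = datetime(2012, 7, 14, 3, 12, 46, tzinfo=timezone.utc)

if __name__ == "__main__":
    for e in requests_before_change(SAMPLE_LOG, SAMPLE_MTIME):
        print(e["time"].isoformat(), e["ip"], e["method"], e["uri"], e["status"])
```

The request URI at the top of the output is the script to inspect, patch or remove; the same time window can then be checked against `last` output and cron schedules.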
  9. manny521

    Thanks for the suggestions... Does anyone have any experience with using cloudflare.com?