Hacked Client website, not sure what to do

Discussion in 'BlackHat Lounge' started by FreakenSEOsmh, Jan 3, 2018.

  1. FreakenSEOsmh

    FreakenSEOsmh Regular Member

    Hello BHW


    So one of my clients' websites, which is WordPress, got hacked. The hosting company provided me with a list of files that are infected, so basically what I did was remove them all, and now the website doesn't work at all. Looking closely at the infected files, I found that some of the files are essential for WordPress to function, such as wp-settings.php, so removing the infected files is not an option.

    I tried downloading the files to my computer, scanning them with Avast AV and then uploading them again. Surprise! Avast sucks! It didn't clean any of that shit.

    I am aware of the paid malware removal services, but my boss is cheap as fuck and he won't pay for these services unless the client pays for them. He just leaves me to deal with this crap on my own, like I'm supposed to inspect the files myself and remove the malicious code by myself.

    Website is WordPress.
    Some other websites are Joomla, yeah, Joomla in 2018 ffs.

    Need advice, BHW. Thanks.
     
  2. seoz87

    seoz87 Power Member

    The only way to clean it completely is to install a new WordPress.

    1. Go to phpMyAdmin > export your database > save it on your PC.
    2. If the WordPress admin is working, go to Tools (left bar) > Export > All Content > save on your PC.
    3. Delete the complete site.
    4. Reinstall WordPress.
    5. Go to phpMyAdmin and update the new database with the one you saved earlier.

    Check your website.
     
  3. uncutu

    uncutu Elite Member

    Back up the WP settings (manually if you have to, rather than exporting the files from phpMyAdmin, which are probably infected with a backdoor!), the theme CSS, wp-posts and other relevant files.
    Delete everything from the server FTP.
    Delete everything from the MySQL DB.
    Delete the old MySQL & FTP account.
    Create a new MySQL & FTP account.
    Install fresh WP on the server.
    Upload the theme, start importing the posts, settings, any other WP stuff.

    Should be a nice amount of hours to bill to the client at the end.
    Next time do incremental backups to make sure this never happens again; there are free WP plugins to do that. Every 1 week (or whatever you set it to) it will wrap everything up into 1 file you can import at any time.
    If you're using a pirated theme/plugin, it likely caused the hack.
    Use the Wordfence plugin too if you're not already. Don't forget to play with the advanced settings.

    There are also free sites online where you input your URL and it scans every file for known malware. Might be worth looking into to see what file was responsible, if it was a file/backdoor and not something dumb like a weak password.
     
    Last edited: Jan 3, 2018
  4. leadsr8z

    leadsr8z Newbie

    Remove the webshell file and patch your script to the latest version; antivirus is of no help in this matter.
     
  5. FreakenSEOsmh

    FreakenSEOsmh Regular Member

    Thank you all for your replies. I will do the above today and will advise and quote you later. I really do appreciate your replies.
     
  6. radiant13

    radiant13 Power Member

    Going to bookmark this one cuz I been hacked before.
    Another good security plugin is iThemes Security.
     
  7. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    :facepalm: :facepalm: :facepalm: :facepalm: :facepalm:
     
  8. FreakenSEOsmh

    FreakenSEOsmh Regular Member

    very helpful, Thank you mod.
     
  9. davids355

    davids355 Moderator Staff Member Moderator Jr. VIP

    Normally you can do this - back up your site as is, just to keep a "working" copy.
    Download your uploads folder - where most of your content (images) normally resides.
    Log in to WordPress if you can, make a note of the theme you are using, plugins, any other customisations (shouldn't be many others).
    Make a note of your database settings and the name appended to your database if there is one - take this from wp_config.php in FTP.
    Delete all files from the site via FTP.
    Re-upload a fresh copy of the WordPress files - get them from https://wordpress.org/download/
    Rename wp_config_sample.php to wp_config.php and add back in your database settings.
    Get into WordPress - it should pick up your settings automatically.
    Install the theme and plugins again - but only if they are legitimate copies and not nulled. Otherwise choose some new ones.
    Update everything - themes, plugins etc.
    Then you should be good.

    Normally that resolves it for me.

    Worst case scenario you might also have problems in the database, in which case you may need to do the following -

    back up your settings and content via wordpress, tools, export.
    delete files and database from your host.
    reinstall wordpress completely from scratch.
    re-import settings and content via tools>import.
    reconfigure all custom settings.
     
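An added example, not part of any poster's reply: the first post found infected core files such as wp-settings.php, and the reply above replaces core from a fresh download. This Python script compares a site tree with a clean unpacked copy by SHA-256 and reports which core files differ and which files are not part of core; the directory layout and sample files are constructed, and the clean copy is assumed to be the same WordPress version as the site.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_clean(site_dir, clean_dir):
    """Compare a live WordPress tree with a fresh copy of the same version."""
    site, clean = tree_hashes(site_dir), tree_hashes(clean_dir)
    extra = sorted(f for f in site if f not in clean)
    return {
        # core files whose content no longer matches the fresh copy
        "modified": sorted(f for f in clean if f in site and site[f] != clean[f]),
        # core files that were deleted from the site
        "missing": sorted(f for f in clean if f not in site),
        # everything that is not core: config, themes, plugins, uploads, strays
        "extra": extra,
        # uploads normally holds media only, so scripts there deserve review
        "php_in_uploads": [f for f in extra if f.startswith("wp-content/uploads/")
                           and f.lower().endswith((".php", ".phtml"))],
    }

def build_demo(base):
    """Write two small constructed trees ('site' and 'clean') under base."""
    clean = {"index.php": "<?php // front controller\n",
             "wp-settings.php": "<?php // core bootstrap\n",
             "wp-includes/version.php": "<?php // version info\n"}
    site = dict(clean)
    site["wp-settings.php"] += "// constructed stand-in for injected code\n"
    del site["wp-includes/version.php"]
    site["wp-config.php"] = "<?php // site-specific settings\n"
    site["wp-content/uploads/2018/01/photo.jpg"] = "constructed image bytes"
    site["wp-content/uploads/2018/01/cache.php"] = "<?php // constructed stray script\n"
    for name, tree in (("site", site), ("clean", clean)):
        for rel, text in tree.items():
            path = Path(base, name, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
    return Path(base, "site"), Path(base, "clean")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, paths in compare_to_clean(*build_demo(tmp)).items():
            print(f"{key}: {paths}")
```

Files listed as modified or missing are the ones a fresh core upload overwrites; everything under extra (the config file, themes, plugins, uploads) has no clean reference in the download and has to be reviewed or reinstalled separately.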
  10. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Why would you think that posts on a thread would be directed towards helping you? Doesn't "mocking patent ignorance" cut in your list?

    But you're welcome, glad you got value.
     
  11. FreakenSEOsmh

    FreakenSEOsmh Regular Member

    Don't want to start anything, but I thought you'd have better things to do than mocking my patent ignorance. I asked so that I know. Let's just keep it at this.
     
  12. darulez

    darulez Elite Member

    BS

    Change hosting

    Reinstall wp

    Manual copy paste old content
     
  13. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Like making money? Just like sex, one can do it so much within the day.
     