
Site got Hacked! Need Help finding the cause.

Discussion in 'BlackHat Lounge' started by V, Apr 18, 2014.

  1. V

    V Elite Member

    Joined:
    May 18, 2012
    Messages:
    2,113
    Likes Received:
    2,543
    Occupation:
    Student
    Location:
    /tmp
    Hi,
    I have a site on WordPress platform which got hacked today. Although, no damage was done to the site, just the title and footer of the site was changed to show "Hacked by ----blah blah----". I wasn't able to log in and I couldn't receive the email for resetting password. I have limit login attempts and Wordfence plugins installed, and i receive emails when someone gets locked out trying password combinations, but nothing like that happened. I had the backup and everything and I could have restored everything right away, but that would have erased any traces of login that I could find on my site. So, after thinking for some time I thought I should check the Database of my website, and I know where the username and encrypted password are stored in the DB. So, I browsed and found that the username was changed and I didn't know if the password was changed or not because it was encrypted. So I changed back my username and also encrypted a password using md5 algo and pasted in the password field. Now, I was able to log into my account. When I was browsing the DB to see what was happened, I also noticed that the Blog title value was changed hence the change in the title and footer of the website. I changed it back and logged into my WP dashboard. Now, it was time to see the logs and I saw that someone logged into my WP account from an IP (I found the IP), but he didn't change anything besides the username, password and the title. Well, one cannot change the username from WP dashboard without using plugins, and I didn't see any trace of a new plugin installed on my site. So, it must have been done by editing the DB. Plus he only changed the title which is easy to change from the DB as well. So, that makes me think that he anyhow got into my DB and changed those fields using some vulnerability (I am not ruling out the possibility that he first logged into the WP, and then changed everything from there). 
Unless I find out the cause of my site getting hacked, I cannot do anything and he can/would edit my site again.
    One solution I can think of is to remove the wp-login file when I am not going to log into my site, and uploading it just before i want to log into the WP dashboard, but if it was the DB which got hacked then this won't help in any way.
    So, anyone with experience please give me some suggestions or help me if you can. I would really appreciate your help. :)
    Thanks
     
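The triage the original poster did by hand in phpMyAdmin (find the renamed account, write an MD5 hash into user_pass, spot the changed blog title) can be done with a handful of queries against the three tables involved. The script below is an added example, not code from this thread: it builds an in-memory SQLite copy of wp_users, wp_usermeta and wp_options with constructed rows (one legitimate owner plus a hypothetical attacker-added administrator and the "Hacked by" title) and runs the checks a responder would want before restoring a backup. The SELECTs are plain enough to paste into MySQL unchanged; the table prefix wp_ is assumed. WordPress does accept a raw MD5 hash in user_pass and upgrades it to its own $P$ (phpass) format on the next login, which is why the poster's trick worked, and it is also why a plain 32-hex-character hash in that column is itself an indicator that someone wrote the row directly.

```python
"""Triage a WordPress database after a suspected compromise.

Added example, not code from the thread. Builds an in-memory SQLite copy of
wp_users / wp_usermeta / wp_options with constructed rows and runs the
checks a responder would run. The SQL is kept plain so it runs unchanged on
MySQL (table prefix 'wp_' assumed).
"""
import hashlib
import re
import sqlite3

# Serialized PHP array WordPress stores in wp_usermeta for an administrator.
ADMIN_CAP = 'a:1:{s:13:"administrator";b:1;}'
# Legacy MD5 hash (32 hex chars). WP still accepts it for login and rehashes
# it to the '$P$' phpass format afterwards, so a stock site has none of these.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: the site owner plus a hypothetical attacker-added admin."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
            user_pass TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
            option_value TEXT);
    """)
    con.executemany("INSERT INTO wp_users VALUES (?,?,?,?,?)", [
        (1, "owner", "$P$BZ0000000000000000000000000000000", "owner@example.com",
         "2012-05-18 10:00:00"),
        (7, "wp_support", hashlib.md5(b"password").hexdigest(),   # written straight into the DB
         "nobody@example.net", "2014-04-18 03:12:44"),
    ])
    con.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", ADMIN_CAP),
        (2, 7, "wp_capabilities", ADMIN_CAP),
    ])
    con.executemany("INSERT INTO wp_options VALUES (?,?,?)", [
        (1, "siteurl", "https://example.com"),
        (2, "home", "https://example.com"),
        (3, "blogname", "Hacked by ----blah blah----"),
        (4, "admin_email", "owner@example.com"),
        (5, "users_can_register", "0"),
    ])
    con.commit()
    return con


def find_admins(con):
    """Every account holding the administrator capability, however it got there."""
    return con.execute("""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%administrator%'
        ORDER BY u.ID""").fetchall()


def find_users_registered_since(con, since):
    """Accounts created on or after `since` ('YYYY-MM-DD HH:MM:SS')."""
    return [r[0] for r in con.execute(
        "SELECT user_login FROM wp_users WHERE user_registered >= ? ORDER BY ID",
        (since,))]


def find_md5_passwords(con):
    """Accounts whose hash is plain MD5 rather than WP's '$P$' phpass format."""
    return [login for login, h in con.execute(
        "SELECT user_login, user_pass FROM wp_users ORDER BY ID") if MD5_RE.match(h)]


def changed_options(con, expected):
    """Option rows whose stored value differs from what the owner knows is right."""
    current = dict(con.execute("SELECT option_name, option_value FROM wp_options"))
    return {k: current.get(k) for k, v in expected.items() if current.get(k) != v}


def reset_password_md5(con, login, new_password):
    """Recover access the way the poster did: write an MD5 hash into user_pass.
    WordPress accepts it at login and upgrades it to phpass on first use."""
    digest = hashlib.md5(new_password.encode()).hexdigest()
    con.execute("UPDATE wp_users SET user_pass = ? WHERE user_login = ?",
                (digest, login))
    con.commit()
    return digest


if __name__ == "__main__":
    con = build_sample_db()
    print("admins:", find_admins(con))
    print("accounts since 2014-04-01:", find_users_registered_since(con, "2014-04-01 00:00:00"))
    print("plain-MD5 hashes:", find_md5_passwords(con))
    print("changed options:", changed_options(con, {
        "blogname": "My Blog", "siteurl": "https://example.com"}))
```

On a real MySQL database the equivalent of find_md5_passwords is `SELECT user_login FROM wp_users WHERE user_pass NOT LIKE '$P$%'`. Run these against a copy of the database taken before the clean-up, not after; the poster's own edits to wp_users and wp_options would otherwise be indistinguishable from the attacker's.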
  2. madoctopus

    madoctopus Supreme Member

    Joined:
    Apr 4, 2010
    Messages:
    1,249
    Likes Received:
    3,498
    Occupation:
    Full time IM
    Without looking at everything in depth, and without being a security guy, it's close to impossible to figure that out.
     
  3. V

    V Elite Member

    Joined:
    May 18, 2012
    Messages:
    2,113
    Likes Received:
    2,543
    Occupation:
    Student
    Location:
    /tmp
    You're already in my Skype contact list, so I'll talk to you when you get online! :)
    Thanks
     
  4. mission

    mission Newbie

    Joined:
    Sep 9, 2009
    Messages:
    39
    Likes Received:
    20
    Occupation:
    IM
    Location:
    canada
    Have you checked for the tomthumb exploit in your theme?
     
  5. V

    V Elite Member

    Joined:
    May 18, 2012
    Messages:
    2,113
    Likes Received:
    2,543
    Occupation:
    Student
    Location:
    /tmp
    It's timthumb lol, and I guess I don't have it in my theme. :)
     
  6. WormWH

    WormWH Junior Member

    Joined:
    Dec 17, 2011
    Messages:
    168
    Likes Received:
    158
    Location:
    Europe
    Maybe you used a nulled theme? This usually happens with nulled stuff... The other thing I can think of right now is that you are using an older version of WordPress that's exploitable. Must be one of these two.
     
  7. MixerDJ

    MixerDJ Regular Member

    Joined:
    Nov 20, 2012
    Messages:
    374
    Likes Received:
    147
    Are you on a shared server? Then I guess he did symlinking, read your WP site's config file and attacked your DB. When they set up symlinking on servers they can access your database without any problem, then edit your email or password or anything (only on shared servers). If you are on a dedicated server he would have had to find an exploit and execute commands to get access. Check your site; they may have added some backdoored files to your server.
     
  8. V

    V Elite Member

    Joined:
    May 18, 2012
    Messages:
    2,113
    Likes Received:
    2,543
    Occupation:
    Student
    Location:
    /tmp
    Hmmm, yeah, it is a nulled theme! :( And maybe I didn't update my WP version on time, I guess. Now it's updated, so I hope that it doesn't happen again.
    Yeah, it's shared hosting! I've used many online scanners and they show no warnings, so I guess it's fine, or should I look deeper? :)
     
  9. spmcnerd

    spmcnerd Regular Member

    Joined:
    Dec 20, 2010
    Messages:
    309
    Likes Received:
    106
    The gift that keeps on giving.
    Your host can tell where it entered.
    They tend to quit answering when they know it was from them...
    I would definitely dump anything nulled. Especially timthumb.
     
  10. birdy23

    birdy23 Jr. VIP Jr. VIP Premium Member

    Joined:
    Dec 6, 2012
    Messages:
    397
    Likes Received:
    151
    Occupation:
    Internet Marketer
    Location:
    Connecticut
    Can I assume you're using Hostgator? All my sites hosted under Hostgator were hacked just a few days ago. Not sure if it's related.
     
  11. Marsilirus

    Marsilirus Newbie

    Joined:
    Dec 28, 2013
    Messages:
    20
    Likes Received:
    13
    Simple SQL injection, probably in one of your plugins; if not, then there's a 50% chance it's another vulnerability in your plugins.
     
  12. Marsilirus

    Marsilirus Newbie

    Joined:
    Dec 28, 2013
    Messages:
    20
    Likes Received:
    13
    Shared hosting, WordPress and a nulled theme: no wonder you were hacked, after all.
     
  13. LegitXXX

    LegitXXX Newbie

    Joined:
    Mar 27, 2014
    Messages:
    41
    Likes Received:
    9
    You are using a nulled theme... what's so hard to figure out? The whole point of nulling a theme is so you can hack people when they use it. No one is going to take their time nulling themes without inserting a hack into the code. You deserve to get hacked for being stupid and using a nulled theme.
     
  14. V

    V Elite Member

    Joined:
    May 18, 2012
    Messages:
    2,113
    Likes Received:
    2,543
    Occupation:
    Student
    Location:
    /tmp
    No, I am not using Hostgator. It's an offshore host. :)
    The nulled theme isn't the problem; I checked it before using it. Check it at a lot of places to be sure. I guess I didn't update WordPress on time.
    Hmmm, if that's what you think then I am glad that not everyone on the internet thinks like you. There are people who do things to help other people. Lol, yeah, I deserve to be hacked if you say so. :p And I guess you always pay for all the software you use on your PC, and if the answer is no then stfu and get lost. :)
     
  15. Gogol

    Gogol Elite Member

    Joined:
    Sep 10, 2010
    Messages:
    3,066
    Likes Received:
    2,872
    Gender:
    Male
    Check out my posts on this and implement them. You will never get hacked again.

    V1: http://www.blackhatworld.com/blackhat-seo/blogging/495526-guide-make-your-wordpress-blog-hackproof-complete-guide.html
    V2: http://www.tech5.net/make-wordpress-blog-hack-proof-v2/
     
  16. V

    V Elite Member

    Joined:
    May 18, 2012
    Messages:
    2,113
    Likes Received:
    2,543
    Occupation:
    Student
    Location:
    /tmp
    I already use most of the precautions, but not all. I will try to implement them now. Thanks for sharing, mate :) ;)
     
  17. MAC-11

    MAC-11 Junior Member

    Joined:
    Feb 3, 2012
    Messages:
    168
    Likes Received:
    96
    Occupation:
    marketing/ sales
    Location:
    Canada
    You are pretty much asking for your website to be hacked when you use a nulled theme.

    You can find a nulled version of every theme created... do you actually think people are taking the time to null them out of the goodness of their heart? Maybe, but more than likely, no, they are not.

    They insert malicious code and share the themes so people's sites get infected.

    Sure, there are some themes that are shared that are clean, but 90% are infected.

    You should immediately stop using nulled themes. Themes are not something you can run in a virtual machine or in a sandbox like you can with cracked or nulled software on your computer. Once you install a nulled theme, you are installing edited code with a potentially malicious script in it.

    And not to mention, the "nulling" process erases certain parts of the code and changes it, so that alone opens up security vulnerabilities that might not otherwise be in the theme.

    If you actually care about your site not being hacked again, the first step would be removing the theme.

    However, it's probably already too late to just "remove" the theme. If it was infected code, the only thing you can do is copy the posts and start fresh with a non-nulled theme.
     
  18. Alpha.

    Alpha. Power Member

    Joined:
    May 11, 2013
    Messages:
    505
    Likes Received:
    236
    Location:
    Europe... No Borders? No Worries!
    There was a great lengthy article somewhere a few weeks ago regarding the use of "free" premium themes (or nulled themes, as we call them). It shows that a HUGE amount of them had malicious code implemented: not just redirects and link-jacking stuff but creating new users with admin capabilities without listing them to you, basically giving away a key to your website to the coder.

    Can't find the article though. I'm sure some of you read it; I think I remember Matt Cutts posting it on Twitter?

    Anyway, what I'm trying to say is: DON'T USE NULLED THEMES (if you don't know & trust who nulled them).
     
  19. Macthetrix

    Macthetrix Regular Member

    Joined:
    Feb 21, 2013
    Messages:
    379
    Likes Received:
    390
    Occupation:
    The Boss
    Location:
    Silicon Valley
    Don't use admin as the username.
     
  20. MixerDJ

    MixerDJ Regular Member

    Joined:
    Nov 20, 2012
    Messages:
    374
    Likes Received:
    147
    I highly recommend you clear everything and reinstall WP, because hackers can backdoor any PHP file with code.

    Eg:

    I don't think any scanner will detect this small piece of code, so think about it and take some strong action. :)
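The two file-side concerns raised in this thread, a hand-edited theme or core file carrying a small backdoor that generic scanners miss (the post above) and a wp-config.php readable through a symlink from another account on a shared host (post #7), can both be checked with a short pattern scan of the document root. The script below is an added example and not code from the thread or from any of the linked guides. It walks a WordPress tree and reports eval() of decoded or obfuscated payloads, request parameters passed straight into eval()/assert() or a shell primitive, preg_replace() with the /e modifier, create_function(), variable functions called on request input, PHP files under wp-content/uploads (which should never contain PHP), and a world-readable wp-config.php. The tree it scans is constructed in a temporary directory, with one clean file, one hypothetical nulled-theme footer and one hypothetical dropped shell, so it runs offline. Findings are pointers for a human to open the file, not verdicts; a pattern list this short will never be complete, which is why the reinstall advice above stands.

```python
"""Scan a WordPress document root for backdoor indicators.

Added example, not code from the thread. Looks for what signature scanners
tend to miss once a theme or core file has been edited by hand, plus the
world-readable wp-config.php that a shared-host symlink read depends on.
The sample tree is constructed in a temp directory.
"""
import os
import re
import stat
import tempfile

PHP_EXT = (".php", ".phtml", ".php5")

# (compiled regex, reason). Loose on purpose: a match means "open this file".
INDICATORS = [
    (re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\("),
     "eval() of decoded/obfuscated payload"),
    (re.compile(rb"\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "request parameter passed straight to eval()/assert()"),
    (re.compile(rb"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "request parameter passed straight to a shell primitive"),
    (re.compile(rb"\bpreg_replace\s*\(\s*(['\"])[^'\"]*/[a-zA-Z]*e[a-zA-Z]*\1"),
     "preg_replace() with the /e (code execution) modifier"),
    (re.compile(rb"\bcreate_function\s*\("),
     "create_function() (runtime code generation)"),
    (re.compile(rb"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "variable function called with request input"),
]


def scan_file(path, rel):
    """Return (relative path, reason) for every indicator found in one PHP file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [(rel, reason) for rx, reason in INDICATORS if rx.search(data)]


def scan_tree(root):
    """Walk a WordPress root and collect all findings, sorted for stable output."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            is_php = name.lower().endswith(PHP_EXT)
            if is_php and rel.startswith("wp-content/uploads/"):
                findings.append((rel, "PHP file under wp-content/uploads"))
            if is_php:
                findings.extend(scan_file(path, rel))
            if rel == "wp-config.php" and os.stat(path).st_mode & stat.S_IROTH:
                findings.append((rel, "wp-config.php is world-readable"))
    return sorted(findings)


def build_sample_tree():
    """Constructed WordPress-like tree: one clean file, two hypothetical backdoors."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    files = {
        "wp-config.php":
            b"<?php define('DB_PASSWORD', 'example-not-real'); ?>",
        "wp-content/themes/nulled/functions.php":          # clean
            b"<?php add_action('wp_head', 'theme_head'); ?>",
        "wp-content/themes/nulled/footer.php":             # typical nulled-theme payload
            b"<?php eval(gzinflate(base64_decode('Y29uc3RydWN0ZWQ='))); ?>",
        "wp-content/uploads/2014/04/image.php":            # dropped shell, PHP in uploads
            b"<?php $f = $_GET['f']; $f($_GET['c']); ?>",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)   # the weak setting
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, reason in scan_tree(root):
        print(f"{rel}: {reason}")
    os.chmod(os.path.join(root, "wp-config.php"), 0o600)   # the corrected setting
    print("after chmod 600:", scan_tree(root)[:1])
```

Point scan_tree at the real document root (a copy taken before clean-up, so the attacker's edits are still in place) and compare any theme or core file it flags against a fresh download of the same version; on a shared host, wp-config.php at mode 600 owned by the site account is the minimum that makes the symlink read fail.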