1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Super urgent - website hacked?

Discussion in 'BlackHat Lounge' started by dgusic, May 24, 2015.

  1. dgusic

    dgusic Regular Member

    Joined:
    Feb 28, 2015
    Messages:
    328
    Likes Received:
    166
    Hello,

    can ANYONE that has any knowledge of security help me with my website as I believe I was hacked somehow. Thank you in advance!

    Best regards
     
  2. Repulsor

    Repulsor Power Member

    Joined:
    Jun 11, 2013
    Messages:
    772
    Likes Received:
    280
    Location:
    PHP Scripting ;)
    We cant help you unless you let us know what happened. What kind of help do you think we can do now, with just what you said?
     
  3. Gogol

    Gogol Jr. VIP Jr. VIP

    Joined:
    Sep 10, 2010
    Messages:
    3,478
    Likes Received:
    3,108
    Gender:
    Male
    I can help you out if you pay :)

    PM me the details.
     
  4. dgusic

    dgusic Regular Member

    Joined:
    Feb 28, 2015
    Messages:
    328
    Likes Received:
    166
    Kind of paranoid, sorry for not giving enough information. I got a suspicious number of login attempts (over 400) and now it says I live in Austria when I am trying to login. Checked it with some free secuity tools and it says that there is some problem with cloaking.

    There is a difference of 981 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that's trying to hide from browsers but make Google think there's something else on the page.
     
  5. The Scarlet Pimp

    The Scarlet Pimp Senior Member

    Joined:
    Apr 2, 2008
    Messages:
    884
    Likes Received:
    3,324
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
    was it a wp blog that was hacked? one of my biz partners was hacked and it was a blog.
     
  6. archon10

    archon10 BANNED BANNED

    Joined:
    Oct 10, 2011
    Messages:
    1,181
    Likes Received:
    8,223
    another wp site bites the dust
     
    • Thanks Thanks x 5
  7. fatboy

    fatboy Elite Member

    Joined:
    Aug 13, 2008
    Messages:
    1,618
    Likes Received:
    3,232
    Occupation:
    Retired
    Location:
    Old Peoples Home
    Where are you hosting this - on a shared host or on your own dedicated / VPS?
    If there is small amount of changes, try searching for .htaccess files that have some extra lines in that determine if you are a normal user or Google.

    If you want I can take a look in the next 30 minutes, after that its beer oclock!
     
  8. dragonnet

    dragonnet Registered Member

    Joined:
    Oct 1, 2010
    Messages:
    88
    Likes Received:
    32
    Gender:
    Male
    Cant blame it all on WP,it definitely got more "back-doors" then no-database,single page websites but if its done properly chances to get your WP hacked are the same as any other "website".If server get hacked,your password stolen or whateva there is no help whatever website-system you have obviously.And more likely the real danger will come from that side,not from WP super hacking or shit..these hacker guys have only few tricks in their sleeves and with some decent WP protection they will pick up their shit and go to the next website.

    I say if ur paranoid pay the buck and let the experts configure your WP and hosting.

    For example, search for "secure website" on fiverr,find some trusted seller with good reviews and youre good to go.
     
    Last edited: May 24, 2015
  9. archon10

    archon10 BANNED BANNED

    Joined:
    Oct 10, 2011
    Messages:
    1,181
    Likes Received:
    8,223
    The only thing someone at fiverr will do is install wordfence.

    Actually, WP is hacked more than other sites since people install random plugins and you can download plenty of scripts focused specifically on WP and plugins. Usually, the goal is to insert hacked links and content, and it's more efficient for hackers to focus on WP since it's common and most site owners don't update. Just download a script that hits WP's admin dashboard and you're done. Focusing on custom applications takes more time.
     
    • Thanks Thanks x 5
  10. The Scarlet Pimp

    The Scarlet Pimp Senior Member

    Joined:
    Apr 2, 2008
    Messages:
    884
    Likes Received:
    3,324
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
    you can also use htaccess to restrict access to your own wp admin page. :D
     
  11. dragonnet

    dragonnet Registered Member

    Joined:
    Oct 1, 2010
    Messages:
    88
    Likes Received:
    32
    Gender:
    Male
    I agree,people do install all sorts of plugins and do not update WP and thats painfully simple reasons why there are so many hack reports,its a popular platform and for sure a lot of people do and will get hacked.Its reasonable thing,my point is that it can be respectfully secure,but in the same time it can be a gaping hole if some newbie admin get plugin frenzy and open the doors for many injections.

    I just put fiverr as an example,i know you cant expect some NASA stuff for 5$ but i think they will at least update the WP,check some basic logs and as u said install/configure some free security plugin.
     
  12. dgusic

    dgusic Regular Member

    Joined:
    Feb 28, 2015
    Messages:
    328
    Likes Received:
    166
    Ah, false positive. My website was not hacked. I panicked because of the 500 login attempts to my website and because it said I am coming from Austria, but I live in Croatia.

    Also now I installed BruteForce attack thingy, limited login attemps and installed 2 step auth login from clef.

    If there is a living soul who would be kind enough to look at my FTP and .htaccess I would be eternally grateful. :) (for free, I am poor)
     
  13. MafiaBoss

    MafiaBoss Elite Member

    Joined:
    May 5, 2012
    Messages:
    1,519
    Likes Received:
    1,032
    Gender:
    Male
    Occupation:
    Currently Un-Occupied
    Location:
    In granny's Basement
    Home Page:
    it must be the recent Zero day vulnerability.
     
  14. HelloInsomnia

    HelloInsomnia Jr. Executive VIP Jr. VIP

    Joined:
    Mar 1, 2009
    Messages:
    1,828
    Likes Received:
    2,939
    If you think you're good now here are a few quick things you can do to make your Wordpress site 100x more secure:

    In order of importance:

    Don't use admin as a username
    Use a strong password 20+ characters, ideally even more and don't use this password anywhere else
    Change your Wordpress nicename so they can't find your username in the source code (Google it)
    Install WordFence and set it to block login attempts after 3 attempts and lock out the IP for 30+ minutes
    Set WordFence to notify you of updates and also update Wordpress automatically
    Remove any plugins/themes you are not 100% sure are clean
     
    • Thanks Thanks x 3
  15. dgusic

    dgusic Regular Member

    Joined:
    Feb 28, 2015
    Messages:
    328
    Likes Received:
    166
    You mean this? 15 char pls.
     
  16. dgusic

    dgusic Regular Member

    Joined:
    Feb 28, 2015
    Messages:
    328
    Likes Received:
    166
    Oh thanks for the suggestions. :)
    I have done everything but that nice name and I will do it now!
     
  17. Zwielicht

    Zwielicht Moderator Staff Member Moderator Jr. VIP

    Joined:
    Aug 31, 2013
    Messages:
    7,641
    Likes Received:
    13,783
    Gender:
    Male
    Occupation:
    Death
    Location:
    Riverside, California
    Home Page:
    Here's one more suggestion that will really help: use a plugin such as Rename wp-login.php to rename your wp-admin page to something else (this will result in users who do not know the login page's new URL to see a 404 error page).
     
  18. dgusic

    dgusic Regular Member

    Joined:
    Feb 28, 2015
    Messages:
    328
    Likes Received:
    166
    I wanted to install it, but it says it has not been updated some time. When I was reading about WP security I read that some attacks are done through older and unupdated plugins. But thanks for the suggestion. The site is now as secured as much as I can secure it.