
Wordpress Cpanel HACK. Websites Redirects, Need someone who can clean it

Discussion in 'Hire a Freelancer' started by T2tkid, Feb 5, 2017.

  1. T2tkid

    A client got his WordPress cPanel hacked and his host (Namecheap) cannot remove the infected files.
    Now, all the websites are redirecting to spamming websites.

    Please let me know if you can remove this and how much it will take. Also, let me know if there is a guide on how to remove it so I can give it a try.

    This is urgent.

    Thanks.
     
  2. virtualpurity

    Have you checked the cPanel for any redirects? Also check the .htaccess file and other files on the website for suspicious redirects.

    Check the php files as well and see if you notice some code added to most of them...
     
  3. davids355

    How many sites are there?
    It's probably code injected into .htaccess or index.php.
    But there may also be a weakness somewhere letting the hacker in.

    First thing is clean up, then update all WordPress installs and change passwords and then install Wordfence.

    Next step would definitely be moving to reseller hosting - then each site can be fully segregated from the other, so if one site does have a weak point then at least it won't affect the others.

    And if one site has weakness it may be that you have to back up the content from within WP then reload WP, reinstall themes and plugins and then re-import the content.
     
  4. T2tkid


    I don't have access to the cPanel. But I have asked the client for it. According to him, Namecheap did remove all the .bad files, but after a while, the sites start redirecting again.

    Am googling to see if anyone has faced this issue before and hope to find a solution. Is this a .htaccess problem? All the websites in the cPanel are redirecting.


    It is more than 4 websites perhaps. I will check the .htaccess when I have the logins.

    Thanks.

    Between, if anyone has done something like this before, please let me know.
     
  5. virtualpurity

    If it's coming back, then in most of the cases I have encountered the reason for the hack is a compromised plugin or a shell stored somewhere between the files.
     
  6. CyberHour

    cPanel itself cannot be hacked. Most likely redirection through plugin/.htaccess or other script.
     
  7. T2tkid

    Thanks guys for your input. I am still waiting to get access to the cPanel. But if Namecheap's in-house team cannot do it, am afraid I may not as well. I don't know sh*t about this.

    Just curious, if one of the sites is moved out of the cPanel, will it still affect it?
     
  8. T2tkid

    I have access to the cPanel now. I checked the websites and can't find anything in the .htaccess and .index.

    Here are some of them:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress




    # BEGIN W3TC Browser Cache
    <IfModule mod_deflate.c>
    <IfModule mod_headers.c>
    Header append Vary User-Agent env=!dont-vary
    </IfModule>
    AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
    <IfModule mod_mime.c>
    # DEFLATE by extension
    AddOutputFilter DEFLATE js css htm html xml
    </IfModule>
    </IfModule>
    # END W3TC Browser Cache
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress



    Am lost :( here.
     
  9. seoguy81

    It seems to be that the sites got affected because of some backdoor entry from a weak plugin, which is now affecting all the additional domains that are being hosted from the same account (domains pretty much become folders inside the root folder).

    Go to the online file manager and generally browse to see any suspicious files.
    Go to the MySQL DB and do a URL search for whichever site the hack is redirecting to. This will rule out any issue with DB writing.
    Because you don't know which of the 4 sites became the backdoor, you might have to go into the plugin folder for each and rename the plugins to something (ex: from plugin to 1-plugin).

    Namecheap's tech support is nothing great to talk about and in most cases you will find a solution googling for it rather than expecting NC tech ppl to answer.
    Good luck!
     
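The file checks suggested in the replies above (look through .htaccess and the PHP files of every site folder in the account, and look for a shell left among the files) can be run in one pass; the following is an added example, not code from the thread or from Namecheap. The function name `scan_webroot` and the patterns are assumptions: they are review heuristics for common redirect and backdoor shapes, not findings from this incident, and a hit means "read this file", not "this file is malicious".

```python
import os
import re

# .htaccess directives that send visitors elsewhere or pull in extra PHP code.
HTACCESS_RULES = [
    (re.compile(r"^\s*(RewriteRule|Redirect(Match|Permanent|Temp)?)\b.*\bhttps?://", re.I),
     "redirect to an absolute URL"),
    (re.compile(r"^\s*php_value\s+auto_(prepend|append)_file\b", re.I),
     "auto_prepend/append_file loads extra PHP on every request"),
]
# eval() wrapped directly around a decoder is a common shape of injected PHP.
PHP_OBFUSCATION = re.compile(
    rb"eval\s*\(\s*@?\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
UPLOADS = os.path.join("wp-content", "uploads")  # should hold media, not code


def scan_webroot(root):
    """Walk every site under root; return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == ".htaccess":
                with open(path, errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        for pattern, reason in HTACCESS_RULES:
                            if pattern.search(line):
                                findings.append((rel, f"line {lineno}: {reason}"))
            elif name.lower().endswith((".php", ".phtml")):
                if UPLOADS in rel:
                    findings.append((rel, "PHP file inside the uploads directory"))
                with open(path, "rb") as fh:
                    if PHP_OBFUSCATION.search(fh.read()):
                        findings.append((rel, "eval() of decoded data"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Pass the account's web root (the folder holding all add-on domains).
    for rel, reason in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {reason}")
```

The stock WordPress and W3TC blocks quoted earlier in the thread produce no findings, so a clean .htaccess with redirects still happening points the search at the PHP files and the database.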
  10. Spintent

    I would recommend also maybe talking to the people at Wordfence. They are very responsive and really know their stuff. I secure all of my sites with their plugin which has a free version and is regularly updated. I can definitely say first hand that they have really opened my eyes to the vital importance of website security and have saved my sites from a lot of brute force attacks.
     
  11. davids355

    Disable all plugins (temporarily), change WP login details. Then try again and see if the sites are still redirecting.

    Double check index.php as well, and you can also upload original index.php files from WordPress default files (back your custom ones up first of course).
    If you still can't stop it by doing that then it might be like I said that you need to export content from the sites and then reload everything using default WordPress install then manual plugin and theme install then restoring content over the top.

    I would happily do this for you but it's probably a good couple of hours per site.
     
  12. seoguy81

    Off topic, and don't mean to derail the thread, but wanted to get your quick opinion in comparing Wordfence to Jetpack which itself has some in-built safety nets in place?
     
  13. NoirHat

    Wordfence is excellent.
    I also have the Exploit Scanner plugin.

    I went through all that hacking B.S. with Namecheap hosting also.
     
  14. davids355

    Never used Jetpack but I can vouch for Wordfence - I guess the key point is that it is a plugin dedicated to security (whereas you are saying Jetpack has some security features).
    I mainly use these features in Wordfence -
    User login limits - you can lock people out if they try too many times unsuccessfully to log in.
    You can lock people out if they use a certain username - for example I always avoid using admin for WP, then I auto lock out any IP that tries to sign in with admin :)
    You can limit requests per second for the entire site from devices with end user type agents.
    You can block by country.
    You can monitor live traffic / threats etc.
    You can perform regular scans on your files and your frontend site.
    You can scan plugins and themes against repository for unauthorised changes.
    etc.
    It's a pretty decent plugin!!
     
  15. T2tkid

    Update: Couldn't get a developer to do it, and NC tech guys were able to fix it.
    Thanks for your contributions. Appreciated.
     
  16. seoguy81

    So what was the issue?
     
  17. Maverick SEO

    .htaccess is the place to look for sneaky codes.
     
  18. T2tkid

    According to Namecheap, it was a backdoor entry, probably from an outdated plugin/theme. All the themes were removed, the plugin deactivated and updated.
     
  19. Hambone Oblivion

    Plugins will end up haunting you if not updated and maintained. Glad that the issue is now fixed. Any more details as to where the redirecting was happening and why it kept rewriting?
     
  20. T2tkid

    No idea. What I found out when I got access to the cpanel/wp-admin was that all the plugins have not been updated for months, including the themes :(