Wordpress site repeatedly getting hacked

Discussion in 'Black Hat SEO' started by seoguy81, Jun 26, 2017.

  1. seoguy81

    seoguy81 Senior Member

    Joined:
    May 18, 2011
    Messages:
    1,014
    Likes Received:
    252
    Occupation:
    Donkey balls
    Hi Guys, I hope someone technical can advise me here.

    I have hosting with siteground and over the past year, my WP site is getting repeatedly hacked. SG doesn't help much (I even got their sitescanner, which is an absolute waste).

    Tech told me to install Sucuri. Did that, but it doesn't catch a thing.
    I'm currently using wordfence, but need to run a scan almost every day to remove infected files.

    How the site is getting hacked:

    I notice a folder called Invoice-CKNQZ-341-908719 being created (the letters keep changing every now and then). In the folder, there is an index.php file with of course a bunch of gibberish.

    This is how the code starts out:

    Code:
    error_reporting(0); set_time_limit(0); ini_set('max_execution_time', 0); ini_set('memory_limit', -1);
    class B { private function sp5d74c5($sp8f568e) blah blah
    What I've done:
    1. Used a clean WP theme from the wordpress.org repository
    2. Plugins I use are: Yoast/Disqus/GoCodes/Google Captcha/Insert post ads/jetpack/Ninjaforms/quforms/same category post/Addthis/WP google search
    For the login, the administrator login is a custom name and the "admin" is already registered as a subscriber.

    Not sure what else to do. Please help!!
     
  2. soccerlover

    soccerlover Jr. VIP Jr. VIP

    Joined:
    Jun 12, 2014
    Messages:
    3,350
    Likes Received:
    1,740
    Gender:
    Male
    Occupation:
    Seo Analyst :D
    Location:
    ♥♥♥ BHW ♥♥♥
    Please check the permissions for your UPLOADS folder.
    In addition, also check the .htaccess file; it may also have intrusion code ;) and check whether a .sh file is there or not. Maybe some shell script is getting executed.
     
  3. Darmor

    Darmor Newbie

    Joined:
    Jun 25, 2017
    Messages:
    25
    Likes Received:
    12
    Gender:
    Male
    I'm going to be honest with you, cleaning a hacked server is nearly impossible to do. If you went down once, you will go down repeatedly until you do a fresh install on a fresh VPS and migrate your data.

    Based on the responses you got from their support, they obviously suck and are completely clueless, so changing your provider is a good decision if you're using their managed services.

    As for how they are getting in? Many, many ways, from your hoster being hacked, to some of their servers being hacked either remotely or using privilege escalation in a shared environment, to a vulnerable WP plugin / version, all the way down to one of the devices you're using to log in and manage the site being infected with a trojan.
     
  4. malayguru

    malayguru Regular Member

    Joined:
    Oct 29, 2012
    Messages:
    362
    Likes Received:
    57
    Gender:
    Male
    Occupation:
    Entrepreneur
    Location:
    Singapore
    Change all your server login and FTP passwords, and change your admin account password.
    Did you access FTP via Filezilla? Don't save passwords in Filezilla; I was once hacked because of Filezilla.
    They store passwords in text form, which sux big time. No encryption.
     
  5. seoguy81
    Thanks buddy. Checked .htaccess; there is no intrusion code there.
    The uploads folder has permissions 0755.
    There are no .sh files either.
     
  6. Darmor
    If your PC / Laptop is infected with something that can read files on your hard-drive, FileZilla storing passwords in plaintext is the least of your problems.
     
  7. seoguy81
    Did that too. Changed all passwords (cpanel, sql db).
    I do use Filezilla, but is the password that vulnerable???

    I use filezilla for other WP sites too (hosted with Namecheap and other hosts). All those sites are working fine.
     
  8. seoguy81
    Thanks, yes I will be moving out from them considering that they have no clue.
    I noticed the site getting hacked after I got automated emails from SG that my resource usage was high. They gave vague responses and nothing concrete. It was only after I checked my files folder by folder (and using wordfence) that I found this was some kind of backdoor entry.

    Between my first post and now, another of those 'Invoice-CKNQZ-341-908719' folders was created.
     
  9. malayguru
    You never know. I'm using Windows, it's pretty vulnerable I'd say. Learn some hacking:
    any hacker could penetrate Windows easily and read your text files, so just always be on the safe side ;)

    Don't save your FTP password in Filezilla; instead only save the host, username and port details.
     
  10. KHer0

    KHer0 Supreme Member

    Joined:
    Mar 22, 2011
    Messages:
    1,343
    Likes Received:
    1,226
    Occupation:
    Architect
    No plugin can help you. Here is what happened: your website was hacked cuz of some vulnerability. Then the hacker uploaded a payload (small code) which can be anywhere. In your theme files, a new folder, the upload directory, the main directory, cron jobs, it doesn't matter. This code runs at a set interval and checks if the payload is installed. If it's not there, it creates a new one.

    Now, here is what you are going to do :-

    1 - Go to cron jobs in your cPanel and check if there are any jobs installed. If there are, then your whole hosting is hacked and you need to remove this cron and change your cPanel password.

    2 - Remove the whole website directory and get a fresh install of wordpress, theme, plugins, everything.

    3 - If you are using a nulled version of anything, then don't reupload the one you have on your PC. Get a fresh one from either null-24 or theme24x7. Those are the only trusted websites for nulled stuff.

    4 - Your content should be in your database, so you shouldn't lose any by removing your wordpress directory.

    5 - The malicious code might be in your DB but I really doubt it. Anyway, check your database tables called users and usermeta. Check if there are any admin accounts installed there other than yours and delete them.

    6 - If you install a new wordpress website, you will lose the content. If your website is small, then great, save them in Word and re-write them after the installation of clean wordpress with a clean database.

    7 - However, if your website has a lot of content, then you're going to need to use the old database. Check YouTube and Google to know how. Clean the database users and usermeta tables like I told you, cron jobs, fresh install of wordpress with the old database should get your content back.

    If you don't understand anything from what I am saying then don't do it on your own. You will make it worse. Hire a professional. If the website is making you money, then hire the Sucuri team, they are the best in the world and will get everything sorted.

    Good luck :)

    PS : your hosting sucks, change them as soon as possible
     
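As an added example (not code from this thread), the step-5 check above carried out in Python over constructed wp_users / wp_usermeta rows: it decodes the PHP-serialized capabilities value and reports every administrator login that is not in the list you expect. The wp_ table prefix, the sample rows and the expected login are assumptions; real rows would come from a `SELECT` over the two tables.

```python
import re
from typing import Iterable, List, Set, Tuple

# Constructed rows shaped like `SELECT ID, user_login, user_email FROM wp_users`
# and `SELECT user_id, meta_key, meta_value FROM wp_usermeta WHERE meta_key LIKE '%capabilities'`.
# The wp_ prefix is an assumption; a custom prefix changes the meta_key as well.
SAMPLE_USERS = [
    (1, "siteowner", "owner@example.com"),
    (2, "admin", "admin@example.com"),          # the deliberately registered subscriber
    (7, "wp_support", "support@example.net"),   # constructed rogue account
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (7, "wp_capabilities", 'a:2:{s:13:"administrator";b:1;s:6:"editor";b:1;}'),
]

# Matches one enabled role inside a PHP-serialized array: s:<len>:"<role>";b:1;
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_serialized(value: str) -> List[str]:
    """Return the role names that are switched on (b:1) in a wp_capabilities value."""
    return ROLE_RE.findall(value)


def find_unexpected_admins(
    users: Iterable[Tuple[int, str, str]],
    usermeta: Iterable[Tuple[int, str, str]],
    expected_admin_logins: Set[str],
) -> List[Tuple[int, str, str]]:
    """Return (ID, login, email) for every administrator not in expected_admin_logins."""
    admin_ids = {
        user_id
        for user_id, key, value in usermeta
        # endswith() keeps this working for any table prefix (wp_, wpx1_, ...)
        if key.endswith("capabilities") and "administrator" in roles_from_serialized(value)
    }
    return [
        (uid, login, email)
        for uid, login, email in users
        if uid in admin_ids and login not in expected_admin_logins
    ]


if __name__ == "__main__":
    for row in find_unexpected_admins(SAMPLE_USERS, SAMPLE_USERMETA, {"siteowner"}):
        print("unexpected administrator:", row)
```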
  11. seoguy81
    Guys... is there some log I can access on cpanel which shows me all activity??
     
  12. Darmor
    - Windows is extremely difficult to penetrate remotely, and if you're behind a NAT router (which almost everyone is these days), the only way you're ever getting penetrated is by opening an exe, pdf, doc, xls you cannot trust, or running Java Applets / Flash in your browser on websites you cannot trust.
    - The moment you are in a position where your files are being read is the same moment you're victim to a keylogger that reads your keystrokes (so typing in your password manually is no protection), and your clipboard is being read too, so when you copy/paste something, it's being added to the log sent to the hacker.
    - The open-source password manager KeePass (and its derivatives like KeePassX) goes to great lengths to encrypt both its files and even memory, and there are still known vectors against it considering the attacker is capable of reading files/memory on your PC :)
     
  13. seoguy81
  14. Count Dracula

    Count Dracula BANNED BANNED

    Joined:
    May 9, 2017
    Messages:
    96
    Likes Received:
    49
    Gender:
    Male
    They left a backdoor, that's why you'll need another hacker or security specialist to find it.
     
  15. starki

    starki Power Member

    Joined:
    Jul 17, 2012
    Messages:
    709
    Likes Received:
    235
    What soccerlover said, additionally I'd change the FTP login in case someone got access via your computer instead of the site itself. Some FTP clients save username/password as a plain text file!

    As far as the theme is concerned: Just because it is in the repository doesn't mean it's following the Codex regarding security. Automattic doesn't screen third party themes in the repository for vulnerabilities. Although it's not the most likely way they got in, there is no guarantee that it's not the theme. Same goes for the plugins; as far as I see you are using pretty popular standard stuff only, but I wouldn't want to vouch for the security of any third party plugin.
     
  16. KHer0
    Yup, this is the payload, but you need to find the backdoor cuz it's useless to delete this without deleting the backdoor that creates it.

    Here is a pretty fast workaround till you find the backdoor. Instead of deleting the file, empty it. 99% of scripts check if the file exists and don't check its content. So, by deleting the file content, the script won't create a new payload and the hacker won't be able to use this one.

    So, empty the file content and refresh, wait a while and check if a new file is created. If not, then now you have some time to find the backdoor before the hacker notices he can't use the payload anymore.
     
  17. Darmor
    The script is doing MD5 hash checks :)
     
  18. seoguy81
    Thank you for the recommendation guys. Just changed SQL DB/SQL USER name and Pwd and updated the wp-config files.
    There were also some old emails/users who had guest posting. So changed all of those emails and generated new passwords again.
    @KHer0 I will see if that folder is created once again and this time will delete the contents and keep it as is.
    Siteground as always is useless (and they claim to be experts in WP). They want to upsell the $199 sucuri program. Should've guessed!!

    Will report back shortly on whether the above changes have helped or not.
     
  19. KHer0
    To tell you the truth, I didn't bother decoding it :D

    Been on PC for too long and don't have the power to read codes.
     
  20. KHer0
    Won't help, they check the MD5 of the file. You need to find the backdoor.

    Did you check cron jobs? Search for any .sh file? Check your .htaccess? Delete the themes and plugins folders, fresh install them, and check the upload folder for any file with any extension other than .jpg.
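As an added example, not code from this thread: a Python scan for the two things this post and the earlier ones call out, files under wp-content/uploads that are not plain images (a PHP-style suffix anywhere in the name is flagged, so a double extension is caught) and dropper folders matching the Invoice-XXXXX-NNN-NNNNNN shape from the first post, recording the MD5 of each index.php so a re-created copy can be compared against it. The extension allowlist, the folder regex, and the sample tree it builds in a temporary directory are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed allowlist of what an uploads tree normally holds; extend it per site.
ALLOWED_UPLOAD_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf"}
# Suffixes a web server may execute; checked against every suffix so "x.jpg.php" is caught.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}
# Shape of the dropper folder named in the thread (Invoice-CKNQZ-341-908719); an assumption.
DROPPER_DIR_RE = re.compile(r"^Invoice-[A-Z]{5}-\d{3}-\d{6}$")


def suspicious_upload(path: Path) -> bool:
    """True if the file is executable-looking or not on the image/document allowlist."""
    if {s.lower() for s in path.suffixes} & EXECUTABLE_SUFFIXES:
        return True
    return path.suffix.lower() not in ALLOWED_UPLOAD_SUFFIXES


def scan_site(root: str) -> Dict[str, List[str]]:
    """Return relative paths of suspicious upload files and of dropper-style folders."""
    root_path = Path(root)
    findings: Dict[str, List[str]] = {"uploads": [], "dropper_dirs": []}
    uploads = root_path / "wp-content" / "uploads"
    for p in (uploads.rglob("*") if uploads.is_dir() else []):
        if p.is_file() and suspicious_upload(p):
            findings["uploads"].append(p.relative_to(root_path).as_posix())
    for d in root_path.rglob("*"):
        if d.is_dir() and DROPPER_DIR_RE.match(d.name):
            index = d / "index.php"
            digest = hashlib.md5(index.read_bytes()).hexdigest() if index.is_file() else "-"
            findings["dropper_dirs"].append(f"{d.relative_to(root_path).as_posix()} md5={digest}")
    return {k: sorted(v) for k, v in findings.items()}


def build_sample_site() -> str:
    """Constructed docroot for a stand-alone run; the placeholder files are not real malware."""
    root = tempfile.mkdtemp()
    files = {
        "wp-content/uploads/2017/06/photo.jpg": b"\xff\xd8\xff",
        "wp-content/uploads/2017/06/photo.jpg.php": b"<?php // constructed placeholder",
        "wp-content/uploads/2017/06/notes.txt": b"plain text",
        "Invoice-ABCDE-123-456789/index.php": b"<?php // constructed placeholder",
        "index.php": b"<?php // normal front controller",
    }
    for rel, data in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(data)
    return root


if __name__ == "__main__":
    for kind, items in scan_site(build_sample_site()).items():
        print(kind, items)
```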