My website was hacked

Today I came to know that my WordPress blog was hacked. And not just one but all three which are on the same VPS. It got hit with the "Japanese SEO hack", which seems to be quite common. The hack works like this: when you visit your website, you will not notice anything, as all pages will appear normal. But when you look at Google Search Console, you will start to see errors and pages that don't exist.

Basically, it shows the normal website when visited by a user. But when the Google bot visits, it shows a Japanese website.

What I find surprising is that all tutorials and articles about it are generic ones where they say check your files, clean them, take a backup, bla bla bla. I thought, the hack being common, someone must have laid out exact steps to get rid of it.

I checked the VPS auth.log but found nothing suspicious. I think they found some exploit in a WordPress file like improper file permissions or some buggy plugin. And since all three sites use the www-data user, they were able to hit all of them. Or maybe they actually got access to the VPS... in which case... where do I check? Everything seems to be normal.

Found two PHP files which contain hacked code. Stopped php-fpm and nginx, then deleted one of them as it was not part of WordPress and replaced the other one with the original, but after restarting php-fpm and nginx, both files came back. Looks like the code is also present somewhere else.

Also checked the database but found nothing suspicious. Or maybe because I just skimmed through it, as it is difficult to go through all the lines in the database in Notepad++ since it is huge.
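A small check for the user-agent cloaking the post describes, added here as an example and not part of the original thread: it fetches the same URL as a browser and as Googlebot and compares the two copies for a title change and for a Japanese-script body. The sample HTML is constructed, and the fetch helpers are only there to run it against your own site.

```python
import re
import urllib.request
from html import unescape

# Public Googlebot UA string and a generic browser UA for the two fetches.
UA_BROWSER = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
UA_GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Hiragana, Katakana and CJK ideographs: an English blog should contain almost none.
JAPANESE_RE = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)

def japanese_ratio(html: str) -> float:
    """Fraction of non-whitespace text characters that are Japanese/CJK."""
    text = re.sub(r"<[^>]+>", " ", html)  # crude tag strip, good enough here
    chars = [c for c in text if not c.isspace()]
    if not chars:
        return 0.0
    return sum(1 for c in chars if JAPANESE_RE.match(c)) / len(chars)

def page_title(html: str) -> str:
    m = TITLE_RE.search(html)
    return unescape(m.group(1)).strip() if m else ""

def compare_responses(browser_html: str, bot_html: str) -> dict:
    """Indicators that the crawler was served a different page than a browser."""
    r_browser, r_bot = japanese_ratio(browser_html), japanese_ratio(bot_html)
    return {
        "title_differs": page_title(browser_html) != page_title(bot_html),
        "browser_japanese_ratio": round(r_browser, 3),
        "bot_japanese_ratio": round(r_bot, 3),
        # Bot copy mostly Japanese while the browser copy is not: classic cloaking.
        "cloaked": r_bot > 0.3 and r_browser < 0.05,
    }

def fetch(url: str, user_agent: str) -> str:
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_site(url: str) -> dict:
    # Fetch the same URL as a browser and as Googlebot, then compare the two.
    return compare_responses(fetch(url, UA_BROWSER), fetch(url, UA_GOOGLEBOT))

# Constructed sample responses standing in for the two fetches.
SAMPLE_BROWSER = "<html><head><title>My Blog</title></head><body><p>Hello, welcome to my blog.</p></body></html>"
SAMPLE_BOT = "<html><head><title>日本語のサンプル</title></head><body><p>これは日本語のサンプルページです。</p></body></html>"

if __name__ == "__main__":
    print(compare_responses(SAMPLE_BROWSER, SAMPLE_BOT))  # expect cloaked: True
```

Some cloaking keys on the crawler's source IP rather than its User-Agent, so a clean result here is not proof; the URL Inspection tool in Search Console, which fetches as the real Googlebot, is the authoritative view.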

Comments

  • Levi Member

    So, you have Wordpress with massive collection of un-audited plugins. Please hire competent security audit firm and/or person to help you with your sores.

    Thanked by 1PineappleM
  • alilet Member

    No, I don't use many plugins. Plus, they are all updated. One of the sites is more than 2 years old and the other one is 2 months old. The last one is 4 days old; I just created it and installed some plugins, but the website is not in use yet as I haven't written any posts.

  • ahnlak Member

    @alilet said:
    No, I don't use many plugins. Plus, they are all updated. One of the sites is more than 2 years old and the other one is 2 months old. The last one is 4 days old; I just created it and installed some plugins, but the website is not in use yet as I haven't written any posts.

    It's still most likely to be a vulnerability in one of those plugins; WP Core is (relatively) secure (unless you've set your admin password to password1, of course)

    Rather than trying to spot files with "hacked code", you'd be better off with a clean WP install and audit your plugins carefully.

  • kasodk Barred

    Are you using a control panel or is it a manual server installation?

  • alilet Member

    Installed Debian 11 using template by provider. Rest of the installation, nginx, mariadb, ufw etc. was done manually.

  • kait Member

    @LTniger said: So, you have Wordpress with massive collection of un-audited plugins. Please hire competent security audit firm and/or person to help you with your sores.

    Better suggestion would be not to use Wordpress, it has so many holes (especially the plugins)

  • alilet Member

    Installed WordFence and ran a scan and it found 285 infected files.

  • kasodk Barred

    It would be a good idea to use a control panel such as cloudpanel.io
    It adds some security, and you can isolate your websites with it.
    As somebody else wrote, it is a good idea to back up your database and make a fresh installation of WordPress and the plugins.
    And use Wordfence or another security plugin.

    Thanked by 1sgno1
  • alilet Member

    How do I delete .htaccess files from all folders and subfolders of current directory?

    Tried the following and none of them worked. It does print on screen the name of .htaccess file but doesn't delete it.

    find . -type f -name ".htaccess" -exec echo rm {} \;

    sudo find . -type f -name ".htaccess" -exec echo sudo rm {} \;

    sudo find . -type f -name ".htaccess" -exec sudo echo rm {} \;

  • fazar Member
    edited June 2023
    1. setup maldet scanning for newly modified or uploaded files.
    2. schedule daily PHP malware scan using 3rd party scripts/scanner.
    3. disable access to direct .php files (should be easy using nginx rule)
    Thanked by 1alilet
  • alilet Member

    As a first step, I deleted all malicious .htaccess files using:

    find . -name ".htaccess" -exec sudo rm -rf {} \;

  • Liso Member

    @alilet said:
    How do I delete .htaccess files from all folders and subfolders of current directory?

    Tried the following and none of them worked. It does print on screen the name of .htaccess file but doesn't delete it.

    find . -type f -name ".htaccess" -exec echo rm {} \;

    sudo find . -type f -name ".htaccess" -exec echo sudo rm {} \;

    sudo find . -type f -name ".htaccess" -exec sudo echo rm {} \;

    find . -type f -name ".htaccess" -exec rm -f {} +

  • fazar Member

    @alilet said:
    How do I delete .htaccess files from all folders and subfolders of current directory?

    Tried the following and none of them worked. It does print on screen the name of .htaccess file but doesn't delete it.

    find . -type f -name ".htaccess" -exec echo rm {} \;

    sudo find . -type f -name ".htaccess" -exec echo sudo rm {} \;

    sudo find . -type f -name ".htaccess" -exec sudo echo rm {} \;

    As far as I know, .htaccess is not supported by nginx, unless you use apache as backend and nginx as reverse proxy.

  • alilet Member
    edited June 2023

    @fazar said:

    @alilet said:
    How do I delete .htaccess files from all folders and subfolders of current directory?

    Tried the following and none of them worked. It does print on screen the name of .htaccess file but doesn't delete it.

    find . -type f -name ".htaccess" -exec echo rm {} \;

    sudo find . -type f -name ".htaccess" -exec echo sudo rm {} \;

    sudo find . -type f -name ".htaccess" -exec sudo echo rm {} \;

    As far as I know, .htaccess is not supported by nginx, unless you use apache as backend and nginx as reverse proxy.

    Yes, nginx doesn't support .htaccess, but the files were there so I deleted them all. Here's what I did:

    1. Stopped php-fpm and nginx
    2. Deleted all .htaccess files from all subfolders
    3. Deleted xit-3x.gif which was in images folder
    4. Replaced the following files with the originals
      index.php
      wp-includes/template-loader.php
      wp-includes/plugin.php
      wp-includes/general-template.php
      wp-includes/cron.php
      wp-includes/functions.php
    5. Did chmod 444 on these files. Previously it was 644
    6. Applied above steps on all 3 sites
    7. Restarted VPS.....boom.....everything is fine now! (but for how long.....this is what needs to be seen)

    I need to isolate all these sites though and see if there are other checks I can place.

  • You can install ImunifyAV, which is the free edition. However, please note that it does not remove the detected files automatically.

  • fazar Member

    wp-cli will come in handy. You can check WordPress core integrity. It also has the ability to force reinstall core, themes, or plugins from the official WordPress repository.

    If everything is okay, you'll need to wait for Google bots to finish their reindexing job :)

  • Arkas Moderator

    Hopefully you keep regular backups or snapshots. Compare the latest known good working site to the one that is hacked. All differences should be the infected files. Locate the culprit and when you revert, disable that plugin, or re-secure whatever was infected so it doesn't happen again.
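Arkas's suggestion of diffing the last known-good copy against the live site, and fazar's core-integrity check, as an added example that is not code from this thread: it hashes both trees, reports added, modified and removed files, and separately flags PHP under wp-content/uploads and stray .htaccess files on an nginx-only host. The good/live trees it builds are constructed, and the file names in them are placeholders.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# A WordPress docroot should never serve PHP from here; it is the classic drop location.
NO_PHP_DIRS = ("wp-content/uploads",)

def list_files(root: Path) -> list:
    """Relative paths of every regular file under root, with / separators."""
    return sorted(str(p.relative_to(root)).replace(os.sep, "/")
                  for p in root.rglob("*") if p.is_file())

def compare_trees(good: Path, live: Path) -> dict:
    """Diff a known-good copy (backup or snapshot) against the live docroot."""
    g = {rel: hashlib.sha256((good / rel).read_bytes()).hexdigest() for rel in list_files(good)}
    l = {rel: hashlib.sha256((live / rel).read_bytes()).hexdigest() for rel in list_files(live)}
    return {
        "added": sorted(set(l) - set(g)),
        "removed": sorted(set(g) - set(l)),
        "modified": sorted(rel for rel in set(g) & set(l) if g[rel] != l[rel]),
    }

def suspicious_files(live: Path) -> list:
    """Checks that need no backup: PHP under uploads, and .htaccess files, which an
    nginx-only host never reads and therefore has no reason to contain."""
    hits = []
    for rel in list_files(live):
        if rel.endswith(".php") and rel.startswith(NO_PHP_DIRS):
            hits.append(rel)
        elif rel.rsplit("/", 1)[-1] == ".htaccess":
            hits.append(rel)
    return hits

def demo() -> dict:
    """Build a constructed good/live pair with a simulated infection and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "good"), Path(tmp, "live")
        for root in (good, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-content/uploads").mkdir(parents=True)
            (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
            (root / "wp-includes/plugin.php").write_text("<?php // original\n")
        # Simulated infection: one core file altered, one PHP file dropped, one .htaccess.
        (live / "wp-includes/plugin.php").write_text("<?php // original\n// injected\n")
        (live / "wp-content/uploads/dropped.php").write_text("<?php // not WordPress\n")
        (live / ".htaccess").write_text("RewriteEngine On\n")
        return {"diff": compare_trees(good, live), "suspicious": suspicious_files(live)}

if __name__ == "__main__":
    print(demo())
```

Run compare_trees against a docroot restored from the backup and the live one; anything under "added" or "modified" is the list to inspect, and a modified core file is what wp-cli's core reinstall replaces.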

  • TimRoo Member

    @kait said:

    @LTniger said: So, you have Wordpress with massive collection of un-audited plugins. Please hire competent security audit firm and/or person to help you with your sores.

    Better suggestion would be not to use Wordpress, it has so many holes (especially the plugins)

    As I've said before, people who host WordPress - and all its flaws - absolutely have to be security experts obsessed with updates. It generally attracts the opposite.

    Not saying that's you OP, but that's just the reality of using WP.

    Thanked by 1kait
  • rcy026 Member

    Wordpress plugin.
    Not that Wordpress is perfect but one should keep in mind that most of the bugs are actually not in Wordpress itself. They have like 60.000 third party plugins available, naturally there will be bugs in some of them.

    Wordpress gets a lot of shit, and yes, sometimes it deserves it. But then again I've seen Wordpress sites with 100k visitors per day run for decades without ever being hacked, so clearly it's not just Wordpress.

    Thanked by 1ahnlak
  • emgh Member

    No, the issue is plugins, themes & shared access

    Set up a WP site on a separate user, install 0 plugins, and enable auto updates, and it won't be hacked

    Have 30 plugins with some not updated for a year, 3 inactive old shitty themes and share the same www-user for each, and yes, they'll obviously end up getting hacked

    All it takes is ONE bad plugin on ONE site and then it's spread to every site you got and missing just 1 file when cleaning could mean it's now spreading once again

    Keeping WP updated and minimal is important

    But even more important is fully separating websites

  • alilet Member

    It has been more than an hour since I fixed files and all websites are working fine. Will definitely isolate websites. Plus, I have deleted a few plugins which were not in use.

  • I have been facing the same issue for the past few weeks and helped my clients fix them all. All keyword rankings are coming back now.

    After a long investigation, I found the main issue was caused by two Elementor addons. Some of them already had critical vulnerabilities reported by Sucuri back in May.

    Thanked by 1alilet
  • alilet Member

    I have isolated one of the sites and now no hacker in the world can hack it. Not even NSA, FBI, CIA, ISI, NASA!!

    Thanked by 1plumberg
  • davide Member

    Have you tried to power it off and on again?

  • rustelekom Member, Patron Provider

    WordPress is a popular CMS and will stay popular. It is mostly free, simple and provides many features even in the base setup.

    As with any other software, WP needs to be updated to the current version in a timely manner, as well as its plugins and templates.
    If you do not download plugins or templates from suspicious sites, update WP in a timely manner and use a strict password, then you will not have any problems with WP.

    Most likely your site was hacked by uploading malicious content. Therefore you may need to check your nginx or apache access logs for POST requests. Also you may need to check ftp and ssh logs. In most cases such a hack happens because the hacker uploads a shell script to the site and then uses it to complete his hack attempt. This is the most popular technique in automated hacking bots.
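The access-log check suggested above, as an added example that is not code from the thread: it parses nginx combined-format lines and reports POST requests to .php files that a stock WordPress install has no reason to receive. The set of expected POST endpoints is an assumption for a plain install (plugins add their own), and the log lines are constructed with RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# PHP endpoints a stock install legitimately receives POSTs on (assumption; extend for
# your plugins). Anything under /wp-admin/ is treated as the admin's own activity.
EXPECTED_POST_PATHS = {"/wp-login.php", "/wp-cron.php", "/xmlrpc.php", "/wp-comments-post.php"}

def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_odd_post(entry: dict) -> bool:
    """POST to a .php file that is neither a known endpoint nor an admin page."""
    if entry["method"] != "POST":
        return False
    path = entry["path"].split("?", 1)[0]
    return (path.endswith(".php") and path not in EXPECTED_POST_PATHS
            and not path.startswith("/wp-admin/"))

def odd_posts(lines) -> list:
    entries = (parse_line(line) for line in lines)
    return [e for e in entries if e and is_odd_post(e)]

def summarize(lines) -> dict:
    """Counts by path and by client IP, which is what you triage first."""
    hits = odd_posts(lines)
    return {
        "count": len(hits),
        "by_path": Counter(h["path"].split("?", 1)[0] for h in hits),
        "by_ip": Counter(h["ip"] for h in hits),
        # POSTs into uploads are the strongest signal: PHP should never execute there.
        "uploads_hits": [h["path"] for h in hits if h["path"].startswith("/wp-content/uploads/")],
    }

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jun/2023:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2023:10:02:30 +0000] "POST /wp-content/uploads/2023/06/dropped.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jun/2023:10:02:31 +0000] "POST /wp-content/plugins/some-plugin/ajax.php?a=1 HTTP/1.1" 200 44 "-" "python-requests/2.31"
203.0.113.5 - - [12/Jun/2023:10:05:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Feed it the real file with summarize(open("/var/log/nginx/access.log")); a POST into wp-content/uploads returning 200 is the line to start the timeline from, since the first request to a dropped file is usually right after the upload that created it.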

  • xespo Member
    edited July 2023

    Wordpress is garbage, and a huge security risk once you decide to start customizing it with skins and plugins. I've run websites for almost a decade and the only ones that would ever get hacked were the wordpress ones.

    Thanked by 1sgno1
  • risharde Patron Provider, Veteran

    I think the key here is being careful with Wordpress plugins and it's something most people have said for ages. However just giving someone advice to stay away from Wordpress when the core is usually fairly safe (I hope) is kind of like saying don't buy chicken if the condiments are spoilt.

  • xespo Member
    edited July 2023

    @risharde said:
    I think the key here is being careful with Wordpress plugins and it's something most people have said for ages. However just giving someone advice to stay away from Wordpress when the core is usually fairly safe (I hope) is kind of like saying don't buy chicken if the condiments are spoilt.

    People get hacked through third-party themes listed on their site as well. There's almost no point to WordPress if just using the default theme and no plugins.

    For a comparison, people do not get hacked through MediaWiki themes and plugins for the most part. Why? I don't care, but I know the results, and the results show using WordPress is exposing yourself to an enormous landscape of threats for little benefit. Maybe the best benefit of WordPress is its collaboration feature, but you can get that with better security with DokuWiki, MediaWiki or tons of other similar programs with almost no security risk.
