Backdoor site hack, how to fix?

I had to clean all muy websotes with plugins Wordfence and Anti-Malware and Brute-Force Security by ELI, both plugins are neede to get rid of the infection. It is time consuming, buy worth it.

As all my websites use this plugins, it took like almost three days to complete the task (rechecked and scan everything twice).

I did a dowmgrade to version 4.3.72 to keep using the plugin. The only change I made was those suggested for 3.5+ compatibility. Beides that, now the websotes are fine.

I hope this helps.

Regards

Carlos

Thank you for your response!

I did scan with Wordfence & Anti-malware and Brute-Force security.

I already deleted the infected files, so both plugins couldn’t find any malware.

But my website isn’t like it was before the attack.

Please take a look at: https://www.fitnesswayoflife.nl and see the results.

I can’t get the footer working anymore and I have errors all over my website.

What can I do? I’ve installed the file from the backup from a week ago.

Thank you so much!

In the meantime I installed a new installation of wordpress and used the existing database.

But I still have some strange problems:
See: https://www.fitnesswayoflife.nl

– The images in the directory Uploads can’t be found on the website.
But when I download an image with ftp, I can see it without a problem.

– The text editor doesn’t work. Only the html works.
The wysiwyg editor looks like a blank field.

Please help me out!
I’m struggeling with this for days now.

Do I need to repair my database as well?
How can I do that?

My site was hacked too –

Hello,

We have received a report regarding malicious files located on your account. After investigating this report, we found that an improperly secured file upload script on the account was exploited and used to upload malware. This script does not properly verify uploaded file types and/or content prior to saving the file. We have removed all of the malicious content from the account. We recommend updating this script to the latest version which may include security updates designed to prevent this type of abuse. If you have any questions, or if anything is not working properly, please let us know.

Please keep in mind that it is your responsibility to ensure the security of your account(s). If we detect another account compromise or you request for us to scan the account for malware within 6 months of this notification, we reserve the right to assess an Account Cleanup fee before performing any scans or removing malware from the account. In cases where a 3rd party reports malicious content or actions to us, we also reserve the right to disable the site to protect the integrity of our network.

The abused file below appears to have been removed. Please ensure this is not re-activated or uploaded unless it is an up to date and secured version.
/home4/ionscorp/public_html/wp-content/plugins/wp-special-textboxes/stb-uploader.php

Apache logs:
78.85.226.26 – – [08/Oct/2014:14:56:01 -0500] “POST //wp-content/plugins/wp-special-textboxes/stb-uploader.php HTTP/1.1” 200 9 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
62.76.187.163 – – [09/Oct/2014:16:58:40 -0500] “POST /wp-content/plugins/wp-special-textboxes/lib/404.php HTTP/1.1” 200 62343 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0”
62.76.187.163 – – [09/Oct/2014:16:58:43 -0500] “POST /wp-content/plugins/index.php HTTP/1.1” 200 17 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0”

@djfryslan the following (auto translated) text explains the issue.
In SHort: Check your .htaccess – files and delete the plugin directory
I also had to reset the permalinks-settings

[Source: https://plus.google.com/+OleAlbers/posts/8NjCKKGkZgB%5D

* This WordPress plugin “Special Text Boxes” was hacked! *

Theoretically it is also possible that the authors have even introduced, but I will ever run out of the good in people …

* Symptoms: *
First of all, you realize actually in the normal browser nothing of the attack. It will be in the background but all htaccess accessible from the WordPress Installation – files manipulated. This will include a redirect, which is only visible when using a mobile device (smartphone, tablet).

* As it fell on? *
Mir is noticed because my htaccess files suddenly change a date from 14.10. had. I then scoured all directories, if other files are affected for these “date”. Find anything I am then in the directory _ “wp-content / plugins / wp-special-text-boxes” _
In this directory are for me two zip files. One contains a 404.php, which served a clear to allow the file download, the other two php files where the code is clear to find modify the htaccess file.

* Credit: *
Two zip files in the directory of the plug-ins. In my case the file name “bil.zip” and “lib.zip” were, but I can imagine that the file names are possibly generated randomly.

* How to get rid of? *
Check ALL htaccess files for the following items:
% {HTTP_USER_AGENT} _RewriteCond android | AvantGO | BA_ …
Overall, are the five lines, which then point to a spam site. For me it was luxury [something] com [url changed, will not also still advertise], but of course this can be dynamic.

Is there a htaccess exclusively from these lines, delete the files. If the content is extensive, remove only those rows. They are always at the top of the file.

Following the plugin DELETE. And completely not clear away the code.

* The good news *
I was reasonably happy that no one had cracked my password, but “only” a plugin has changed a few files. (The code is relatively easy to analyze, much more happened not there)

* The bad news *
The modification allows to download and execute arbitrary theoretically ANY file. It is probably only a matter of time, make up infected more installations to redirect than a few website hits. So quick get away with the crap!

* The moral of the story *
Automatic updates are not always a security feature ….; (

[Update]
* Check *
I have written a small PHP script that checks whether the system is affected (yet). Simply as “detect.php” Run directly in the plugin folder. Once a call, then delete it if everything is OK is.

https://pastebin.com/WMQjB7bY

The file named “stb-uploader.php” was removed from the latest version of the plugin almost a month ago.

It is important that you keep your plugins up-to-date and always run their latest versions.

That’s a bit ironic, because the backdoor came through an update. Currently my advice would be do DISABLE automatic updates and wait at least a few days to check whether the update has a trojan inside.

And the last post was “almost a month ago” (and just one day after the malicous version came out)