Fixing hacked wordpress

  • Hello everyone,

    I’m the guy hosting this website I have problems with, it was build in 2014 and I think it wasn’t updated since than ?? I just notice the idiot creating this website used a very simple password for mysql (I don’t think the website was hacked through mysql, but anyway .. he used “webserver” as the password)

    Now a few days ago I got an email from maldet software running in my server notifying me it deleted a few files (see bellow), I also seen the server queue was increase by a huge number of emails (the server limited this account from sending emails after reaching ~50 deffered emails) 

    FILE HIT LIST:
{HEX}php.generic.malware.441 : /home/laculv/public_html/wp-content/themes/wpnation/option-tree/includes/ot-functions-docs-page.php => /usr/local/maldetect/quarantine/ot-functions-docs-page.php.28541074
{HEX}php.generic.malware.441 : /home/laculv/public_html/wp-content/themes/twentytwelve/category.php => /usr/local/maldetect/quarantine/category.php.23919545
{HEX}php.generic.malware.440 : /home/laculv/public_html/wp-content/uploads/2013/mmwjklqe.php => /usr/local/maldetect/quarantine/mmwjklqe.php.266181249
{HEX}php.generic.malware.440 : /home/laculv/public_html/wp-content/uploads/2016/01/myhesxqe.php => /usr/local/maldetect/quarantine/myhesxqe.php.287985517
{HEX}php.generic.malware.440 : /home/laculv/public_html/wp-content/plugins/nation-booking/languages/zpgbcmyk.php => /usr/local/maldetect/quarantine/zpgbcmyk.php.694413817
{HEX}php.generic.malware.441 : /home/laculv/public_html/wp-content/plugins/contact-form-7-style/cf7-style-feed-box.php => /usr/local/maldetect/quarantine/cf7-style-feed-box.php.974326954
{HEX}php.generic.malware.440 : /home/laculv/public_html/wp-content/plugins/contact-form-7-style/images/kezbqbqc.php => /usr/local/maldetect/quarantine/kezbqbqc.php.2747219766
{HEX}php.generic.malware.440 : /home/laculv/public_html/wp-content/plugins/adminer/pocrxtru.php => /usr/local/maldetect/quarantine/pocrxtru.php.273676614
{HEX}php.generic.malware.441 : /home/laculv/public_html/wp-content/plugins/adminer/inc/plugins/version-noverify.php => /usr/local/maldetect/quarantine/version-noverify.php.2558219946
{HEX}php.generic.malware.441 : /home/laculv/public_html/wp-content/plugins/advanced-custom-fields/core/controllers/location.php => /usr/local/maldetect/quarantine/location.php.277533188

    The client is in a vacation and so far he couldn’t send me the admin password, I did what I could by other ways, like changing the cPanel password and check the files through FTP, I deleted a few files.

    What was curious for me, al the infected files seemed to have a created date now about 2 years ago, in 2015, for example /wp-content/themes/wpnation/languages/upgacubb.php

    This is a file that is still being accessed now, as I monitor the access.log, I’m curious how those robots find the random name files, as in Google cache there are no such files, also there are some links that don’t exists in google cache but are accessed constantly by googlebot , like “GET /dissertation-almanya-224-baron-mc-serdar HTTP/1.1” I will try to remove the link using Google Webmaster Tools, but I just setup the webmaster tools for this domain, and I don’t have any informations about google cache in there.

    173.254.28.13 - - [09/Oct/2017:10:19:02 +0300] "POST /wp-content/themes/wpnation/languages/upgacubb.php HTTP/1.0" 404 17174 
66.249.66.83 - - [09/Oct/2017:10:19:28 +0300] "GET /dissertation-almanya-224-baron-mc-serdar HTTP/1.1" 301 - "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +https://www.google.com/bot.html)"
66.249.66.154 - - [09/Oct/2017:10:19:28 +0300] "GET /dissertation-almanya-224-baron-mc-serdar HTTP/1.1" 404 31808 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +https://www.google.com/bot.html)"
188.165.199.98 - - [09/Oct/2017:10:20:12 +0300] "POST /wp-content/themes/wpnation/languages/upgacubb.php HTTP/1.0" 404 17206 
164.132.182.113 - - [09/Oct/2017:10:22:05 +0300] "POST /wp-content/themes/wpnation/languages/upgacubb.php HTTP/1.0" 404 17206 
185.182.56.16 - - [09/Oct/2017:10:22:36 +0300] "POST /wp-content/themes/wpnation/languages/upgacubb.php HTTP/1.0" 404 17174 
184.168.46.188 - - [09/Oct/2017:10:23:23 +0300] "POST /wp-content/themes/wpnation/languages/upgacubb.php HTTP/1.0" 404 17174 
123.57.30.19 - - [09/Oct/2017:10:26:10 +0300] "POST /wp-content/themes/wpnation/languages/upgacubb.php HTTP/1.0" 404 17174

    There ware also 2 important files (wp-config.php and wp-settings.php) that had injected code like this :

    [ redacted ]

    How to decode this string to see what actually it was including?

    If the wp-config file was altered, how safe is to still use the same values for those variables from now on?, should I change them, is there any procedure for changing those variables ?

    define('AUTH_KEY',);
define('SECURE_AUTH_KEY', );
define('LOGGED_IN_KEY', );
define('NONCE_KEY', );
define('AUTH_SALT', );
define('SECURE_AUTH_SALT', );
define('LOGGED_IN_SALT',);
define('NONCE_SALT'

    I modified the name of the wp-login file, I also wanted to modify the name of wp-admin folder, but after that the website is not loading anymore, it shows 500 Internal server error, and it seems on the homepage there is a link to a file located in wp-admin .. is this normal ? Or it’s because of the same idiot that build the website back in 2014 ?

    this is a part of the code in the HTML source of the homepage, should this file be included in the homepage source ?

    [ redacted ]

    Here are the errors in error log after changing the name of wp-admin folder, is this normal too, the website should not function if the name of the wp-admin folder is changed ?

    [09-Oct-2017 06:33:44 UTC] PHP Warning:  require_once(/home/laculv/public_html/wp-admin/includes/class-wp-list-table.php): failed to open stream: No such file or directory in /home/laculv/public_html/wp-content/plugins/wordpress-seo/wp-seo-main.php on line 55
[09-Oct-2017 06:33:44 UTC] PHP Fatal error:  require_once(): Failed opening required '/home/laculv/public_html/wp-admin/includes/class-wp-list-table.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/laculv/public_html/wp-content/plugins/wordpress-seo/wp-seo-main.php on line 55

    Thank you

    • This topic was modified 7 years, 5 months ago by sibianul.
    • This topic was modified 7 years, 5 months ago by sibianul.
    • This topic was modified 7 years, 5 months ago by Jan Dembowski.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Please do not post the actual malware code, it’s not necessary and I’ve redacted it. The important fact is that bad people were able to do that at all.

    It’s a old reply but still a good one: Please remain calm and carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    if the wp-config file was altered, how safe is to still use the same values for those variables from now on?, should I change them, is there any procedure for changing those variables ?

    I would change those constants as it can’t hurt. But be aware that the attacker was able to read and modify files. Updating that file without successfully delousing your site and hardening it just means you’ll be back here again. Please focus on the delousing parts for now.

    Thread Starter sibianul

    (@sibianul)

    Thank you for the links, what about requests from homepage, to files inside wp-admin ? Is that normal for a plugin to requests files inside the admin folder ?

    How to safely rename the wp-admin folder and still have the website working, without having any links to the new admin folder ?

    Adam

    (@adamlachut)

    @sibanul
    previously posted (and redacted) obfuscated code links to favicon_xxxxxx.ico file (xxxxxx may be semi-random), you may want to search your server for that kind of files
    of course, it’s not graphic file, just check the source

    yes, wp-admin\admin-ajax.php requests are ‘normal’
    no, in general, you can’t rename wp-admin

    additionally please notice that you need to check all domains/directories sharing this hosting account

    Thread Starter sibianul

    (@sibianul)

    The favicon was also deleted by maldet, I remember it was in icon file, I wasn’t curious to get the file out of quarantine to check if it really had malicious code.

    The idea with wp-admin came while reading another blog with suggestions regarding securing wordpress, that one was one of the suggestions, and also protecting the directory with an extra HTTP Auth password, but if you say it’s normal to have requests in the homepage, from wp-admin folder .. than this can’t be done

    Just an observation on this. File save or change dates can be faked in such a way that while the file may show 2015, the file(s) might have been uploaded last week.

    The easiest way to verify this is to look at an older backup to see if the file existed prior.

    • This reply was modified 7 years, 5 months ago by hackrepair.
Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Fixing hacked wordpress’ is closed to new replies.