Hacked again

  • Resolved lekjaz

    (@lekjaz)


    5 years, 8 months ago

    A tip from a customer revealed that the company website was hacked. I installed WordFence Wednesday evening, and so far it’s been really good so far and I’m very happy with it.

    Wednesday night’s 1st scan: a half-dozen infected files. All but one could be repaired within WF, and I manually edited the last file. I made sure WordPress, all themes, and all plugins are updated and removed all themes/plugins that are not being used.

    Yesterday I ran a few scans during the day and the site was still clean.

    This morning I scan and there are a bunch of new infected files (all repaired). How were they able to get through again? What can I do besides scan multiple times per day? The firewall is still in “learning mode” until 4/3. Is that my problem?

    • This topic was modified 5 years, 8 months ago by lekjaz.
    • This topic was modified 5 years, 8 months ago by lekjaz.

    The page I need help with: [log in to see the link]

Viewing 6 replies - 1 through 6 (of 6 total)

  • Hi @lekjaz,

    Can you post which files were infected, and some examples of what was changed within those files?

    In the worst situation, the attacker may have access to the host directly, and can login at will to change files.

    Another case might be that the attacker gained entry to your site from a plugin exploit. What plugins do you have activated on your site?

    Dave

    Thread Starter lekjaz

    (@lekjaz)

    I already repaired all the files. I don’t see in the logs where to pull out infromation about the hack and any repairs done.

    This came in my email just a few moments ago:

    Critical Problems:

    * File appears to be malicious: wp-settings.php

    High Severity Problems:

    * WordPress core file modified: wp-settings.php

    I believe the malicious code contained @include

    Thread Starter lekjaz

    (@lekjaz)

    And I was hacked again this afternoon. Caught it quick, but not before taking some screen shots

    https://i.ibb.co/rt7ygcK/capture1.png
    https://i.ibb.co/GdCJ1rm/Capture2.png

    Hi again,

    I think an attacker may have FTP or direct access to your host. This explains how they are able to edit your wp-settings.php file at will. I might be wrong, and they are somehow editing your settings file with the help of a plugin exploit on your website.

    However, these are the steps I would recommend taking…

    1- Change the access password to your host
    2. Do a clean install of WordPress, you can choose to reimport your database, but do not use a backup of your website
    3. After you have a clean install, install Wordfence, followed by any plugins you want to have

    Dave

    Thread Starter lekjaz

    (@lekjaz)

    I checked the FTP logs in my cPanel hosting account and there are no records of anyone accessing the site through FTP. Could this be part of a MySQL injection attack?

    • This reply was modified 5 years, 8 months ago by lekjaz.

    Hi again,

    I believe this is related to the recent exploit found in WP Email. This allowed attackers to modify certain settings within the database.

    Dave

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Hacked again’ is closed to new replies.