• I have multiple sites which seem to have been hacked similarly. When you login or make a page change, some % of the time it displays the correct page, like the dashboard, but will also launch an alternative malicious spam page, like the ones warning you that your PC is infected and you need to hire someone to fix it.

    I have been unable to find the hack and multiple WP security programs don’t detect the altered php scripts.

    Recently for a different issue, I installed CXS to monitor the server and it has started to find things that must be related to the issue. Here are some examples:

    Web upload script path : /home/friedges/public_html/wp-admin/admin-ajax.php
    Web upload script URL : https://friedgeslandscaping.com/wp-admin/admin-ajax.php
    Remote IP : 104.197.168.171
    Deleted : No
    Quarantined : Yes [/home/quarantine/cxscgi/20170427-042407-WQG4t63AfiIAAAusbREAAAAb-file-3m54DJ.1493285048_1]

    ----------- SCAN REPORT -----------

    TimeStamp: Thu, 27 Apr 2017 04:24:08 -0500

    (/usr/sbin/cxs --nobayes --cgi --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --html --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRru --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --ssl --summary --sversionscan --timemax 30 --nounofficial --virusscan /tmp/20170427-042407-WQG4t63AfiIAAAusbREAAAAb-file-3m54DJ)

    '/tmp/20170427-042407-WQG4t63AfiIAAAusbREAAAAb-file-3m54DJ'
    (compressed file: revslider/db.php [depth: 1]) Known exploit = [Fingerprint Match] [PHP Exploit]

    Web upload script path : /home/wurdeman/public_html/blog/wp-content/plugins/wp-symposium
    Web upload script URL : https://wurdemann.org/blog//wp-content/plugins/wp-symposium/server/php/index.php
    Remote IP : 163.172.108.226
    Deleted : No
    Quarantined : Yes [/home/quarantine/cxscgi/20170427-032336-WQGqiK3AfiIAACJtGeQAAAAC-file-rXTbsU.1493281416_1]

    NOTE: This alert may be a ModSecurity false-positive as /home/wurdeman/public_html/blog/wp-content/plugins/wp-symposium does not exist

    ----------- SCAN REPORT -----------

    TimeStamp: Thu, 27 Apr 2017 03:23:36 -0500

    (/usr/sbin/cxs --nobayes --cgi --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --html --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRru --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --ssl --summary --sversionscan --timemax 30 --nounofficial --virusscan /tmp/20170427-032336-WQGqiK3AfiIAACJtGeQAAAAC-file-rXTbsU)

    '/tmp/20170427-032336-WQGqiK3AfiIAACJtGeQAAAAC-file-rXTbsU'
    Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0324]]

    ****************
    NOTE: In the above case, it looks like it installs a plugin and note the “//” directory link. It appears to install a plugin, run it, and then delete it. I have no such wp-symposium plugin.

    Can the whole wp-admin directory be replaced? Are there any files in that directory that the install alters? I don’t know if that will fix it, but I am going nuts. Thanks!

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator James Huff

    (@macmanx)

    It’s safe to replace all files with the following exceptions:

    1. The files under /wp-content/uploads/ are all of your uploaded media. The problem could be in there, but save nuking that for last, you don’t want to lose all of your images and other media.

    2. The wp-config.php file is the only core file that should be modified itself (that’s where your database connection details are stored, along with some filters or defines for settings that aren’t covered in the UI.) If necessary, you can manually “re-build” it using the wp-config-sample.php file.

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Hello,

    We got the same email alert from cxs about the attempt of uploading some exploit via admin-ajax.php.

    Web upload script path : ~wp-admin/admin-ajax.php
    Web upload script URL : https://our_site.com/wp-admin/admin-ajax.php
    Remote IP : 46.246.61.20
    '/tmp/20170602-155521-WTFuSS4VY54AAEzxM1sAAAAP-file-DV4IeU'
    (compressed file: revslider/herewgo.php [depth: 1]) Known exploit = [Fingerprint Match] [PHP Exploit]

    We have configured the basic authentication for our_site.com/wp-admin URL but allowed access to the admin-ajax.php file.

    Our question: How is it possible to upload files via the admin-ajax.php file?

    Thank you.

    • This reply was modified 7 years, 5 months ago by allywhz.

    We have exactly the same issue!

    Anyone that can help with this?

    By the way, we do not have the revslider plugin installed at all, we have tried checking the plugins folder but still can’t find anything strange.

    Thread Starter linkup

    (@linkup)

    It seems every day a new site on the server reports this problem. I think the total is close to 20 sites now, all sharing this same problem. It is still mind boggling that there isn’t more known about this issue or anyone who can fix it. I have hired two “experts” and they were clueless.

    I can’t devote this much time dealing daily with site after site falling to this problem. I will quit hosting if this can’t be resolved.

    @linkup

    I have faced this type of hacking today. All websites that had the same database user were infected.

    I could trace this back to a few PHP files that were added to the include folder; they were loaded from post.php.

    The hack I faced included lines of code at the beginning of each function.php file, no matter how many themes were installed.

    One suggestion for everyone that might face this same issue.

    If you have backups, compare them in the terminal with diff and look for modified files.

    I learned my lesson well, never use the same database user for all your websites.
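The backup comparison suggested in the reply above, written out as an added example (not code from this thread or from any poster). It assumes you have a known-good backup of the site tree next to the live copy; it lists PHP files that were modified or added, and separately flags any PHP under wp-content/uploads, which the moderator's reply notes should contain only media. The two directory trees below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: compare a known-good WordPress backup against the live tree.
# Assumed layout: both arguments are roots of a WordPress install.

# Print PHP files that differ from the backup or exist only in the live tree,
# then flag every PHP file under wp-content/uploads (media only, no code).
find_suspect_php() {
    backup="$1"
    live="$2"
    # diff -rq reports "Files A and B differ" and "Only in DIR: name".
    diff -rq "$backup" "$live" 2>/dev/null | awk -v live="$live" '
        /^Files .* differ$/ { f = $4; if (f ~ /\.php$/) print "MODIFIED " f }
        /^Only in / {
            dir = $3; sub(/:$/, "", dir); name = $4
            if (index(dir, live) == 1 && name ~ /\.php$/) print "ADDED " dir "/" name
        }'
    # PHP anywhere under uploads is suspect even if the backup also has it.
    find "$live/wp-content/uploads" -type f -name '*.php' 2>/dev/null \
        | sed 's/^/PHP_IN_UPLOADS /'
}

# Build a constructed backup/live pair (not real samples) so the check can run.
make_fixture() {
    root=$(mktemp -d)
    for t in backup live; do
        mkdir -p "$root/$t/wp-admin" "$root/$t/wp-content/themes/x" \
                 "$root/$t/wp-content/uploads/2017"
        printf '<?php // clean admin-ajax\n' > "$root/$t/wp-admin/admin-ajax.php"
        printf '<?php // theme functions\n' > "$root/$t/wp-content/themes/x/functions.php"
        printf 'GIF89a' > "$root/$t/wp-content/uploads/2017/logo.gif"
    done
    # Simulate the tampering described in the thread: an edited theme file
    # and a dropped PHP file inside uploads (both constructed).
    printf '<?php /* injected */ // theme functions\n' \
        > "$root/live/wp-content/themes/x/functions.php"
    printf '<?php // dropped file\n' > "$root/live/wp-content/uploads/2017/herewgo.php"
    echo "$root"
}
```

Run it as `find_suspect_php /path/to/backup /path/to/live`; anything it prints deserves a look before core files are replaced.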

    Thread Starter linkup

    (@linkup)

    Most if not all of my domains were set up with the dbase user being admin, however all of the passwords were not ones you would guess and none were the same.

    I have yet to find how they are getting in and I routinely get hacks reported by CSF. At least the infected files are being quarantined, at least those recognized as containing malicious code. I also manually block all IPs that the hacker is connecting from which at least slows him/them down.

    I still don’t understand how, with multiple layers of security, they are able to write to and execute the PHP files.

  • The topic ‘hacked site, altered php files, revslider’ is closed to new replies.