Network hacked, fixed, still vulnerable?
So, about a week ago, all the sites on my network were redirecting to porn.
I went through, installed Wordfence, scanned (inside and outside of the WordPress directory), reuploaded all core files (except wp-content), theme files, plugin files, deleted malicious-looking plugin files and updated everything. I changed everybody’s passwords: FTP, domain/hosting, database, WordPress, everything. I added define('DISALLOW_FILE_EDIT', true); to wp-config.php, revoked everyone’s admin access but me and set Wordfence to lock out users after 5 login attempts. I then found that one of my sites had hidden spammy content throughout all the pages, posts and attachments as well as a new post advertising cheap/free pharmaceuticals. I went through and deleted those.
Seemingly, I got everything fixed…until today. I got a notification from Wordfence saying that there was a malicious file in my plugins folder. Sure enough, there was a file in the plugins folder that I didn’t put there and a whole bunch of spammy files in my wp-includes folder. I delete those, replace the core files and all plugins again and go through Google’s recommended recovery steps, since now one of my sites says it’s been hacked in Google’s search results. I install Webmaster Tools and add the site for the first time.
Come to find out, there’s already an authorized user on there who has verified the site using DNS, presumably through the hosting company (GoDaddy). I revoke their access, delete the DNS record, change the GoDaddy password again and enable 2-step authentication at GoDaddy and install the Google Authenticator plugin for admins on my site (me).
I then scour the remote files for possible backdoors and look through the database to see if there’s a hidden admin user: wp-includes, uploads, blogs.dir. Nothing.
Also in the Google recovery steps is performing a site search for spammy keywords on your site using something like “free site:example.com”. Boom. Hundreds of results for two of the sites on the network.
I don’t even know what to do at this point. I’ve scoured all over the place and can’t find a way that this could be happening. Does anybody have any suggestions? How do my files keep getting messed with? What else can I do? I’m at my wits’ end…
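The post describes unfamiliar files reappearing in the plugins and wp-includes folders and a manual search of uploads and blogs.dir for backdoors. As an added example (not part of the original post), this Python script automates that check by comparing the core directories against a clean copy of the same WordPress version and flagging script files under the upload directories; the directory list, extension list and sample trees are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # replaced wholesale from a clean download
DATA_DIRS = ("wp-content/uploads", "wp-content/blogs.dir")  # media only (assumption)
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}  # assumed list, extend as needed

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def files_under(root, sub):
    base = Path(root) / sub
    return [p for p in base.rglob("*") if p.is_file()] if base.is_dir() else []

def build_manifest(clean_root):
    """Map relative path -> hash for the core dirs of a clean copy of the same version."""
    return {p.relative_to(clean_root).as_posix(): sha256(p)
            for d in CORE_DIRS for p in files_under(clean_root, d)}

def audit(site_root, manifest):
    """Return sorted (reason, relative_path) findings for a live site tree."""
    findings = []
    for d in CORE_DIRS:
        for p in files_under(site_root, d):
            rel = p.relative_to(site_root).as_posix()
            if manifest.get(rel) != sha256(p):
                findings.append(("not-in-core" if rel not in manifest else "modified-core", rel))
    for d in DATA_DIRS:
        for p in files_under(site_root, d):
            if p.suffix.lower() in SCRIPT_EXTS:  # nothing executable belongs here
                findings.append(("script-in-uploads", p.relative_to(site_root).as_posix()))
    return sorted(findings)

def demo():  # constructed sample trees; every file name and content is made up
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            for rel in ("wp-includes/version.php", "wp-admin/index.php"):
                (root / rel).parent.mkdir(parents=True)
                (root / rel).write_text("<?php // constructed core file")
        (live / "wp-includes/class-wp-cache2.php").write_text("<?php // extra file")
        (live / "wp-admin/index.php").write_text("<?php // altered core file")
        (live / "wp-content/uploads/2015").mkdir(parents=True)
        (live / "wp-content/uploads/2015/img.PHP").write_text("<?php // constructed")
        return audit(live, build_manifest(clean))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Running the audit on a schedule and keeping the findings with timestamps shows when a file reappears, which can then be matched against the web server access log for the same window.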