• Resolved JustDuckyDesigns

    (@justduckydesigns)


My server was hacked a few weeks ago. I’ve been working with my host and a security expert to get everything clean. We thought we had everything, and then I also downloaded your plugin, installed it on all of my sites (over 80) and ran a scan on each one (I’m sure you know this was a long process). The plugin did find a few issues on about 3 sites and seemed to clean them perfectly. The problem is one of the sites that I scanned (and your plugin found nothing) was hacked again 2 days ago. I just scanned it last Friday and it was hacked on Monday. I got an email from my host that the site was being used as a phishing site again.

    Are there any additional steps I can take? This seems to be like a pretty big miss and it makes me very nervous about the rest of my sites. And, yes, I did donate and I downloaded all the new definitions and set the scan to run automatically and scanned the core files. I ran the scan on the entire /public_html/ folder for all sites.

    Can you suggest anything further?

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Eli

    (@scheeeli)

    Did my plugin find the new hack that was placed on that site or is there still a malicious script at large / undetected?

What you need to find out is how that hack was put on your server. With 80+ sites on the same account that is not going to be easy and you might need your host to help.

    You need to know the exact time of the infection so that you can check your access_log files to see if you can find any evidence of how it was added.

    Thread Starter JustDuckyDesigns

    (@justduckydesigns)

    No the plugin told me the site was clean, that was last Friday. Then today I got the email from my host telling me that they had been contacted with the information that this site was being used (again) as a phishing site.

    My host is not being of much help, they tell me that it’s my responsibility to keep my individual sites clean.

    I have a security guy looking at the quarantined files over the next couple of days. I’m hoping he can shed some light on this.

    There had to be something, either in this site or my other sites (I am on a shared server) that allowed them back in. I’m on a mission to find out how they got back in.

    Any ideas you have would be greatly appreciated.

    Plugin Author Eli

    (@scheeeli)

    Ok, so the plugin told you the site was clean last Friday. Then today you got the email from your host telling you that they had been contacted with the information that this site was being used as a phishing site (note that without dated evidence in their email to you the notification that they got could be old and could be referring to a threat that you have already removed).

    You should run the Complete Scan again on that site to see if it turns up any new threats or if it’s still saying that the site is clean.

Also, ask your host for the details of the phishing site complaint to confirm that it was related to activity occurring after you cleaned the site.

    Thread Starter JustDuckyDesigns

    (@justduckydesigns)

My host quarantined the entire site, so I can’t run the scan again. But I did look at the quarantined files and could see that there was a folder that was added on Monday (ran the scan on Friday, got the notice of phishing on Wednesday) that was clearly infected; it contained php files and files that pointed to credit card sign up pages. None of those pages were there before, which tells me that the hackers had something in that site that allowed them back in. Right after the first hacking incident happened – before I installed your plugin – I made sure the site was running the most recent version of WP and all the plugins, I deleted any plugins that were not in use, I changed all of the cpanel passwords, I changed all of the WordPress passwords, I verified that there was only one user account within the WP site (mine), and I made sure there were no other FTP users. I’m not sure what else I could have done. The only thing I can think that happened is that there was still something within that site that allowed the hackers an open door back in.

    Thread Starter JustDuckyDesigns

    (@justduckydesigns)

    I’m working with a security expert and he asked me to have the hosting company zip all the site files and email them to him; which I have done. He hopes to be able to identify the file(s) that allowed the hackers in. I’d be happy to send you that zip file if you are interested. Perhaps you could see what happened, or what was missed.

    Plugin Author Eli

    (@scheeeli)

It sounds like you have been very thorough and you are doing everything you can to get this situation under control. I agree with you that there must be some back-door or un-patched vulnerability that let these hackers in again (also consider what might have let them in the first time; it could still be vulnerable).

You can certainly send those zipped files to me if you like and there is a chance I might spot something, but it sounds like there is going to be a lot in there and I can’t spend a lot of time going through it. That is definitely the hard way to find a threat. It is much easier to follow a hacker’s trail with direct access to the infected server because you can do real-time searches and comparisons with the untainted filesystem (like stat the timestamps of the modified files and grep the access_log files for activity at those times, etc.).

If you want to contact me directly my email is: eli AT gotmls DOT net

    Aloha, Eli
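The trail-following Eli describes (stat the files that changed after the last clean scan, then grep access_log for the same window), written up as an added example; it is not part of this thread and not the plugin's code. It assumes a cPanel-style public_html layout and an Apache-style access_log; the webroot, timestamps and log lines are constructed sample data:

```shell
#!/bin/sh
# Added example, not code from the thread or the plugin. Step 1 lists files
# changed after the last clean scan; step 2 pulls the access_log requests from
# the day of the change that could have created or run those files.

# Files under WEBROOT modified after the reference time (YYYYMMDDhhmm, local time).
# A stamped reference file keeps this on POSIX find (no GNU -newermt needed).
files_changed_since() {
  ref=$(mktemp) || return 1
  touch -t "$2" "$ref"
  find "$1" -type f -newer "$ref" | sort
  rm -f "$ref"
}

# Requests on the given day (DD/Mon/YYYY) that can write or execute files:
# POST/PUT bodies, and direct hits on PHP files under wp-content/uploads,
# a directory in which PHP should never execute.
suspicious_requests() {
  grep -F "[$2" "$1" | grep -E '"(POST|PUT) |wp-content/uploads/[^" ]*\.php'
}

# Build a throwaway webroot plus access_log and print its directory.
# Everything in here is constructed sample data (timestamps match the thread's story).
build_sample() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/public_html/wp-content/uploads"
  printf '<?php // legitimate\n' > "$d/public_html/index.php"
  printf '<?php // dropped later\n' > "$d/public_html/wp-content/uploads/x.php"
  touch -t 201407180900 "$d/public_html/index.php"                # Friday, before the scan
  touch -t 201407210312 "$d/public_html/wp-content/uploads/x.php"  # Monday 03:12
  cat > "$d/access_log" <<'EOF'
203.0.113.5 - - [18/Jul/2014:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Jul/2014:03:11:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Jul/2014:03:12:05 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2014:08:30:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
  echo "$d"
}

# Demo: the scan finished Friday 18 Jul 2014 18:00; the site was changed on Monday.
sample=$(build_sample)
echo "== files changed since the Friday scan (with their mtimes) =="
files_changed_since "$sample/public_html" 201407181800 | while read -r f; do ls -l "$f"; done
echo "== requests on 21/Jul/2014 that could have written or run files =="
suspicious_requests "$sample/access_log" 21/Jul/2014
rm -rf "$sample"
```

On a real account, run `files_changed_since /home/ACCOUNT/public_html YYYYMMDDhhmm` with the time of the last clean scan, then feed the day of each dropped file into `suspicious_requests` against that domain's access_log; the POST a few seconds before the new file's mtime, and the first GET of the dropped file, are usually the two lines that show the entry point and the client IP. The log file names and date format vary between hosts, so check one line of your own log before trusting the day filter.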

    If this is any help:
I ran into a similar situation several weeks ago when this attack began.
I ran the plugin repeatedly on all my sites; on some of them it takes 4-6 hours to complete. Every time it found problems, we deleted them completely. Then they reappeared again.

Finally, examining the file structure, we found the attacker was able to upload whole ZIP files, from which were extracted 2-3 complete directories with malware plus many files in the main WP directory, plus infected actual WP files. These had to be deleted by hand. Is this issue planned to be addressed by the plugin in the future and if so how?

    Plugin Author Eli

    (@scheeeli)

    If there are ever any malicious files that you find that my plugin failed to detect then you can send those files to me directly and I will add them to my definition updates so that they can be automatically fixed in the future.

    Adam

    (@adamlachut)

    I run the plugin repeatedly on all my sites, on some of them it takes 4-6 hours to complete.

Did you block access to all your websites sharing the same hosting account at the time of scanning? You should.

Did you find and secure the vulnerability? You have to: if someone uploaded/modified files, deleting/restoring them does not help if he is still able to upload them again.

    We believe it was done either through the MailPoet plugin or WP core
    Both have since released new updates
    The XMLRPC Access was also patched

  • The topic ‘New Hack After Scan’ is closed to new replies.