• Hi guys,

    I am having an issue with one of my sites. It has been hacked 3 times since 31 December 2016 while Wordfence free was active with maximum protection enabled. The first time it was hacked, WordPress and some plugins were not up to date. The subsequent two times, everything was up to date. It seems to have been hacked twice by one hacker and once by a different hacker, the former leaving a signature in the site title, and a few other places, that starts with: +ADw-/title+AD4-HaCKeD By+AF8-uMuT SunaR..+ACEAIQ

    The hacker had access to the database and reset all existing users’ passwords, then used an account with administrator privileges to log in to the WordPress dashboard. I was alerted to the hack by Wordfence’s admin login notification and I believe that the site had been compromised before the hacker logged in, because the hacker signature was in the website title that is included in the admin login notification.

    I know this is free support and I’m using the free product, so don’t expect a speedy response, if at all, but I thought you guys may also benefit by taking a look to see if you can see how this hacker is getting past your firewall? All non-identifiable details I can think of are included below:

    The only installed and active theme was Enfold by Kriesi 3.8.4 (latest version). All other themes have been deleted.

    All plugins were updated to their latest version:
    – 301 Redirects By Tony Spiro
    – Duplicator by LifeInTheGrid
    – Gravity Forms by rocketgenius
    – Wordfence Security by Wordfence
    – Yoast SEO by Team Yoast

    All other plugins had been deleted. I cannot find any published vulnerabilities for any of these.

    The site is hosted on a shared web server. The web server has the following software installed:
    – Linux 2.6.32-642.11.1.el6.centos.plus.i686
    – cPanel 56.0 (build 41)
    – Apache Version 2.4.18
    – PHP Version 5.6.23
    – MySQL Version 5.6.33
    – Perl Version 5.10.1

    I also restricted file privileges as much as I could without breaking the site, however, it does not seem like any files were modified to gain access. I did also check a list of the most recently modified files on the compromised site and found nothing of interest.

    I found two other websites running on the same shared server that were also hacked and had the same hacker signature in the site title. The hosting provider has run their own malware scan on my site, and the other two, and say that the scan comes back clean. I ran the Wordfence malware scan on the site and it came back clean with the exception of a minor difference in the wp-content/plugins/duplicator/readme.txt file which I find strange. I have analysed this file and can’t see anything malicious. Before running the scan I checked all the scan options except:
    – Enable HIGH SENSITIVITY scanning. May give false positives.
    – Use low resource scanning. Reduces server load by lengthening the scan duration.

    I have also created a clean installation of WordPress and all the above-mentioned themes and plugins and compared it to the compromised version of the website using a strong hashing algorithm and there are no unexpected differences in any of the files except the same readme.txt file mentioned above.

    Let me know if there’s any other information you would need from me. I’ll be happy to assist any way I can.

    Regards,
    Gareth

Viewing 9 replies - 1 through 9 (of 9 total)
  • I’m not affiliated with Wordfence – just a longtime user – but from what you describe it would seem that the hackers have previously installed a backdoor on your site – possibly even at the server level – allowing them access regardless of WF or any other security firewall.

    If they already have a “skeleton key” to the site as it were, it doesn’t matter what kind of firewall or scans you run or have in place – they can get in.

    Depending on your technical abilities, you may want to engage WF for professional site clean-up, as finding any backdoors can be difficult and time-consuming if you’re not familiar with the process and what to look for.

    • This reply was modified 7 years, 10 months ago by bluebearmedia.
    Thread Starter garethlawson

    (@garethlawson)

    Thanks for the advice @bluebearmedia.

    I am an experienced PHP developer (since 2003) and have manually compared the files on the compromised server with the files of a clean installation with all the same extensions. No unexpected differences. I have also analysed the apache access logs and there are only entries related to valid WordPress URLs.

    I am as sure as I can be that there are no file-based backdoors on the hosting account. The only backdoor I think they may have is if they have compromised the entire hosting server. I have requested that the hosting company do an analysis of the entire server, but they are not very cooperative.

    I am waiting for the website owner to decide if they want to get Wordfence involved. Would be happy to hand this over to them, but it’s in the website owner’s hands.

    Thanks again,
    Gareth

    Makes sense – hope you can get it sorted!

    Hi Gareth,
    It’s always hard to guess based on a description but judging by the information you have shared here it does sound like they are gaining access via a vulnerability in the hosting environment rather than the WP install itself. The fact that the host is not cooperative is unfortunately not unusual, but always a red flag to me. One thing you could check for if you haven’t already is to see if there is any reference to wp-config in the access logs. Also, did you check the access logs for any requests matching the IP that logged in as admin?

    Thread Starter garethlawson

    (@garethlawson)

    I understand that, and thanks for the response and advice on what to check. I do appreciate it.

    Earlier in December there are two references to wp-config.php in the access logs, but both resulted in a 404 and the IP address is 178.137.83.166, which is owned by Kyivstar GSM, a Ukrainian mobile phone operator. Both were an attempt at directory traversal which clearly failed: GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1

    Slider Revolution is not installed on this site and I believe Wordfence blocks this attack anyway as I’ve seen it in the attack reports often on most of the sites I maintain.

    Every time the site was hacked, there are logs related to the relevant IP address. The first time, the relevant IP address visited the home page, then /wp-login.php, then POSTed to /wp-login.php and was authenticated. Once authenticated they accessed /wp-admin/theme-editor.php and POSTed to it, probably to deface the site. There are no other logs related to that IP address.

    The most recent time it was hacked, seemingly by a different hacker (different signature was left on the site) was similar: straight to /wp-login.php, POSTed to it, was authenticated and then went to /wp-admin/options-general.php and POSTed to /wp-admin/options.php modifying the website title. Then went to the home page, no doubt to enjoy his victory.

    All of this, in my opinion, continues to strengthen the case that the hackers gained direct access to the database via some other channel and not the website. The hosting company says that they have taken all necessary security precautions and won’t offer any further assistance, in spite of my having provided all this information and having found two other websites on the same shared server that have been compromised in the same way. I am considering asking for permission to run a vulnerability scanner on the IP address, but I doubt they’d consent anyway.

    We are trying to convince the website owner to move their site to a different hosting provider who we trust.

    Thanks again for trying to help!
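    A defender-side check for the access-log pattern Gareth describes (a successful POST to /wp-login.php followed by theme-editor.php or options.php, plus any request mentioning wp-config). This is an added example, not code from this thread or from Wordfence; it assumes Apache combined-format logs and uses a constructed sample.

```python
import re
from collections import defaultdict

# Apache "combined" log line: client IP, timestamp, request line, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Admin endpoints seen in the intrusions described above; plugin-editor.php
# is added here as the obvious sibling of theme-editor.php.
SENSITIVE = {"/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php",
             "/wp-admin/options.php"}

def parse_line(line):
    """Return (ip, method, path, status) or None for a non-matching line."""
    m = LINE_RE.match(line)
    return (m["ip"], m["method"], m["path"], int(m["status"])) if m else None

def analyse(log_text):
    """Map each client IP to the list of reasons its request sequence looks suspicious."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])
    findings = {}
    for ip, reqs in by_ip.items():
        reasons, logged_in = [], False
        for method, path, status in reqs:
            bare = path.split("?", 1)[0]
            if "wp-config" in path:
                reasons.append(f"wp-config reference {path} -> {status}")
            # WordPress answers a successful login POST with a 302 redirect;
            # a failed attempt re-renders the login form with 200.
            if method == "POST" and bare == "/wp-login.php" and status == 302:
                logged_in = True
                reasons.append("successful login POST (302)")
            elif logged_in and bare in SENSITIVE:
                reasons.append(f"{method} {bare} after login")
        if reasons:
            findings[ip] = reasons
    return findings

# Constructed sample traffic (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jan/2017:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jan/2017:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jan/2017:10:02:03 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2017:10:05:08 +0000] "POST /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Jan/2017:11:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 404 300 "-" "curl/7.0"
"""
```

Run `analyse(open("access.log").read())` against a real log; the failed-login IP (198.51.100.7 in the sample) is deliberately not reported, so only IPs that actually got in or probed wp-config show up.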

    Hi again!
    It is theoretically possible that they are using another IP to gain access to the contents of wp-config via a vulnerability, then access the database, and then log in to WordPress. It sounds more likely though that they are getting into the database directly. If the database environment is not secure they could for example have hacked one site and via that gained access to other databases than just the one. One potential access point could be phpMyAdmin for example (on your site or any other site on the server). One thing you could try is to see if you can connect to that database from another server. I’m not a super expert on database security but I know that it should not be possible to do that by default. Also, something the host can do is enable general query logging for the MySQL database (and store those logs in a safe location). Then next time you are hacked it would be possible to figure out where it all began.

    No problem, happy to help. Best of luck for now!

    Thread Starter garethlawson

    (@garethlawson)

    Yes, what you’re saying is exactly what I’m thinking. I know that the database connection uses “localhost”, and all the other sites that have databases probably also do, so if they’re able to get elevated access to the database through the server or another website on the server, or if they’re able to get to and read the wp-config.php file via the same, then they’re in.

    Hopefully we can convince the client to either get Wordfence in to investigate and either find the hole or confirm my conclusion, or to move to a different provider.

    If we do move to another provider, I plan to install WordPress, the theme and all plugins from scratch and then import the content and configuration to make sure I don’t transfer a backdoor that I may have missed somehow.

    Cheers,
    Gareth

    • This reply was modified 7 years, 10 months ago by garethlawson.

    I am seeing this type of activity on one of my sites as well. The site has moved hosts 4 different times. Each time the attacker gains access all over again. I have gone as far as removing all but the main administrator and recoding the entire site. The main admin account is not called admin. I started seeing entries in my Wordfence log that showed a certain IP address was blocked. It says:

    This email was sent from your website “</title>Hacked By FOXILITRIX EL<DIV style=”DISPLAY: none”><xmp>” by Wordfence plugin…

    Several hours later the title was reported back normally instead. Wordfence scan is showing no problems. Nobody fixed the title between the times. What is going on here?

    One last note: Foxilitrix El has a series of YouTube videos that show him exploiting WordPress. The videos are not very coherent and whatever he is typing in some of the videos appears to be in Arabic or some other language like that.

    Thread Starter garethlawson

    (@garethlawson)

    Thanks for adding your experience @chowned. Fortunately for me, these attacks stopped shortly after my last post. It seemed to coincide with the release of WordPress 4.7.1, but I am not at all sure, and don’t really believe the change in WordPress version is the thing that did the trick.

    Personally, I believe the hosting provider quietly patched an OS vulnerability without saying anything, but cannot prove anything either way. When you say, “recoding the entire site”, what do you mean by that?

    Sorry to hear about the ongoing attacks on your site. Hope you can get to the bottom of it and please let us know here if you do.

  • The topic ‘Site hacked 3 times with Wordfence (free) enabled’ is closed to new replies.