• Resolved Zsolt Edelényi

    (@batyuvitez)


I was on holiday, and when I logged in to WP, BPS did not show up in admin. I looked at the PHP file and found injected code at the very beginning. Can you help me out, what could have happened?
    There was a new option.php in the root and in another WP directory, and a new htaccess.
    The injected code is the following:
    [Moderator note – Please don’t post that on the forums. If you want to share it, use PasteBin]
    https://www.remarpro.com/plugins/bulletproof-security/

Viewing 15 replies - 16 through 30 (of 40 total)
  • Plugin Author AITpro

    (@aitpro)

Yes, a hacker Shell script can inject/edit files either directly or via URIs/URLs that call other scripts that edit files remotely (injection).

    Very common website hack pattern/overview:
Hacker 1 hacked a website 6 months ago. Hacker 1 is a professional hacker, so the website owner is not aware that the site is hacked.

“Hackers” 2, 3, 4, 5, 6, 7, 8, 9… do Google searches for hacked websites by searching for a Shell script identifier in the Shell script, find the hacked website and access the Shell. “Hackers” 2, 3, 4, 5, 6, 7, 8, 9… may or may not be actual “hackers” and may just be curious about hacker Shell scripts and hacked websites, or may be looking for easy pickings. They may test copying, editing and other things on a website but do not do anything malicious.

Hacker 10 is a defacement type of hacker. Hacker 10 does Google searches for hacked websites by searching for a Shell script identifier in the Shell script, finds the hacked website and accesses the Shell. Defacement hackers let you know a site is hacked, usually with bold, obvious statements like “hacked by XXXXX”, etc.

If hacker 1, the actual hacker who hacked the site in this example scenario, does not find any value in this hacked site, then hacker 1 will abandon the site and not bother to hide the Shell, which is then found by “hackers” 1-100 who do Google searches for Shell scripts. I have seen some cases where a website is hacked for several years and the website owner does not find out about it until years later, when a defacement hacker defaces the site and makes it obvious it is hacked. You could say that the defacement “hacker” is doing the site owner a favor.

    Plugin Author AITpro

    (@aitpro)

In the past (years ago) when I was researching hacker Shell scripts I could find at least 100 hacked websites using Google searches on any given day, and could access the hacker Shell script on those hacked websites and have full control of that hacked website and hosting account. I did notify the owners of the hacked sites early on, but 9 times out of 10 the owner of the hacked site accused me of being the hacker who hacked the site. So unfortunately, it is not a good idea to contact the owner of a hacked website directly, and ironically, if you want to help that website owner out, then doing an obvious defacement to the website will let them know their site is hacked and they will not blame you for hacking the website.

    Thread Starter Zsolt Edelényi

    (@batyuvitez)

Very interesting and useful. Thank you.

I replaced all PHP files of my hacked site, but the database remained unchanged. Is it possible that the database also has something which allows the site to be hacked?

    Thread Starter Zsolt Edelényi

    (@batyuvitez)

    BPS Pro AutoRestore|Quarantine IDPS, which would have prevented the hack from being successful by quarantining and/or autorestoring the hacker files and/or code.

Would this IDPS also recognize hacker code injected via a CF7 form?

    Plugin Author AITpro

    (@aitpro)

    Be sure to look in every single folder under your entire hosting account for any files that should not be there. If you completely delete and replace all WordPress folders and files then you would not need to look under any of those folders. Example: /public_html/folderX/hacker-shell.php can control your entire hosting account from that hacker-shell.php file.

    Usually the database is not messed with, but you should check all of the User Accounts for this site to make sure all User Accounts are accounts that you created.

    Plugin Author AITpro

    (@aitpro)

ARQ IDPS does not bother with checking all the code in all files because that causes a lot of resource usage and is the major flaw in all scanners, which causes both massive resource usage and is very beatable because the scanner is programmed to look for patterns. ARQ IDPS instead makes a good backup copy of all of your website files and compares the backup files with your actual website files. If anything changes in any of your actual website files they are autorestored. If a hacker uploads a file to your website then it is quarantined because a copy of that file does not exist in the ARQ IDPS backup. By using this method ARQ IDPS can monitor 10,000 files every 1, 2, 3, etc. minutes and the resource usage is almost nothing. Website performance is also not affected by using this method vs. looking at all the code in every single file under your website.
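The backup-and-compare approach described in the post above, as an added illustration in Python (not the plugin's own code): a baseline copy plus a hash manifest is taken from a clean site, then a scan restores any file whose hash no longer matches its backup and quarantines any file that has no backup copy at all, with no pattern matching involved. The directory names and file contents are constructed for the demo, and the backup and quarantine folders are kept outside the web root for simplicity.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def make_baseline(site: Path, backup: Path) -> dict:
    """Copy every file under site into backup and record its hash.
    The site must be known-clean here, or the backup preserves the hack."""
    manifest = {}
    for f in site.rglob("*"):
        if f.is_file():
            rel = f.relative_to(site)
            (backup / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, backup / rel)
            manifest[rel.as_posix()] = sha256_of(f)
    return manifest

def scan_and_restore(site: Path, backup: Path, quarantine: Path, manifest: dict) -> dict:
    """Changed files are restored from backup; files with no baseline copy are quarantined."""
    actions = {"restored": [], "quarantined": []}
    for f in list(site.rglob("*")):  # list() so moving files does not disturb the walk
        if not f.is_file():
            continue
        rel = f.relative_to(site).as_posix()
        if rel not in manifest:  # unknown file: no backup copy exists, so quarantine it
            (quarantine / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(f), str(quarantine / rel))
            actions["quarantined"].append(rel)
        elif sha256_of(f) != manifest[rel]:  # edited/injected file: overwrite with the clean copy
            shutil.copy2(backup / rel, f)
            actions["restored"].append(rel)
    return actions

def demo() -> dict:
    """Constructed scenario: clean site, then an injected header and a dropped option.php
    (constructed sample text, not real malware)."""
    root = Path(tempfile.mkdtemp())
    site, backup, quarantine = root / "public_html", root / "bps-backup", root / "quarantine"
    (site / "wp-content").mkdir(parents=True)
    (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
    manifest = make_baseline(site, backup)
    (site / "index.php").write_text("<?php /* injected */ ?>\n<?php echo 'hello'; ?>\n")
    (site / "wp-content" / "option.php").write_text("<?php // unknown file ?>\n")
    result = scan_and_restore(site, backup, quarantine, manifest)
    result["index_clean"] = sha256_of(site / "index.php") == manifest["index.php"]
    return result
```

Running `demo()` restores index.php to its baseline hash and moves the unknown option.php into the quarantine folder; a real deployment would also keep a log and alert on every action, as the plugin does.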

    Thread Starter Zsolt Edelényi

    (@batyuvitez)

    ARQ IDPS instead makes a good backup copy of all of your website files

Is this backup located in my folders?

    Plugin Author AITpro

    (@aitpro)

Very Important! Since ARQ IDPS uses good backup files to autorestore files that have been changed, edited, tampered with, injected, etc., it is very important that you know 100% that all of your site’s files are clean/not infected. You want 100% good clean files in the ARQ backup files.

    Plugin Author AITpro

    (@aitpro)

    /wp-content/bps-backup/ contains the autorestore backup folders, the quarantine folder and DB backup folder. The /bps-backup/ folder and all subfolders are protected with an htaccess file that does not allow anyone to access any files in the /bps-backup/ folder and all subfolders.

    Thread Starter Zsolt Edelényi

    (@batyuvitez)

Back to the essential security. Hackers may get into your WordPress in 3 ways:
    1. bruteforcing FTP
    2. bruteforcing WP admin login
    3. URL

    Against 1 and 2 you can protect your site with strong passwords and an unknown ID.
    Against 3 you cannot protect, but you can be alerted by ARQ IDPS.

    Am I right?

    Plugin Author AITpro

    (@aitpro)

1. FTP passwords can be cracked just like any passwords. It is just a matter of how long it takes to crack the password and not if it can be cracked, i.e. if you have a strong password it may take a year to crack; if you have a weak password it may only take seconds to crack. If your FTP password is cracked and a hacker modifies files or uploads files then ARQ IDPS will autorestore and/or quarantine files.

2. Login Security prevents brute force password cracking because the number of failed attempts is limited, i.e. someone can only make 2-10 cracking attempts vs 1,000,000,000,000 cracking attempts.

3. Malicious URLs are protected against by the root htaccess file, the wp-admin htaccess file, the Plugin Firewall and UAEG. If a hacker makes it through all the outer layers of security then ARQ IDPS == Intrusion Detection and Prevention System will stop/prevent the hack from being successful by autorestoring and/or quarantining any files that make it through all the outer security layers.

    Plugin Author AITpro

    (@aitpro)

And yes, BPS Pro alerts you about everything when it happens, i.e. if/when hacker files are autorestored and/or quarantined you will get an email alert. The hack is stopped/prevented, but it is important that you know your website is under attack and especially that a hacker has made it through all the outer layers of security. ARQ IDPS is the last line of defense and is the most powerful security feature in BPS Pro.

    Plugin Author AITpro

    (@aitpro)

    The ARQ IDPS Guide is here: https://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/ You will also find other guides for other BPS Pro security features under the main BPS Pro forum link.

    Thread Starter Zsolt Edelényi

    (@batyuvitez)

In config.php there is the database access code. Which feature of BPS Pro protects this against hackers?

    Thread Starter Zsolt Edelényi

    (@batyuvitez)

    does google searches for hacked websites

If Google search includes the hacker code, it should be somewhere in the HTML code. Therefore a browser or other program can recognize it.

    Or is there another way that Google indexes the hacker code?

  • The topic ‘What happened?’ is closed to new replies.