Forum Replies Created

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter alexalready

    (@alexalready)

    I tried the exploit scanner plugin but it doesn’t seem to work for me

    Thread Starter alexalready

    (@alexalready)

    What I ended up doing:

    1) uploaded fresh WP install via FTP to new.domain.com
    2) downloaded the images from wp-content/uploads to a local hard drive
    3) re-uploaded all the images to the /uploads folder on new.domain.com
    4) configured the new wp-config.php in new.domain.com to connect to the same database as the current site
    5) renamed domain.com folder to old.domain.com
    6) renamed new.domain.com folder to domain.com
    7) installed fresh theme files and fresh plugins
    8) installed Better WP Security and followed as many recommendations as possible https://bit51.com/software/better-wp-security/

    So far this SEEMS to have resolved the hack. However, if the back door is in the Database – we may get hit again.

    Since I’ve done this I’m getting 10 – 15 emails a DAY from Better WP Security saying that many different IPs are being banned because they are trying to log in multiple times – so I guess we are still under “attack”. The emails look like this:

    A host, 24.114.255.3(you can check the host at https://ip-adress.com/ip_tracer/24.114.255.3) has been locked out of the WordPress site at https://braisedandconfused.com until Tuesday, July 2nd, 2013 at 1:33:29 pm UTC due to too many attempts to open a file that does not exist. You may login to the site to manually release the lock if necessary.

    They keep using different IP addresses so the ban doesn’t seem to solve the issue. Not sure what else I should be doing to prevent this from happening again. I changed all of our passwords to very secure codes and followed Better WP Security recommendations.
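Steps 2 and 3 of the procedure above carry wp-content/uploads from the compromised site onto the fresh install, so that folder is the one part of the old file tree that survives the rebuild. As an added example (not part of the original post), the Python below checks a local copy of the folder before re-upload and holds back anything that is not a plain image; it assumes the media library holds only JPEG, PNG and GIF files, and the function names and sample files are constructed for illustration.

```python
import os

# Leading bytes of the image types this example assumes the media library holds.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def classify_upload(name, data):
    """Return None if the file looks like a plain image, else why to hold it back."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in IMAGE_MAGIC:
        return "not an image extension"
    if not data.startswith(IMAGE_MAGIC[ext]):
        return "content does not match extension"
    if b"<?php" in data.lower():
        return "image header followed by PHP code"
    return None

def audit_uploads(root):
    """Walk a local copy of wp-content/uploads; return {relative path: reason}."""
    held = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                reason = classify_upload(name, fh.read())
            if reason:
                held[os.path.relpath(path, root)] = reason
    return held

# Constructed sample files (name -> leading bytes), not taken from the thread.
SAMPLES = {
    "2013/06/dinner.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "2013/06/logo.png": b"<?php /* placeholder */ ?>",
    "2013/06/banner.gif": b"GIF89a<?php /* placeholder */ ?>",
    "2013/06/cache.php": b"<?php /* placeholder */ ?>",
    ".htaccess": b"# placeholder\n",
}

def demo():
    """Classify each constructed sample; None means the file may be re-uploaded."""
    return {name: classify_upload(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason or 'ok'}")
```

Run `audit_uploads()` on the folder downloaded in step 2 and re-upload only the files it does not list.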

    Thread Starter alexalready

    (@alexalready)

    @songdogtech

    Thanks for your help.
    I’m working with DreamHost on it, they helped me identify some files I should remove.

    I found a couple of posts around asking me to search the db for specific files I should delete but my database didn’t have any of those. Can you confirm what resource I should consult about cleaning the database?

    Thanks!

    Thread Starter alexalready

    (@alexalready)

    Within the last 11 months I fixed the first hack and now I’ve been hacked again. Every post on my site has meta-data linking to Viagra sites and I’ve been notified by Google Webmaster Tools about it.

    I’ve paid for Sucuri and they were not able to fix the issue. I have a dozen different blog posts with ideas on how to fix it and none of them reproduce the same hack that I have.

    I’m currently trying to delete as much from my server as possible and do a fresh WordPress install to connect to my database.

    From what I understand, this might not even solve the problem because the vulnerability could be in the database itself.

    This has been a totally demoralizing experience.

    Thread Starter alexalready

    (@alexalready)

    Update:

    I found out on another forum that my hosting provider (DreamHost) is able to support fixing the pharma hack.

    I emailed them last night and they have run an automatic scan of all my files.

    They also quarantined the files that were clearly hacked – giving me the final say to delete them.

    Looks like they found and removed most of it and have listed off all possible entry points and which files I need to remove myself!

    So the lesson is: check with your hosting provider; they may save you a lot of time and trouble!

    Thread Starter alexalready

    (@alexalready)

    Hey Matt,

    I really like the way the pearsonified tutorial is written – easy to understand. However I think it may be outdated as I was not able to find any of the naming conventions he mentioned in my plugins folder, nor was I able to find the values he mentioned in my database.

    One thing I don’t understand is: if the file mods can have any naming convention and I simply have to look for ANY php file that looks “innocent” and suspicious – doesn’t this search become next to impossible? And how can I verify once I open a suspicious php file that it is indeed a hack? The examples he posted don’t even have the base64 or eval calls.

    Looks like it’s going to be a long process =(

    Thanks for posting – let me know if you find anything new.
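One way to narrow the search asked about above without relying on file names or on base64/eval patterns, as an added example that is not part of the original post: hash every file in the live site and compare it with a known-good copy, then read only the files that differ or that have no clean counterpart. The Python below assumes the known-good copy is a fresh download of the same WordPress, theme and plugin versions; the function names, the `PHP_EXTS` list and the file names in `demo()` are constructed for this example.

```python
import hashlib
import os
import tempfile

PHP_EXTS = (".php", ".phtml", ".php5")  # assumed set of extensions run as PHP

def tree_hashes(root):
    out = {}  # relative '/'-separated path -> SHA-256 hex digest
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def compare_to_clean(live_root, clean_root, expected_extra=("wp-config.php",)):
    """Report live files that the known-good copy does not account for."""
    live, clean = tree_hashes(live_root), tree_hashes(clean_root)
    report = {"modified": [], "unexpected_php": []}
    for rel in sorted(live):
        if rel in expected_extra:
            continue  # site-specific file, so review it by hand
        if rel in clean:
            if live[rel] != clean[rel]:
                report["modified"].append(rel)  # same path, different bytes
        elif rel.lower().endswith(PHP_EXTS):
            report["unexpected_php"].append(rel)  # PHP with no clean counterpart
    return report

def put(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Compare two small constructed trees (every file name here is made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        put(clean, "wp-includes/load.php", b"<?php // load\n")
        put(live, "wp-includes/load.php", b"<?php // load\n// extra line\n")
        put(live, "wp-content/plugins/example-plugin/extra.php", b"<?php\n")
        put(live, "wp-config.php", b"<?php // settings\n")
        return compare_to_clean(live, clean)

if __name__ == "__main__":
    print(demo())
```

Anything under `modified` or `unexpected_php` is a file to open and read; everything else matches the clean copy byte for byte.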

    Thread Starter alexalready

    (@alexalready)

    Hey Matt,

    Sure. Here is a list of my plugins – let me know what you find.

    Active plugins:

    Akismet
    Flickr Gallery
    Google Analytics Tracking Code Embeder
    Lightbox Gallery
    Post Thumbnail Editor
    SEO Facebook Comments
    Social Slider by ARScode
    Twitter Facebook Social Share
    WordPress SEO

    Inactive plugins:

    AJAX Thumbnail Rebuild
    All in One SEO Pack
    blibahblubah
    Facebook Comments for WordPress
    fbLikeButton
    Hello Dolly
    Lightbox 3
    Open external links in a new window
    Picasa Album Uploader
    Random Redirect 2
    Taxonomy Dropdown Widget
    Twitter for WordPress
    WP Photo Album
    WP Picasa LightBox
