bernbe01

i found an exploit toolkit that had been uploaded to another site that was allowing this mass exploit with what appears to be a buffer overflow

files to look for if you run into this:
1337w0rm.php
adminer.php
cendol.php
cikree.php
idx_config/*txt
jadi.php
mk (1).php
pler.php
rabbit_grab/*.txt

i am running into this as well. it appears they are only able to compromise sites that have a default table prefix. is this true for you as well?

i think they know a hole in wp that is not yet disclosed….

Marking as resolved

I have switched my slave to be Percona’s drop in replacement for MySQL as it has replication enhancements specifically for this type of issue.

My slave has been fully synchronized since.

I followed this tutorial to do the in-place mysql replacement:
https://www.digitalocean.com/community/tutorials/how-to-install-a-fresh-percona-server-or-replace-mysql

however you are accessing the files currently will work to back up the files. do you have a cpanel? if you’re unsure about the database, a quick phone call to your host and they should easily be able to guide you through that on thier system. for the files, using ftp is generally the most common method, but however you can access them works

yes there are tons of back up plugins too but the raw db and file method is preferred by me when the site is compromised

you’re totally right on if the old url is active that it’ll still render

personally, i’d dump my content
re-export from source site, choosing “all content”
re-import

there is an option during import to “download files attached to posts” which should add them to your media

if still no, maybe play around with this plugin, which is old but *might* run, take a backup first ??

try disabling *all* plugins

retest

if successful, enable plugins one at a time until you find the culprit

if still error, with plugins deactivated, change to themes to twenty-twelve or twenty-fifteen

retest

post back please with results and a link to a problem page

no prob! good luck!

please let us know what you find out! it may help a google-er in the future ??

for the client:
-how are they collecting the data?
-what plugins do they use?
-in a perfect world, how would they access this data?
-do they want/need third party integration (i.e. to a crm)?
-what criteria will they have to search the collected data for matched records (i.e. username, email address)?

if you are new to wordpress or to gravity forms (which it appears they use), you’ll likely have an uphill battle as what they are trying to accomplish is not an “out of the box” solution

for you:
-are you familiar with mysql?
-have you considered what @andrew suggested about talking to the company that set it up?

i don’t know if I’ll be able to help as I’m not super familiar with gravity forms, but those are the questions i’d ask to walk the path you think they are trying to go

good luck!

awesome, i’ll try that out tonight and see how it impacts things if at all

thanks for your time

i’m still open to hearing more pitfalls/advantages/approaches

i forgot to add that on the server side i run fail2ban with some custom jails to monitor known exploit URLs and it acts as a backup for Wordfence’s login blocking if wordfence gets munged up

fail2ban has proven to be configurable and accurate at monitoring many apache logs at once

the servers also have timer based scripted permission resets on all files and folders in webdirs to ensure proper permissions regardless of what clients override too. if they need special perms they have to contact me so I can add an exception

the biggest challenges for me are when i take over hacked sites and clean them, the hackers come at the site tenfold as well as when i *have* to run old wp versions for specific accounts

wordfence has a great feature which will hide version numbers so I obviously turn that on for the few older wp’s i have to maintain

i haven’t taken the leap to MFA yet but based on @wslade’s blog article i’m going to be trying stealth login page on some of the dev sites and see whether users report it as tolerable or not.. i suspect many will not mind this

i’m reading the great article on your blog currently. thanks for sharing!

i really appreciate your insights here, thank you

so i’ll take that to mean you always check off high sensitivity scan as well. i’ll have to try that tonight on some sites and see how it affects load. so far wordfence has proven to usually stay under 40 Mb usage at peak on each install

thanks wslade!

in wordfence, do you use any of the optional scan settings?

i.e. scan plugin files against wordpress repo
same with themes
scan files outside of wordpress
treat images as executable

out of paranoia i’ve been turning these on, do you feel these are necessary?

20GT – are you talking about exporting all filled out form data from the gravity forms plugin?

you want to make a list of every entry for every form and aggregate them all into one filterable list?

if this is not what you are asking please link to two sample pages where the data you are after is collected

nice work finding&fixing that!

thanks for updating the thread! feel free to mark it as resolved if you are all set

cheers!