Forum Replies Created

Viewing 6 replies - 1 through 6 (of 6 total)
    Thread Starter sapper6fd

    (@sapper6fd)

    Thanks for the tip Vinayy. I’m going to check out Mail Bank right now.

    Thread Starter sapper6fd

    (@sapper6fd)

    Oh great! Even better! Why not just put the password on the front page of your WordPress site for everyone to see. You might as well.

    Thread Starter sapper6fd

    (@sapper6fd)

    I was able to figure out how they got access to the account.

    A plugin by the name of N-Media Contact Form with File Upload seems to have been the entry point. It was locked down so only PDF and ZIP files can be submitted (or so I thought). It turns out the plugin is ignoring the settings that determine which file types can be uploaded. I was able to upload a phpinfo script and execute it without any resistance at all.

    Two .php scripts were found in the folder where uploaded files are stored. Those files then allowed access and the ability for an attacker to upload a backdoor giving them root access and full control over the hosting account.
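The failure described in this post is an upload handler that does not enforce its own file-type setting on the server side. As an added example (not code from the thread or from the plugin mentioned), this is the kind of server-side check such a handler needs: an extension allowlist judged on the last extension, a content check with finfo instead of the client-supplied type, and a server-chosen filename. The function name, the `$allowedExt` default and the caller's use of `move_uploaded_file` are assumptions.

```php
<?php
// Added example, not the plugin's code. Validates one entry of $_FILES and
// returns [bool $ok, string $reasonOrSafeName]. Assumed defaults: PDF and ZIP only.
function validate_upload(array $file, array $allowedExt = ['pdf', 'zip']): array
{
    // Reject anything PHP itself flagged (partial upload, size limit, no file).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload error'];
    }
    // Only accept files that actually arrived via HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }

    // Never trust the client filename. Judge by the LAST extension so that
    // "report.pdf.php" is evaluated as "php", not "pdf".
    $name = basename((string) $file['name']);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedExt, true)) {
        return [false, "extension '$ext' not allowed"];
    }

    // Check the bytes on disk, not $file['type'] (which the client controls).
    // Constructed mapping of extension => acceptable libmagic MIME types.
    $expected = [
        'pdf' => ['application/pdf'],
        'zip' => ['application/zip', 'application/x-zip-compressed'],
    ];
    if (!isset($expected[$ext])) {
        return [false, "no content check defined for .$ext"];
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, $expected[$ext], true)) {
        return [false, "content type '$mime' does not match .$ext"];
    }

    // Store under a random, server-chosen name so nothing user-controlled
    // reaches the filesystem. The caller then does:
    //   move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $safeName);
    $safeName = bin2hex(random_bytes(16)) . '.' . $ext;
    return [true, $safeName];
}
```

Pair this with a directory where PHP execution is disabled (or one outside the document root), so a file that slips past the check still cannot run.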

    Thread Starter sapper6fd

    (@sapper6fd)

    I’ve found the malware. It’s: spam-seo-suspicious15?web.html.spam-seo.hidden-style.001

    Now to find out how to remove it

    Thread Starter sapper6fd

    (@sapper6fd)

    The reason I think it’s the theme is because it comes with a number of plugins – quite a few of them. One of which is the Revolution Slider. There have been updates for each of the plugins it comes with over the past year, except for the Revolution Slider. When I mentioned above that I had found files that had been edited, each one of them was in relation to the Revolution Slider.

    If it walks like a duck, quacks like a duck, looks like a duck, I tend to call it a duck until I can prove otherwise. While it may not be the point of entry, disabling that theme (removing it entirely) and replacing it with something else will be a good starting point. There are only two other plugins that I use on this site. One of which is Wordfence and the other is Google Analytics by Yoast. Chances are the site was compromised via a plugin. I have a suspicion it wasn’t Wordfence or Google Analytics by Yoast unless this is a zero-day attack.

    I did quite a bit of WordPress hardening when the site was first set up. Deleting unused themes and plugins, removing version references, hardening the directories via htaccess, changing the name of the /wp-admin folder and so on… I guess I’ll have to look into a number of additional hardening techniques as well.

    Thread Starter sapper6fd

    (@sapper6fd)

    Well, I’ve found a backdoor install within my themes folder, and a few PHP scripts within the themes folder which have been edited (although I’m not sure which ones), but the java code that’s found within the site is appearing within certain sections of the site’s code that’s associated with the theme…

    Fantastic…

    I guess I’m off to find a new theme as this one is up to date and it looks like that’s how the site was compromised.
