wpv-expert

Hello Everyone,

Hacks by their very nature are insidious and cannot be second guessed in any way.

I have seen code embedded in .gif files that were then extracted using base 64 to run the code pulled from the .gif file. How crazy is that?

Here is the best way to fix issues for a hack that does not seem to have a particular clean cut resolution that anyone can follow. For your own sanity this is the most reliable way to be absolutely sure your hack is gone.

You will need to ask your Host to open a new account and apply whatever money is left for hosting of the current (hacked) account to the new account.

STEP 1
Perform a new install of WordPress (latest version).

STEP 2
Make sure all re-installed plugins are freshly downloaded from their source and compatible with the latest version of WordPress.

STEP 3
Export your database from WordPress using the xml database export tool from WordPress.

STEP 4
Download all image content to your local drive to FTP up to the new account later.

STEP 5
Make sure you recreate all folders you may have had in the old site in the new site. Put all content in it’s respective place. Take extensive notes for each plugin as to their configuration, as well as all WordPress specific settings, i.e. anything you need to know before leaving the old site behind. Be very methodical in this step otherwise you will create more work for yourself.

STEP 6
Import your database (previously exported) into the new WordPress site.
Put all image content where it goes in it’s respective location/folders.

If you made accurate notes and copied everything down from the old site, it will be nothing more than a logistical exercise.

FINAL NOTE:
Always make your website as secure as you can with best practices.
Long passwords . . . changed every 6 months without fail. Including your FTP account p/w’s.

Install the Login lockdown plugin, WSD Security plugin and follow their instructions.

Never leave the Default “Admin” account in place. Always create a new “Admin” account with the name Admin. Better yet do not use any word in any language for the user name. Make your User name and password 25 characters in length using all valid upper lower case as well as special characters accepted by WordPress.

You are now equipped to weather the storm, and keep those passwords rotated out every six months if you have to schedule software to remind you to.

Granted this is not fun if you have many sites like many people but it does work.

If this post were deleted I would not miss it, unless of course part of my punishment is for it to remain. ??

Peter,

Man I am feeling like you know what about now. You are correct and I should have done more homework before posting in the plug-in repository about the wp-contact-form.

The plug-in in question in fact is not even in the WP repository.
Below is the data from our copies of the plug-in.
Please accept my sincerest apologies for this case of mistaken identity.

This text was cut copied and pasted from the php file of the plug-in:

Plugin Name: Contact Form ][
Plugin URI: https://chip.cuccio.us/projects/contact-form-ii/
Description: Contact Form ][ is a drop-in form that allows site visitors to contact you. It can be implemented easily (via QuickTags) within any post or page. This version is *specifically* for WordPress 2.x only.
Author: Chip Cuccio
Author URI: https://chip.cuccio.us
Version: 2.0.13

I am not sure if this helps much Peter but we were seeing in our emails where the form plug-in was being over-run with “[email protected]” jibberish type emails. I mean hit really hard from many different IP’s. The email addresses were of course not valid nor the domains they were affiliated with. It seems to have been some sort of injection attack. The code was very sophisticated and definitely pointed to this particular plug-in. It kept re-infecting until the plug-in was removed with all the code it had injected.

This plug-in was just trash left over from previous management at the site that I inherited to clean up. I noticed it was old and was fixing the site up along with trying to de-hack it. Suffice it to say, that it was a learning experience just like this post has been . . .

I am bent over awaiting my fifteen lashes.