Site Getting Hacked

  • Anonymous

    #4656

    Well, I’ve been hacked successfully three times now. Each time, I keep following (most) of the advice in the codex. However, it is obviously not working.

    The malicious code gets inserted into the header.php file… just a few lines down from the top.

    It begins with something like (from memory)… #bf34ce# basedecode64(eval

    It’s approximately three complete lines of text and characters.

    It is ended by the same #bf34ce# at the bottom of its code.

    This last one also added a redirect to my .htaccess file in the root directory.

    I have successfully managed to clean each one… but I kind of feel like I’m “skating on thin ice”. I feel like I’ve used “eight of my nine lives”.

    Again, I’ve changed config keys.. adjusted site username and passwords.. etc.

    Any advice on what to do next to take preventative measures?

    Mod

    Kenneth John Odle

    #28795

    Could possibly be coming from a malicious plugin inserting its own code. You can try Googling that malicious code and seeing if any sites with it are running any of the same plugins as you are.

    (You’ve got some null CSS going, btw. Is that supposed to be there, or are you working on something?)

    Anonymous

    #28796

    Could possibly be coming from a malicious plugin inserting its own code.

    Excellent idea. I didn’t even think about that.

    You’ve got some null CSS going, btw.

    Where did you see this at?

    Anonymous

    #28797

    Once your site is hacked, no matter how many times you change salt keys, passwords, edit config & .htaccess files, there are always some back doors left open in your site. So, first check for the SQL injection and files affected by base64 encrypted code, especially the ones in the uploads directory, because WordPress, themes and plugins get updated occasionally. So, hackers usually put malicious code in the uploads folder, which is more often neglected by normal users.

    You can SSH and run this command to find out base64 strings in your files,

    grep -R --include="*.php" "base64" . | awk '{ print $1 }'

    Look for eval(base64_decode(.. in infected files

    Genuine WordPress theme and plugin developers never encrypt their code. So, if you find any base64 encrypted (infected) file, delete it immediately.

    Try using one of these WordPress Security plugins.

    http://wordpress.org/extend/plugins/bulletproof-security/

    http://wordpress.org/extend/plugins/secure-wordpress/

    Mail me if you need any more help.
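
Added example, not part of any post in this thread: a read-only shell scan that follows the checks suggested in the post above (eval(base64_decode( in PHP files, PHP files under the uploads directory) and also looks for the repeated #xxxxxx# marker described in the first post. The function names, the default wp-content/uploads layout and the sample tree are assumptions made for this example; the sample files are constructed and harmless.

```shell
#!/bin/sh
# Added example: triage scan for a WordPress tree. Read-only; it only lists files.

# PHP files that pass base64-decoded data to eval(), whitespace tolerated.
find_eval_decode() {
    grep -RIlE --include='*.php' \
        'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' "$1" 2>/dev/null || true
}

# PHP files where the same #xxxxxx# hex marker appears twice or more, the
# wrapper pattern described in the first post (#bf34ce# ... #bf34ce#).
find_marker_pairs() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        dup=$(grep -oE '#[0-9a-f]{6}#' "$f" 2>/dev/null | sort | uniq -d | head -n 1)
        if [ -n "$dup" ]; then printf '%s\t%s\n' "$f" "$dup"; fi
    done
}

# Any PHP file under uploads: that directory should normally hold media only.
# Assumes the default wp-content/uploads location.
find_php_in_uploads() {
    if [ -d "$1/wp-content/uploads" ]; then
        find "$1/wp-content/uploads" -type f -name '*.php'
    fi
}

# Run all three checks against a WordPress root directory.
scan_wp() {
    echo '== eval(base64_decode( =='; find_eval_decode "$1"
    echo '== repeated #xxxxxx# markers =='; find_marker_pairs "$1"
    echo '== PHP under wp-content/uploads =='; find_php_in_uploads "$1"
}

# Constructed sample tree (harmless payload: base64 of "echo 1;").
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/themes/t" "$d/wp-content/uploads/2013"
    printf '%s\n' '<?php' '#bf34ce#' 'eval ( base64_decode("ZWNobyAxOw=="));' \
        '#bf34ce#' 'get_header();' > "$d/wp-content/themes/t/header.php"
    printf '%s\n' '<?php echo "clean"; // color #ffffff' > "$d/wp-content/themes/t/footer.php"
    printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw=="));' > "$d/wp-content/uploads/2013/img.php"
    echo "$d"
}

# To try it: d=$(make_demo_tree); scan_wp "$d"; rm -rf "$d"
```

A hit is a lead to inspect by hand, not proof of infection; compare flagged files against a clean copy of the same theme or plugin version before deleting anything.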

    Mod

    Kenneth John Odle

    #28798

    Where did you see this at?

    .thethe_image_slider ul.thethe-image-slider-slides{}
    ul.thethe-image-slider-slides li {}
    ul.thethe-image-slider-slides li.show {}
    ul.thethe-image-slider-slides li .thethe-image-slider-image{}

    There’s more, but that’s a sample.

    Anonymous

    #28799

    Thanks Ken. I never looked closely at that code before. It’s from a plugin, which I’ll look into and see what’s going on. Perhaps it is the malicious plugin? — Dun Dun Daaaa–

    Prasanna, forgive my ignorance… but I don’t know what SSH is and how you use it with your site. So I need to do some “googling”. I will post back. In the meantime, I’ll be trying that BulletProof Security. Thanks for the link.

    Anonymous

    #28800

    So apparently it was some kind of script running a password recovery on my admin login page.

    I installed BulletProof Security (Thanks Prasanna), and sat back for two days.

    Then, in my email, I received about 30 notifications alerting me of various IPs attempting to log in to the website (you can control how many unsuccessful login attempts before lockout, COOL).

    I haven’t had any (turning around and knocking on wood) malicious scripts since installing the plugin. I’m going to monitor it for a week or so, as that seemed to be the amount of time between hacks, before I rest more easily at night.

    Thanks also to Ken. Gonna go check out that null css next.
