WordPress site hacked numerous times

@Debbie626

Posted in: #Hacking #Wordpress

Because of the identity of the website, I don't want to give too much identifying information about the actual organization, but I can try to provide as much server background information as possible.

I am managing a WordPress site and all seemed to be going well until this past August when the site first got hacked. Because of the quantity of compromised files, it appeared that there was some sort of vulnerability that allowed a robot to mass inject code into all of the PHP files. Before each opening <?php tag, there was a block of encrypted code that I have shown here.

The above link shows the tidied up php code, depicting the workflow of the script. If I further attempt to decode the strings, it becomes more legible, but it seems very difficult to discern exactly what it does.

Here is a bit decoded with unphp's "Eval + gzinflate + Base64" tool and here is a bit decoded with unphp's "Recursive De-Obfuscating" tool that seems to be an HTML advertisement for someone else's website.

The contents, though, are relatively unimportant. After this initial hack, I restored from a backup on GitHub and made sure the site was clean of any script. I also made a new user with a new password and changed the domain's root file to this new user.

I thought this solved the problem, but the website has been hacked in a very similar fashion 2 more times. Each time I've restored a backup from GitHub and made sure the directory was clean.

At first I thought maybe the hacks correlated with WordPress updates and they were WordPress vulnerabilities, so I made sure I kept the site up to date in terms of plugin and WordPress updates. In the end, that doesn't seem to have been the problem.

OS: Debian 3.1.9

Hosting Provider: Dreamhost

It is also worth noting that I inherited administration of the site from someone, so there is a lot of legacy code that is kind of sloppy.

tl;dr My question is how can I diagnose this? What steps can I take to find the source of the vulnerability? I am really at a loss right now and really frustrated that this keeps happening.

Thank you for any advice or support you can offer, I am desperate at this point.

UPDATE:

In the time since this post, I attempted a restore. About two hours afterwards the site was compromised in the same way. The differences this time around are that I had secured all file permissions and deleted a suspicious user from the wp_user table. Clearly, neither of those things seemed to help.
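Added example (not code from the post or its answers): a Python scanner for the symptom described above. It finds PHP files carrying an eval(gzinflate(base64_decode())) prologue, lists them newest-first by modification time so the injection run can be dated against the access log, and peels the stacked base64/gzinflate layers the way the unphp tools did. The exact obfuscation from the site is not reproduced on this page, so the match pattern and the constructed fixture built by make_sample are assumptions.

```python
import base64
import os
import re
import sys
import time
import zlib

# Assumed shape of the injected prologue: PHP that evals a base64-encoded,
# raw-deflated payload. Spacing and quote style vary between injections,
# hence the \s* and the either-quote character class.
INJECT_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)"
)


def find_injection(source: str):
    """Return the base64 payload of the first eval(gzinflate(base64_decode()))
    call in `source`, or None when the file carries none."""
    m = INJECT_RE.search(source)
    return m.group(1) if m else None


def peel(payload_b64: str, max_layers: int = 10) -> str:
    """Undo nested base64 + gzinflate layers until plain text remains.

    PHP's gzinflate() consumes a raw DEFLATE stream, which for zlib means
    wbits=-15 (no zlib or gzip header)."""
    for _ in range(max_layers):
        data = zlib.decompress(base64.b64decode(payload_b64), -15)
        text = data.decode("utf-8", errors="replace")
        nested = find_injection(text)
        if nested is None:
            return text          # innermost layer: the real payload
        payload_b64 = nested     # another wrapper: keep going
    raise ValueError("more than %d obfuscation layers" % max_layers)


def scan_tree(root: str):
    """Walk a document root and return (timestamp, path) for every PHP file
    carrying the prologue, newest first. A tight mtime cluster shows when the
    mass injection ran; the oldest hit is the one to look up in the log."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                if find_injection(fh.read()) is not None:
                    hits.append((os.path.getmtime(path), path))
    hits.sort(reverse=True)
    return [(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts)), p)
            for ts, p in hits]


def make_sample(inner: str, layers: int = 2) -> str:
    """Constructed fixture, not a real sample: wrap `inner` in `layers` nested
    eval(gzinflate(base64_decode())) prologues, then a clean file body."""
    text = inner
    for _ in range(layers):
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate
        deflated = comp.compress(text.encode()) + comp.flush()
        b64 = base64.b64encode(deflated).decode("ascii")
        text = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % b64
    return text + "\n<?php\n// the site's own file starts here\n"


if __name__ == "__main__":
    for stamp, path in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(stamp, path)
```

Run it against the document root. Because the site is restored from a Git checkout, `git status --porcelain` in that directory lists every file that differs from the backup without relying on any pattern, and matching the mtimes reported here against the web server access log for the same minutes is the quickest way to see which request wrote the files.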




4 Comments


@Gretchen104

Several things to check/consider when self-hosting WordPress:

1. Are your plugins safe? Did you get them from the wordpress.org repository or elsewhere? If elsewhere, are these known-good developers (e.g. Gravity Forms) or something off Envato/Themeforest?

2. Same questions about your theme. Where did it come from? Has it been checked thoroughly for security problems with the Theme Check plugin and other tools?

These two questions cover the majority of WordPress-generated security problems. It's almost always a poorly coded plugin or theme (or sometimes one with a deliberate backdoor) that is the vector for the attack. Aside from not just installing any random theme and plugin and really researching everything else, I strongly recommend installing BruteProtect (soon to be bundled with Jetpack) and WordFence. Both are free and will help keep you protected. If you are willing/able to spend money, a subscription to Sucuri (especially their firewall product) or StopTheHacker will go even further in preventing drive-by style attacks.

As the other answers indicate, it could also be poor server security that gets you. If the attacker can compromise a shell user, all sorts of nastiness ensues and WordPress, by virtue of its popularity, becomes the target for script-based attacks because you are virtually guaranteed to get the most effect out of a script targeting WordPress. If your server gets nailed over and over again, perhaps it is time to consider a switch in hosting? The dedicated WordPress hosts (including Dreamhost's own offering, WP Engine, Rackspace, Page.ly, Synthesis) will handle security for you in return for an increased monthly fee and for some people, that's really the best option.


@Reiling115

I've had WordPress sites on Dreamhost get hacked as well. I was using their shared hosting package, and I'm assuming you are as well. The hackers got in by compromising another user on the server, then reading my wp-config.php (which had 0644 permissions, so world-readable), accessing the database and creating their own admin user in the wp_users table. Once they're an admin, it's a lot easier for them to find a way to run PHP code as your user (installing plugins, writing to the theme files, etc).

Since Dreamhost runs under suEXEC/suPHP (as your user that you use for FTP), you can change the permissions on the wp-config.php to 0600 or 0640. I would also change the permissions on your home directory to disallow any user to list the contents of it, which is probably how they found it in the first place. So chmod 710 ~. You may notice Dreamhost has similar permissions on the /home directory since you can't do ls /home. The hackers can however do cat /etc/passwd to get a list of users to target, which is probably how they found yours. You should also check to see if there are SSH keys installed in ~/.ssh/authorized_keys (there was for me, which is how they got in a second time).


@Chiappetta492

There is a good chance the problem has nothing to do with a user/login, but with the permissions set to the files. If one php-file has too many rights, and they know how to abuse it, you've got a breach like you've described.

In normal settings, directories should be 0755 and files 0644.
Directories which have changeable content (need to put files in it) 0777 and files 0666.

Also, make sure all files have the proper owners (eg: NEVER root).

Some (maybe) handy commands for the commandline/shell:

find . -type d -exec chmod a+x {} \;    # set dirs +execute
find . -type f -exec chmod a-x {} \;    # set files -execute (only dirs are executable)
find . -type f -exec chmod a-w {} \;    # set files -writable/changeable
chmod -R a+rw ./somedir                 # will set all files and dirs (read- and) writable
chown -R username:username ./somedir    # will set ALL owners to username


Also, there are various tools and sites describing how to lock up your WP site, which files are vulnerable, etc. I'm not a WPer myself, but we host some WP sites.
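Added example serving the permission points in @Reiling115's and @Chiappetta492's answers above (not code from either answer): a Python audit, meant to be run as the site's own shell user on the suEXEC/suPHP host, that reports a world-readable wp-config.php, a home directory other users can list, every entry in ~/.ssh/authorized_keys so each can be vouched for, and anything under the document root that is world-writable, executable, or owned by another uid. It reports rather than chmods, so the 0777 upload directories the second answer allows show up for review instead of being silently changed. The build_fixture function creates a constructed layout for trying it offline; the thresholds (600/640 for wp-config.php, 710 for the home directory, 755/644 below the document root) are the ones those answers give.

```python
import os
import stat
import sys
import tempfile


def _mode(path):
    """Permission bits only (no file-type bits), without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_wp_config(path):
    """wp-config.php holds the database credentials; under suEXEC/suPHP the
    PHP process runs as the file's owner, so nobody else needs to read it."""
    findings, mode = [], _mode(path)
    if mode & stat.S_IROTH:
        findings.append("%s is world-readable (mode %o); chmod 600 or 640" % (path, mode))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("%s is group- or world-writable (mode %o)" % (path, mode))
    return findings


def audit_home(home):
    """A listable home directory tells other users where the site lives; an
    authorized_keys entry you did not add is a persistent back door."""
    findings, mode = [], _mode(home)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("%s is listable by other users (mode %o); chmod 710" % (home, mode))
    keys = os.path.join(home, ".ssh", "authorized_keys")
    if os.path.isfile(keys):
        with open(keys, encoding="utf-8", errors="replace") as fh:
            entries = [l.strip() for l in fh if l.strip() and not l.startswith("#")]
        for entry in entries:
            parts = entry.split()   # first field (key type or options) + comment
            findings.append("authorized_keys entry: %s ... %s (verify you added it)"
                            % (parts[0], " ".join(parts[2:]) or "<no comment>"))
    return findings


def audit_docroot(root):
    """Baseline from the answers: directories 755, files 644, all owned by the
    site user. Report departures instead of changing them."""
    findings, me = [], os.geteuid()
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append("%s is world-writable (mode %o)" % (path, mode))
            if stat.S_ISREG(st.st_mode) and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append("%s is an executable file (mode %o)" % (path, mode))
            if st.st_uid != me:
                findings.append("%s is owned by uid %d, not the site user" % (path, st.st_uid))
    return findings


def audit_all(home, docroot):
    """All findings as plain strings, one per problem."""
    return (audit_wp_config(os.path.join(docroot, "wp-config.php"))
            + audit_home(home) + audit_docroot(docroot))


def build_fixture(config_mode=0o644, home_mode=0o755, uploads_mode=0o777):
    """Constructed layout (not a real account): ~/site/wp-config.php,
    ~/site/wp-content/uploads and one made-up ~/.ssh/authorized_keys line.
    Default modes reproduce the weak settings the answers describe."""
    home = tempfile.mkdtemp(prefix="wpaudit-")
    site = os.path.join(home, "site")
    uploads = os.path.join(site, "wp-content", "uploads")
    os.makedirs(uploads)
    config = os.path.join(site, "wp-config.php")
    with open(config, "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed'); ?>\n")
    os.makedirs(os.path.join(home, ".ssh"))
    with open(os.path.join(home, ".ssh", "authorized_keys"), "w") as fh:
        fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAconstructed fixture-key@example.invalid\n")
    for d in (site, os.path.join(site, "wp-content")):
        os.chmod(d, 0o755)
    os.chmod(config, config_mode)
    os.chmod(uploads, uploads_mode)
    os.chmod(home, home_mode)
    return home, site


if __name__ == "__main__":
    docroot = sys.argv[1] if len(sys.argv) > 1 else "."
    for line in audit_all(os.path.expanduser("~"), docroot):
        print(line)
```

Run it as the site user with the document root as the argument; an empty report means the file side of those two answers is in place, while the authorized_keys lines still need a human to confirm each one.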


@Jamie184

Honestly, there may be a true virus on your site. These exist solely to hack Wordpress websites and no amount of re-installing and re-deploying will stop it short of a complete anti-virus scan including rootkit and possibly wiping the hard drive and starting over if necessary.

As well, make sure that ALL of your software is fully up to date especially Wordpress. Wordpress is the single most hacked software there is. None come close. Also, make sure that all unnecessary services are stopped and there are no open ports except the ones you intend. FTP and DNS are particularly dangerous because of reflection attacks. This does not mean that you cannot use them, just make sure you have them in "jail" if possible and up to date.
