Geekzone: technology news, blogs, forums

martyyn
#209107 13-Mar-2017 11:25

I was asked to look at a site last week which had been hacked and shut down by their hosts. Neither Wordpress, their themes, nor any of the 20+ plugins they use had been updated for months, if ever.

 

So I did the basics. Updated WP to 4.7.3, deleted unused themes, changed all user passwords, kicked out anyone still logged in, updated all the plugins (I don't know what is used and what isn't so didn't delete any) and after installing Wordfence I spent the afternoon running multiple scans to clean it all up and then checked again with Sucuri. All was good.

 

But Wordfence showed compromised files again the next day so it was rightly shut down again.

 

So I'm looking at it now. Wordfence does show a couple of files, which I've cleaned again, and I'm wondering what the next step is. The domain was clearly sending out spam via email addresses which don't exist with the host, so where do I look next?

 

An interesting thing I noticed was one of the users was logged in but I know for a fact they haven't logged in at all because I haven't given out any of the new passwords. So I've changed that password again and set all users (other than me) to subscriber. I'm not sure if that will help but I'll also delete those not needed.

 

Wordfence has just run again and found nothing.

 

Any suggestions on what I can check for next?

 

 


timmmay
#1735633 13-Mar-2017 11:30

Change all hosting passwords. Check all other software or scripts on the server to see if it's compromised. Don't trust plugins as authoritative. Change passwords for every user associated with it - ssh, ftp, control panel, and for every other piece of software on the box.

 

Maybe check the web server logs to see if you can see anything suspicious.

 

If that doesn't fix it, I guess you need more information. Moving hosts could be one mitigation, it would at least rule something out.
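For the "check the web server logs" step, here is an added example (not code from the thread or from any poster) of a first pass over a combined-format Apache/nginx access log. The log lines are constructed for the demo, the IPs are documentation-range addresses, and the uploads path is made up; only the patterns being looked for (POST floods against wp-login.php and xmlrpc.php, a 302 marking a login that worked, and requests for PHP under wp-content/uploads) come from the discussion.

```shell
#!/bin/sh
# Added example, not code from the thread: a first pass over a combined-format
# (Apache/nginx) access log for the things this thread is worried about.
# The log lines are constructed for the demo; IPs are documentation ranges.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [12/Mar/2017:03:14:01 +1300] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2017:03:14:02 +1300] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2017:03:14:03 +1300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2017:03:20:11 +1300] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.9"
198.51.100.9 - - [12/Mar/2017:03:20:12 +1300] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.9"
192.0.2.77 - - [12/Mar/2017:04:02:55 +1300] "GET /wp-content/uploads/2017/03/cache.php?x=1 HTTP/1.1" 200 88 "-" "curl/7.47.0"
192.0.2.10 - - [12/Mar/2017:09:00:00 +1300] "GET /about/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
EOF

# Combined-format fields: $1 client IP, $4 [timestamp, $6 "METHOD, $7 path, $9 status.

# POSTs to wp-login.php and xmlrpc.php per client, busiest first. These are the
# two endpoints password-guessing tools hammer; a few IPs with hundreds of
# POSTs each is the usual picture.
login_posts_by_ip() {
    awk '$6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") { c[$1]++ }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# WordPress answers a failed login with 200 (form re-rendered) and a successful
# one with a 302 redirect, so a 302 after a run of 200s from one IP is the
# guess that worked. Prints "ip timestamp" for each 302.
successful_logins() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == "302" { print $1, substr($4, 2) }' "$1"
}

# Any request for a .php file under wp-content/uploads (query string stripped).
# That directory should only ever serve media, so each hit names a file to go
# and look at on disk.
php_hits_in_uploads() {
    awk '{ split($7, p, "?"); path = p[1]
           if (path ~ /^\/wp-content\/uploads\/.*\.php$/) print $1, path }' "$1"
}

echo "== POSTs to login endpoints per IP =="; login_posts_by_ip "$SAMPLE_LOG"
echo "== successful logins =="; successful_logins "$SAMPLE_LOG"
echo "== PHP requested under uploads =="; php_hits_in_uploads "$SAMPLE_LOG"
```

On a real host, point the functions at the domain's access log instead of the constructed file (on a shared host with only a control panel, the domain's log download is usually the only way to get it). The timestamp of the first 302 and of the first request for a PHP file under uploads are what you want: they bracket when the account was taken and when the dropped file started being used.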




ubergeeknz
#1735637 13-Mar-2017 11:32

What plugins do you have? Eliminate any you don't need. Same for themes. Use very strong passwords. Remove privileges from the account called "Admin" and create another admin account.  Configure Wordfence's automatic blocking.  Deny access to RPC unless it's needed.  And the advice above.  Good luck!


timmmay
#1735646 13-Mar-2017 11:41

Actually delete the account named "admin", after transferring all the information to other users. You could also put a WAF / IPS / IDS in place. CloudFlare would help a bit and has a free plan, but you'd have to block connections that don't come from CloudFlare at your firewall.




xpd
#1735686 13-Mar-2017 12:13

Change passwords, disable all plugins - only add plugins as they're really needed.

 

Have seen one install that literally had 60 plugins installed, with only about 12 actually being used.

 

 

muppet
#1735691 13-Mar-2017 12:18

If it's running on Apache and you can control that, mod_security with the OWASP ruleset.


timmmay
#1735692 13-Mar-2017 12:20

mod_security with the OWASP ruleset actually blocks a lot of stuff and breaks websites. If you do that you need to monitor it closely.


martyyn
#1735696 13-Mar-2017 12:24

I've changed the hosting account and ftp passwords. Created two new WP accounts, one admin for me and one as an author and I've transferred all content to that author. All user accounts have new passwords and are set to subscriber whilst I find out who can be deleted.

 

Set Wordfence to immediately block anyone using an obvious username (admin, domainname, etc), anyone using an invalid username, including forgotten password attempts, etc.

 

Now I'm off to check the logs and go through the plugins. Only ever use 5-6 on any site I've built so seeing 24 is something new!

 

 

amanzi
#1735699 13-Mar-2017 12:30

I've seen this before... sounds like you have malware installed on the server, possibly something like "Linux/Mumblehard". Check your cron jobs to see if there's a script set to run on a schedule and delete any cronjobs you don't recognise along with the scripts being executed. Download clamav and run a full scan on the server. Also, check your directory permissions on the Wordpress site. Ideally you don't want the user account that the webserver is running as (e.g. www-data) to have write permissions to the wordpress directories, except for specific directories like uploads, etc. The directories that are writable by the webserver account, make sure there aren't any php files in there - should only be media files. Also note that changing these permissions will break the built-in Wordpress updater, so you'll need to figure out a new process to install updates - either change file permissions just before and after an update, or update manually by downloading the zip file and extracting into the Wordpress install.

 

Send me a PM if you need any further advice, happy to share my experiences.


martyyn
#1735700 13-Mar-2017 12:31

I don't have access to any of the mod_sec stuff. I'm basically sitting here with the WP site and a cut down Plesk control panel and that's it.


martyyn
#1735701 13-Mar-2017 12:34

amanzi:

 

I've seen this before... sounds like you have malware installed on the server, possibly something like "Linux/Mumblehard".

 

 

Hmmmm, initially this morning the hosts said their own servers had been compromised and they had moved everyone to a new server. An hour later they said it was this site which was compromised again. Might need to go back to them I think.

 

They showed an email being sent from this domain but with an address which doesn't exist in the control panel.

 

amanzi:

 

Check your cron jobs to see if there's a script set to run on a schedule and delete any cronjobs you don't recognise along with the scripts being executed. Download clamav and run a full scan on the server. Also, check your directory permissions on the Wordpress site. Ideally you don't want the user account that the webserver is running as (e.g. www-data) to have write permissions to the wordpress directories, except for specific directories like uploads, etc. The directories that are writable by the webserver account, make sure there aren't any php files in there - should only be media files. Also note that changing these permissions will break the built-in Wordpress updater, so you'll need to figure out a new process to install updates - either change file permissions just before and after an update, or update manually by downloading the zip file and extracting into the Wordpress install.

 

Send me a PM if you need any further advice, happy to share my experiences.

 

 

Thanks, I'll have a look at all this as well.


michaelmurfy
#1735706 13-Mar-2017 12:48

Also check the .htaccess file as this is a common target for malware and overlooked. It honestly sounds like you're needing to find a new host if your one keeps getting owned.


martyyn
#1735708 13-Mar-2017 12:53

michaelmurfy:

 

Also check the .htaccess file as this is a common target for malware and overlooked. It honestly sounds like you're needing to find a new host if your one keeps getting owned.

 

 

Yep, checked that already. Found an interesting @include in the wp-config.php when I first started so I've gone through all the files in that dir. I've also gone through all the uploads directories checking for *.php files and there are none now.

 

I agree, it's been talked about previously they just never got around to it. It's going to be the first thing I suggest when I get this all sorted.
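The checks amanzi listed (no PHP under uploads, nothing the webserver account can write to outside uploads, unexpected cron entries) and the one martyyn did by hand (an unexpected @include in wp-config.php) can be scripted. The following is an added example, not code from the thread or from any poster: it builds a throwaway WordPress-shaped tree, a wp-config.php and a crontab that are constructed for the demo (the dropped file is an empty placeholder and the /tmp path is made up), then runs the four checks over them.

```shell
#!/bin/sh
# Added example, not code from the thread. Post-compromise checks on a
# WordPress tree, run from a shell on the host. The tree, wp-config.php and
# crontab below are constructed for the demo.

# 1. PHP files anywhere under wp-content/uploads. That directory should hold
#    media only, so every hit needs to be explained or removed.
php_in_upload_dirs() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' -o -name '*.php[0-9]' \) 2>/dev/null
}

# 2. Directories writable by everyone (-perm -002). A stock install needs
#    none; on the live host also list what the webserver account owns with
#    find "$ROOT" -user www-data -type d (or whatever account the host uses).
world_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null
}

# 3. include/require lines in wp-config.php. A stock file has exactly one,
#    require_once(ABSPATH . 'wp-settings.php'); anything else is suspect,
#    especially with a leading '@' silencing errors.
suspicious_includes() {
    grep -nE '(^|[^A-Za-z_])(include|require)(_once)?[^A-Za-z_]' "$1" | grep -v 'wp-settings.php'
}

# 4. Crontab lines that run an interpreter or downloader, or point at the web
#    tree or a temp directory. Reads a file; for the live crontab use
#    crontab -l | flag_cron_lines -
flag_cron_lines() {
    grep -vE '^[[:space:]]*(#|$)' "$1" |
        grep -E '(php|perl|python|curl|wget|/tmp/|/dev/shm|/wp-content/)'
}

# --- constructed sample tree ---------------------------------------------
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/wp-content/uploads/2017/03" "$ROOT/wp-content/themes"
: > "$ROOT/wp-content/uploads/2017/03/photo.jpg"
: > "$ROOT/wp-content/uploads/2017/03/cache.php"   # empty placeholder for a dropped file
chmod 777 "$ROOT/wp-content/uploads/2017/03"         # over-permissive directory

cat > "$ROOT/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wpdb');
@include('/tmp/.example-dropped-file');
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
EOF

cat > "$ROOT/crontab.sample" <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /usr/bin/php /var/www/html/wp-content/uploads/2017/03/cache.php >/dev/null 2>&1
EOF

echo "== PHP under uploads =="; php_in_upload_dirs "$ROOT"
echo "== world-writable dirs =="; world_writable_dirs "$ROOT"
echo "== includes in wp-config.php =="; suspicious_includes "$ROOT/wp-config.php"
echo "== cron lines to review =="; flag_cron_lines "$ROOT/crontab.sample"
```

Run it against the real document root by replacing the constructed tree with the install path; the cron check only sees the crontab you feed it, so look at each account's crontab and at /etc/cron.d as well. Note what each hit's mtime is before deleting anything: the dates line up with the access log and tell you whether the infection predates the password changes.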


muppet
#1735807 13-Mar-2017 15:13

timmmay:

 

mod_security with the OWASP ruleset actually blocks a lot of stuff and breaks websites. If you do that you need to monitor it closely.

 

 

 

 

The recently released v3.0 of the OWASP ruleset is much, much better than the previous. It's much more cautious, you can set a paranoia level and also tell it that a site is a Wordpress or Drupal site.

 

So yes, I agree with your statement pre the v3.0 ruleset, but I no longer think it's true.  I agree you should still monitor closely after deployment, but it's not the nightmare it used to be. 


Dynamic
#1735822 13-Mar-2017 15:33

martyyn: Set Wordfence to immediately block anyone using an obvious username (admin, domainname, etc), anyone using an invalid username, including forgotten password attempts, etc.

 

Perhaps have this on a timeout if you can... to avoid a rushed typo locking you out permanently!


martyyn
#1735853 13-Mar-2017 16:30

Finally got to talk to someone at the hosts who a) was happy to talk and b) knew what happened on the weekend.

 

It turns out the server we are on was compromised by malware and it looks like it infected us again. They have moved us to another server, have made changes to the server to stop it happening again and I've updated Wordfence which was apparently updated over the weekend for this exact vulnerability.

 

I have Wordfence blocking login attempts from India, Serbia, Croatia, Korea, Italy and Bulgaria at the moment :)

 

Fingers crossed.

