
WordPress site got hacked, how to prevent it and how to fix it

One of my WordPress sites was compromised: someone had successfully uploaded a PHP script that provides file system and root access to the server. In this post I am going to explain to you how I found out, how to fix it, and how to prevent this from happening.

1 – How I found out?

Last week I moved this blog to a new server and while copying files I noticed many folders and files of old plugins that are no longer in use. I took note of it and scheduled a maintenance to do the same in all the other WP sites I have, 4 in total.

While doing the cleaning of one of these sites I found something awkward: 2 files, one called v.php and another one sql.php, both in the /wp-content/ folder, created in September 2014. I never had any performance issue on that machine, and never found any weird error or behaviour…

I found it weird that they were in that folder; drop-ins are placed there, so it could be from a plugin or similar… but the size was weird, 825b and 250b each, wow, big files… I went ahead and opened v.php in the file editor, then in the browser (on my local)…

v.php

First line I see:

/* (1n73ction shell v3.1 by x'1n73ct|default pass:" 1n73ction ") */

Whaaaaat?

// Hides the shell from Google's crawler: any user agent containing "Google" gets a fake 404.
if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
@session_start();
// Silences every error and log line so nothing shows up in the server logs.
@error_reporting(0);
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
// Removes execution time limits and output buffering so long-running commands stay alive.
@ini_set('max_execution_time',0);
@ini_set('output_buffering',0);
@ini_set('display_errors', 0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);

If you keep looking in the file you can find some nasty stuff that it does such as:

  • File editor
  • SQL manager
  • Root access
  • Sell access
  • Mail, DDOS (so your server is basically a bot)
  • Mostly it’s like a badass cpanel….

2 – How the site got hacked?

I do not have a realistic answer, but I have a really good guess.

On my wp-config.php I had a horrible line (god knows when it was added):

define('WP_TEMP_DIR', ABSPATH . 'wp-content/');

That means that any temp file will be stored in wp-content… which explains why the files are in that folder. Or at least I think so.
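To check this setting on other installs, here is a small shell script I am adding as an example (it is not from the original post): it pulls the WP_TEMP_DIR define out of a wp-config.php and tells you whether the resolved path sits inside the web root, which is what left the dropped files reachable from the browser. The web root path, the replacement directory /var/tmp/wp-temp/ and the assumption that the define uses single quotes are mine.

```shell
#!/bin/sh
# Added example, not part of the original post. Reads a wp-config.php, extracts
# the WP_TEMP_DIR definition and reports whether it points inside the web root.
#
#   weak (the line from the post):  define('WP_TEMP_DIR', ABSPATH . 'wp-content/');
#   corrected (assumed path):       define('WP_TEMP_DIR', '/var/tmp/wp-temp/');
#
# The corrected directory must exist, be writable by the web server user, and
# not be served by the web server at all.

# Print the WP_TEMP_DIR value from config file $1 as a filesystem path.
# "ABSPATH . 'x'" is resolved against the web root given as $2 (WordPress sets
# ABSPATH to the directory that holds wp-config.php). Returns 1 when not defined,
# in which case WordPress falls back to the system temp dir.
wp_temp_dir() {
    raw=$(sed -n "s/.*define([[:space:]]*'WP_TEMP_DIR'[[:space:]]*,[[:space:]]*\([^)]*\));*.*/\1/p" "$1" | head -n 1)
    [ -n "$raw" ] || return 1
    case "$raw" in
        ABSPATH*)
            rel=$(printf '%s' "$raw" | sed -e "s/^ABSPATH[[:space:]]*\.[[:space:]]*//" -e "s/^'//" -e "s/'\$//")
            printf '%s/%s\n' "${2%/}" "$rel" ;;
        *)
            printf '%s\n' "$raw" | sed -e "s/^'//" -e "s/'\$//" ;;
    esac
}

# Exit 0 when the resolved temp dir lies under the web root $2, i.e. anything
# written there is served to the internet; exit 1 when unset or outside it.
temp_dir_web_reachable() {
    dir=$(wp_temp_dir "$1" "$2") || return 1
    case "$dir" in
        "${2%/}"/*|"${2%/}") return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh check-temp-dir.sh /path/to/wp-config.php /path/to/webroot
if [ "$#" -ge 2 ]; then
    if temp_dir_web_reachable "$1" "$2"; then
        echo "WARNING: WP_TEMP_DIR=$(wp_temp_dir "$1" "$2") is inside the web root $2"
    else
        echo "OK: WP_TEMP_DIR is unset or outside the web root"
    fi
fi
```

Run it once per install with the path of its wp-config.php and its document root; a warning means temp files land somewhere PHP is executed.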

But how did they get in there? Well… my first thought was a vulnerability in WordPress or in a plugin… on that site, which has been live since 2009, I have tested many many plugins.

So your guess is as good as mine. But my 5 cents go to a plugin issue. Here you have 7 popular plugins that had security flaws. At some point I had 2 of them installed, and another old one and this popular one… so 4 in total in the last years.

So yes, it was a vulnerability in the software, almost for sure… I always keep WP and the plugins updated… but you need to trust plugin authors and their best intentions.

3 – How to fix it?

Or at least I think it’s been fixed xD. Luckily nothing important got affected and no important information was stored, since we use the site only as a CMS; we do not store user passwords or anything.

But yeah I did this to feel safer 😉

  1. First I got the files removed from the server.
  2. I made a backup of everything I could.
  3. Modified all the MySQL user passwords: UPDATE mysql.user SET Password=PASSWORD('newpass') WHERE User='USERNAME'; FLUSH PRIVILEGES;
  4. Verified the users on the server: cat /etc/passwd
  5. Modified the root password of the server.
  6. Checked for other suspicious files:
    • "find /var/www/ -name '*.php' -type f -size +800c" this checks for files bigger than 800 bytes (note the c suffix: with b, find counts 512-byte blocks, not bytes)
    • "grep -ril base64 *" this will search for files that contain base64, which was used in the file and is typically used in this kind of files.
  7. Check for malicious code in our blog posts and pages… just in case.
    SELECT * FROM wp_xpn46l_posts WHERE post_content LIKE '%<iframe%' AND post_status = 'publish' AND post_type != 'revision'
    UNION
    SELECT * FROM wp_xpn46l_posts WHERE post_content LIKE '%<noscript%' AND post_status = 'publish' AND post_type != 'revision'
    UNION
    SELECT * FROM wp_xpn46l_posts WHERE post_content LIKE '%display:%' AND post_status = 'publish' AND post_type != 'revision';
  8. Or check your site with some security plugins like gotmls or tac; they seem legit.
  9. Do the same in all the installs and all servers…
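Step 6 as one reusable script, added here as an example (these are not the post's own commands): it walks a web root, flags PHP files containing the traits seen in v.php above (the Google user-agent check, the error-log suppression, plus the usual obfuscation helpers), prints their size, and separately lists PHP files changed recently, since a fresh file in a directory that should only change on updates is suspicious on its own. The pattern list, the 30-day window and the web root path are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Scans a web root for PHP files
# that show the traits of the dropped shell described above. The web root path,
# the pattern list and the 30-day window are assumptions for illustration.

# Regex alternatives typical of PHP web shells: obfuscation helpers, error-log
# suppression, and a user-agent check that hides the page from Google's crawler.
SHELL_PATTERNS='base64_decode\(|gzinflate\(|str_rot13\(|eval\(|error_log.*NULL|HTTP_USER_AGENT.*Google'

# Number of lines in file $1 matching any shell pattern (prints 0 when clean).
score_file() {
    grep -ciE "$SHELL_PATTERNS" "$1" 2>/dev/null || true
}

# Print "<hits> <bytes> <path>" for every .php file under $1 with at least one hit.
scan_webroot() {
    find "$1" -type f -name '*.php' -print | while IFS= read -r f; do
        hits=$(score_file "$f")
        if [ "${hits:-0}" -gt 0 ]; then
            bytes=$(wc -c < "$f" | tr -d ' ')
            echo "$hits $bytes $f"
        fi
    done
}

# PHP files under $1 modified in the last $2 days.
recently_changed() {
    find "$1" -type f -name '*.php' -mtime "-$2" -print
}

# Usage: sh webshell-scan.sh /var/www/html   (does nothing when called without a path)
if [ "$#" -gt 0 ]; then
    echo "== suspicious content under $1 =="
    scan_webroot "$1"
    echo "== php files changed in the last 30 days =="
    recently_changed "$1" 30
fi
```

Review every hit by hand: legitimate plugins also call base64_decode, so the number of matching lines plus an unexpected location (like a loose file in wp-content) is what points at a dropped shell, not a single match.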

4 – How to prevent from getting hacked?

Not a security expert here, but I will give the obvious, or not that obvious, advice.

  1. Only install trusted plugins (difficult to see); since months ago I check the code of each plugin. A good indicator could be the number of downloads, but that actually makes it more of a target.
  2. Keep your WordPress and plugins updated.
  3. Do daily backups!
  4. Change your admin and MySQL password periodically.
  5. If you can, have each site in a separate WP installation/server.
  6. Delete all the inactive themes and plugins.
  7. Do not use cracked plugins or themes: first, it’s illegal and unfair to the author, and second, they put them up for free because they add this sort of files.
  8. Activate 2-step verification. The plugin here works and the code is OK.
  9. If this is not good for you I recommend you to migrate to Jekyll 😉

I guess this is one of the reasons I love and hate WP: it is so popular that it is a target for hackers. Also the plugin market is a nest of bad code, plugins and interested developers selling you shit. Not all plugins are like this, but I would say most of them are pure spaghetti crap…

Please notice that if someone wants to be annoying / hack your site, they will be able to do it; with enough resources and time everything is possible… from brute force attacks to get your password to a simple DDoS to take your site down.

Some nice resources I found while doing research

PS: Sorry for the long post and title 😉

Image credit limecanvas.com