My WordPress website was hacked

Dear Sir,

Thank you for your advice.

How can I get the log file? Via SSH or in DA's control panel?

Cheers
My honest advice: if you don't know that, please pay for support here to help you. (I don't have time and also no experience with WP things), but some in the forum here do; that is their job and they earn money with it.

Explaining all and hoping you do things (100%) right is, I think, not the way to go here for your solution. You can also pay DA for support, and if you think / are sure DA has a BUG then they are glad to
 
After reading the first post, I immediately thought, "are you using Wordpress?"...... scrolled down, and, bingo, I was right.....

Why are you being hacked? You use Wordpress - a bad theme/plugin/etc....
 
Topic changed for accuracy (and not to create panic):

DirectAdmin control panel is easily hacked --> My DirectAdmin server got hacked

The original topic is a bold statement and should be confirmed before such a claim is made. :)
 
Ok, thanks. That is not what the community stands for.

Cheers
 
Sorry, but in my view that is giving the best advice concerning the given information and my own experience.

You can search the forum; there is a lot more advice pointing to paid support or else advising to open tickets at DA!

I think myself that is the most important thing for a support forum / community: if one thinks it makes no sense, to give such advice as soon as possible.

Then also others could react if there is still (hope), but.. ;)
 
Ok, thanks. That is not what the community stands for.
Neither is the community there to give lessons to people calling themselves admins and not even knowing the basics of the system.
Unless it's only hobby admins.

The community stands for helping you with system problems, and also a bit with other problems. It's not like communities give "do this and execute that" solutions to get rid of hackers or 3rd-party applications.

Anyway, the log files can be found via SSH, like in /var/log and /var/log/httpd and /var/log/httpd/domains.

And again, try some tips already given. I've only seen you asking things, but until now I didn't see you install maldetect and the results of a scan with that free tool for example.

If you want instant help and a fix and don't know the system yourself and you have customers, that is not where a community is for; that is when you pay somebody to fix it for you. If it's a hobby, it takes some more time and a bit of a learning curve.
But we also are only volunteers and this is not a DA issue, so DA most likely won't fix this for you.
 
And again, try some tips already given. I've only seen you asking things, but until now I didn't see you install maldetect and the results of a scan with that free tool for example.
Yup and so more. ;)
You also didn't follow the forum / support rules, as you didn't post your OS and versions used, the versions of DA and the versions of the apps such as WP (and plugins) you are using, and where the hacking took place the first time.
While this says nothing about used versions and used plugins, so vague!
Hi,

I can confirm that all plugins and theme are uptodate.

Thanks
Also, if he has given some user rights such as 777 on data / files to get things working, then poof. ☄️
 
Hello,

When we investigate hacked WordPress cases, we use malware scanners for checking the content of public_html and all nested folders. We list all PHP scripts and check them for suspicious code (inserts/includes) using automated scripts and visually read their content. When we find modified files we check their modification date, and then read all related logs from Apache/Nginx/Litespeed/OLS. But here you might face an issue: by default, webserver logs are stored by DirectAdmin for only 5 days. It's OK for users, it saves their disk space. But it might be a pain for server admins if they need to read logs for more days.

As of checking PHP scripts for suspicious lines, you need at least to read and understand basics of PHP scripting. It's a requirement.

As of reading logs for suspicious actions, you need to understand the web-server format of logging. That's another requirement.

What you might do is the following:

- Check a list of admins in every wordpress site. They might have an active admin access to a WP site.
- Scan upload directories for files with .php extension. You might most likely find backdoors there.
- Find files with short random names with .php extension recursively under public_html, something like 6-10 random chars: e.g. eferrgcsp.php, lgogidj.php. You might remove them.

But the best thing would be to clean install a WP site and import its content.
 
Dear Sir,

Thank you for great advice.

I think your advice may help me to solve my issues.

Do you know what the best malware scanners for WordPress are?

I have implemented 2FA for DA and 2FA for the WordPress admin using the Wordfence plugin, but the files are still modified every few days. I have also checked the log files in DA's control panel; there is no indication that a strange IP has accessed my server's DA.

The only issue may be that the previous hackers placed malware files into my server before I implemented 2FA. Yesterday, all jQuery files were modified again, as well as the index.php file.

Any advice is very appreciated.

Cheers
 
1. I guess you may have backdoor PHP program inside the website.

2. If 2, or more, websites under different DA users are compromised at the same time with similar symptoms, the server may be rooted/hacked.

---

Also, you may try to locate any malware files: SSH to the server, go to the end-user folder (/home/xxx/domains/yyy.com/public_html/), and issue -
(Below are some common functions used by malware. Sometimes WP also uses these functions)

find -type f -name '*.php' -print0 | xargs -0 grep -E 'base64_decode' | cut -d ":" -f1 | sort | uniq

find -type f -name '*.php' -print0 | xargs -0 grep -E "eval\(|eval\/|eval\ " | cut -d ":" -f1 | sort | uniq

find -type f -name '*.php' -print0 | xargs -0 grep -E 'gzdeflate' | cut -d ":" -f1 | sort | uniq

It will give you a list of files; you may have a look at whether they are malware.
If malware is found, you may consider finding some 3rd-party malware clean-up service.

Simply deleting them does not help the issue. It is difficult to locate ALL malware files at one time.

---

2FA does not help with FTP, nor with WP core/theme/plugin vulnerabilities
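The heuristics from zEitEr's post above (PHP files under uploads/, short random file names, modification dates, reading the access log for requests to the modified file) and the three grep commands in this post, put together as one triage script. This is an added example, not code from either poster. It builds a constructed, harmless site tree and a constructed Apache access log in a temp dir, and assumes the DirectAdmin layout named in the thread (/home/USER/domains/DOMAIN/public_html) and GNU/Linux find/grep; point SITE and ACCESS_LOG at a real account to use it.

```shell
#!/bin/sh
# Added example (not from the thread's posters): triage heuristics for a hacked
# WordPress tree, run here against a constructed sample site in a temp dir.
set -u

# --- constructed sample data (no real site is touched) -------------------------
SITE="$(mktemp -d)/public_html"
ACCESS_LOG="$(mktemp)"
trap 'rm -rf "${SITE%/public_html}" "$ACCESS_LOG"' EXIT
mkdir -p "$SITE/wp-includes" "$SITE/wp-content/uploads/2023/05"
printf '<?php echo "home"; ?>\n' > "$SITE/index.php"
printf '<?php function wp_helper() { return 1; }\n' > "$SITE/wp-includes/functions.php"
printf 'not php\n' > "$SITE/wp-content/uploads/2023/05/photo.png"
# Two planted look-alikes using the obfuscation calls the thread greps for; the
# encoded payload is just `echo 1;` and the gzinflate argument is a dummy.
printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$SITE/wp-content/uploads/2023/05/eferrgcsp.php"
printf '<?php eval(gzinflate(base64_decode("x")));\n' > "$SITE/lgogidj.php"
# Backdate the legitimate files so only the planted ones count as recently modified.
touch -t 202301010000 "$SITE/index.php" "$SITE/wp-includes/functions.php"

# Constructed Apache combined-format access log: one POST hit the planted file.
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.10 - - [02/May/2023:10:01:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [02/May/2023:10:01:13 +0000] "GET /wp-content/uploads/2023/05/photo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [02/May/2023:10:07:41 +0000] "POST /lgogidj.php HTTP/1.1" 200 31 "-" "python-requests/2.28"
EOF

# --- triage functions ----------------------------------------------------------

# PHP files under uploads/: WordPress never needs executable PHP there.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php'
}

# Short all-lowercase names (6-10 letters) outside the core directories. Noisy by
# design: theme files such as functions.php also match; compare candidates
# against a clean copy of the same WP/theme version before deleting anything.
short_random_php() {
    find "$1" -type f -name '*.php' \
        ! -path '*/wp-admin/*' ! -path '*/wp-includes/*' \
        | grep -E '/[a-z]{6,10}\.php$'
}

# One pass over all PHP files for the obfuscation functions named in the thread.
suspicious_calls() {
    find "$1" -type f -name '*.php' -exec \
        grep -lE 'base64_decode|eval[[:space:]]*\(|gz(inflate|deflate|uncompress)|str_rot13' {} +
}

# PHP files changed in the last N days (the "check their modification date" step).
modified_within_days() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# Requests for a given URL path, to read alongside the file's mtime; remember the
# thread's caveat that DirectAdmin keeps these logs for 5 days by default.
requests_for_path() {
    grep -F " $2 " "$1"
}

count_lines() { wc -l | tr -d ' '; }

echo "== PHP under uploads";        php_in_uploads "$SITE"
echo "== short random names";       short_random_php "$SITE"
echo "== suspicious calls";         suspicious_calls "$SITE"
echo "== modified in last day";     modified_within_days "$SITE" 1
echo "== requests to planted file"; requests_for_path "$ACCESS_LOG" /lgogidj.php
```

Each function prints candidate paths only; the thread's advice stands that candidates must be read by hand, and that deleting them without finding the entry point (outdated plugin, leaked FTP or DB credentials) just leaves the door open for the next drop.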
 
Do you know what the best malware scanners for WordPress are?

For automated scanning we use ClamAV (free) + virus definitions from Malware.expert (commercial) + Maldet scanner (free). They might find most of known malware, but the scanners might miss unknown items.

Please note, ClamAV+maldet might cause a server performance decrease, in case you have a significant number of files under /home/*/domains/*/public_html/ and a slow HDD.

For manual scanning see the post from user @ccto. The suggested commands might help you to find malware missed by the scanners. But you will need to manually check the found files in order to identify whether they are a real threat.

And yes, as already mentioned by many users here, until you remove all backdoors and malware (I assume you still have them), neither 2FA nor strong passwords will ever help you. Backdoors are used to get access bypassing password/key authentication on a server.
 
Yes, sir, you are right, because all my WordPress websites have the same files modified at the same time. So the issue may be from ROOT, where the previous hackers installed malware.

I will try to follow the advice from you and zEitEr. If I resolve it, I will let the community know so that others can use it to solve their similar issues.

Cheers
 
Update: I use Wordfence to scan for malware; it has found sitemap.xml, which had malicious software inserted when my server was hacked about 1 month ago, but I did not delete it at all. I have now deleted it and created a new one.

Wait to see if any files are modified in the coming days by malware.

Many thanks for all.

Cheers
 
it has found sitemap.xml, which had malicious software inserted when my server was hacked about 1 month ago, but I did not delete it at all. I have now deleted it and created a new one.
That alone doesn't help you, I guess! (meaning if this is your only measure..., and again proof you need external help on your box)
Content in the WP database.... user settings, user rights and so on.
Yes, sir, you are right, because all my WordPress websites have the same files modified at the same time. So the issue may be from ROOT, where the previous hackers installed malware.
And is this if they are your websites, meaning under one USER (YOU)?
Then no, that doesn't mean user root is hacked. (could be, but needn't be)

And all those things you write in that way are why I gave you the advice to hire someone and install a complete clean new WP, as @zEitEr advised; he can maybe do some for you..

You didn't even listen to most of the advice from them (users trying to help you here with their time in this topic) to scan with real scanners; "wordfence" alone is so ...
But the best thing would be to clean install a WP site and import its content.

So it could be there is more time now between yes/no hacked sites, but it comes back, I am pretty sure about that, if you did only the things you wrote here so far, sorry.

You didn't even post the real complete result of the malware found in that sitemap.xml file, while there should be more info about that too; for support such things are very important! (a sitemap.xml, for example, is very easy to check for yes or no code in it, and with that code it could be easier to find out about the hack) (you did, as an example, write you deleted those? if yes, all, then bad bad; support for making things clean needs infected files to know more about hacks)
Oh yeah, probably if sitemap.xml is really hacked you also have a problem setting the user rights to those needed. (only guessing here ;) )

And people knowing me know I am a nice person, so I mean it well for you! my criticism..
 
Dear All,

Update: After removing the affected sitemap.xml from a WordPress website, it seems all my WP websites on the server using the DA control panel are working well.

If someone has similar issues, make sure:

1. Implement 2FA on DA using:
-Google Authenticator
-and Security Question

2. Install & activate the Wordfence Security plugin on all your WordPress websites on your server.

Scan your WP website using the Wordfence plugin; if any file has been modified or affected by malicious code inserted by the hackers, Wordfence will show it after the scan is complete.

3. Backup your website before you fix or delete (if you think they are new files) those affected files.

You will have good security systems on both DA and your WP websites.

I will also update if my websites are affected by malware in the coming days or weeks after today's update.

Have a nice day
 
Don't forget to change all your database passwords for those WordPress installs. The attacker could have read the DB connection details from the config files. With access to the DB, he could become administrator.
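The point in this reply (the DB credentials sit in cleartext in wp-config.php, so anything that can read files in the account can read them) and the earlier remark about 777 rights, as an added shell example that is not from any poster: it walks every wp-config.php under the DirectAdmin layout named in the thread (/home/USER/domains/DOMAIN/public_html, assumed), flags the ones readable by other local users, and lists the DB accounts whose passwords should be rotated. The three accounts, domains and the placeholder password are constructed in a temp dir; point ROOT at / on a real server.

```shell
#!/bin/sh
# Added example (not from the thread): audit wp-config.php permissions and collect
# the DB accounts whose passwords need rotating after a compromise.
# Assumption: DirectAdmin layout /home/USER/domains/DOMAIN/public_html; the tree
# below is constructed in a temp dir, no real site is read.
set -u

ROOT="$(mktemp -d)"
trap 'rm -rf "$ROOT"' EXIT

# mk_site USER DOMAIN DBUSER MODE: write a minimal wp-config.php with a
# constructed placeholder password, then apply the file mode under test.
mk_site() {
    dir="$ROOT/home/$1/domains/$2/public_html"
    mkdir -p "$dir"
    cat > "$dir/wp-config.php" <<EOF
<?php
define( 'DB_NAME', '${1}_wp' );
define( 'DB_USER', '$3' );
define( 'DB_PASSWORD', 'constructed-placeholder' );
define( 'DB_HOST', 'localhost' );
EOF
    chmod "$4" "$dir/wp-config.php"
}
mk_site alice example.com  alice_wp 600   # owner-only: what it should be
mk_site bob   shop.example bob_wp   644   # common after an upload with default umask
mk_site carol blog.example carol_wp 777   # the "777 to make things work" case

# All wp-config.php files under ROOT, one per line, in a stable order.
all_configs() {
    find "$1" -type f -name wp-config.php | sort
}

# Configs that any local user (including another hosting account's PHP) can read.
world_readable_configs() {
    find "$1" -type f -name wp-config.php -perm -004 | sort
}

# config_value FILE KEY: the string assigned with define('KEY', '...').
config_value() {
    sed -n "s/.*define( *'$2', *'\([^']*\)'.*/\1/p" "$1"
}

# One "dbuser@dbhost" per site. Every one of these passwords should be rotated
# after a compromise regardless of file mode: a backdoor runs as the site's own
# user and reads the file anyway; the mode only decides who else can.
db_accounts_to_rotate() {
    all_configs "$1" | while read -r cfg; do
        printf '%s@%s\n' "$(config_value "$cfg" DB_USER)" "$(config_value "$cfg" DB_HOST)"
    done | sort -u
}

# Human-readable report combining both checks.
audit_report() {
    all_configs "$1" | while read -r cfg; do
        if find "$cfg" -perm -004 | grep -q .; then
            flag="WORLD-READABLE"
        else
            flag="ok"
        fi
        printf '%-15s %s\n' "$flag" "$cfg"
    done
}

audit_report "$ROOT"
echo "== DB accounts to rotate"
db_accounts_to_rotate "$ROOT"
```

Rotating means changing the password on the MySQL/MariaDB account and in wp-config.php together, then fixing the mode to 600 (or 640 with the webserver group, depending on how PHP runs under DirectAdmin); rotating only one side takes the site down, and rotating neither leaves the reply's scenario open.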
 