Solved wp-stream.php hacked site

[xerox]

Hello,

One client wordpress site got hacked and I want to see where it came from to block the IP with firewall.

I dont see any log entry in pureftp.log file exact time when the injected files where modified / and put some code into them, like index.php.

I dont see anything happening the same time at apache log also.

So, I am wondering, what method they can hack the web and put files in the ftp then

 

[xerox]

Also do we have some sort of protection to this types of hacks?

 

[Active8]

Install Wordfence WAF plugin on your WP site , there us an vulnerability with Elementor Plugin , check your site with: https://sucuri.net/

 

[xerox]

Ok, thanks. I was wondering that the elementor could be the issue. They attack the most popular plugins the most.

 

[xerox]

Is there a wordpress malware plugin for directadmin as well which automatically will figure out such hacks?

 

[Max-PH]

ModSecurity will prevent many attacks.

 

[xerox]

FYI I am already using modsecurity with csf.

 

[xerox]

I think this would help:

ConfigServer eXploit Scanner Sales FAQ

www.configserver.com

 

[Richard G]

One client wordpress site got hacked and I want to see where it came from to block the IP with firewall.

Won't do any good, because there are lots of others which might be able to hack.
It's better to find out how they hacked it. Most likely a too easy password or a not up to date or leak script.

Install Maldetect too, also helped our server prevent some isseus with suspicious themes for WP with base64 encoding and backdoors present.

 

[factor]

I think this would help:

ConfigServer eXploit Scanner Sales FAQ

www.configserver.com

If you are on CentOS 7. There is a guide in the how to section I wrote.

 

[xerox]

For the followup, there was a wordpress plugin security hole in elementor plus addon.

Critical 0-Day The Plus Add-Ons Vulnerability Fixed Under 48 Hours | The Plus Addons for Elementor

The Plus Add-ons was Hit With the Cyber Attack recently. Our Development Team immediately started working on the Patch and Launched a completely Secure &

theplusaddons.com

 

[factor]

Thanks @xerox for coming back and letting us know.

if you think it solved please mark solved https://forum.directadmin.com/threads/how-to-mark-solved.63256/

 

[LawsHosting]

I just found out a client hasn't updated their Wordstress site since 2012..... It started sending spam (via a plugin)...... and failed to work on PHP 7.x when switched.... Ah, Wordstress love it!

 

[factor]

client hasn't updated their Wordstress site since 2012

Shut them down.

 

[LawsHosting]

Shut them down.

I did, well, got a colleague to do some maintenance (cleaned, etc) and put an under-construction page on...... Now we have offered them for us to update it all for a fee....

 

[Max-PH]

For the followup, there was a wordpress plugin security hole in elementor plus addon.

Critical 0-Day The Plus Add-Ons Vulnerability Fixed Under 48 Hours | The Plus Addons for Elementor

The Plus Add-ons was Hit With the Cyber Attack recently. Our Development Team immediately started working on the Patch and Launched a completely Secure &

theplusaddons.com

There is live now on how to clean up after this hack here

 

[Richard G]

I just found out a client hasn't updated their Wordstress site since 2012.

OMG. We use Softaculous for this and warn every customer to keep their stuff up2date. Softaculous sends notifications of updates automatically. And if users do not update their stuff and it gets too old, they are also warned we upgrade it via Softaculous and issues arising after the update will be for their own responsibility.
We don't take any risks anymore with old Wordpress or Joomla stuff.

 

[factor]

We use Installatron and do the same thing.

 

[LawsHosting]

Well, the server it was migrated from (6 months ago) did have Installatron, but not sure if it was updating....... After migration, Installatron is blank for this account, so I guess the site setting details for Installatron do not get backed up? ?‍

 

[xerox]

Thanks @xerox for coming back and letting us know.

if you think it solved please mark solved https://forum.directadmin.com/threads/how-to-mark-solved.63256/

No, problem, I got mine fixed with a yesterday's backup - ftp files + database needed to recover this. I also got the newest plugin version, so I patched the plugin before I reuploaded the backup files.

Cheers.