They weren't lying.

THE SAGA CONTINUES!

As I've been working on straightening everything out as per this thread, turns out I am still hacked / hacked again, and this time it's something different yet again.

Update from before...they admitted they should have been proactive and noticed that the email was hacked before giving me the green light that everything was all good. In situations like this, that goes a long way. Just admitting it. So I appreciated that. I just want to know what went wrong and how we can make sure it doesn't happen again. Anyways...

This time, anybody visiting my site via an inbound link is being redirected to some sort of survey offers. The links from other sites look normal, but clicking them redirects my traffic. Talk about a fuckin' traffic leak!

I mentioned it to WiredTree, who told me "Yes, it looks like this site has been compromised for quite a while."

Despite the fact that after both previous hacks, they gave me the green light that it was all good. I was going to have the email logs looked at by somebody, but they deleted them. I was going to have the rest of the files looked at, but they told me they overwrote them so the "last edited" dates would be useless. The three stooges over here pretty much!

The icing on the cake was being told "Nobody here should have told you that your site was fixed after the last hacking, because nobody here is qualified to know that."

Nobody at my fucking web host is qualified to know whether or not my site is still infected, or how it happened (because they edited files and deleted the logs.)

I was supposed to get a follow-up from an admin. Never happened. They were supposed to scan the site again a few days after saying it was all good last time, never happened. The reason I noticed this is because a visitor to my site told me.

I need to make it clear I'm not blaming WiredTree for my site being hacked, that's definitely not their fault. It's also not their job to help me, since their definition "fully managed" servers cover the server and any software that comes pre-installed, which doesn't include Wordpress. Fair enough. They told me I would need to spend $180-$270 for a VPS that was managed enough to have somebody qualified enough to not tell me it's all been secured when it hasn't been.

It would have been cool if they told me from the get-go that they are not qualified at all to do anything in regards to security (besdies a malware scan), then I wouldn't have taken them at face value when they told me the issues had been fixed. Like, if it's against your policy to help with this stuff because you aren't qualified, maybe let people know so they don't accept your help and get a false sense of security when you tell them their site has been secured again. And again. And again.

I really want to emphasize that I'm not blaming them. This is all my bad. I'm not pissed off (Okay, maybe a little bit), I'm typing this with a grin on my face like "Really?! What's next!"

They definitely aren't short on time tho, every response today has ignored my questions and issues and instead gone into great depth explaining how this isn't their fault at all, and how they aren't qualified to handle this, and how rare it is for any of their other customers to get hacked. They told me that they have TONS of clients who aren't hacked, so this is my fault.

And fair enough! I'm running Wordpress, I know the risks of running Wordpress, and they couldn't possibly be on top of every potential security flaw that opens up. I was using the wrong host for a wordpress site, they said I need to get a Wordpress host for $180-$270 per month if I want managed wordpress hosting, not just managed hosting. That isn't wiredtree's fault at all. I had some out of date plugins, or SOMETHING, that started this whole mess in the first place, and that's 100% on me.

Anyone reading this by now is probabally like "WTF dude, switch hosts already..." I am. I definitely am. I just wanted to share this, and my venting in this thread has opened the door for some of the real bright people here to share some amazing tips for security, and hopefully inspired a few other people to double-check to make sure their fortresses are in order. So all in all, it's a net positive for sure.

Wiredtree's first recommendation when finding out my site was (still or) hacked again, was to buy a Sucuri plan. With all of the money I'm going to save on my hosting bill after switching to Knownhost, I just may do that.

This wasn't even a hosting plan for any of my sites that are making money... which I guess is ultimately a good thing haha.

Anyways,

Thanks for reading, hopefully there's more in here that helps somebody else from making the same mistakes I've made, try not to judge me too hard lol.
 
Last edited:
PS is there anyone here who can help with a malware cleanup?
 
Here is the reality -

If #1 You aren't willing to pay to have a security guy come in and clean up your wordpress nor your servers what do you expect? I know dozens of people on this forum that can help you clean up your wordpress, I know I CAN, I know people in this thread can and I've hired people in this thread for server related issues, problem is you actually NEVER gave the impression you wanted to "hire" someone to do that.

#2 moving hosts WILL NOT SOLVE YOUR PROBLEM. It will exacerbate the problem. I've cleaned up several wordpress installs, I know every single place the cracker put a their base64 php files that's running to continuously infect your wordpress. They have several variations within your wp/upload folder inside each potential img upload folder's subfolders, and within your theme, within your wp-admin, etc.

You LITERALLY need to download your whole site onto a local machine and search for modified files and uploaded files, and that takes a long time. You are looking at minimum 5-20 hours worth of work. A Good security guy will charge $50-$200 an hour for work mate. Estimate $250 to $4000 for the mathematically-challenged - but if the project/business can't even afford that, why bother keeping it around?

#3 moving hosts won't do anything but move the infected files.

#4. Deleting log files by the hosting company - WTF is that shit? That's a bit insane. Actually that's really insane.

#5. There is a reason those wordpress hosting companies charge more AND restrict you on what you can do, install, etc. It is because most people just install random plugins that are fucked in the first place.

j a m e s said:
PS is there anyone here who can help with a malware cleanup?
Click to expand...

Yes there are but you aren't saying "I NEED TO HIRE A SECURITY GUY - EXCHANGING MONEY FOR THEIR TIME AND EXPERTISE, PLEASE PM ME WITH QUOTES!"

I always see these types of threads and questions and when I approach people they want me to do shit for free or barter or some other non-sense, so unless it's explicitly stating they want to hire someone, you aren't going to get anyone to do anything, that's why even though there are security experts helping you in this thread no one is bothering to respond cause it doesn't SOUND like you want to "hire" someone in exchange for money.

If you are serious why not open a thread in Human Resources. It's impossible for you to not get quotes for this IMO.
 
Definitely! I figured paying was implied when I asked if anyone could recommend a security service, and again when I followed-up by saying that I had yet to find anyone to hire. I think it's a bit unfair to imply that I was looking for a freebie, but my apologies to anyone who took it as such.

Other than that, I agree with your message @CCarter, I had actually requested to have my previous rant removed because I realized about an hour after posting it that it wasn't reasonable and I wanted to take a more productive stab at it after getting this all sorted out, but the edit window had closed by then. I wasn't sure how much longer the window for BuSo Pro members was, so I probabally should have just upgraded and tried that.

Anywoo, it's all part of the journey that I'll keep documenting here if anyone's interested.

Where I'm at now is that I've shut off the ability for my server to send emails at all, because during the last 2 days, other accounts on the server had started sending out spam. I've restored my site from a backup since it broke while trying to add a security plugin, and (shoutout WT) are currently in the process of helping me remove the current malware as a courtesy, which is definitely a courtesy. I really can't overemphasize that this is my fault and not theirs.

Also, chrome is giving the big red malware message when visiting the site now, so it'll be interesting to see how long it takes for that to go away once the malware is removed.
 
Last edited:
First thing I'd do is set up a brand new install of Wordpress, export my content in the Wordpress dashboard with their XML tool I think it is, then import it into the new install. I'd put a clean install of my theme on the new one. I'd reinstall any plugins fresh. Block all traffic, zero access to the site in .htaccess except for your IP and the IP of the security guy. I'd do all this before hiring anyone or you're wasting money.

Have them look through your wp-content folder for anything funky in the image folders, etc before porting that over. One piece at a time until you have a brand new, clean install ready to rock. Then have them investigate each plugin for vulnerabilities and get rid of any you can do without. Then the theme. Then add all the security measures to the site.

Then I'd take all of that and tell WiredTree to shove it up their ass and I'd grab a Knowhost VPS, because their support team is 24/7 with less that 3 minute response time, and capable, willing, and knowledgeable. They won't leave you hanging, because that's what fully managed means.

After that, I'd have asked the security guy to document all he looked at and did, and I'd study that report to learn all I could.

Also, I'd get in the practice of taking rolling backups of the whole site once a month or whatever, and then just dumps of the database and wp-content daily. So next time you find an issue you can quickly get live again with an old full site backup and new database and wp-content, while investigating how my site was penetrated.
 
Thanks @Ryuzaki, I guess chances are a lot more slim that the infection will be in the actual data of my posts, and much more likely that it's in some random wordpress file or even somewhere deeper in the server (Since it's effecting multiple sites now, over the past couple days other domains have been sending out spam, too.)

So that makes sense to export the content, add it to a new WP install, boom. Of course, under the watchful eye of an expert.

The other domains sending out spam were using the same theme initially (One that's a pretty big target, very popular themeforest theme), but the main site has a new theme install since all this started, yet the vulnerability is still open so they're probabally balls deep in my server by this point. (Assuming they got in via the theme, who knows.)

Also good call about just allowing the two IP addresses. I'm really interested in getting to the bottom of this and seeing how it's actually happening. Even with all the time and cost, it's a cheap intro to website security in the grand scheme of things. I'd rather get this all under my belt on a site that's more "sentimental/potential" rather than one that's paying my rent.

Thankfully I had some backups, unfortunately they were all still tainted haha, so yeah, monthly rolling would be a good idea to have in there for sure. I will say, Wiredtree has done more for me than their definition of "fully managed" requires them to, which is nice, but I will still be switching to a host with a wider definition ultimately.
 
j a m e s said:
I think it's a bit unfair to imply that I was looking for a freebie, but my apologies to anyone who took it as such.
Click to expand...
It really isn't you specifically HOWEVER based on my experience AND based on other people's experience from these type of threads 99% of the people want the fix done for free. So when we see these type of threads, and you still aren't getting a response THAT is the reason.

I think we've all been in the "you work with computers all day can you fix my computer... For free?" scenarios- probably once a week if not daily. I just tell then to go to Geeksquad, and usually their next comment comes along the lines of me doing free work cause "Geeksquad charges". Give me a fucking break. You don't take your car to a mechanic for free, so why should I fix your computer, wordpress, or your computer's pop-up viruses for free. It just really "implied" with computers and shit for some reason. So no it's not you @j a m e s - its a reflex of the industry we are in, cause we've all experienced it at some level. So yeah "free" seems to be categoricaly implied unfortunately in our online industry unless you state you want to give people money, especially for "fixes", and THAT is why you hadn't received any replied if you think about it.
 
Sorry if I missed it but how many pages of content are we talking about? Less than a few hundred?

If so, take Ryuzaki's advice and just export the content with a brand new install of Wordpress. Sign-up with a competent host like Knownhost or Liquid web. It's far easier starting over with a fresh install than spending a ton of time and $$ debugging.
 
Heya @backwoods, it's really not that many pages. Around 100? Even copy pasting it over and just redoing the images (In case there is something sketchy in the image folders) is really just an afternoon or two of work, especially since some of those older pages could use a little TLC and aren't interlinking with any of my newer articles.

---

Have restored from recent backups and had the site break immediately twice, so it seems like maybe there's something going on that's deeper than just being on the Wordpress level, since it was originally functioning at the time those backups were made. Other sites of mine on the same server had been sending out spam now too, so I don't know if that's just because they're using similar Wordpress installations so they also got picked off, or if there's more going on behind the scenes that we haven't been able to detect with a malware scanner yet.

Update: Have been informed by host that it's not possible that the root of the server is compromised, and the fact that multiple sites were sending out spam emails is just due to those sites getting hacked independently.

I managed to find a backup from about a month ago, so right now I'm leaning towards just getting the site to a point where I can login to the admin area, and copy/pasting all of my article titles and texts from the HTML tab to a new version of the site on the new server. This would essentially be what Wordpress's built-in export does, right? Except I'd lose the dates. Is there any chance (Or, likelihood...) of an infection carrying over through Wordpress's export? I may lose a handful of more recent articles if they aren't in the Wayback machine, but it could be worse.

Also I'm being more proactive about finding somebody to hire that can help with this, even if I decide to rebuild it from 'scratch' manually. I wonder if by waiting to just rebuild it, I'm just delaying the inevitable?
 
Last edited:
At the risk of over-complicating things, Ryuzaki's response is spot on. Also, another potential future consideration is getting into the habit of local builds, version control with something like Git, possibly even using a code repo like GitHub, and something to connect it all (there's a ridiculous number of cloud-based services for this). The idea being, build locally, maintain good version control, push to production when ready. should anything problematic occur, you're still fine locally and still have a good code repo (I'd do a private one on GitHub, personally). Then just reorient that "deathstar" towards a new server, if necessary, and kill off the problematic one. Obviously you'd need some server setup to do that. Though, there could be some cool and efficient potential with that sort of build process and something like Digital Ocean, where you can basically create clone droplets from a snapshot, apparently. Don't take my word on that, as I haven't quite gotten there yet.
 
On your WP sidebar, go to Tools, and there will be an Export option under that. You can then choose what exactly you want to export. This will simply generate a single XML file with all of your text content, meta data, and links to any media content. It won't actually "export" any of your media files.

The idea behind the WP Export tool is, you then use that XML file with the Import tool, and it imports all of your text content into its appropriate place. As far as media content, I honestly forget how that's handled, as it's been awhile since I've used the tool. Last time I did it, I seem to remember having to manually download all of the images, then simply doing a find and replace on the exported XML file, and ensuring I uploaded the images to the correct location on the new server.

What I'd recommend is generating the export XML, then spending some time searching through it, seeing if any suspcious URLs or code snippets show up anywhere. Once you're fairly confident the text content/meta data side of things looks good, then it's just a matter of dealing with the images. Just for fun, here's the text instructions in the header of the export XML, if it's of any help:

Code: 
<!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your site. -->
<!-- It contains information about your site's posts, pages, comments, categories, and other content. -->
<!-- You may use this file to transfer that content from one site to another. -->
<!-- This file is not intended to serve as a complete backup of your site. -->

<!-- To import this information into a WordPress site follow these steps: -->
<!-- 1. Log in to that site as an administrator. -->
<!-- 2. Go to Tools: Import in the WordPress admin panel. -->
<!-- 3. Install the "WordPress" importer from the list. -->
<!-- 4. Activate & Run Importer. -->
<!-- 5. Upload this file using the form provided on that page. -->
<!-- 6. You will first be asked to map the authors in this export file to users -->
<!--    on the site. For each author, you may choose to map to an -->
<!--    existing user on the site or to create a new user. -->
<!-- 7. WordPress will then import each of the posts, pages, comments, categories, etc. -->
<!--    contained in this file into your site. -->
 
First off delete that plugin. That's actually a really old vulnerability. Just disabling it or whatever in WP won't do the job.

That will probably get rid of the backdoor, but if they're not lazy it could be somewhere else. Run this to check for suspicious code they might have snuck in elsewhere.

grep -RPn "(passthru|shell_exec|system|base64_decode|fopen|fclose|eval)" /your/www/path

Maybe grep for php mail function calls too, because everything bad that's happening including the mailing is almost definitely being done purely with PHP. There could be some kind of escalation going on but it's highly unlikely.

Unless they're being unusually slick for some reason, this should probably be enough to get rid of any backdoors. Depending on how the spam pages are being served that may or may not be a bitch to clean up. Examples of what the URLs look like would make that a lot easier to diagnose.
 
Flex said:
Also you should be removing as many of the WordPress footprints that you can.
Click to expand...
my 9 to 5 is actually in cybersecurity. i started this venture to get out of work lol so much for that

ultron said:
I'm searching for reliable wordpress theme at the moment..
Some of the themeforest theme looks good but heard that they might have really bloated code..
I've yet to try themes from mythemeshop or Thrive themes. They both seems to get really good reviews.
Click to expand...

I'm currently using the bridge theme from themeforest. did i done goofed? will deactivating/uninstalling unnecessary plugins lower the attack surface significantly? (going to do this anyways just curious.

Potatoe said:
Well, they also seemed to have been sending out tens of thousands of spam emails from a bunch of aliases that they created, and now my domain is blacklisted. Looks like I'll be emailing from brandname@gmail.com now.

So, I've still got over 2,000 spam pages showing up in Google's index, and now my domain is blacklisted from getting any email delivered.

I'm kind of annoyed at my host, even thought it's not their fault this happened. How does a spammer queue up 90,000 emails without raising any red flags? I only noticed this happened because I went to send an email and was told that I was over my hourly limit. When someone hits that limit, hour after hour, for days, shouldn't that kinda raise a red flag? I'm not feeling too confident in this right now: https://www.wiredtree.com/support-services/servershield-server-hardening/ My server is softer than Drake.
Click to expand...

would appreciate some advice from experienced members on preventing this from happening. this seems to be like the worst/best thread to stumble upon as a newbie.
 
turbin3 said:
Password Protect Login

Require a password...before you can even enter your password. In effect, a 2 step login. One additional layer of security. Even better, generate an insane, unique, 500 (or whatever size) character password for

For Apache .htaccess:
Code: 
<Files ~ "^\.ht"> Order allow,deny Deny from all </Files>

<Files wp-login.php>
AuthUserFile ~/.htpasswd
AuthName "Private access"
AuthType Basic
require user thisisyourusername
</Files>
You can use this to generate your .htpasswd file, and store it where your .htaccess file is. You'll now have to enter 2 passwords before you're logged in to your site.
Click to expand...
With essentially 0 experience with programming and no clue what I was doing I was able to get this to work within 30-minutes. It does only ask me to enter the password once, I imagine this is normal? Would be cool to set it up so that it asks each time, that's the next step when I get some spare time.

I'm going to install WordFence anyway (unless anyone advises against), although I imagine a lot of the features are made redundant by this 2-step login. Really appreciate this @turbin3

Great to see people learning from each other and benefiting from different skillsets.
 
Prentzz said:
It does only ask me to enter the password once, I imagine this is normal?
Click to expand...

That's probably browser caching after a successful first step login that causes that. If you try viewing the page in an incognito mode, it should pop up every time I would think. So as far as hackers are concerned, they should always still be seeing the prompt on every hit, unless they actually login through the first step successfully.
 
turbin3 said:
That's probably browser caching after a successful first step login that causes that. If you try viewing the page in an incognito mode, it should pop up every time I would think. So as far as hackers are concerned, they should always still be seeing the prompt on every hit, unless they actually login through the first step successfully.
Click to expand...
Thanks for confirming this, I imagined it was some sort of cookie or something.
 
You must log in or register to reply here.
Back