3

I have a dedicated server running WordPress and have recently noticed that its been hacked and PHPShell a remote web server controller has been uploaded. This has let the hacker view and edit files including my database!

I have since deleted the PHPShell folder. Changed all possible passwords (database, user accounts, FTP, turn off SSH etc) and he's recently gained access again!

However I think he was originally able to upload this through Akismet plugin after checking my logs:

xx.xxx.208.130 - - [05/Feb/2014:02:18:29 -0600] "GET /phpshell-2.4/ HTTP/1.0" 403 1431 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"

xx.xxx.208.130 - - [05/Feb/2014:02:17:47 -0600] "POST /wp/wp-content/plugins/akismet/.!31.php HTTP/1.0" 200 17503 "https://example.com/wp/wp-content/plugins/akismet/.!31.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36" .!31.php

Going off the details above it seems he was able to upload this PHPShell through Akismet plugin. I contacted their devs and I was informed /akismet/.!31.php was not part of their original package and that the hacker could have created this as a decoy. Before I deleted the Akismet plugin and went to https://example.com/wp/wp-content/plugins/akismet/.!31.php you were able to upload and execute files to the server, through my firewall!

I HAVE to get this hacker off my server. I have run timthumb scanners and it found nothing. Where else do I start?

schroeder
  • 125,553
  • 55
  • 289
  • 326
user40132
  • 41
  • 3
  • @KnightOfNi - WordPress compromises are common enough and the solution is generic enough that I think this will be helpful in the future. – AJ Henderson Feb 15 '14 at 20:10
  • For more details on protecting your site after you clean up, check out [How can I protect a WordPress installation?](http://security.stackexchange.com/questions/477/how-can-i-protect-a-wordpress-installation) – AJ Henderson Feb 15 '14 at 20:11
  • 2
    Perhaps a bad idea to post your website URL here, if you don't clean up successfully script kiddies will find this page and have another go. – Gerve Feb 17 '14 at 18:05

2 Answers2

11

When compromised, the best bet is to nuke it from orbit. Remove all files from your site, reload from a known clean image. If you don't have a known clean image, re-install fresh and migrate over the DB records after verifying that they are valid. Move image assets and any custom assets after careful review that they have not been compromised.

Make sure to keep your server patched and only use reputable plugins. Make sure that your folder permissions are set correctly so that the public can not write to your wp-content folder.

It is also probably worth using the WordFence addon as an added security mechanism. While it won't catch everything, it will scan popular plugins to make sure they have not been altered. This would likely have detected your second compromise, but it is not as sure as nuking from orbit or manual code review. It will also help provide notification when WordPress or an Addon is out of date.

AJ Henderson
  • 41,896
  • 5
  • 63
  • 110
4

I will focus on the second part of the question:

and prevent future attacks?

Basically, what can you do in order to prevent from future attacks is:

  • keep your Wordpress up to date

consider using automatic updates, by adding this peace of code in wp-config.php

add_filter( 'auto_update_plugin', '__return_true' );

or automatic update for all themes:

add_filter( 'auto_update_theme', '__return_true' );

More info about automatic updates you can find here: https://codex.wordpress.org/Configuring_Automatic_Background_Updates

  • pick a strong password, and change your username if it's admin
  • limit login attempts, by using some plugins or I like to use fail2ban
  • consider using two factor authentication for better WordPress security
  • clean your Wordpress site, by deleting unused themes or plugins
  • ensure file and folder permissions are correct

Here is how to set permissions correctly:

find /path/to/your/wordpress/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/ -type f -exec chmod 644 {} \;
  • use SSL for your login page (you can use self-signed or free one from letsencrypt)

http://www.wpbeginner.com/wp-tutorials/how-to-add-free-ssl-in-wordpress-with-lets-encrypt/

And consider security options from your server-side:

  • secure your php, by disabling dangerous PHP functions
  • install a web application firewall (Modsecurity)
  • backup your website
Mirsad
  • 10,075
  • 8
  • 33
  • 54
  • 2
    The only things I've had hacked are Wordpress sites that I've left unmaintained. Putting up a wordpress site is a commitment to keep it updated, so making sure you're always on the latest version of Wordpress is absolutely the first thing one should do when securing a Wordpress site. – Anna Apr 19 '16 at 20:20