
Reply To: Revolution Slider and Site Hack Vulnerability

#19549
m2aini
Participant

Hi stphillips,

I have experienced the same type of malicious hacking on my site (http://lumiere-instant.net). My host provider (ovh.com) has a robot monitoring activities on servers and when detecting a suspicious script, kills the script and changes site permission to 700, making it in effect inaccessible through a browser, but accessible via ftp. This has allowed me to actually clean up my site. This was a long process, and several times I reverted the permissions to allow public access to my pages, only to see my site back to 700, due to another suspicious execution.

I used several tools to clean up my site. One was the Sucuri plugin, another an antivirus. But in the end, the most effective tool was my local Avast antivirus. You should install it if you don’t have it yet (free), and then download your whole site via ftp. Avast quarantines each suspicious file and gives you a message. You can then delete those files from your site.

Be very careful, though. If you were attacked in the same way I was, there are two types of infections. 1. Files that are added, with names such as “wp-conf.php” (config files for wp are wp-config.php), or wpextract.php, and others. These files start with an if(isset=x) where x is a complex variable like x334p, for instance, and then have a reg-replace command with a very long hexadecimal chain. These files should be deleted completely.

2. Some legitimate files have lines added to them at the very beginning, that is, before the comment section that gives the version of the script and its function. It is relatively short, and contains the eval command again with hexadecimal code. These snippets must be deleted from the file, but the file itself mustn’t be deleted. Easy, because the snippet is in between its own <?php ?>.

I also upgraded all of my plugins to their latest version. I activated the firewall offered by my Host provider. If yours doesn’t offer that, you may want to consider Sucuri’s firewall.

Also I activated all of the “hardening” options from the Sucuri plugin.

Also, one important thing. I had other old, demoted, static sites on my servers (non-WordPress sites). The hackers had also populated these folders with virus files. You must clean EVERY file from your root directory. Personally, I removed the old folders entirely. I also removed the themes I didn’t use. Making your web space as simple as possible will help maintenance and security.

Hope that helps. For now, this is the first morning in a week that my site is not blocked after an attack attempt during the night. So I am thinking that maybe I have succeeded at getting rid of all the malware. But only time will tell if I am not overoptimistic.

Finally, I would strongly suggest that you change your admin and ftp passwords, and make the new ones very complex.

Best regards
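The two infection patterns described in the post above (dropped files that guard on a request variable and pass a long hex-escaped string to eval/preg_replace, and legitimate files with an encoded `<?php ... ?>` snippet pasted in before their header docblock) can be hunted for in a downloaded site copy with a small scanner. This is an added example, not code from the post or from any product it mentions; the regexes are heuristics I chose, the variable name `x334p` and file name `wp-conf.php` are taken from the post, and the sample files are constructed and inert.

```python
import re
import tempfile
from pathlib import Path

# Heuristics from the post: dropped files guard on isset($_REQUEST['x334p'])-style variables
# and feed a long \xNN string to eval()/preg_replace(); infected legitimate files get a
# self-contained "<?php ... ?>" snippet pasted in before their version docblock.
HEX_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){16,}')  # 16+ consecutive \xNN escapes
SUPERGLOBAL_GUARD = re.compile(r'isset\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\[')
EVAL_LIKE = re.compile(r'\b(?:eval|preg_replace|assert|create_function)\s*\(')
PREPENDED_SNIPPET = re.compile(r'\A\s*<\?php(?P<body>.*?)\?>\s*<\?php', re.S)

def scan_php_source(src: str) -> list[str]:
    """Return heuristic hits for one PHP file's text; hits are leads for manual review."""
    hits = []
    if EVAL_LIKE.search(src) and HEX_RUN.search(src):
        hits.append("eval-like call with long hex-escaped string")
    if SUPERGLOBAL_GUARD.search(src[:400]) and HEX_RUN.search(src):
        hits.append("request-variable guard at top of file")
    m = PREPENDED_SNIPPET.match(src)
    if m and (EVAL_LIKE.search(m.group("body")) or HEX_RUN.search(m.group("body"))):
        hits.append("encoded snippet prepended before the file's real header")
    return hits

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a downloaded site copy and map every flagged .php path to its hits."""
    findings = {}
    for p in root.rglob("*.php"):
        if hits := scan_php_source(p.read_text(errors="replace")):
            findings[str(p.relative_to(root))] = hits
    return findings

# Constructed, inert samples: the "payload" decodes to a PHP comment, never to running code.
HEX_PAYLOAD = "".join(f"\\x{b:02x}" for b in b"/* inert placeholder */")
SAMPLES = {
    "wp-conf.php": "<?php\nif(isset($_REQUEST['x334p'])){\n"  # stand-alone dropped file
        f"  preg_replace('/.*/e', \"{HEX_PAYLOAD}\", '');\n}}\n",
    "wp-content/plugins/example.php":  # genuine header with a snippet pasted in front of it
        f"<?php eval(\"{HEX_PAYLOAD}\"); ?>\n<?php\n/**\n * Plugin Name: Example\n */\n",
    "wp-content/plugins/clean.php": "<?php\n/**\n * Plugin Name: Clean\n */\nfunction f() {}\n",
}

def demo() -> dict[str, list[str]]:
    """Lay SAMPLES out like a downloaded site root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLES.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(text)
        return scan_tree(Path(tmp))
```

Point `scan_tree()` at the folder you pulled down over ftp and review every hit by hand, since long hex strings also occur in a few legitimate libraries.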