  1. #1
    SitePoint Member
    Join Date: Jul 2012
    Posts: 3

    My Site's Been Hacked!

    Hello everyone, I'm really hoping someone can help me.

    I run a WordPress website that was hacked yesterday. My theme uses phpThumb, which is apparently very insecure. Someone used this insecurity to put random files on my website. I think their intention was to use my server to send out spam emails.

    Very early yesterday morning, I was looking at my Google Analytics and noticed someone had accessed this page twice:
    /wp-content/themes/my_theme/scripts/phpThumb/properties/index.htm. Of course I thought this was strange, but I really don't know a lot about web development. It was 2 am at this point and I was exhausted so I decided to look at it again in the morning.

    By 9:20 am, I received an email from my hosting company (1&1) telling me my site had been hacked and listing the malicious files. I immediately deleted these files, and I deleted phpThumb and uploaded the newest version which is supposed to be more secure. I looked at the other files in my site but I didn't notice anything else suspicious (though I admit I know very little about this stuff). I then changed my admin password.

    My site is completely unchanged. No new content, no new users, etc. However, I realize that doesn't mean that there's not something wrong with it. This morning I looked at Google Analytics again and noticed that someone has accessed that same page 3 times already. I cannot actually find that index.htm file anywhere.

    I really don't know what to do and don't have anyone that can help me. phpThumb is necessary for my theme. Without it, my homepage just displays a bunch of broken links. I worked for weeks on this theme; I really can't change it. This is not just a hobby site; this is for my job. My boss doesn't know about the hack yet. Is there anything I can do?

  2. #2
    ralph.m (It's all Geek to me)
    Join Date: Mar 2009
    Location: Melbourne, AU
    Posts: 24,299

    Hi brite78. Welcome to the forums.

    Sorry to hear about your situation. Do you have a full backup of the site (database and all)? If so, you could perhaps restore an older version of the site from before the attack, and then do the update again and change passwords etc.

  3. #3
    SitePoint Member
    Join Date: Jul 2012
    Posts: 3

    Quote: Originally posted by ralph.m
        Hi brite78. Welcome to the forums.

        Sorry to hear about your situation. Do you have a full backup of the site (database and all)? If so, you could perhaps restore an older version of the site from before the attack, and then do the update again and change passwords etc.

    I have a copy of the site files but I was never able to successfully back up the database/content. I tried for several hours a few weeks ago and I just wasn't able to do it. I am serving as the writer/editor, web developer (despite zero training, learning as I go), graphic designer, online marketer, and administrative person at my job. I feel like an idiot for not learning how to back it up but I have a lot going on. That will definitely be priority number 1 if/when this gets fixed.

  4. #4
    ralph.m (It's all Geek to me)
    Join Date: Mar 2009
    Location: Melbourne, AU
    Posts: 24,299

    There are various ways to back up a WP site, but if your web host has a control panel like cPanel, it's a one-click operation to generate a full backup of the site, including the database, emails, everything. And a one-click operation to restore it.

    Anyhow, that's for later. Good luck with the current situation. (I'm afraid it's not really my area, so await other replies.)

  5. #5
    ParkinT (Avid Logophile)
    Join Date: May 2006
    Location: Central Florida
    Posts: 2,343

    Quote: Originally posted by brite78
        My site is completely unchanged. No new content, no new users, etc. However, I realize that doesn't mean that there's not something wrong with it. This morning I looked at Google Analytics again and noticed that someone has accessed that same page 3 times already. I cannot actually find that index.htm file anywhere.

        I really don't know what to do and don't have anyone that can help me. phpThumb is necessary for my theme. Without it, my homepage just displays a bunch of broken links. I worked for weeks on this theme; I really can't change it. This is not just a hobby site; this is for my job. My boss doesn't know about the hack yet. Is there anything I can do?

    You mentioned that you changed the Admin password. That was a good move. But you should verify there are no OTHER accounts with Admin permissions.
    Depending on how old your site is (how long it has been on the Internet), you may be able to retrieve the data from the Wayback Machine. This is not a substitute for a backup (you must re-enter all the data by hand).
    Don't be yourself. Be someone a little nicer. -Mignon McLaughlin, journalist and author (1913-1983)



  6. #6
    SitePoint Member
    Join Date: Jul 2012
    Posts: 3

    I made sure there were no other users before changing my password. I also changed my host login password and FTP password. Anything else I can do? Any way I can tell if they are still using my server?

    UPDATE: I just checked my email and I received a message from the bank that is being victimized by these hackers. They have reported me to the IC3 and US-CERT and are telling me I need to shut down immediately. What do I do? Can I contact them with a copy of the email from my hosting company as proof that this was a hack?
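
One way to look for continued use of the server is to triage the web server's access log for requests like the ones described in this thread. This is an added example, not part of any post: it assumes an Apache "combined" format log, the sample lines are constructed, and the function names and `x.php`/`img.php` file names are illustrative.

```shell
#!/bin/sh
# Added example: triage an Apache "combined" access log for requests like the
# ones described in the thread. The sample lines below are constructed.

sample_log() {
cat <<'EOF'
198.51.100.7 - - [12/Jul/2012:01:52:10 +0000] "GET /wp-content/themes/my_theme/scripts/phpThumb/properties/index.htm HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Jul/2012:08:01:44 +0000] "GET /wp-content/themes/my_theme/scripts/phpThumb/phpThumb.php?src=/images/a.jpg&w=200 HTTP/1.1" 200 8812 "http://example.com/" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2012:08:15:02 +0000] "GET /wp-content/themes/my_theme/scripts/phpThumb/properties/index.htm HTTP/1.1" 404 312 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2012:08:15:09 +0000] "POST /wp-content/themes/my_theme/scripts/phpThumb/x.php HTTP/1.1" 200 54 "-" "-"
192.0.2.44 - - [12/Jul/2012:08:20:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jul/2012:08:21:05 +0000] "POST /wp-content/uploads/2012/07/img.php HTTP/1.1" 404 290 "-" "-"
EOF
}

# suspicious_hits < access.log
# Prints "count client status method path", most frequent first.
suspicious_hits() {
    awk '
        {
            method = substr($6, 2)            # strip the leading quote
            path = $7; sub(/\?.*/, "", path)  # ignore the query string
            flagged = 0
            # Rule 1: anything under phpThumb/ other than the thumbnail script
            if (path ~ /\/phpThumb\// && path !~ /\/phpThumb\.php$/) flagged = 1
            # Rule 2 (heuristic): POST to a PHP file inside wp-content
            if (method == "POST" && path ~ /^\/wp-content\/.*\.php$/) flagged = 1
            if (flagged) hits[$1 " " $9 " " method " " path]++
        }
        END { for (k in hits) print hits[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Run on a real log when a file is given: sh triage.sh /path/to/access.log
if [ "$#" -eq 1 ]; then suspicious_hits < "$1"; fi
```

A 200 on a flagged path means the server still answered for that file, which makes it the first thing to inspect; a 404 means the request was for a file that is no longer there.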

  7. #7
    ralph.m (It's all Geek to me)
    Join Date: Mar 2009
    Location: Melbourne, AU
    Posts: 24,299

    This happened to me once, and the hosting company helped to flush out the code left by the attacker. But I've seen other hosts who just shut down your site and leave you in limbo. Might be worth talking with your host asap to see if they will help.

  8. #8
    SitePoint Member
    Join Date: Jul 2012
    Location: kolkata
    Posts: 6

    WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions; you can check it at http://wordpress.org/extend/plugins/wp-security-scan/. Another thing: what version of WP are you using? If you are using a lower version, upgrade it to the latest one, as a ton of fixes were added. I think some plugin in your WordPress files is badly written, which could be vulnerable to a SQL injection attack, so delete those plugins. After restoring your backup and a fresh installation, you can use http://wordpress.org/extend/plugins/...roof-security/.

  9. #9
    Spartinman (SitePoint Zealot)
    Join Date: Nov 2009
    Location: Florida USA
    Posts: 197

    Sometimes your host may have allowed the hacking attack to happen. Check with whoever is hosting it and ask them about the security breach. If it is hosted with WordPress then I think you may want to use WP Security... search for it.

  10. #10
    dklynn (Certified Ethical Hacker)
    Join Date: Feb 2002
    Location: Auckland
    Posts: 14,672

    I had been asked to review WP Secure for its security. It simply uses an encrypted (eval()) script from an obfuscated file (in the WP directory) which writes a <Files *> to only allow the visitor's IP address to access the WP Admin directory. While the .htaccess code is fine, security by obfuscation (anyone hacking a WP installation would easily recognize a non-standard filename) is only marginally better than no security at all.

    IMHO, you can (SHOULD) do the same thing by hand (upload via FTP using a VERY STRONG password).

    More important, though, keep WP up to date!

    Regards

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador

  11. #11
    2ndmouse (SitePoint Zealot)
    Join Date: Jan 2007
    Location: West London
    Posts: 196

    I had a painful experience last year, when one of my sites was hacked, and couldn’t find anything on the net that would protect against this type of intrusion.

    So, I have written my own script which will detect any file changes on a web site (including file permissions) and send an email notification on detection.

    Although it won’t prevent a site from being hacked, it will act as an early warning system.

    It’s intended to be used as a scheduled task or cron job, run, say, once an hour, and can be set up to monitor 1 or many sites, all remotely. A hacker won’t even suspect that the site is being monitored. I call it SimpleSiteAudit, emphasis on the word 'simple' – it can be downloaded from http://simplesiteaudit.terryheffernan.net

    I’m an amateur programmer, so it’s freeware <snip>
    Cheers
    Last edited by TechnoBear; Aug 2, 2012 at 07:16. Reason: URL delinked & solicitation removed.
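
A minimal version of the kind of check described in the post above, as an added example that is not SimpleSiteAudit's code and not part of the original thread. It runs locally on the server rather than remotely, assumes GNU `sha256sum` and `stat`, and the function names and cron paths are illustrative.

```shell
#!/bin/sh
# Added example (not SimpleSiteAudit's code): detect added, removed, modified
# and re-permissioned files under a web root. Assumes GNU sha256sum and stat.

# snapshot DIR: one line per file, "<sha256>\t<octal mode>\t<relative path>"
snapshot() {
    ( cd "$1" && find . -type f -exec sh -c '
        for f; do
            sum=$(sha256sum "$f" | cut -d" " -f1)
            printf "%s\t%s\t%s\n" "$sum" "$(stat -c %a "$f")" "$f"
        done' sh {} + )
}

# compare OLD NEW: report differences between two snapshots
compare() {
    awk -F'\t' '
        FILENAME == ARGV[1] { sum[$3] = $1; mode[$3] = $2; next }
        {
            seen[$3] = 1
            if (!($3 in sum))         print "ADDED\t" $3
            else if (sum[$3] != $1)   print "MODIFIED\t" $3
            else if (mode[$3] != $2)  print "PERMS\t" $3 " " mode[$3] "->" $2
        }
        END { for (p in sum) if (!(p in seen)) print "REMOVED\t" p }
    ' "$1" "$2" | LC_ALL=C sort
}

# audit DIR STATE: print changes since the previous run, then update STATE.
# Keep STATE outside the web root so it cannot be fetched or overwritten via HTTP.
audit() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 1; }
    new=$(mktemp) || return 1
    snapshot "$1" > "$new"
    if [ -f "$2" ]; then compare "$2" "$new"; fi
    mv "$new" "$2"
}

# Hourly cron entry (placeholder paths). cron mails any output to MAILTO,
# so an empty run sends nothing and a change produces a notification:
#   0 * * * * sh /home/user/bin/siteaudit.sh /var/www/site /home/user/site.state
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

Because the baseline lives on the same host, anyone with write access to the account can also rewrite it; keeping a copy of the state file off the server closes that gap.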

  12. #12
    SitePoint Member
    Join Date: Jun 2009
    Location: Detroit, MI
    Posts: 6

    This happens a lot, especially for sites that have out-of-date plugins or versions of WordPress itself. Unfortunately, when an exploit like timthumb comes out it can affect thousands of sites. My advice is not to just fix your site, but find the root cause. You might find our DIY guide to fixing your hacked WP blog a good read: http://www.jtpratt.com/how-to-fix-a-...ordpress-blog/
    My name is JTPratt and I'm a working
    Wordpress Consultant.
    I also sell Front Row tickets.

