Website hack cleanup – website was hacked prior to BPS plugin installation


This topic contains 2 replies, has 2 voices, and was last updated by AITpro Admin 8 months, 3 weeks ago.

    #33248

    William
    Participant

    Thank you guys so much for helping me out!!!!! It means so much, I feel like I know nothing!

    I’ve copy and pasted the information you have provided for me and I’ll delete the previous post. I’ll work on this more tomorrow.

    https://wordpress.org/support/topic/got-hacked-multiple-times/
    AITpro wrote:

    Please request that a Moderator delete this review by adding the “modlook” tag in the “Tags” text box and stating that you would like to delete this review. Then create a new support topic thread here: https://wordpress.org/support/plugin/bulletproof-security/#new-post and I will help you get your site cleaned up/dehacked.

    Your site is not being “hacked on multiple occasions”. Once a website is hacked it will remain hacked until you completely cleanup the hacked site and hosting account. In other words, since your website/hosting account is already hacked then installing any/all WP security plugins after the fact is not going to automatically cleanup the hacked website/hosting account. So it appears that your site is being “newly” hacked on multiple occasions, but in fact your site was and still is currently hacked and will remain hacked until you completely cleanup your website and hosting account of all hacker code and files.

    AITpro wrote:

    One obvious thing that I see using the google “site” operator search for your website: site:williamnicolaou.com is that you have an old post that is being indexed by Google: http://williamnicolaou.com/?kez=paksa+sa+filipino+term+paper. This old post needs to be deindexed using Google Webmaster Tools. This old post was created by the bug in the WordPress REST API in WP 4.7 and 4.7.1 versions, which was patched in WP 4.7.2. The old bug allowed anyone to inject a post on a website by exploiting the bug in the WP REST API endpoint. The Request URI and Query String for that injected post is exactly the format/string/URI that was created by exploiting the bug in WP 4.7 and 4.7.1 versions.

    Once you have deindexed that post in Google Webmaster Tools then Google will probably remove the “this site may be hacked” link under your indexed home page URL in google search results, but most likely your site was hacked more extensively due to the bug in WP 4.7 and 4.7.1, which we have seen in several cases. Unfortunately, the BPS free plugin (and all other WP security plugins) could not protect against that particular WP REST API bug.

    So please have a moderator delete this review and post a new forum topic on our forum site: https://forum.ait-pro.com/forums/forum/bulletproof-security-free/#new-post and we will go the extra mile and get your site/hosting account dehacked/cleaned up for you.

    AITpro wrote:

    Additional Notes for BPS Pro users: There were several cases where the WordPress 4.7, 4.7.1 REST API bug allowed a hacker to upload files by exploiting the WordPress 4.7, 4.7.1 REST API bug. BPS Pro AutoRestore|Quarantine Intrusion Detection and Prevention System (ARQ IDPS) quarantined any/all hacker files that were uploaded by exploiting the WordPress 4.7, 4.7.1 REST API bug. So in each case the website was not hacked successfully since ARQ IDPS did its job and quarantined the uploaded hacker files. Originally the WordPress 4.7, 4.7.1 REST API bug was only being exploited to the extent of injecting POST content, but for folks who waited a very long time to upgrade to WP 4.7.2 we started getting reports of ARQ IDPS quarantining hacker files, which would mean hackers had discovered a new hacking method of exploiting the WordPress 4.7, 4.7.1 REST API bug in a way that they were able to force upload files into a hosting account. In any case, none of the websites were successfully hacked since BPS Pro ARQ IDPS quarantined uploaded hacker files and stopped the hacks from being successful.

    AITpro wrote:

    Also I just wanted to point out how a website hack works since most folks do not understand this kind of stuff. Your topic title is not accurate: “Got Hacked multiple times” because your website was probably hacked in January or February 2017 due to the WP 4.7, 4.7 REST API bug. Unless you completely cleaned up your entire hosting account at some point then your site was only hacked once back in January or February 2017 and has been hacked ever since then. Typically when a website is hacked you will see obvious hacker stuff that someone cleans up, but since the site is still hacked the obvious hacker stuff will keep returning/reappearing since the website/hosting account was never completely cleaned up.

    Here is an analogy of a typical website hack in layman's terms to make understanding a hacked website/hosting account crystal clear: Bank robbers (hackers) are already in the bank vault (hacked hosting account). So the vault security door (website security protection) is no longer a factor since the bank robbers are already in the bank vault.

    In summary, any continued obvious hacking stuff that someone is aware of is still the result of the original hack that was done x months or years ago. The continued obvious hacking stuff is originating internally from the hacked hosting account via hacker files and not originating externally as a new hack. Once a site/hosting account is hacked it will remain hacked until the hosting account is completely cleaned of all hacker files and code.

    AITpro wrote:

    Here’s a link to a post about how the WP REST API bug was later used to force upload a hidden backdoor hacker file: https://www.bleepingcomputer.com/news/security/wordpress-rest-api-flaw-used-to-install-backdoors/

    Another hacking method that exploited the WP REST API bug in WP 4.7, 4.7.1 that we forensically dissected and that no one else seemed to be aware of is this one:

    Method of attack: A Cookie is being set using a JSON POST Request and is exploiting the WP 4.7, 4.7.1 REST API bug. The JSON POST Request sets a Cookie, which results in the website page redirecting to the hacker's website. The Response Headers and Cookie contain domain information for the hackers' domains.

    Example of currently hacked site using the WP REST API bug:
    hacked site: jmoservices.f9portal.net/corax-the-sophist
    Redirects to the primary hacker site: pwci.pw, which then redirects to this site: superbpaper.com/?cid=1970

    Response Headers:
    Cache-Control max-age=0
    Connection keep-alive
    Content-Length 0
    Content-Type text/html; charset=utf-8
    Date Mon, 29 May 2017 20:39:54 GMT
    Expires Thu, 21 Jul 1977 07:30:00 GMT
    Last-Modified Mon, 29 May 2017 20:39:54 GMT
    Location https://superbpaper.com/?cid=1970
    Pragma no-cache
    Server nginx/1.10.1
    Set-Cookie e5bb0=%7B%22streams%22%3A%7B%2221%22%3A1496089939%7D%2C%22campaigns%22%3A%7B%2210%22%3A1496089939%7D%2C%22time%22%3A1496090394%7D; expires=Thu, 29-Jun-2017 20:39:54 GMT; Max-Age=2678400; path=/; domain=.pwci.pw
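Added example, not from the thread or from the BPS plugin: a small Python checker that takes a captured redirect response like the one quoted above and flags what the post describes, an off-site Location together with a cookie scoped to a domain the site does not own, then decodes the URL-encoded JSON in the cookie value so the campaign/stream tracking structure is visible. The site host and header values are the ones quoted in the post, re-typed here in "Name: value" form; the function names are my own.

```python
import json
from urllib.parse import unquote, urlsplit

# Constructed sample input: the redirect response headers quoted in the post above,
# re-typed in "Name: value" form; the Set-Cookie value is copied verbatim.
SITE_HOST = "jmoservices.f9portal.net"
SAMPLE_HEADERS = """\
Content-Type: text/html; charset=utf-8
Location: https://superbpaper.com/?cid=1970
Server: nginx/1.10.1
Set-Cookie: e5bb0=%7B%22streams%22%3A%7B%2221%22%3A1496089939%7D%2C%22campaigns%22%3A%7B%2210%22%3A1496089939%7D%2C%22time%22%3A1496090394%7D; expires=Thu, 29-Jun-2017 20:39:54 GMT; Max-Age=2678400; path=/; domain=.pwci.pw
"""

def parse_headers(text):
    """Yield (lower-cased name, value) pairs; repeated headers such as Set-Cookie are kept."""
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            yield name.strip().lower(), value.strip()

def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, raw value, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, raw = parts[0].partition("=")
    attrs = dict(p.partition("=")[::2] for p in parts[1:])
    return name, raw, {k.lower(): v for k, v in attrs.items()}

def domain_matches(cookie_domain, site_host):
    """RFC 6265 domain-match: does the Domain attribute cover the site's own host?"""
    d = cookie_domain.lstrip(".").lower()
    return site_host == d or site_host.endswith("." + d)

def analyze_redirect(headers_text, site_host):
    """Flag an off-site Location and any cookie scoped to a domain the site does not own."""
    report = {"redirect_host": None, "foreign_cookie_domains": [], "cookie_payload": None}
    for name, value in parse_headers(headers_text):
        if name == "location":
            host = urlsplit(value).hostname
            if host and host != site_host:
                report["redirect_host"] = host
        elif name == "set-cookie":
            _, raw, attrs = parse_set_cookie(value)
            if "domain" in attrs and not domain_matches(attrs["domain"], site_host):
                report["foreign_cookie_domains"].append(attrs["domain"].lstrip("."))
                try:  # the campaign cookie in the thread is URL-encoded JSON
                    report["cookie_payload"] = json.loads(unquote(raw))
                except ValueError:
                    report["cookie_payload"] = unquote(raw)
    return report
```

Run against a response you captured yourself (with curl -I or the browser's network tab) by pasting its headers in place of SAMPLE_HEADERS and your own hostname in SITE_HOST; a non-empty redirect_host or foreign_cookie_domains is the sign the post describes.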
    #33250

    AITpro Admin
    Keymaster

    The Forum Topic Title has been changed to: Website hack cleanup, since we will be literally cleaning up your hacked website/hosting account for you. What we need from you in order to do that is: A WordPress Administrator login to this website and an FTP login account to your hosting account. Please send the WP Admin and FTP login info to: info@ait-pro.com.

    Instructions on how to deindex this post in Google Webmaster Tools (GWT): http://williamnicolaou.com/?kez=paksa+sa+filipino+term+paper
    If you do not have a Google Webmaster Tools account then click this link and sign up for a GWT account: http://www.google.com/webmasters/tools
    You will need to add your website (Add a Property) in Google Webmaster Tools after you create your new GWT account. See this link: https://blog.kissmetrics.com/beginners-guide-to-google-webmaster-tools/ for how to add your website in GWT.

    To deindex/remove an indexed URL for your website in GWT click on your newly added website link in GWT.
    Click on the Google Index left sidebar link.
    Click on the Remove URLs link.
    Click on the Temporarily hide button.
    Enter this URL: http://williamnicolaou.com/?kez=paksa+sa+filipino+term+paper in the text box that is displayed to you and then click the Continue button.
    Leave the dropdown select box setting to: Temporarily hide page from search results and remove cache
    Click the Submit Request button.

    #33264

    AITpro Admin
    Keymaster

    Your website has been cleaned of all hacker files and code, but since your website is under someone else’s hosting account you should have the owner of the hosting account check for hacker files and code in any other websites under this hosting account. The reason for that is if another website under this same hosting account is hacked then that hacked site could reinfect your clean website by cross-site infection.

    Things that still need to be done by you:
    You need to change your WordPress Database password in your web host control panel by using phpMyAdmin.
    You need to change your WordPress Database password in your wp-config.php file and add the new WordPress Database password that you created using phpMyAdmin.
    You need to contact your web host support folks and have them delete all files in your /tmp folder using SSH.

    Hacked Site Forensic Investigation (Screenshots included in the Word Doc that I emailed to you) and cleanup
    Hidden hacker file named messi.php in the Root website folder for this website. The date of this file is: 3-6-2016, which means this website has been hacked since 3-6-2016 – 1 year and 2+ months.
    A total of 4 hidden backdoor hacker files were found in your website Root folder. Hacker File Names: messi.php, lm.php, wp-slider.php and wp-error.php.

    3 hacker plugins were installed on your website and have been deleted. The hacker plugins were disguised as legitimate/real WordPress plugins:

    Akismet3 – disguised as Akismet plugin
    temp-file – disguised as WordPress Database Backup plugin
    wp-db-ajax-made – disguised as WordPress Database Backup plugin

    Your wp-config.php file had hacker code in it, which was deleted.

    Your WP Salts had not been added/created. Created new WP Salts in your wp-config.php file.

    You had 2 WP Administrator User Accounts that had multiple IP addresses used to login to your website.  Since 1 of the hacker scripts had the capability to access your WordPress Database I created a new WP Administrator User account and deleted the 2 old WP Administrator User accounts. I sent you an email with the new WP Administrator login information.
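Added example, not AITpro's tooling or part of the thread: a Python audit that checks for two of the findings reported above on any WordPress install, PHP files sitting in the site root that are not WordPress core files (the messi.php / lm.php / wp-slider.php / wp-error.php pattern) and wp-config.php salt constants that are missing or still carry the sample-file placeholder. The core root file list and the eight salt constant names are WordPress's own; the function names and the sample input in the test are mine.

```python
import os
import re

# WordPress core ships exactly these PHP files in the site root; any other .php
# at that level (e.g. messi.php, wp-error.php from the findings above) needs review.
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
# The eight keys wp-config.php must define; wp-config-sample.php ships them as a placeholder.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)""")

def unexpected_root_php(names):
    """Given the file names in the site root, return the .php files that are not core."""
    php = [n for n in names if n.lower().endswith(".php")]
    return sorted(n for n in php if n not in CORE_ROOT_PHP)

def salt_status(wp_config_text):
    """Return the salt keys that are not defined and those left at the sample placeholder."""
    defined = dict(DEFINE_RE.findall(wp_config_text))
    missing = [k for k in SALT_KEYS if k not in defined]
    placeholder = [k for k in SALT_KEYS
                   if k in defined and defined[k].strip().lower() in ("", PLACEHOLDER)]
    return {"missing": missing, "placeholder": placeholder}

def audit_wp_root(root):
    """Run both checks against a real install directory; returns findings, not a verdict."""
    cfg = os.path.join(root, "wp-config.php")
    text = ""
    if os.path.exists(cfg):
        with open(cfg, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    return {"unexpected_php": unexpected_root_php(os.listdir(root)), "salts": salt_status(text)}
```

Treat a hit as a lead for manual review, not proof of compromise: a host or plugin installer can legitimately drop a PHP file in the root, so check each flagged file's contents and modification date as the post above did.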
