Website was previously hacked and need to clean it up

[Connie S Owens]

My site was attacked, dbase injection.  All users id’s changed to admin, etc.  Scan deactivated, etc.

I paid for the protection, only to lose my site.

I have changed plugins for now.  I am using a different one.

I had all the security features set.  My wp-config was continuously quarantined as was the error log for a week.  I could not get access to my site because of it.  The hosting techs have been diligent about helping me, but….

I now have to begin again.  All their scans showed my site clean, my security was suppose to prevent this.  It has not.

Not sure what to do now.  Thank you.

[AITpro Admin]

Hey Connie – BPS Pro is pretty much impossible to beat.  So yeah either your website/hosting account was already hacked, which is the case 9 times out of 10 or you installed something that allowed your site/hosting account to be hacked and then there are some other possibilities like someone stole your WP password or FTP or web host control password.  All bummers of course so yeah I understand how upsetting this situation is for you and would be willing to fix the problem.  I’m going to send you an email shortly requesting specific things I need to figure out and fix this problem.

[Connie S Owens]

Thank you for your email exchange and assisting me in my ongoing education.  Thank you for reviewing the dbase and letting me know there was no back door or malicious code.  The techs at my hosting company suggested it was Oxygen, a plug in that was inactive, that allowed for them to install the back door.   I posted to them, have not heard back, but won’t let it go.  They need to fix it.

I thought someone had gotten my pw, etc.  No.  I had changed it four times in a matter of days to be sure, but hacked three times.  They were even kind enough to sign their work once, “hacked by medo”

Again, thank you for checking my dbase for my one site I do appreciate it.  And for the information to further my education.  It was one thing to lose two of my sites, but to threaten my income and then to have to communicate with techs who could not “understand” or ignored my questions and requests.

I appreciate your assist.

[AITpro Admin]

Hey Connie,

I checked the Oxygen site when you originally mentioned that the Oxygen plugin may have been the origin of the hack and found that older versions of Oxygen dating back to 2016 did have some serious security vulnerabilities.  The Oxygen plugin folks did release a new version back then that fixed the vulnerabilities, but unfortunately once a hacker has successfully compromised your hosting account you need to delete all files and reinstall all files (WP Core, Plugins and Themes) and restore your WP Database to be 100% sure that there are no leftover hacker files (backdoors, etc).

So yeah rehashing the direct emails I have sent you, your website/hosting account was most likely hacked for years, which is a very unsettling thought in itself, but we see that fairly often unfortunately.  Most likely the defacement hack “hacked by medo ” came many months/years after your sites and hosting account were already hacked.  Typically higher level hackers do not expose/give away that they control your hosting account and then kiddie scripters come along later and use “Google Dorks” to find hacked websites and do dumb stuff like website defacement.

So yeah I’m totally ok with continuing to help you get all your sites up and running and would be happy to check everything to make sure that the hack does not return.  Regarding our direct email contact I cannot stress how important it is that you do not restore any old backup files.  So just generally follow the steps in this help forum topic > https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/  You are not losing years of work since you can restore your old WP DB backups, but yeah it’s going to take a few days of doing installations to get all your sites up and running.  Glad to help in any way I can.

[Author]

Posts