Killersites Community
Andrea

I think my Wordpress site was hacked....


I got an email from my host, letting me know my site's been temporarily taken down due to suspicious activity. Apparently, 3 files are affected:

/wp-content/wpspl-load-compat.php

/wp-includes/wpspl-load-compat.php

/wp-includes/wpn-sops.ph

Nothing comes up when I google those file names, and since I still haven't learned PHP, I also don't really know what's going on - but mention of backdoors and such really makes me wonder. And entering a mentioned url - packetstormsecurity.org and seeing Putin.....

I'm just not clear if I can just delete the entire file - below is what's in the compat file inside the includes folder - or do I need to just clean something.

And after that? As far as I know,  I'm running the latest WP version and my password should be pretty solid, too. 

I got an error message trying to include the content into <> - maybe because it's so large, and it was also too large to attach the file, so here it is:

PHP Code in Notepad Doc


Ok - I cannot get my code uploaded, and it's too big to attach here.....

Trying to figure something out.


Hi, I clicked the link but it redirects me to the 404 page.

Here is a list of the stock WordPress files: https://core.trac.wordpress.org/browser/trunk/src.

The files from wp-includes, I am pretty sure you can just delete them. Your site content and theme are stored in wp-content.

If you don't have experience with WP development, I recommend that you install this plugin and run a full scan https://ro.wordpress.org/plugins/wordfence/.

If you still want to upload the code to this forum just upload the files to your Google Drive, make them public and put the link in this thread, so that we can take a look.


Thanks, Anadar. I'll look into it.

I did delete the three offending files, and things seem to work fine. That tells me that the entire files were somehow added to my server, instead of the hackers adding malicious code to an existing file.

I was not able to upload the txt file (no idea why that would not work), so you guys can see what they put there, but I was able to PDF it and that uploaded.

Anybody have any insights what this was supposed to do?

Infected File (pdf format)

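Added example, not part of the original thread: the stock file list linked above and the observation that whole files had been added both point to comparing the site against a clean copy of the same WordPress version. The Python below assumes two hypothetical directory paths, `site` and `clean`, and runs on constructed placeholder files that reuse the file names reported by the host.

```python
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # directories that ship entirely with WordPress core


def compare_to_clean(site: Path, clean: Path) -> dict:
    """Compare a live site tree against a clean copy of the same WordPress version."""
    report = {"added": [], "modified": []}
    candidates = [p for d in CORE_DIRS for p in (site / d).rglob("*") if p.is_file()]
    # Also check loose files directly in wp-content (themes/plugins/uploads are out of scope).
    if (site / "wp-content").is_dir():
        candidates += [p for p in (site / "wp-content").iterdir() if p.is_file()]
    for path in sorted(candidates):
        rel = path.relative_to(site)
        reference = clean / rel
        if not reference.is_file():
            report["added"].append(rel.as_posix())      # not part of the clean copy
        elif path.read_bytes() != reference.read_bytes():
            report["modified"].append(rel.as_posix())   # stock file with changed content
    return report


def build_demo(root: Path):
    """Constructed sample trees; contents are placeholders, not real WordPress code."""
    clean_files = {
        "wp-includes/version.php": "<?php // stock\n",
        "wp-includes/compat.php": "<?php // stock\n",
        "wp-admin/index.php": "<?php // stock\n",
        "wp-content/index.php": "<?php // Silence is golden.\n",
    }
    site_files = dict(clean_files)
    site_files["wp-includes/wpspl-load-compat.php"] = "<?php // placeholder\n"
    site_files["wp-content/wpspl-load-compat.php"] = "<?php // placeholder\n"
    site_files["wp-includes/compat.php"] = "<?php // stock plus an extra line\n"
    site_files["wp-content/plugins/hello.php"] = "<?php // plugin, not compared\n"
    for base, files in (("clean", clean_files), ("site", site_files)):
        for rel, body in files.items():
            target = root / base / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    return root / "site", root / "clean"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = build_demo(Path(tmp))
        print(compare_to_clean(site, clean))
```

Anything listed under "added" or "modified" is a file to review, not proof of compromise. WP-CLI's `wp core verify-checksums` does a comparable check of core files against official checksums.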

testing....


Ok --- testing worked, I tried to thank Anadar for the excellent recommendation, and it somehow caused a disturbance in the force.....

 

got 


I would recommend you a good plugin for improving WP Security, something that would prevent malicious code from being uploaded to the server, but I don't know any free ones that impressed me.

If you work with Wordpress a lot I recommend that you get a WPMU Dev subscription, they have a lot of great plugins. For security https://premium.wpmudev.org/project/wp-defender/ .


I'm not a WordPress user but I found some interesting articles about your issue.

The main advice was to delete unused/archived/old themes. And the concern about security vulnerability in poorly coded plugins.

Seems that themes, plugins are located in wp-content directory, which you mentioned.

Are you going to reinstall your site? Can you backup all your posts/comments and upload the content with a fresh install?

The articles I read are

"How to Find a Backdoor in a Hacked WordPress Site and Fix It"

"Beginner’s Guide to WordPress File and Directory Structure"


In the future you might try renaming them before deleting the files. If nothing breaks you can then delete them.

Sorry for the delay, I was on vacation (at home) for 12 days and refused to touch a computer.

You will want to check if you are using any of these plug-ins:

Another idea luv, would be to check if your credentials for the wordpress site come up as being compromised. If not listed here, you are still rather secure:  

Have I been pwned? https://haveibeenpwned.com/

On 1/2/2018 at 9:58 AM, MNS45 said:

I'm not a WordPress user but I found some interesting articles about your issue.

The main advice was to delete unused/archived/old themes. And the concern about security vulnerability in poorly coded plugins.

Seems that themes, plugins are located in wp-content directory, which you mentioned.

Are you going to reinstall your site? Can you backup all your posts/comments and upload the content with a fresh install?

The articles I read are

"How to Find a Backdoor in a Hacked WordPress Site and Fix It"

"Beginner’s Guide to WordPress File and Directory Structure"

Thanks - it seems that deleting the three bad files did the trick, but I will read the articles you pointed out.


Hi LSW,

I made copies of the files before I deleted them.

I'll be busy reading all the recommended info over the weekend.


Have fun... all I really do now is read cybersecurity articles to keep abreast and watch for vulnerabilities in our servers and machines. It is not quite as romantic as it sounds.

Cheers luv!


Follow these WordPress security best practices:

  1. Always update WordPress core, themes, and plugins right away.
  2. Back your site up daily; either via your host or one of the many trusted WordPress backup plugins such as VaultPress, BackupBuddy, BackWPup, BlogVault, etc.
  3. Never use the default “admin” username.
  4. Create a unique and difficult password that contains upper-case and lower-case letters, numbers and symbols.
  5. Secure your wp-config.php file.
  6. Hide your username.
  7. Limit login attempts.
  8. Disable file editing in the dashboard by adding the following to your wp-config.php file: define( 'DISALLOW_FILE_EDIT', true );
  9. Always use SFTP when logging in to your site via an FTP client or your hosting panel.
  10. Or, if you’re up for some advanced DIY security, check out this definitive guide to WordPress security.
