New Hack on Wordpress, Sitemap and redirect

Discussion in 'Programming' started by Mehdi.b, Oct 11, 2016.

  1. #1
    Unfortunately one of my clients' websites got hacked, but it is something a bit different from the regular pharma hacks I have seen before, so I thought I would share it here and see if anyone has any ideas or has faced this before.

    Basically the hack was to redirect the website to a Japanese website through some fake URLs (well, I mean around 1200 URLs) it made on the site. This was done by adding base64 code to the index.php in the root of the site and a password GET in the 404 page code. But what was different was that it created a file called amaps.xml and, through the code, replaced the actual sitemap with this, so Google crawled this fake sitemap (which only had the fake URLs) and that is how we saw the hack. Visually there was no difference, but it was redirecting bots to the other website.

    Another thing was that this guy/girl/bot did not have access to the server and this was all done through the WordPress admin area, which is super annoying because in only one site we had "editor" open in the admin area. Although we deleted and restored everything, the index.php was changed again, and that made me go all out: take the entire thing down, restore to a couple of months back including the whole database, and lose a lot of updates, but kill that sob.

    Anyway, it was an interesting encounter and I was curious to know if you guys had any experience like this before.
     
    Mehdi.b, Oct 11, 2016 IP
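The fake-sitemap trick described in the post above is easy to spot once you actually read the sitemap Google is crawling instead of the site. The following is an added example, not code from the thread or from WordPress: it parses a sitemaps.org `<urlset>` (or `<sitemapindex>`) and buckets each entry as belonging to the site, pointing off-host, or pointing at a path the site never published. The sitemap text, the host `example.com` and the `KNOWN_PATHS` set are constructed for the demo; on a real site the path list should come from the CMS database, not from a hand-typed set.

```python
"""Audit a sitemap for entries that do not belong to the site.

Added example, not code from the forum thread. It parses a sitemaps.org
<urlset> (or <sitemapindex>) and reports entries that point at another
host or at paths the site does not actually publish, which is how the
injected amaps.xml-style sitemap would show up. The sitemap text and the
list of legitimate paths are constructed for the demo.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sitemap: two real pages, two injected spam pages, one off-host link.
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/about/</loc></url>
  <url><loc>https://example.com/shop/brand-bag-1234.html</loc></url>
  <url><loc>https://example.com/shop/cheap-watch-5678.html</loc></url>
  <url><loc>http://spam.example.net/landing</loc></url>
</urlset>
"""

# Constructed: the paths the site really publishes (take this from the
# CMS database in practice).
KNOWN_PATHS = {"/", "/about/"}


def parse_sitemap(xml_text):
    """Return every <loc> value, whether the root is <urlset> or <sitemapindex>."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    locs = []
    for el in root.iter():
        # Strip the namespace: '{http://...}loc' -> 'loc'
        if el.tag.rsplit("}", 1)[-1] == "loc" and el.text:
            locs.append(el.text.strip())
    return locs


def audit_sitemap(xml_text, site_host, known_paths):
    """Bucket each sitemap URL as 'ok', 'off-host' or 'unknown-path'."""
    findings = {"ok": [], "off-host": [], "unknown-path": []}
    for url in parse_sitemap(xml_text):
        parts = urlparse(url)
        if parts.netloc.lower() != site_host.lower():
            findings["off-host"].append(url)
        elif parts.path not in known_paths:
            findings["unknown-path"].append(url)
        else:
            findings["ok"].append(url)
    return findings


if __name__ == "__main__":
    result = audit_sitemap(SAMPLE_SITEMAP, "example.com", KNOWN_PATHS)
    for bucket, urls in result.items():
        for url in urls:
            print(f"{bucket:12} {url}")
```

Because `parse_sitemap` collects every `<loc>` regardless of the root element, a legitimate `sitemap.xml` that has been turned into a `<sitemapindex>` pointing at a dropped file like `/amaps.xml` is reported as an `unknown-path` entry too, so run it against whatever URL Search Console says it last fetched, not against the file you think is the sitemap.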
  2. PoPSiCLe

    #2
    Nothing that unusual (except maybe the subtlety used). What has happened is probably a vulnerable plugin, or a bad password for the admin area. Improve security, demand that passwords are secure, and make sure that all plugins are updated and kept as safe as possible (reduce the number to those absolutely needed).

    If someone got into your admin-area, security was bad. That's the gist of it. Yes, Wordpress can be vulnerable, but the latest versions, with proper security set up, aren't much more vulnerable than any other site with an admin-area.
     
    PoPSiCLe, Oct 11, 2016 IP
  3. Mehdi.b

    #3
    Agreed, security was missing and the client had their passwords stolen and never told us anything. The plugin was Akismet, which I love, but well, this should not have happened. What was interesting was the way they crippled the search results of the website with the sitemap; still Google, Yahoo, Bing and even Yandex are crawling the old links and eating up bandwidth.
     
    Mehdi.b, Oct 12, 2016 IP
  4. Jetfire

    #4
    Plugins are really iffy sometimes because they open your site up to additional attack vectors. One of my sites got hacked by some sort of ISIS-related (or whatever group) site. That's pretty smart though, what that person did. Not sure if Google can detect cloaking?
     
    Jetfire, Oct 14, 2016 IP
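Whether or not a search engine notices, you can check for the cloaking described in this thread yourself: request the same URL once as a browser and once as a crawler, without following redirects, and compare what comes back. The following is an added example, not code from the thread or from any security plugin. The fetch function is a parameter so the demo runs offline against `fake_infected_site`, a constructed stand-in for the hacked site; `fetch_with_urllib` is the live fetcher to pass for a real check. The user-agent strings and the spam host `spam.example.net` are assumptions for the demo.

```python
"""Compare what a browser and a search-engine crawler get from a URL.

Added example, not code from the forum thread. Cloaking of the kind
described in the thread (bots redirected, humans shown the normal page)
shows up as a different status code, a Location header, or a different
body depending on the User-Agent. The fake site below is constructed.
"""
import urllib.error
import urllib.request

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_with_urllib(url, user_agent):
    """Live fetcher: returns (status, headers dict, body text)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx (unfollowed), 4xx and 5xx land here
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def fake_infected_site(url, user_agent):
    """Constructed stand-in for the hacked site: crawlers get a 302 to the
    spam host, everyone else gets the real page."""
    if "googlebot" in user_agent.lower():
        return 302, {"Location": "http://spam.example.net/landing"}, ""
    return 200, {"Content-Type": "text/html"}, "<html><body>Welcome to the shop</body></html>"


def detect_cloaking(url, fetch):
    """Return a list of differences between the browser view and the crawler view."""
    h_status, h_headers, h_body = fetch(url, BROWSER_UA)
    b_status, b_headers, b_body = fetch(url, CRAWLER_UA)
    h_loc = {k.lower(): v for k, v in h_headers.items()}.get("location")
    b_loc = {k.lower(): v for k, v in b_headers.items()}.get("location")
    diffs = []
    if h_status != b_status:
        diffs.append(f"status {h_status} vs {b_status}")
    if h_loc != b_loc:
        diffs.append(f"location {h_loc!r} vs {b_loc!r}")
    if h_body != b_body:
        diffs.append("body differs")
    return diffs


if __name__ == "__main__":
    # Offline demo against the constructed site; for a live check use:
    # detect_cloaking("https://your-site.example/", fetch_with_urllib)
    print(detect_cloaking("https://example.com/", fake_infected_site))
```

On a real WordPress page the body comparison will often fire on its own because of nonces and timestamps in the HTML; the status and Location differences are the reliable signal, and a `302`/`301` that only the crawler receives is exactly the pattern the first post describes.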
  5. dadaas

    #5
    Yes, we did encounter similar things. Once you are hacked you need to clean everything, because the first rule of hackers is to create backdoors. Backdoors can be inside files, hidden, or in the database. So you need to check everything, and if the site is big this is an extremely hard job to do.
     
    dadaas, Oct 15, 2016 IP
    Mehdi.b likes this.
  6. Einheijar

    #6
    Look for files with eval or base64_decode.
     
    Einheijar, Oct 15, 2016 IP
  7. Mehdi.b

    #7
    Yeah, the first eval was in a 404 page, which was blissfully convenient to access. Found out something else: xmlrpc.php is also a good gateway once they have access to the site. Personally I did not know much about it (I'm not a developer), but apparently that was also another point of entry to manually add code into posts and pages.
     
    Mehdi.b, Oct 16, 2016 IP
  8. Zoti Media Group

    #8
    There are plenty of plugins that are uploaded by hackers and no one checks them for security issues.
    The best way is to rename wp-login.php and rename it again when you want to log in.

    Mod_security with comodo rules can help in this case.
     
    Zoti Media Group, Oct 16, 2016 IP
    Mehdi.b likes this.
  9. Mehdi.b

    #9
    Funny you mention that. I was using the iThemes Security plugin, quite a good one in this case. Changed all the login pages and suddenly the attempts changed to 404 pages. It is funny to see the failed attempts, but there are quite a few of them. In this case he/she/it is still hitting the pages about 110 times a day. I suspect a bot.
     
    Mehdi.b, Oct 17, 2016 IP
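The "110 hits a day turning into 404s" observation above, and the xmlrpc.php entry point from post #7, are both visible in the web server's access log without any plugin. The following is an added example, not code from the thread or from iThemes Security: it reads combined-format access log lines and counts, per client IP, POSTs to wp-login.php, POSTs to xmlrpc.php, and 404s on the old wp-login.php path, then lists the sources above a threshold. The log lines are constructed; the IP addresses, the renamed login path `/secret-login/` and the threshold are assumptions for the demo.

```python
"""Summarise wp-login.php / xmlrpc.php attack traffic from an access log.

Added example, not code from the forum thread. Parses Apache/nginx
combined-format lines and counts per source IP the requests a WordPress
brute-forcer or XML-RPC abuser makes. The log lines below are constructed.
"""
import re
from collections import Counter

# ip ident user [timestamp] "METHOD path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed: a bot hammering the old login path (now 404) and xmlrpc.php,
# a normal visitor, and one legitimate-looking login from a third address.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Oct/2016:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Oct/2016:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Oct/2016:03:12:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Oct/2016:03:12:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Oct/2016:03:15:10 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Oct/2016:03:15:12 +0000] "GET /secret-login/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Oct/2016:03:12:05 +0000] "GET /wp-login.php?action=register HTTP/1.1" 404 209 "-" "python-requests/2.11"
192.0.2.9 - - [17/Oct/2016:08:01:44 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""


def classify(method, path, status):
    """Map one request to a category we care about, or None."""
    path = path.split("?", 1)[0].lower()  # drop the query string
    if path.endswith("/xmlrpc.php") and method == "POST":
        return "xmlrpc_post"
    if path.endswith("/wp-login.php"):
        if status == 404:
            return "login_404"  # old login URL after it was renamed/removed
        if method == "POST":
            return "login_post"
    return None


def summarize_log(text):
    """Return {ip: Counter(category -> hits)} for sources that touched
    the login or XML-RPC endpoints; other traffic is ignored."""
    summary = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line
        cat = classify(m["method"], m["path"], int(m["status"]))
        if cat:
            summary.setdefault(m["ip"], Counter())[cat] += 1
    return summary


def flag_sources(summary, threshold):
    """IPs whose total login/xmlrpc hits reach the threshold, sorted."""
    return sorted(ip for ip, c in summary.items() if sum(c.values()) >= threshold)


if __name__ == "__main__":
    summary = summarize_log(SAMPLE_LOG)
    for ip, counts in summary.items():
        print(ip, dict(counts))
    print("flag:", flag_sources(summary, threshold=3))
```

Pointed at a day's real log with a sensible threshold, `flag_sources` gives you the list of addresses to feed to a firewall or a WAF rule; the per-category counts also tell you whether blocking the login page alone is enough or whether xmlrpc.php needs restricting as well.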
  10. Einheijar

    #10

    Plenty of people are scanning for older versions of WordPress.

    https://github.com/sparklemotion/mechanize is a good tool to start building your own automated scanner :)
     
    Einheijar, Oct 17, 2016 IP
  11. Karly_C

    #11
    Not easy to clean up a site at all. Good thing you had backups to fall back on. There are numerous entry points for injecting exploit code including xmlrpc.php and wp-login.php, so protection on your website needs to be automated as much as possible. Have you got a web application firewall or any other kind of security services in place? You can still see how attacks are being attempted against your site except that all these attempts are being blocked. That's my favorite part.
     
    Karly_C, Oct 25, 2016 IP
    Mehdi.b likes this.
  12. Mehdi.b

    #12
    Thanks, yeah, I now have Sucuri on all websites, or iThemes Security on most of the WordPress ones. Very helpful, and it shows the points of attack as well as vulnerabilities, which helps tremendously. I liked when I changed the login page and it suddenly changed from failed logins to 404 attempts; that was satisfying.
     
    Mehdi.b, Oct 26, 2016 IP
  13. Walerian

    #13
    I've also experienced this hack. In January I removed code insertions from PHP files, and now a sitemaps.xml file with 8000 redirects and a Google Search Console verification file have shown up (which made an account for Google Search Console and submitted a sitemap). I have removed that. Have you noticed any changes in your database? Mine looks OK, but I don't want any further surprise. I have installed iThemes Security as well as All In One WP Security and Antivirus. But if there is something left in my files I could still have problems.
     
    Walerian, Feb 11, 2017 IP
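The advice in post #6 (look for files with eval or base64_decode) and the two artefacts in the post above (a dropped Search Console verification file and an unexpected sitemap XML in the web root) can be covered by one triage pass over the site tree. The following is an added example, not code from the thread or from any WordPress security plugin. It flags PHP files containing the usual obfuscation and execution calls, decodes long base64 literals to see whether PHP code is hiding inside (the `eval(base64_decode(...))` pattern from the first post), and reports root-level `google*.html` files and `.xml` files outside an allowlist. The sample tree it scans is constructed in a temporary directory; the file names, the GET "password" parameter and the spam host are assumptions for the demo.

```python
"""Triage scanner for injected PHP and dropped artefacts in a WordPress tree.

Added example, not code from the forum thread. Run it against a site
root; it returns files worth a human look, with the reason for each. The
sample tree built by build_sample_tree() is constructed for the demo.
"""
import base64
import os
import re
import tempfile

# Calls that legitimate theme/plugin files rarely need; each hit is a reason.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|create_function|gzinflate|gzuncompress|str_rot13|"
    r"base64_decode|system|shell_exec|passthru)\s*\("
)
# A quoted base64 blob long enough to hold code.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
# Signs that a decoded blob is PHP rather than an image or a font.
PHP_MARKERS = re.compile(
    r"<\?php|\beval\s*\(|\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|\bheader\s*\("
)
VERIFICATION_FILE = re.compile(r"^google[0-9a-f]{8,}\.html$")
CODE_EXT = (".php", ".phtml", ".inc")


def scan_php_source(text):
    """Return a list of reasons a PHP source file looks injected (empty if clean)."""
    reasons = []
    for name in sorted(set(m.group(1) for m in SUSPICIOUS_CALLS.finditer(text))):
        reasons.append(f"suspicious call: {name}(")
    for blob in B64_LITERAL.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("latin-1")
        except ValueError:
            continue
        if PHP_MARKERS.search(decoded):
            reasons.append("base64 literal decodes to PHP code")
            break
    return reasons


def scan_tree(root, expected_root_xml=("sitemap.xml", "sitemap_index.xml")):
    """Walk a site tree; return {relative_path: [reasons]} for files worth a look."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if name.lower().endswith(CODE_EXT):
                with open(full, "rb") as fh:
                    reasons += scan_php_source(fh.read().decode("latin-1"))
            if dirpath == root:  # web root: look for dropped artefacts
                if VERIFICATION_FILE.match(name):
                    reasons.append("looks like a Search Console verification file")
                if name.endswith(".xml") and name not in expected_root_xml:
                    reasons.append("unexpected .xml at web root")
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_tree():
    """Constructed WordPress-like tree: one clean file, three planted artefacts."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    os.makedirs(os.path.join(root, "wp-content", "themes", "demo"))
    # Crawler redirect hidden in a base64 blob behind a GET "password" (assumed names).
    payload = (
        "if(strpos($_SERVER['HTTP_USER_AGENT'],'Googlebot')!==false)"
        "{header('Location: http://spam.example.net/');exit;}"
    )
    blob = base64.b64encode(payload.encode()).decode()
    files = {
        "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/themes/demo/404.php": (
            "<?php\nif (isset($_GET['pw']) && $_GET['pw'] === 'letmein') {\n"
            f"    eval(base64_decode('{blob}'));\n}}\nget_header();\n"
        ),
        "google1234abcd5678.html": "google-site-verification: google1234abcd5678.html\n",
        "amaps.xml": "<urlset></urlset>\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, why in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{path}: {'; '.join(why)}")
```

This is a triage list, not a verdict: `base64_decode(` and `system(` appear in some legitimate plugins, so diff every flagged file against a clean copy of the same plugin or theme version before deleting anything, and remember that the thread's own experience (and post #5) says the database can carry the backdoor too, which a file scan will not see.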