So I'm pretty sure I could be the 5 millionth person to post something like this, but I couldn't find any other posts to answer my questions. I have a website (danramosd.com) that got hacked into today. I was curious how I can go about seeing how they hacked the website, and what I need to do in order to patch it. I'm assuming I can start by looking at my log files? I'm pretty clueless from there; any help would be appreciated.
First of all, make sure your WP is up to date. You can get a plugin to change the "WP" prefix to something else and a plugin to scan your WordPress blog for security issues. I would also recommend editing the .htaccess file to block all IPs except yours from connecting to /wp-admin (make sure you don't have a dynamic IP). Remove any unused plugins you have. In response to your question about finding out what happened: what type of hosting do you have?
I have been in the same situation, but you should also check your PC for viruses; there are some trojans that steal the credentials you are using to connect to your website's FTP, especially if you are using TotalCommander. From there they are injecting your WP with hidden iframes. You should solve the cause, not only the effect. I hope that this helps.
Many websites are hacked by using stolen FTP login credentials (username and password). These login credentials are stolen by a virus on a PC that has FTP access to the infected website. The virus works in a variety of ways. The two most common are: stealing the information from a plain text file and "sniffing" the FTP traffic.

First, many free FTP programs like FileZilla store the saved credentials in a plain text file on the PC. If you're using FileZilla on Windows XP, look in: C:\Document and Settings\(user)\Application Data\FileZilla\sitemanager.xml (user could be administrator or whatever user you sign in as). In there you'll see each of the sites with the username and password stored in plain text. The virus finds this file, reads it and sends the information to a server which then logs in to each site, downloads files, infects them and uploads them back to the website. Many of them also then monitor the website to see if the infection is still there. If it's been removed, it tries logging in again using the same valid credentials and re-infecting the website. This server oftentimes also puts various "back-doors" on the website so it can re-infect the website after the passwords have been changed. These back-doors are usually .php files that include the string: eval(base64_decode(... but there are many others as well.

The second method, where the virus "sniffs" the FTP traffic, is also commonly used. Since FTP transmits all data in plain text, including username and password, it's easy for the virus to see and steal the credentials this way as well. I have a YouTube video showing this: http://www.youtube.com/watch?v=oYI1kssrrbc

What can be done? First, I would switch from using a free FTP program to using WS_FTP by Ipswitch. I wish I could send everyone to an affiliate link, but I can't. But I do like their product because it does save the login credentials, but it's encrypted, which makes it more difficult (not impossible) for the hackers to use this information.

I would also see if your hosting provider supports SFTP or FTPS. These two protocols are encrypted so they can't be easily sniffed. Of course, the hardest part about this whole scenario is convincing people that they have a virus. Everyone always says, "I use XYZ anti-virus so I know I don't have a virus." However, these viruses learn how to evade detection, so oftentimes a different anti-virus program is needed in order to find and remove the virus. Many have had good success with Avast, Kaspersky or Vipre. This is just my experience, but I have cleaned over 20,000 websites - and counting.
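The post above says the back-doors are usually .php files containing eval(base64_decode(. The following is an added example, not code from anyone in this thread: a small Python scanner that walks a document root, inspects only PHP-type files and reports the line of every match. The eval(base64_decode( pattern is the one from the post; the gzinflate and str_rot13 wrappers, the list of file extensions, and the sample files it builds (including a constructed in.php) are assumptions of this example.

```python
import os
import re
import tempfile

# Patterns seen in injected PHP back-doors. The first is the one the post names;
# the other two are assumed additions (other obfuscation wrappers seen in the wild).
SUSPICIOUS_PATTERNS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    re.compile(rb"eval\s*\(\s*gzinflate\s*\("),
    re.compile(rb"eval\s*\(\s*str_rot13\s*\("),
]

# Assumed set of extensions the web server would execute as PHP.
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")


def scan_file(path):
    """Return [(line_number, matched_text), ...] for every suspicious match in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    for pattern in SUSPICIOUS_PATTERNS:
        for match in pattern.finditer(data):
            line_no = data.count(b"\n", 0, match.start()) + 1
            hits.append((line_no, match.group(0).decode("latin-1")))
    return sorted(hits)


def scan_tree(root):
    """Walk a document root and map each flagged PHP file (relative path) to its hits."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_site():
    """Create a constructed mini document root: one clean theme file, one injected
    file and one non-PHP file that must be ignored. Returns the root directory."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    theme_dir = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme_dir)
    with open(os.path.join(theme_dir, "functions.php"), "w") as fh:
        fh.write("<?php\nfunction demo_setup() { add_theme_support('title-tag'); }\n")
    with open(os.path.join(root, "in.php"), "w") as fh:
        # constructed stand-in for an injected file; the payload is just the text "hello"
        fh.write("<?php\n// not part of WordPress\neval(base64_decode('aGVsbG8='));\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("eval(base64_decode('text file, not executable, must be skipped'))\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel_path, hits in scan_tree(site).items():
        for line_no, text in hits:
            print(f"{rel_path}:{line_no}: {text}")
```

Run it against the real document root by calling scan_tree("/path/to/htdocs"). A match is a lead, not proof: the reliable check is to diff every core, theme and plugin file against a clean copy of the same version, because a back-door can be written without any of these strings.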
Thank you to everyone for the responses, very informative. I'm actually running on a Mac and don't believe I've accessed the site via a Windows box. I use mediatemple as my hosting. I found a pretty good amount of information on how to prevent attacks in the future, but I guess I'm more curious about how this attack occurred. Is there a way to tell by log files or another method where and how the attack happened? My website really doesn't get many visits, maybe a handful a day, so I think it might be a little easier to determine the IP of the attacker. I find it kind of ironic that this happened to me considering I JUST started getting into security and purchased a hacking/security book the day before it happened. Once again, thank you for all the help.
I was asking because which logs to look at depends on what privileges you have on the server. If you google "linux security logs" (if you are Linux hosted), this will tell you how to view your logs (if you can). Being WordPress, it could be a multitude of things; maybe look out for c99 or r57 scripts and/or modified code in PHP files. PS. If your site is about computer security, you make your site a HUGE target.
One of the best ways, after the fact, is to be sure your FTP logs are activated. I know a lot of shared hosting plans have FTP logging turned off by default. What I recommend is to create a separate FTP account for each user. If it's just you, then create a separate FTP account for each computer if you have more than one. Then be sure FTP logging is activated. Then if your website gets infected again, you can look in the FTP logs to see which files were uploaded to your site and which user account was used. Then you know which computer or at least which user is infected.
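As an added example of the approach in the post above (not code from the thread), here is a Python parser for FTP transfer logs in the xferlog format that wu-ftpd, vsftpd and Pure-FTPd can write. It groups completed uploads by FTP account and answers "which account, from which address, uploaded this file". The log lines are constructed for the example, and the account names laptop-dan and desktop-dan stand in for the one-account-per-computer scheme the post recommends.

```python
import re
from collections import defaultdict
from datetime import datetime

# xferlog fields: time, transfer-seconds, remote-host, size, path, type (a/b),
# special-action, direction (i=upload, o=download, d=delete), access-mode,
# username, service, auth-method, auth-id, completion-status (c/i).
XFERLOG_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<action>\S) (?P<dir>[iod]) "
    r"(?P<mode>[arg]) (?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<authid>\S+) "
    r"(?P<status>[ci])$"
)

# Constructed sample: the laptop account uploads a stylesheet; the desktop account
# uploads an unknown in.php and overwrites index.php late at night.
SAMPLE_LOG = """\
Mon Mar  1 09:12:03 2010 1 198.51.100.10 4096 /home/site/wp-content/themes/demo/style.css a _ i r laptop-dan ftp 0 * c
Mon Mar  1 23:41:17 2010 1 203.0.113.77 812 /home/site/in.php b _ i r desktop-dan ftp 0 * c
Mon Mar  1 23:41:20 2010 1 203.0.113.77 20931 /home/site/index.php b _ i r desktop-dan ftp 0 * c
Tue Mar  2 08:05:44 2010 2 198.51.100.10 20931 /home/site/index.php b _ o r laptop-dan ftp 0 * c
"""


def parse_xferlog(text):
    """Parse xferlog lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        # collapse the padded day ("Mar  1") before parsing the timestamp
        entry["when"] = datetime.strptime(" ".join(entry["when"].split()),
                                          "%a %b %d %H:%M:%S %Y")
        entries.append(entry)
    return entries


def uploads_by_account(entries):
    """Map each FTP account to the (time, source IP, path) of its completed uploads."""
    result = defaultdict(list)
    for e in entries:
        if e["dir"] == "i" and e["status"] == "c":
            result[e["user"]].append((e["when"], e["host"], e["path"]))
    return dict(result)


def who_uploaded(entries, filename):
    """Return (account, source IP, ISO time) for every upload of the named file."""
    return [
        (e["user"], e["host"], e["when"].isoformat())
        for e in entries
        if e["dir"] == "i" and (e["path"] == filename or e["path"].endswith("/" + filename))
    ]


if __name__ == "__main__":
    log = parse_xferlog(SAMPLE_LOG)
    for account, uploads in uploads_by_account(log).items():
        print(account)
        for when, host, path in uploads:
            print(f"  {when:%Y-%m-%d %H:%M:%S}  {host:<15}  {path}")
    print("in.php uploaded by:", who_uploaded(log, "in.php"))
```

If the host's FTP log uses a different layout, only XFERLOG_RE needs changing; the grouping logic is the same. With one account per computer, the account on the offending upload points at the machine to clean.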
You must know what is normal and what is not normal. For example, this is normal. This is not normal, because in.php is not a WordPress file and not something that I have uploaded. This is good, but this is bad. You must also understand return codes: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html Most commonly you first have a lot of error messages and then success.
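The post above makes two points about web server access logs: requests for files that are not part of WordPress (its example is in.php) are abnormal, and a run of error responses followed by a success is the usual shape. As an added example, not code from the thread, this Python script parses combined-format access log lines and applies both checks. The six log lines are constructed; the list of WordPress entry points and the rule that PHP under /wp-content/uploads/ is never expected are assumptions of the example.

```python
import re

# Apache/nginx "combined" log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: one address probes for files that do not exist and then
# succeeds against a new PHP file; a second address browses the site normally.
SAMPLE_ACCESS_LOG = """\
203.0.113.77 - - [01/Mar/2010:23:39:01 +0000] "GET /wp-content/plugins/old/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.77 - - [01/Mar/2010:23:39:02 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.77 - - [01/Mar/2010:23:39:03 +0000] "GET /admin.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.77 - - [01/Mar/2010:23:41:30 +0000] "POST /in.php HTTP/1.1" 200 93 "-" "Mozilla/5.0"
198.51.100.10 - - [02/Mar/2010:08:05:00 +0000] "GET / HTTP/1.1" 200 14922 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.10 - - [02/Mar/2010:08:05:01 +0000] "GET /wp-content/themes/demo/style.css HTTP/1.1" 200 3011 "http://example.test/" "Mozilla/5.0 (Macintosh)"
"""

# WordPress core files that are normally requested directly (assumed inventory).
CORE_FILES = {"/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
              "/wp-comments-post.php", "/wp-trackback.php"}
CORE_DIRS = ("/wp-admin/", "/wp-includes/", "/wp-content/")


def parse_access_log(text):
    """Parse combined-format lines into dicts; non-matching lines are skipped."""
    return [m.groupdict() for m in (ACCESS_RE.match(l) for l in text.splitlines()) if m]


def is_expected_php_request(path):
    """Only .php requests are judged; permalinks and static files pass through."""
    path = path.split("?", 1)[0]
    if not path.endswith(".php"):
        return True
    if path.startswith("/wp-content/uploads/"):
        return False  # uploads hold media; PHP there is never expected
    return path in CORE_FILES or path.startswith(CORE_DIRS)


def unexpected_php_requests(entries):
    """Requests for PHP files outside the known WordPress layout."""
    return [e for e in entries if not is_expected_php_request(e["path"])]


def errors_then_success(entries, min_errors=3):
    """Per client IP, report a 2xx response that directly follows a run of at least
    min_errors 4xx/5xx responses: the 'lots of errors, then success' shape."""
    runs = {}
    findings = []
    for e in entries:
        ip, status = e["ip"], int(e["status"])
        if status >= 400:
            runs[ip] = runs.get(ip, 0) + 1
        else:
            if 200 <= status < 300 and runs.get(ip, 0) >= min_errors:
                findings.append((ip, runs[ip], e["path"]))
            runs[ip] = 0
    return findings


if __name__ == "__main__":
    log = parse_access_log(SAMPLE_ACCESS_LOG)
    for e in unexpected_php_requests(log):
        print(f"unexpected PHP request: {e['ip']} {e['method']} {e['path']} -> {e['status']}")
    for ip, errors, path in errors_then_success(log):
        print(f"{ip}: {errors} errors then success on {path}")
```

On a low-traffic site like the one in the question, the unexpected-PHP list is short enough to read by hand, and the first line mentioning the injected file gives the time window for the FTP log search.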