Thread: Found an ingenious WordPress hack today

  1. #1 Harold Mansfield

    Found an ingenious WordPress hack today

    One of my clients called about her site being hacked. Granted I have all of the security on it possible, but I have no control over weak server security which is where I'm positive it came from. 3rd time now on this site.

    This was a run of the mill code injection, where they edit your theme files or add a file to cause havoc and either redirect your URL or place porn, pharmaceutical or Cheap Ugg Boots links all over your site. The links were appearing one minute and then they weren't there the next. You could see them on some browsers and not others. The one place that it was consistent was the login screen, even though it was hidden.

    I'm usually pretty good at finding them, cleaning them out and protecting against it happening again, but this one had me and tech support at the hosting company stumped. Seriously, they had nothing other than what I'd already done the day before so I was on my own.

    Finally I started going file by file in wp-content and saw a plugin that wasn't showing in the dashboard. Turns out it was a fake named "xcalendar" that was somehow in the plugins folder. I imagine they could name it anything. I kept overlooking it because we did have a calendar plugin installed, so I imagine they could name it anything to seem legit when glancing at your files.

    When I called that company's tech support back to tell them what I found and ask how someone gained access to the server, they really had no answer and proceeded to upsell me (or rather my client) additional security... which to me says they've given up trying to protect your site and now it's up to you to buy additional services to make up for their weak ass security.

    Anyway, that was the first time I'd seen a fake plugin installed on the server, so I thought I'd share the experience. Frustrating and not exactly rocket science, but kind of ingenious hiding in plain sight like that.

    I don't want to call out the host publicly, but if you've read any of my posts about hosting questions it's not hard to figure out who I think is the weakest host in the business and THE ONLY ONE that I get consistent "I've been hacked" calls from people who are hosted there.
    Last edited by Harold Mansfield; 12-28-2014 at 07:46 AM.
    WordPress Support WordPress Security Blog | Seeker.One
    Doing everything right doesn't guarantee success. Not trying does guarantee failure.

  2. #2 billbenson

    Harold, do you have a way of detecting new files or altered files on a site? It seems to me like a cron job looking for this would detect a lot of hacks??

  3. #3 Harold Mansfield

    Quote Originally Posted by billbenson:
        Harold, do you have a way of detecting new files or altered files on a site? It seems to me like a cron job looking for this would detect a lot of hacks??
    Yes I do. That's what helped me track it down. The date that the .htaccess file was changed and knowing that it wasn't me or the client. The logs also told me that they didn't come in via the admin panel which is what caused me to start going file by file on the server.
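    The file-change check billbenson asks about, and the "plugin folder that never shows in the dashboard" that Harold describes, can both be caught by one small script run from cron. The following is an added example written for this thread, not code from either poster: it records a baseline of SHA-256 hashes for a wp-content tree, reports files added, modified or removed since that baseline, and flags plugin directories that contain no PHP file carrying a WordPress "Plugin Name:" header (WordPress lists a plugin in the dashboard only when it finds such a header, so a headerless directory under plugins/ is exactly the kind of thing that hides in plain sight). The sample tree it builds, including the "calendar" and "xcalendar" directories and the .htaccess edit, is constructed to mirror the thread; nothing is read from a real site.

```python
"""File-integrity and headerless-plugin check for a WordPress content tree.
Added example for this thread (not the posters' code). Paths and sample files
below are constructed stand-ins for a real wp-content directory."""
import hashlib
import json
import os
import re
import tempfile

# WordPress reads plugin headers from the first 8 KB of top-level .php files.
PLUGIN_HEADER = re.compile(r"Plugin Name\s*:", re.IGNORECASE)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def diff_manifests(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def headerless_plugins(plugins_dir):
    """Plugin directories whose top-level .php files carry no plugin header."""
    suspicious = []
    for entry in sorted(os.listdir(plugins_dir)):
        d = os.path.join(plugins_dir, entry)
        if not os.path.isdir(d):
            continue
        has_header = False
        for name in os.listdir(d):
            if name.endswith(".php"):
                with open(os.path.join(d, name), "rb") as f:
                    head = f.read(8192).decode("utf-8", "replace")
                if PLUGIN_HEADER.search(head):
                    has_header = True
                    break
        if not has_header:
            suspicious.append(entry)
    return suspicious


def demo():
    """Constructed sample tree; returns what a cron run would report."""
    with tempfile.TemporaryDirectory() as root:
        plugins = os.path.join(root, "plugins")
        os.makedirs(os.path.join(plugins, "calendar"))
        with open(os.path.join(plugins, "calendar", "calendar.php"), "w") as f:
            f.write("<?php\n/*\nPlugin Name: Calendar\n*/\n")
        with open(os.path.join(root, ".htaccess"), "w") as f:
            f.write("RewriteEngine On\n")
        # A real cron job would write this baseline to a file outside the web root.
        saved = json.dumps(build_manifest(root))

        # Simulate the tampering described in the thread: a look-alike plugin
        # directory with no header, plus an edited .htaccess.
        os.makedirs(os.path.join(plugins, "xcalendar"))
        with open(os.path.join(plugins, "xcalendar", "xcalendar.php"), "w") as f:
            f.write("<?php\n// no plugin header here\n")
        with open(os.path.join(root, ".htaccess"), "a") as f:
            f.write("# extra line\n")

        added, modified, removed = diff_manifests(json.loads(saved),
                                                  build_manifest(root))
        return {"added": added, "modified": modified, "removed": removed,
                "headerless": headerless_plugins(plugins)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    In practice the baseline manifest belongs somewhere the web server's user cannot write, and the job should run as a different user than PHP does; a baseline that the attacker can rewrite along with the theme files tells you nothing.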

  4. #4 Brian Altenhofel

    And that's why I stay far, far away from shared hosting.
    || VMdoh - Drupal development, consulting, and support
