Found an ingenious WordPress hack today



Harold Mansfield
12-27-2014, 05:42 PM
One of my clients called about her site being hacked. Granted I have all of the security on it possible, but I have no control over weak server security which is where I'm positive it came from. 3rd time now on this site.

This was a run of the mill code injection, where they edit your theme files or add a file to cause havoc and either redirect your URL or place porn, pharmaceutical or Cheap Ugg Boots links all over your site. The links were appearing one minute and then they weren't there the next. You could see them on some browsers and not others. The one place that it was consistent was the login screen, even though it was hidden.

I'm usually pretty good at finding them, cleaning them out and protecting against it happening again, but this one had me and tech support at the hosting company stumped. Seriously, they had nothing other than what I'd already done the day before so I was on my own.

Finally I started going file by file in wp-content and saw a plugin that wasn't showing in the dashboard. Turns out it was a fake named "xcalendar" that was somehow in the plugins folder. I imagine they could name it anything. I kept overlooking it because we did have a calendar plugin installed, so I imagine they could name it anything to seem legit when glancing at your files.

When I called that company's tech support back to tell them what I found and ask how someone gained access to the server, they really had no answer and proceeded to upsell me (or rather my client) additional security...which to me says they've given up trying to protect your site and now it's up to you to buy additional services to make up for their weak ass security.

Anyway, that was the first time I'd seen a fake plugin installed on the server so I thought I'd share the experience. Frustrating and not exactly rocket science, but kind of ingenious hiding in plain sight like that.

I don't want to call out the host publicly, but if you've read any of my posts about hosting questions it's not hard to figure out who I think is the weakest host in the business and THE ONLY ONE that I get consistent "I've been hacked" calls from people who are hosted there.

billbenson
12-27-2014, 06:03 PM
Harold, do you have a way of detecting new files or altered files on a site? It seems to me like a cron job looking for this would detect a lot of hacks??

Harold Mansfield
12-27-2014, 06:57 PM
Harold, do you have a way of detecting new files or altered files on a site? It seems to me like a cron job looking for this would detect a lot of hacks??

Yes I do. That's what helped me track it down: the date that the .htaccess file was changed, and knowing that it wasn't me or the client. The logs also told me that they didn't come in via the admin panel, which is what caused me to start going file by file on the server.
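The kind of cron-driven check billbenson asks about, and that Harold describes using, is a file-integrity baseline: hash every file once, then on each run report anything added, removed or modified, and separately flag any plugin directory that is not on a known-good list. The script below is an added example written for this thread, not code posted by either participant. It assumes a standard WordPress layout (a site root containing `.htaccess` and `wp-content/plugins/`); the plugin allow-list and the demo tree it builds under a temporary directory are constructed for illustration.

```python
#!/usr/bin/env python3
"""File-integrity check for a WordPress install: baseline, then diff.

Usage (assumed layout: SITE_ROOT holds .htaccess and wp-content/):
    python3 wpcheck.py baseline /path/to/site baseline.json
    python3 wpcheck.py check    /path/to/site baseline.json
Run the 'check' form from cron and mail yourself anything it prints.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# Assumption: the plugins the site owner actually installed. Anything else
# under wp-content/plugins is reported, whatever it is named.
KNOWN_PLUGINS = {"the-events-calendar"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its hash."""
    out = {}
    for p in sorted(root.rglob("*")):  # pathlib's glob includes dotfiles such as .htaccess
        if p.is_file() and not p.is_symlink():
            out[str(p.relative_to(root))] = sha256_of(p)
    return out


def diff_snapshots(old: dict, new: dict) -> dict:
    """Added, removed and content-changed files between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def unexpected_plugins(root: Path, allowed: set) -> list:
    """Plugin directories on disk that are not in the owner's allow-list."""
    plugins = root / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    return sorted(d.name for d in plugins.iterdir() if d.is_dir() and d.name not in allowed)


def demo() -> dict:
    """Constructed scenario mirroring the thread: baseline a tiny site, then a
    fake plugin directory appears and .htaccess is edited. Returns the report."""
    root = Path(tempfile.mkdtemp(prefix="wpsite-"))
    legit = root / "wp-content" / "plugins" / "the-events-calendar"
    legit.mkdir(parents=True)
    (legit / "main.php").write_text("<?php // constructed: legitimate plugin\n")
    (root / ".htaccess").write_text("RewriteEngine On\n")
    baseline = snapshot(root)

    # Changes nobody authorised (constructed, harmless stand-ins).
    fake = root / "wp-content" / "plugins" / "xcalendar"
    fake.mkdir()
    (fake / "xcalendar.php").write_text("<?php // constructed: planted file\n")
    (root / ".htaccess").write_text("RewriteEngine On\n# edited by someone else\n")

    report = diff_snapshots(baseline, snapshot(root))
    report["unexpected_plugins"] = unexpected_plugins(root, KNOWN_PLUGINS)
    return report


def main(argv: list) -> int:
    if len(argv) != 4 or argv[1] not in ("baseline", "check"):
        print(__doc__)
        return 2
    root, store = Path(argv[2]), Path(argv[3])
    if argv[1] == "baseline":
        store.write_text(json.dumps(snapshot(root), indent=1))
        return 0
    report = diff_snapshots(json.loads(store.read_text()), snapshot(root))
    report["unexpected_plugins"] = unexpected_plugins(root, KNOWN_PLUGINS)
    print(json.dumps(report, indent=1))
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Hashing catches what a modification-time check can miss, since timestamps are easy to reset while content is not; the allow-list turns a plausibly named directory like "xcalendar" into a hit even when it sits next to the real calendar plugin, which is exactly the look-alike trick described above. Keep `baseline.json` outside the web root and re-baseline only after a deliberate update.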

Brian Altenhofel
12-27-2014, 07:06 PM
And that's why I stay far, far away from shared hosting. :)