Need Help

Discussion in 'Off Topic' started by studio6x, May 18, 2016.

  1. studio6x

    studio6x New Member

    Hello, my website has been hacked. I have a plugin called Wordfence and I created an .htaccess login restriction to only my IP, but they still managed to put a malware script in the theme header.

    Any ideas?
     
  2. reptille

    reptille New Member

    If you have any backups, revert to one from before they hacked in.
     
  3. caftpx10

    caftpx10 Well-Known Member

    Is your WordPress installation the latest?
    What plugins are enabled in your installation (include the version of them if possible)?
    Was the password complex enough (web host account, FTP [if additional users are set], WordPress login)?

    Even if a backup could be restored, it can quickly end up in the same state if the method of entry is not sorted out.
     
  4. studio6x

    studio6x New Member

    I have very long passwords for the WP login and FTP login, and I forgot to mention I have 7 websites on that server. All of them had the same malware script; all are WordPress with the latest 4.5.2 update. Only the Joomla website was not attacked.
     
  5. caftpx10

    caftpx10 Well-Known Member

    Alrighty. Sounds like the entry might be to do with WP.
    What plugins do you have installed on all your WP installations and which versions are they on? Perhaps one is vulnerable.
     
    Last edited: May 19, 2016
  6. studio6x

    studio6x New Member

    All plugins are up to date, and WordPress as well. I even changed the theme; they still managed to put the same script in the header PHP file again yesterday.

    Do you think maybe it is the hosting server?
     
  7. essellar

    essellar Community Advocate Community Support

    Okay, they're the latest versions. That means nothing, really. You were asked (by somebody who wants to help and just may have some knowledge, or even just some more advanced Google-fu) which plugins you're running. The latest version of something with a known vulnerability just means that you're using the most up-to-date vulnerability.
     
  8. studio6x

    studio6x New Member

    The plugins that I'm using are:
    Akismet
    Aspexi Facebook Like Box
    Coming Soon Page & Maintenance Mode by SeedProd
    Hello Dolly
    Jetpack
    LayerSlider WP
    Wordfence Security
    W3 Total Cache
    WordPress Importer
    Shortcodes Ultimate
    Revolution Slider
    MOJO Marketplace
     
  9. caftpx10

    caftpx10 Well-Known Member

    It looks like Revolution Slider (2.4.1) could be allowing this according to the exploit EDB-ID 35385 (Google it, not linking to the site with the details just in case).
    'Hello Dolly' looks to have some dodgy history so that might also need looking at.
     
  10. studio6x

    studio6x New Member

    Do you think they may have access to the FTP details? All the WordPress websites on the hosting I'm using were attacked; only the Joomla website was not attacked.
     
  11. essellar

    essellar Community Advocate Community Support

    It's easier to look for an installation of WordPress (or whatever) with an exploit than it is to try to brute-force FTP logins. With an exploit available, you just need to fetch a bunch of web pages looking for a particular string or two of text; you don't much care which site(s) have the exploit as long as you can get your malicious code out there somehow, to as many places as you can. A script kiddie can hit a few thousand sites in a day with a bot they found online. With the FTP thing, it means throwing some resources at a particular site/server; if you happen to stumble across an easy login, great, but unless you have a particular site you want to deface it's usually more trouble than it's worth to take that approach. Changing your password might be a good idea, but it's far less likely that FTP was their way in.
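The thread's pattern (the same injected line turning up in header.php on every WordPress site on one account, and coming back after cleanup) is exactly what a cross-site integrity check catches early. The following is an added example, not code from any poster or from Wordfence; its regexes are an assumed heuristic for common obfuscation wrappers, and the header contents and baseline hashes are constructed.

```python
"""Flag injected code in WordPress theme header.php files across several installs.

Added example for this thread, not code from any poster or from Wordfence. The regexes
are a heuristic assumption (common obfuscation wrappers, not every payload), so a hit is
a lead to inspect and a miss proves nothing. Sample header contents are constructed."""
import hashlib
import re

# (label, pattern): constructs that rarely belong in a legitimate theme header.
SUSPICIOUS = [
    ("eval of decoded blob", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("eval of request input", re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("long opaque script body", re.compile(r"<script[^>]*>\s*[A-Za-z0-9+/=]{200,}", re.I)),
    ("preg_replace /e modifier", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)),
]

def scan_header(content: str) -> list:
    """Return labels of suspicious constructs present in one header.php."""
    return [label for label, rx in SUSPICIOUS if rx.search(content)]

def scan_sites(headers: dict) -> dict:
    """headers: site name -> header.php text. Returns per-site findings plus groups of
    sites whose header.php is byte-identical, so one payload hitting many sites stands out."""
    report = {"findings": {}, "identical": {}}
    for site, text in headers.items():
        hits = scan_header(text)
        if hits:
            report["findings"][site] = hits
        digest = hashlib.sha256(text.encode()).hexdigest()
        report["identical"].setdefault(digest, []).append(site)
    # keep only content shared by more than one site
    report["identical"] = {d: s for d, s in report["identical"].items() if len(s) > 1}
    return report

def changed_since_baseline(baseline: dict, current: dict) -> list:
    """Sites whose header.php hash differs from a known-good baseline
    (baseline: site -> sha256 hex recorded right after a clean deploy)."""
    return [site for site, text in current.items()
            if hashlib.sha256(text.encode()).hexdigest() != baseline.get(site)]

# Constructed sample data: one clean header, two carrying the same injected line.
CLEAN = "<?php wp_head(); ?>\n<body <?php body_class(); ?>>\n"
INJECTED = "<?php eval(base64_decode('Q09OU1RSVUNURURfU0FNUExF')); ?>\n" + CLEAN
SITES = {"site1": CLEAN, "site2": INJECTED, "site3": INJECTED}
BASELINE = {s: hashlib.sha256(CLEAN.encode()).hexdigest() for s in SITES}

if __name__ == "__main__":
    print(scan_sites(SITES))
    print(changed_since_baseline(BASELINE, SITES))
```

Run against real installs, `headers` would be read from each site's active theme directory; a baseline mismatch with no regex hit still deserves a diff, since the check only tells you the file changed, not why.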
     