sahdes Posted August 24, 2016 username: sahdes; server: Stevie; domain: sahdes.heliohost.org / sahdes.org. No idea why. Thank you. Plus, I cannot access my CP either (I got the renew-password mail but the code it sent doesn't work).
Byron Posted August 24, 2016 Your account was suspended for causing high server load. I have unsuspended your account, but please try to limit the load you put on our servers, as it slows down not only your site but the sites of all other HelioHost users sharing your server. If you still see the suspended page, please clear your cache. According to your home page, your site was hacked. I can reset your password if you need me to.
sahdes Posted August 24, 2016 Author Now the site's online again, but it's been hacked by some terrorists!! I'm working on it. That may have caused the high server load... Update: I just updated WP and everything went back to normal.
wolstech Posted August 24, 2016 WordPress is notorious for its terrible security and for being hacked... in fact, it's one of the leading causes of hacked sites on our service. Usually, the issue is caused by the use of "free" themes and extensions from dubious websites (they're "free" because the criminals distributing them make money using the malware/backdoor built into them to abuse websites for spam or phishing). It's also common for people to forget to install the security updates for WP and the extensions.
sahdes Posted August 26, 2016 Author I know, and I've installed Wordfence to avoid those issues. But it's weird. This time, everything within WP was intact; they just changed index.php, and it doesn't seem to have been done through the WP editor, as if they had gained access to my CP and replaced it there...
wolstech Posted August 26, 2016 They probably used a backdoor or known vulnerability in WP to do it. When the malware in a theme or extension is used by the attacker, it's not generally accessed through any of the "normal" admin interfaces, so changing passwords won't fix it (and in fact, depending on the malware, it could just get the new password stolen). Very often, such malware is accessed through some hidden URL arguments or by doing something on a C&C server and waiting for the malware to receive the instructions (in both scenarios, the initial malware that accepts these arguments or talks to said server was unknowingly installed by you as part of an infected free addon). The malware's capabilities generally allow attackers to create/alter/delete files and in some cases read/edit your database as well. The reason I recommend against WordPress is because it is difficult-to-impossible to fully secure (especially if you use themes or extensions/plugins), and it needs a lot of maintenance to keep secure. As a result, it is often vulnerable and (based on my experiences dealing with abuse reports and suspensions) is a leading cause of hacked websites here at HelioHost.
Krydos Posted August 26, 2016 Since you guys keep talking about it, I got curious. Check out /home1/sahdes/public_html/wp-content/aa.php. What that file means is that anyone who wants to can send as many phishing scams or spam through your account as they want, bypassing all of the passwords and plugins that you installed. Overwriting your index.php definitely didn't fix everything. Like wolstech said, it is best to wipe it all and start over fresh. Who knows what else is hiding in there. It took me about 30 seconds to find that file. If the hackers had actually put some effort into it, it would be much harder to find.
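A defender-side triage check for the kind of stray file Krydos describes (a PHP file dropped directly into wp-content, or under uploads, calling functions backdoors typically use). This is an added example, not code from the thread or from HelioHost; the sample file tree, the root allowlist and the function-name signature list are assumptions.

```python
import os
import re
import tempfile

# Constructed stand-in for a compromised public_html (assumption). Only the
# file names aa.php and isis.php come from the thread; contents are invented.
SAMPLE = {
    "wp-content/plugins/akismet/akismet.php": "<?php\nfunction akismet_init() {}\n",
    "wp-content/themes/twentysixteen/index.php": "<?php get_header(); ?>\n",
    "wp-content/aa.php": "<?php eval(base64_decode($_POST['c']));\n",
    "wp-content/uploads/2016/08/isis.php": "<?php echo 'x';\n",
    "wp-content/uploads/2016/08/notes.txt": "not php, ignored\n",
}
PHP_EXT = (".php", ".php5", ".phtml", ".phar")
# Files WordPress itself legitimately places at the wp-content root (assumed list).
ROOT_ALLOW = {"index.php", "advanced-cache.php", "object-cache.php", "db.php"}
# Functions that rarely appear in clean theme/plugin code but often in droppers.
SUSPICIOUS = re.compile(
    r"\b(eval|assert|create_function|gzinflate|str_rot13|base64_decode)\s*\(", re.I)

def scan_wp_content(public_html):
    """Return sorted (relative_path, reason) pairs worth a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(public_html, "wp-content")):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue  # static assets are out of scope for this check
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, public_html).replace(os.sep, "/")
            parts = rel.split("/")  # ['wp-content', ..., name]
            if len(parts) == 2 and name not in ROOT_ALLOW:
                findings.append((rel, "PHP file at wp-content root"))
            elif len(parts) > 2 and parts[1] == "uploads":
                findings.append((rel, "PHP file under uploads"))  # should never exist
            with open(full, encoding="utf-8", errors="replace") as fh:
                hit = SUSPICIOUS.search(fh.read())
            if hit:
                findings.append((rel, f"calls {hit.group(1)}()"))
    return sorted(findings)

def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_wp_content(tmp)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Findings are leads for review, not verdicts: a clean plugin can call base64_decode(), so compare each hit against a pristine copy of the same plugin/theme before deleting anything.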
sahdes Posted August 31, 2016 Author Thank you for your information. As you said, the site's heavily hacked, down again, and changing the passwords was useless; I've even lost access to my CP. Now, when I try to reset the password it doesn't work. I receive the mail, enter the code, and nothing happens; it keeps asking for the code. The direct link doesn't work either. What can be done?
wolstech Posted August 31, 2016 That's because it's suspended for high server load... again. You need to reinstall everything using clean, up-to-date versions (and then keep them updated), or not use WordPress. Almost every hacked site we see is hacked WordPress, so not using it will probably significantly lower your odds of getting hacked. If I unsuspend you, do you agree to immediately delete everything in the public_html folder (except the cgi-bin folder, which should be empty)?
sahdes Posted September 1, 2016 Author (sorry for my bad English) If you can, please just give me a couple of hours to try to get the site clean without losing years of posts. I have the Wordfence plugin, which is pretty good at that. I have to use WP because it's for a non-profit NGO blog; I have to rely on some platform that allows the team to post stuff without depending on me. But I always keep it updated, with just a few well-known plugins and this Wordfence to keep it secured. I don't know what happened. If I don't manage to clean it at first, I will erase everything. Let me know if that's possible.
wolstech Posted September 1, 2016 Escalating. @Krydos/Byron: He already tried and failed to clean this once... and we all know the story with WP. What do you think?
sahdes Posted September 1, 2016 Author Sorry, a clarification: I didn't try, I just updated WP and everything looked OK, my bad. This time I will. I've run this site for years and nothing like this had ever happened. UPDATE: I've found a backup from a year ago. If I fail to clean the site as it is now, I'll just restore that one.
Byron Posted September 1, 2016 Your site is unsuspended. Go ahead and clean it up. I renamed /home1/sahdes/public_html/wp-content/aa.php to /home1/sahdes/public_html/wp-content/aa.txt just in case.
sahdes Posted September 2, 2016 Author Done. Meanwhile (before you renamed aa.php), on an automatic scan Wordfence had found this:
[sep 01 22:35:46] Adding issue: File appears to be malicious: wp-content/aa.php
[sep 01 22:35:46] Adding issue: File appears to be malicious: wp-content/isis.php
So it's effective; it was me who missed the alerts. Sorry about that; henceforth I'll be on guard. Both deleted, and a new scan produced "Congratulations! No security problems were detected by Wordfence." So all should be OK. Thank you very much.