ATTENTION Hacked (additional) Files in regular modules, themes and places a.o.!

Hi all

We are currently investigating an attack which happened this morning on a demo site.

It also infected Hummingbird and other files, at about 3 - 5 pm GMT+7.

Defender did NOT detect those activities and also did not report the accesses. Suggestion for the devs: please add a way to send a report of the audit file immediately, which makes investigation much easier. One day is simply too long as the shortest period when serious attacks happen!

The attackers were able to upload and unzip files and execute them, as they somehow disabled the setting that PHP files can't be executed, which had been set by Defender previously.

Besides inserting files into the main directory of that WordPress site, they placed files in several other locations, most with cryptic text and code.

They also went into the .well-known folder of Let's Encrypt and placed a copy of xml_rpc.class.php there, plus a .htaccess and an index file.

The Defender log shows login failures for users named phuket, test, and some other usernames over a longer period of time, from yesterday evening and this morning until now.

They placed files in the wp-content folder and modified the .htaccess with a rewrite rule. Additionally, they went deeper into the folder structure and placed similar files, often with very common and harmless-looking names, in subfolders, including hummingbird and a favicon file.
material-admin-theme
hummingbird
really-simple-ssl

... got affected too.

Kind regards
Andi
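The post above describes three things a site owner would want to check after such an incident: PHP files dropped into directories that must never serve PHP (wp-content/uploads, the Let's Encrypt .well-known folder), a stray .htaccess that re-enables PHP handling or adds a rewrite rule, and existing theme/plugin files that were modified in place. The following script is an added example and is not code from the thread, from Defender or from WPMU DEV; it audits a WordPress tree for those three conditions and compares PHP file hashes against a baseline snapshot. The directory list, suffix list, .htaccess directive patterns and the sample tree it builds are all assumptions constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: locations in a WordPress tree that should never contain executable
# PHP (uploads hold user content; .well-known holds Let's Encrypt ACME challenges).
NO_PHP_DIRS = ("wp-content/uploads", ".well-known")
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Assumption: .htaccess directives that would re-enable PHP handling in a
# hardened directory or rewrite requests to a dropped file.
SUSPICIOUS_HTACCESS = re.compile(
    r"^\s*(RewriteRule|AddHandler|SetHandler|php_flag\s+engine\s+on"
    r"|AddType\s+application/x-httpd-php)",
    re.IGNORECASE | re.MULTILINE,
)


def audit_no_php_dirs(root):
    """Return sorted (finding, relative_path) pairs for PHP files and suspicious
    .htaccess files inside directories that must not serve PHP."""
    root = Path(root)
    findings = []
    for sub in NO_PHP_DIRS:
        base = root / sub
        if not base.is_dir():
            continue
        for path in base.rglob("*"):  # pathlib rglob also visits dotfiles
            if not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()
            if path.suffix.lower() in PHP_SUFFIXES:
                findings.append(("php_file_in_no_php_dir", rel))
            elif path.name == ".htaccess":
                if SUSPICIOUS_HTACCESS.search(path.read_text(errors="replace")):
                    findings.append(("htaccess_reenables_php_or_rewrites", rel))
    return sorted(findings)


def snapshot_php_hashes(root):
    """Map every PHP file under root (relative path) to its SHA-256 digest.
    Take this on a known-clean install and store it off the web server."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES
    }


def diff_against_baseline(root, baseline):
    """Report PHP files added, modified or removed since the baseline snapshot."""
    current = snapshot_php_hashes(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(root, files):
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)


def build_demo_tree():
    """Constructed sample tree (not a real site): a small clean install."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    _write(root, {
        "wp-content/themes/demo/functions.php": "<?php // theme functions\n",
        "wp-content/plugins/hummingbird/hummingbird.php": "<?php // plugin\n",
        ".well-known/acme-challenge/token.txt": "challenge\n",
        "wp-content/uploads/2019/photo.jpg": "not really a jpeg\n",
    })
    return root


def simulate_compromise(root):
    """Add constructed stand-ins for the drop-ins the thread describes, and
    append a line to an existing theme file to mimic an in-place edit."""
    root = Path(root)
    _write(root, {
        ".well-known/xml_rpc.class.php": "<?php /* constructed placeholder */\n",
        ".well-known/.htaccess": "RewriteEngine On\nRewriteRule ^ xml_rpc.class.php [L]\n",
        ".well-known/index.php": "<?php\n",
        "wp-content/uploads/2019/favicon.php": "<?php /* constructed placeholder */\n",
        "wp-content/uploads/.htaccess": "AddHandler application/x-httpd-php .php\n",
    })
    with open(root / "wp-content/themes/demo/functions.php", "a") as fh:
        fh.write("/* simulated in-place modification */\n")


if __name__ == "__main__":
    site = build_demo_tree()
    clean_baseline = snapshot_php_hashes(site)
    simulate_compromise(site)
    for finding in audit_no_php_dirs(site):
        print(*finding)
    print(diff_against_baseline(site, clean_baseline))
```

On a live site the baseline snapshot is the part that matters most: a daily hash comparison run from a cron job (and mailed out, rather than waiting for a scheduled report) would have surfaced the edited functions.php and the new files in .well-known within hours, independently of what the security plugin happened to flag.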

  • Nithin
    • Support Wizard

    Hi Andi,

    Defender did NOT detect those activities and also did not report the accesses. Suggestion for the devs: please add a way to send a report of the audit file immediately, which makes investigation much easier. One day is simply too long as the shortest period when serious attacks happen!

    Sorry to hear that your website got hacked. Unfortunately, from the observations you made, it seems like somehow the security got bypassed. Did you have Automatic Scans enabled in the plugin? I only see you mention Audit logging.

    Defender can only detect some intrusions when these options are enabled, and it would then have alerted the user.

    Regarding Audit logging, at the moment it seems like it can only send daily reports; I'll have to confirm this with the developer. Have you sorted this issue? Or are you still working on recovering your website?

    I'm bringing this thread to the developers' attention; please do let us know if you want us to take a look at any particular instance of your website.

    You might find the following links helpful with recovering your website:
    https://codex.wordpress.org/FAQ_My_site_was_hacked
    https://codex.wordpress.org/Hardening_WordPress

    Kind Regards,
    Nithin

  • Andi
    • The Exporter

    The site is back, no problem, thanks Nithin. In Defender all options are active. What actually worries me most is the fact that they were able to add stuff into .htaccess files and enable execution of PHP files, besides adding their own files with common names.
    Also, they were able to access the dotted folders of Let's Encrypt.

    They also edited some functions.php files of themes.

  • Kasia Swiderska
    • Support nomad

    Hello Andi,

    Another problem with Defender is that when you change the settings from the default 10 MB to e.g. 100 MB, then you can't scan again immediately!

    What do you see on your site when you try that - are there any errors? I tested it now on my site: there was a scan running, so I cancelled it, then I changed the settings (from 10 to 20 MB) and then I ran the scan again. It started without problems.

    Kind regards,
    Kasia

  • Andi
    • The Exporter

    This problem has been solved in the meantime with the new updates of Hummingbird and Defender. Thanks to Kasia and Nithin who helped here.

    SOLUTION: Update to the newest version of Defender and Hummingbird to solve that specific problem!

    Kind regards
    Andi
