I've been hacked so installed Defender - still seeing issues and need help tracking down

So, about a week or so ago, my hosting provider started emailing me that something looked suspicious on my site, and indeed something was SO bad, that I had the white screen of death. I removed all plugins, copied a new version of WordPress in, changed my hosting and mysql passwords, and installed Defender.

Last night's scans showed more files altered - I'm attaching a screenshot of what Defender says. I honestly haven't even reenabled most of my plugins, so many things on my site are actually "broken" right now (shortcodes that have no definitions) while I try to figure out what's up.

Is "guest" really doing something here, or is it that I already have compromised files that are replicating nefarious stuff?

Thanks!

Danita

  • Predrag Dubajic

    Hey Danita,

    Sorry to hear you got hacked, that's always a stressful thing to deal with :(

    I had a look at the screenshot of the report and I'm afraid that your WordPress files are compromised, not your theme and plugin files.

    What you should do is download a fresh version of WP and replace everything except for the wp-content folder and the .htaccess and wp-config.php files.

    You can get WP files here: https://wordpress.org/download/

    After you restore original WP files perform the scan again and let us know if there are any reports left.

    NOTE: I suggest having a full backup ready before overwriting any files, this way you will stay on safe side and will be able to quickly restore your site in case anything goes wrong in the process.

    Best regards,
    Predrag
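The core-file replacement Predrag describes is easier to scope if you first see exactly which core files differ from a clean copy. The script below is an added example, not code from the thread or from the Defender plugin: it walks the site's document root, skips the per-site paths (wp-content, wp-config.php, .htaccess) and reports every file that is either modified relative to a freshly unpacked WordPress of the same version or does not exist in the fresh copy at all (the usual sign of a dropped file). The directory names FRESH and SITE, and the fixture that demo() builds, are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Defender plugin): compare a
# site's WordPress core files against a freshly unpacked copy of the same
# version. wp-content, wp-config.php and .htaccess are skipped because they
# legitimately differ per site.
#
# Usage (assumed paths):  core_diff /tmp/wordpress /home/user/example.com
#   FRESH = directory an official wordpress-X.Y.Z.tar.gz was extracted into
#   SITE  = the site's document root (the copy you suspect)

# Print one line per suspicious core file, sorted by path:
#   MODIFIED <path>   present in both trees but content differs
#   EXTRA    <path>   present on the site, absent from the fresh copy
core_diff() {
    fresh="$1"
    site="$2"
    ( cd "$site" && find . -type f \
        ! -path './wp-content/*' \
        ! -path './wp-config.php' \
        ! -path './.htaccess' ) | sed 's|^\./||' | sort |
    while IFS= read -r rel; do
        if [ ! -f "$fresh/$rel" ]; then
            printf 'EXTRA    %s\n' "$rel"
        elif ! cmp -s "$fresh/$rel" "$site/$rel"; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done
}

# Constructed fixture for a stand-alone run: a tiny "fresh" tree and a copy of
# it with one core file altered and one file dropped into wp-admin. The file
# contents are harmless placeholders, not real malware.
build_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/fresh/wp-admin/css/colors/light" "$tmp/fresh/wp-includes"
    printf '<?php // clean core file\n' > "$tmp/fresh/wp-includes/class-wp-widget-factory.php"
    printf 'body{}\n' > "$tmp/fresh/wp-admin/css/colors/light/colors.css"
    cp -R "$tmp/fresh" "$tmp/site"
    mkdir -p "$tmp/site/wp-content/uploads"
    # constructed: a line appended to a core file
    printf '// constructed: injected line\n' >> "$tmp/site/wp-includes/class-wp-widget-factory.php"
    # constructed: a file that does not exist in a clean install
    printf '<?php // constructed: dropped file\n' > "$tmp/site/wp-admin/css/colors/light/menu54.php"
    # per-site files that must NOT be reported
    printf 'define("DB_PASSWORD", "x");\n' > "$tmp/site/wp-config.php"
    printf '<?php // lives under wp-content, out of scope here\n' > "$tmp/site/wp-content/uploads/inc.php"
    echo "$tmp"
}

# Build the fixture, run the comparison, clean up.
demo() {
    root=$(build_fixture)
    core_diff "$root/fresh" "$root/site"
    rm -rf "$root"
}

demo
```

Anything listed as EXTRA has no business in wp-admin or wp-includes and can be deleted outright; MODIFIED files are the ones to overwrite from the fresh archive. Note that this only covers core: wp-content (themes, plugins, uploads) needs its own pass, and the fresh copy must be the same WordPress version as the site or every file will show as MODIFIED. WP-CLI's `wp core verify-checksums` performs the equivalent core comparison against the checksums published by wordpress.org, if WP-CLI is available on the host.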

  • Adam Czajczyk

    Hello Danita!

    The "Wiki" plugin has been retired, as well as some others. You'll find the full list of them here:

    https://premium.wpmudev.org/retiring-our-legacy-plugins/

    You'll also find direct links to GitHub where you'll find these plugins. Please note that they are no longer developed and supported by us. They've been given to the community and everyone is free now to develop/build-upon them.

    Best regards,
    Adam

  • Predrag Dubajic

    Hi Danita,

    This is indeed one of the Defender files but it's most likely modified somehow because it doesn't report it on my installation.

    Can you access that file via FTP or cPanel, download it, zip it and then upload it to any file sharing service? After that, post the download link here so we can have a look at the file, compare it to the original and perhaps find out what caused that report.

    Best regards,
    Predrag

  • Danita

    Okay - today there were a lot of them. You can find them at caledonia.net/files/hack.tar.gz

    Today I've reset all administrator users' passwords in WordPress, changed the MySQL database password, and reset the SSH password on the hosted site. Oh joy :)

    The items in this file were found in the following folders:

    /home/danzan2/caledonia.net/wp-admin/css/colors/light/menu54.php
    /home/danzan2/caledonia.net/wp-content/themes/weaver-ii-pro/weaver-ii-pro/search.php
    /home/danzan2/caledonia.net/wp-content/plugins/akismet/wrapper.php
    /home/danzan2/caledonia.net/wp-content/plugins/wpmudev-updates/template/gallery52.php
    /home/danzan2/caledonia.net/wp-content/uploads/2008/diff.php
    /home/danzan2/caledonia.net/wp-content/uploads/2012/10/inc.php
    /home/danzan2/caledonia.net/wp-content/uploads/2014/05/ajax.php
    /wp-content/uploads/2014/06/info.php
    /wp-content/uploads/js_composer/footer44.php
    /wp-content/uploads/memberlogs/template.php
    /wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
    /caledonia.net/wp-includes/class-wp-widget-factory.php
    /caledonia.net/inc5.php

    The only folder I copied in adhoc was the uploads folder. Is it possible that there were already some questionable files in there, and that they are "reactivated"? I will go through the uploads directories and make sure there are no files in them that could be a problem before I copy them back. For now, I've put a notice on the site that we have an "issue" and I'm going to move very slowly now in replacing everything!

    Thanks.

  • Adam Czajczyk

    Hello Danita!

    Thank you for sharing these files. Actually, I cannot even check them because Defender scan on Windows doesn't let me download the archive that you shared - it immediately detects malicious software inside an archive.

    That, however, leads me to some other, though not particularly good, conclusion. If that was about some malicious php code the file would not be blocked because that code is not automatically executed in Windows and would be considered potentially harmless. If an archive causes anti-virus scan to remove it automatically, that suggests that the file has been infected and - in turn - that also suggests that it might actually be an issue with your computer being infected.

    Have you run anti-virus/security scans on it? The issue reported by Defender is named "Backdoor:PHP/Small.ID" and it's apparently a PHP script prepared to be automatically executed by a built-in server to give the attacker control over your PC. It can be run on your computer or on a server - actually on any machine that does include a web server.

    My suggestion would be to double-check your machine first and if nothing is detected there then most likely files in /wp-content/upload would be infected.

    Best regards,
    Adam

  • Danita

    It's not "my" server per se. It's a hosted server at Dreamhost, and I have about a dozen other domains on the same server node that are not affected. Thus I don't believe it is an OS issue. So I'm assuming it's the wp-content/upload directory. I'm going to recursively delete any PHP files in that folder (and look to see if there are other executable type files) and do another copy to see what happens!

    Thanks.
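Danita's plan for the uploads directory, sweeping out PHP files and checking for anything else executable, is the standard move for that tree, and it pairs well with telling the web server never to execute PHP from uploads again. The script below is an added example, not code from the thread or from Defender. It lists rather than deletes, so the output can be reviewed before anything is removed, and it catches two things a plain extension match misses: files with an image or text extension whose first bytes contain a PHP open tag, and stray .htaccess files (the uploads tree should not normally contain one). The fixture built by build_fixture() is constructed for the example; the Apache directives are a widely used pattern but assume Apache with .htaccess overrides enabled, which is an assumption about the host.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Defender plugin): sweep a
# WordPress uploads tree for files that should not be there, then deny PHP
# execution from that tree. Lists only; deletion is left to the reviewer.
#
# Usage (assumed path):  find_suspect_uploads /home/user/example.com/wp-content/uploads
#                        write_deny_htaccess  /home/user/example.com/wp-content/uploads

# Print one line per suspect file under $1, sorted by path:
#   EXT  <path>   extension a web server may execute as PHP
#   TAG  <path>   other extension, but a "<?php" open tag in the first 4 KB
#   HTA  <path>   an .htaccess inside uploads (can re-enable PHP execution)
find_suspect_uploads() {
    dir="$1"
    ( cd "$dir" && find . -type f ) | sed 's|^\./||' | sort |
    while IFS= read -r rel; do
        case "$rel" in
            .htaccess|*/.htaccess)
                printf 'HTA  %s\n' "$rel" ;;
            *.php|*.php[0-9]|*.phtml|*.phar|*.phps)
                printf 'EXT  %s\n' "$rel" ;;
            *)
                # A script renamed to .gif or .txt still starts with a PHP tag.
                if head -c 4096 "$dir/$rel" | grep -q '<?php'; then
                    printf 'TAG  %s\n' "$rel"
                fi ;;
        esac
    done
}

# Write an .htaccess that stops Apache serving PHP-like files from $1.
# The inner IfModule blocks cover both the 2.4 (Require) and 2.2 (Deny)
# authorization syntax. Assumes AllowOverride permits these directives.
write_deny_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Deny PHP-like files in the uploads tree (added by the cleanup script).
<FilesMatch "\.(php|php[0-9]|phtml|phar|phps)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Constructed fixture for a stand-alone run: two legitimate files, one .php
# dropped into uploads, and one "gif" whose body is really a PHP script.
# Contents are harmless placeholders, not real malware.
build_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/uploads/2008" "$tmp/uploads/2012/10"
    printf 'not a script\n' > "$tmp/uploads/2008/logo.png"
    printf '<?php // constructed: script dropped into uploads\n' > "$tmp/uploads/2008/diff.php"
    printf 'GIF89a<?php // constructed: script with an image extension\n' > "$tmp/uploads/2012/10/banner.gif"
    printf 'hello\n' > "$tmp/uploads/2012/10/notes.txt"
    echo "$tmp"
}

# Build the fixture, list suspects, write the deny rule, clean up.
demo() {
    root=$(build_fixture)
    find_suspect_uploads "$root/uploads"
    write_deny_htaccess "$root/uploads"
    rm -rf "$root"
}

demo
```

Once the listing is reviewed, the EXT and TAG entries can be removed and the .htaccess left in place; after that, a file dropped into uploads still cannot run even if the next scan finds one, which turns the question "is guest doing something, or are old files replicating?" into one the access log can answer. The deny rule is Apache-specific; on nginx the equivalent is a `location` block for the uploads path that returns 403 for `\.php$` rather than passing it to PHP-FPM.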

  • Adam Czajczyk

    Hello, Danita!

    What I mean by "OS" issue is that it's either infection from some computer that was used to interact with files on the site or even site itself. Checking /wp-content/upload folder is a good idea and hopefully that will help.

    If it does not, however, I'd suggest checking all the machines that were ever used to access the site's backend, FTP and/or server's management panel (probably cPanel) against viruses/malicious software.

    Kind regards,
    Adam