Might have been hacked - HELP

Hi

Please advise.

All of my pages show the same jpeg image, I am confident that this is some sort of a hack. I have Wordfence and Defender on but they have not detected anything. My host SiteGround is looking into the issue as well.
But I know I have the experts here.. man I am freaking out...
Site is http://www.bilverdy.dk
I can still get in via wp-login.php

  • Adam Czajczyk

    Hello Hamid,

    I hope you're well today and thank you for your question!

    I checked the site and it looks like there's just some "placeholder" index.html file in the main folder of your site. Could you access your site using FTP (or cPanel's "File Manager") tool and in the main folder of your WordPress installation (where you see the "wp-admin", "wp-content" and "wp-includes" folders) look for files like:

    index.htm
    index.html
    start.htm
    start.html

    If they are there, remove them. There should be no files with the ".html" extension there and the only "index" file that may exist there is the "index.php" file (so that one, as well as ".htaccess", "xmlrpc.php" and all the files and folders that start with "wp-", should stay intact).

    Give it a shot please and let me know if that helped.

    If it works, the question would be how that file got there. Does the image tell you anything? Did you - or anyone that has access to the site - upload anything to it? Let me also know please what your host said.

    Kind regards,
    Adam

  • Hamid

    I am in FTP now, and I do NOT see those files in the main folder.

    SiteGround Tech says it is back up but it is completely a mess now...

    Here is what they said:

    It seems the configuration of the website was altered and the application was set to load different tables using the 0_ prefix. When exactly did the website work as intended? I think a backup restore in this case is the best possible option to bring the website into working condition.

  • Adam Czajczyk

    Hello Hamid!

    I tried to visit your site again but now there are errors. Do I correctly understand that they restored the site for you from backup? Did you request them to do so?

    As for the database. Defender scans your install against WP Core integrity (meaning whether the WP core files are as they should be), against known plugin and theme vulnerabilities (meaning checking them against a huge database of patterns/codes known to cause issues/be malicious) and against suspicious code in files.

    It does also log activities on site but that's not equal to identifying database changes.

    I do however suppose that since you are using Defender you might have previously tried to use the "Change the default database prefix" Hardener option, did you? That could explain why the database from the restored backup has got different table names.

    However, I think at this point the case got too complex for both sides - us and your host - to take care of that at the same time as it might lead to a bigger "mess" than it is now. If your host suggests any solutions let them do their job or let us work on that, but I think you'd need to make a decision so we don't get in your host's way and vice versa :slight_smile:

    Best regards,
    Adam
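As an added example (not part of this thread, and not Defender's or SiteGround's own tooling): a small shell audit that does the two checks discussed above, looking in a WordPress root for the stray index/start files Adam lists and reporting the `$table_prefix` that wp-config.php is set to load (the host's reply mentioned an unexpected `0_` prefix). It assumes the directory you pass is the WordPress root and that the expected prefix is known to you; the sample root it builds is constructed for demonstration.

```shell
#!/bin/sh
# Constructed example: audit a WordPress root directory for the symptoms
# discussed in this thread. Assumes "$1" is the WP root (wp-admin etc. live there).

# Print each of the four stray file names that exists in the root, one per line.
find_stray_files() {
    dir="$1"
    for f in index.htm index.html start.htm start.html; do
        [ -e "$dir/$f" ] && echo "$f"
    done
    return 0
}

# Print the $table_prefix configured in wp-config.php (e.g. wp_ or 0_);
# prints nothing if the file or the setting is absent.
wp_table_prefix() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || return 0
    sed -n "s/^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1
}

# Report findings on stderr and print the number of findings on stdout.
# Usage: audit_wp_root /path/to/wordpress expected_prefix
audit_wp_root() {
    dir="$1"; expected="$2"; findings=0
    for f in $(find_stray_files "$dir"); do
        echo "FINDING: unexpected file $f in WordPress root" >&2
        findings=$((findings + 1))
    done
    prefix=$(wp_table_prefix "$dir")
    if [ -n "$prefix" ] && [ "$prefix" != "$expected" ]; then
        echo "FINDING: wp-config.php loads tables with prefix '$prefix', expected '$expected'" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Build a constructed sample root showing both symptoms; prints its path.
build_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-admin" "$dir/wp-content" "$dir/wp-includes"
    printf '<html><body><img src="placeholder.jpg"></body></html>\n' > "$dir/index.html"
    cat > "$dir/wp-config.php" <<'EOF'
<?php
$table_prefix = '0_';
EOF
    echo "$dir"
}
```

Running `audit_wp_root "$(build_sample_root)" wp_` reports the placeholder index.html and the `0_` prefix, and prints 2.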

  • Hamid

    Thank you Adam

    From the mail I got and also sent to you, it sounded like they recommended a restore. I only replied to them asking if they could confirm that I have a valid backup no earlier than 9 hrs ago. And apparently they went ahead with a restore phase. They have not yet replied, but they are pretty good at writing back.

    To be honest, I don't recall if I played with the "Change the default database prefix"..

    I agree, we let them do their part to finish, then I get back to you with an update.

    It is 0130 AM here in Sweden, so I will soon turn in.

    If / When they restore the site again, can I fine-tune Defender for something like this?
    I also run Wordfence. Should I not be good with those two plugins?
    Besides taking backups of course.

    Thanks again Adam..

    /Hamid

  • Adam Czajczyk

    Hello Hamid!

    Thank you for your reply.

    It's nearly 2am here so I'll be ending my shift for today in a few minutes but I'll be of course back tomorrow. Hopefully, SiteGround will be able to come up with something by that time. I think now it would be best to wait for them and see how this ends up.

    If they are able to "bring the site back from the dead", you should then double-check the entire site to see if everything's okay. If so, then we'd think about what to do next :slight_smile:

    Keep me updated please.

    Best regards,
    Adam

  • Hamid

    Hi Adam

    Ok so the site is back up. They restored from the 6th of April. So I only lost 2-3 posts and a plugin installation.

    So far by navigating the site it looks good. I have changed all passwords, turned on Defender and Wordfence, but I am not sure if that is enough, maybe the hacker left a backdoor or something.

    What is the next step I should consider?

    Also please look at the screendump from Defender's Audit logger, is it safe that "system/wordpress" modified the wp-config.php? I don't like that it says guest in the right column

  • Adam Czajczyk

    Hello Hamid,

    Thank you for your reply. I can see that your site now seems to be working fine.

    In order to make sure whether it was indeed a hacking attempt you'd still want to work with your host as they are able to check server logs and should be able to detect any unusual/malicious activity that already happened. While Defender and other security plugins may suggest/"suspect" some activities on the site, only a solid review of server logs may confirm (or deny) an attack and identify the way it happened.

    As for the wp-config.php modification. That file usually should not be modified in any way other than manually by you - as the admin of the site - but there are some cases when this is fine. For example, Defender may modify it if you run the database prefix change "hardener" option. Some other security and cache plugins might do this as well (e.g. W3 Total Cache modifies it because it needs to add some definitions there).

    There's an IP shown on the screenshot and that IP seems to match other activities such as Hummingbird's minification groups creation, so that would suggest that this comes from your server. You might want to review the "wp-config.php" file to check if you can see any "suspicious looking" entries there but I think this particular case should be fine.

    Best regards,
    Adam

  • Hamid

    Thank you Adam.

    I will continue to investigate with my host.

    Glad that you explained things to me. If indeed, like you said yesterday, you thought it might have been an index/start file in the root, if someone had access to upload that, what else could they have access to?? I really thought I was secure with all the plugins, the host and other small modifications to avoid this...

    If someone uploads a file to my root will Defender catch that during a scan?

    Br Hamid

  • Adam Czajczyk

    Hello Hamid!

    The clue here is to find out how this happened in the first place. If your host is able to help you with that, then we could assess possible consequences. For now, we only know that this happened, and if that was indeed a matter of just a file (or some redirect), there may be a full range of reasons for that, starting from just some temporary server "glitch" (where somebody else hosting his site on the very same server uploaded the file to his/her own account and the server just "went mad"), through access via some security glitch in WordPress or one of its plugins, up to full access to FTP.

    If your host finds out how that happened, let me know please and that should possibly help me give you a better response :slight_smile:

    Best regards,
    Adam
