Being Hacked: Part V & VI: Epilogue?
Part V: One against the other
In the third part of Being Hacked I put together a small list of words to search for across the whole account:
backdoor
fx0 //rare to find
get_current_user //too many matches
gzinflate
base64_decode
gzuncompress
secureroot
After cleaning all the webshells I had found, I ran the search again. To my surprise, I found new files installed less than one minute earlier! Believe it or not, the hacker was spreading fresh copies of the webshell across the account, and this time he wasn't careful at all: he started overwriting WordPress files everywhere, such as admin.php (the file you land on right after logging into WordPress (!)). Apparently he had noticed the 'disappearance' of the installed webshells and, using one of the last remaining ones, had started 'farming' again.
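Putting the search list above into a script, as an added example that is not from the original post: it greps a web root for the post's indicator strings (leaving out get_current_user, which the post notes matches far too much) and lists files modified in the last few minutes, which is how the fresh copies described above would show up. The sample site tree and the inert webshell-like file it creates are constructed here for illustration; real matches still need to be read by hand, since base64_decode and friends also appear in legitimate code.

```shell
#!/bin/sh
# Added example (not from the original post): hunt for webshell indicators
# and freshly written files under a WordPress web root.
set -eu

# Indicator strings from the post's search list, as an extended regex.
# get_current_user is left out: the post notes it produces too many matches.
INDICATORS='backdoor|fx0|gzinflate|base64_decode|gzuncompress|secureroot'

# find_suspicious ROOT
#   Lists PHP files under ROOT that contain any indicator string.
#   Matches are candidates for manual review, not proof of compromise.
find_suspicious() {
    grep -rlE --include='*.php' "$INDICATORS" "$1" 2>/dev/null | sort
}

# count_suspicious ROOT -> number of candidate files
count_suspicious() {
    find_suspicious "$1" | wc -l | tr -d ' '
}

# find_recent ROOT MINUTES
#   Lists files under ROOT modified less than MINUTES minutes ago; the post
#   found new copies "installed less than one minute ago", i.e. -mmin -1.
find_recent() {
    find "$1" -type f -mmin -"$2" | sort
}

# make_sample_site -> path of a constructed (hypothetical) web root:
#   a clean index.php, a clean admin.php, and one dropped file whose body
#   uses the gzinflate/base64_decode pattern from the indicator list.
#   The dropped file is an inert text fixture; nothing here executes it.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-content/uploads"
    printf '<?php echo "hello"; ?>\n' > "$root/index.php"
    printf '<?php /* admin bootstrap */ ?>\n' > "$root/wp-admin/admin.php"
    printf '<?php eval(gzinflate(base64_decode($_POST["c"]))); ?>\n' \
        > "$root/wp-content/uploads/.cache.php"
    echo "$root"
}

# Stand-alone run: build the fixture, report, clean up.
if [ "${1:-}" = "--demo" ]; then
    site=$(make_sample_site)
    echo "Suspicious PHP files under $site:"
    find_suspicious "$site"
    echo "Files written in the last 5 minutes:"
    find_recent "$site" 5
    rm -rf "$site"
fi
```

Run it with `--demo` to see both reports on the fixture, or source it and point `find_suspicious` and `find_recent` at a real web root. Re-running `find_recent` a few minutes after a cleanup is the cheap way to notice that something is still writing files.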
Finally, I solved the problem with three steps:
- Deactivating the plugin which started the problem
- Deleting all the webshells
- Updating all WordPress sites.
Part VI: Epilogue(?)
Checking the logs from that day, I could see that at some point I was repairing the account while the hacker was using the backdoor. I was lucky: the hacker wasn't a destructive activist; he simply used the account for his own benefit, trying not to be noticed. But from the moment he installed his phishing sites, they were detected by Google (who sent me an email) and by Site5.
The very next day there were six attempts to register on the site where the vulnerable plugin was running (first deactivated, later updated). That confirmed the entry point that started the problem.
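A way to do the same log review on your own access log, as an added example that is not from the original post: it counts POSTs to the dropped file (which is how a webshell is driven), lists the client addresses behind them, and counts hits on WordPress's stock registration URL, wp-login.php?action=register. The log lines, addresses and the webshell path are constructed for the example; the plugin in the post is never named, so if it exposed its own registration URL you would look for that path instead.

```shell
#!/bin/sh
# Added example (not from the original post): review an Apache-style
# combined access log for POSTs to a dropped webshell and for registration
# attempts against the WordPress login page.
set -eu

# post_hits LOG PATH -> number of POST requests whose URL begins with PATH.
# Combined log fields: $1 client IP, $6 "METHOD, $7 request path.
post_hits() {
    awk -v p="$2" '$6 == "\"POST" && index($7, p) == 1 { n++ } END { print n + 0 }' "$1"
}

# shell_clients LOG PATH -> distinct client IPs that POSTed to PATH.
shell_clients() {
    awk -v p="$2" '$6 == "\"POST" && index($7, p) == 1 { print $1 }' "$1" | sort -u
}

# register_attempts LOG -> requests (any method) to WordPress's stock
# registration endpoint. A plugin may expose its own URL; adjust as needed.
register_attempts() {
    awk 'index($7, "/wp-login.php?action=register") == 1 { n++ } END { print n + 0 }' "$1"
}

# make_sample_log -> path of a constructed log. Addresses, dates and the
# webshell path /wp-content/uploads/.cache.php are hypothetical. The 404 on
# the fourth line is what a visit to the shell looks like once it is deleted.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.5 - - [12/Mar/2013:10:01:12 +0000] "POST /wp-content/uploads/.cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2013:10:01:40 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2013:10:02:03 +0000] "POST /wp-content/uploads/.cache.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2013:10:05:11 +0000] "GET /wp-content/uploads/.cache.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Mar/2013:08:15:22 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "curl/7.29"
203.0.113.9 - - [13/Mar/2013:08:15:25 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "curl/7.29"
203.0.113.9 - - [13/Mar/2013:08:15:31 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 1800 "-" "curl/7.29"
EOF
    echo "$f"
}

# Stand-alone run: build the fixture, report, clean up.
if [ "${1:-}" = "--demo" ]; then
    log=$(make_sample_log)
    shell=/wp-content/uploads/.cache.php
    echo "POSTs to $shell: $(post_hits "$log" "$shell")"
    echo "Clients driving it:"
    shell_clients "$log" "$shell"
    echo "Registration attempts: $(register_attempts "$log")"
    rm -f "$log"
fi
```

The interesting output is not the count but the client list: the same address POSTing to a file you never put there is the backdoor in use, and its timestamps next to your own session in the log tell you whether you were cleaning while the attacker was still inside.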
I think I was lucky, but that could easily change in the future. That's why you have to prevent these problems.
Site5 sent me a list of steps to protect the site better, which is welcome of course (that will be a matter for another post).
What I learned:
- You can follow all the security recommendations and your site will still be only as strong as its weakest link: a single vulnerable plugin.
- Without knowing the real cause, the best fix may be useless (except radical solutions like 'formatting' your account...)
- Sometimes it is good to check whether your plugins have a known vulnerability at http://securityvulns.ru/ or http://www.exploit-db.com/