brite78 — 2012-07-13T11:42:20-04:00 — #1
Hello everyone, I'm really hoping someone can help me.
I run a WordPress website that was hacked yesterday. My theme uses phpThumb, which is apparently very insecure. Someone used this insecurity to put random files on my website. I think their intention was to use my server to send out spam emails.
Very early yesterday morning, I was looking at my Google Analytics and noticed someone had accessed this page twice:
/wp-content/themes/my_theme/scripts/phpThumb/properties/index.htm. Of course I thought this was strange, but I really don't know a lot about web development. It was 2 am at this point and I was exhausted so I decided to look at it again in the morning.
By 9:20 am, I received an email from my hosting company (1&1) telling me my site had been hacked and listing the malicious files. I immediately deleted these files, and I deleted phpThumb and uploaded the newest version which is supposed to be more secure. I looked at the other files in my site but I didn't notice anything else suspicious (though I admit I know very little about this stuff). I then changed my admin password.
My site is completely unchanged. No new content, no new users, etc. However, I realize that doesn't mean that there's not something wrong with it. This morning I looked at Google Analytics again and noticed that someone has accessed that same page 3 times already. I cannot actually find that index.htm file anywhere.
I really don't know what to do and don't have anyone that can help me. phpThumb is necessary for my theme. Without it, my homepage just displays a bunch of broken links. I worked for weeks on this theme; I really can't change it. This is not just a hobby site this is for my job. My boss doesn't know about the hack yet. Is there anything I can do?
ralphm — 2012-07-13T12:07:32-04:00 — #2
Hi brite78. Welcome to the forums.
Sorry to hear about your situation. Do you have a full backup of the site (database and all)? If so, you could perhaps restore an older version of the site from before the attack, and then do the update again and change passwords etc.
brite78 — 2012-07-13T12:34:49-04:00 — #3
I have a copy of the site files but I was never able to successfully back up the database/content. I tried for several hours a few weeks ago and I just wasn't able to do it. I am serving as the writer/editor, web developer (despite zero training, learning as I go), graphic designer, online marketer, and administrative person at my job. I feel like an idiot for not learning how to back it up but I have a lot going on. That will definitely be priority number 1 if/when this gets fixed.
ralphm — 2012-07-13T12:37:58-04:00 — #4
There are various ways to back up a WP site, but if your web host has a control panel like CPanel, it's a one-click operation to generate a full backup of the site, including the database, emails—everything. And a one-click operation to restore it.
Anyhow, that's for later. Good luck with the current situation. (I'm afraid it's not really my area, so await other replies.)
parkint — 2012-07-13T13:06:40-04:00 — #5
You mentioned that you changed the Admin password. That was a good move. But you should verify there are no OTHER accounts with Admin permissions.
Depending how old your site is (how long it has been on the Internet), you may be able to retrieve the data from TheWayBackMachine. This is not a substitute for a backup (you must re-enter all the data by hand).
brite78 — 2012-07-13T13:08:00-04:00 — #6
I made sure there were no other users before changing my password. I also changed my host log in password and FTP password. Anything else I can do? Anyway I can tell if they are still using my server?
UPDATE: I just checked my email and I received a message from the bank that is being victimized by these hackers. They have reported me to the IC3 and US cert and are telling me I need to shut down immediately. What do I do? Can I contact them with a copy of the email from my hosting company as proof that this was a hack?
ralphm — 2012-07-13T20:11:33-04:00 — #7
This happened to me once, and the hosting company helped to flush out the code left by the attacker. But I've seen other hosts who just shut down your site and leave you in limbo. Might be worth talking with your host asap to see if they will help.
jeet25 — 2012-07-21T03:31:21-04:00 — #8
WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions you can check it http://wordpress.org/extend/plugins/wp-security-scan/ and another thing what version of WP u r using , if u are using lower version upgrade it to latest one as a tone of fixes were added.I think some plugin in your wordpress file is badly written which could be vulnerable to SQL injection attack, so delete those plugin.You can use after restoring your back up and fresh installation http://wordpress.org/extend/plugins/bulletproof-security/.
spartinman — 2012-07-25T10:11:16-04:00 — #9
Sometimes your host may have allowed the hacking attack to happen. Check with who is hosting it and ask them about the security breach. If it is hosting with wordpress then I think you may want to use WP Security... search for it.
dklynn — 2012-07-25T18:24:03-04:00 — #10
I had been asked to review WP Secure for its security. It simply uses an encrypted (eval()) script from an obfuscated file (in the WP directory) which writes a <Files *> to only allow the visitor's IP address to access the WP Admin directory. While the .htaccess code is fine, security by obfuscation (anyone hacking a WP installation would easily recognize a non-standard filename) is only marginally better than no security at all.
IMHO, you can (SHOULD) do the same thing by hand (upload via FTP using a VERY STRONG password).
More important, though, keep WP up to date!
2ndmouse — 2012-08-02T07:42:10-04:00 — #11
I had a painful experience last year, when one of my sites was hacked, and couldn’t find anything on the net that would protect against this type of intrusion.
So, I have written my own script which will detect any file changes on a web site (including file permissions) and send an email notification on detection.
Although it won’t prevent a site from being hacked, it will act as an early warning system.
It’s intended to be used as a scheduled task or cron job, run, say, once an hour, and can be set up to monitor 1 or many sites, all remotely. A hacker won’t even suspect that the site is being monitored. I call it SimpleSiteAudit, emphasis on the word 'simple' – it can be downloaded from http://simplesiteaudit.terryheffernan.net
I’m an amateur programmer, so it’s freeware <snip>
jtpratt — 2012-08-15T13:18:08-04:00 — #12
This happens a lot, especially for sites that have out of date plugins or versions of WordPress itself. Unfortunately when an exploit like timthumb comes out it can affect thousands of sites. My advice is not to just fix your site, but find the root cause. You might find our diy guide to fixing your hacked WP blog a good read: http://www.jtpratt.com/how-to-fix-a-hacked-wordpress-blog/