Website Hacked - Backdoor Trojan

14 replies
About two or three months ago, I realized that one of my websites was hacked. I didn't really use the site, so I deleted all of the files and thought I would be good to go.

Everything was going fine until about two weeks ago when someone signed up on two of my WordPress sites as an administrator. He then replaced my Adsense code with his own. I changed all the codes back, deleted his users, and changed my passwords.

Today, while I was just looking around in my website, I found that all the WordPress pages went to something that looks like this:
http://i.imgur.com/g2kXV.png

That is not my site, but another site that I found when searching for the problem/solution. The one on my site was a lot cleaner and displayed my entire file manager! Anyone accessing that page could edit or delete any of my files or upload any other files!! It no longer shows up, but all of my WordPress pages on my main site give a Not Found error.

When I went to that page, my Microsoft Security Essentials told me that it was a BackdoorHP/Shell.G.

I am very nervous and angry and I was wondering if there was anything I could do to get this hacker away from me?

I have contacted my webhost so hopefully something can be done.

Any help would be appreciated.
#backdoor #hacked #trojan #website
  • Profile picture of the author Abledragon
    I'm sorry to hear about that - and I can well understand how you feel.

    I'm assuming that you don't have any backups (clean backups, that is) of your site..?

    If you do, or if you have the original files in which you created the content (e.g. Word files or similar) and you know they're clean, the best bet would be to delete the entire site, including your database and set it up again from scratch.

    When you set up the site (from your post above I believe it's on WordPress) take these precautions:

    - Do a manual installation, rather than a 1-click installation.

    - change your database prefix from wp_ to something else (it must end in the _ character)

    - Change the default 'admin' username to something else - you can use letters, numbers, spaces and special characters (e.g. ^, &, (, ?)

    - In your profile, change your Nickname to something different from your user name, to prevent your user name being displayed.

    - Make sure your password includes numbers, letters and special characters

    - Change your hosting provider login password

    - Change your FTP password

    - Do a thorough malware and virus scan of your computer

    - Use SFTP, rather than FTP to transfer files between your computer and your web server

    - Install the WP-Security-Scan plugin and follow the recommendations it gives in each of its menu items

    - Add a blank index.html file to your wp-content/themes and wp-content/plugins folders

    Those steps should get you on the road towards keeping those hackers at bay, but keep reading and learning as much as you can about security - it's an ever changing field!

    You can read some more details here (the last section covers the points above in more detail):

    WordPress Security: How to Fix Your Site if it is Hacked | WealthyDragon

    I hope you're able to get back up and running again in good time.

    Cheers,

    Martin.
  • Profile picture of the author ubaid12j
    You should change the auth key in wp-config.php using the WordPress API service.
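A read-only check for items raised in the two posts above (default `wp_` table prefix, missing index file in the themes and plugins folders, auth keys that are absent or still hold the sample placeholder). This is an added example, not part of the thread; the function name `wp_audit` is hypothetical, and the placeholder string is the one shipped in `wp-config-sample.php`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WordPress directory.
# Prints one "FINDING:" line per problem; returns 1 if there is any.
wp_audit() {
    root=$1
    cfg="$root/wp-config.php"
    findings=0
    if [ ! -f "$cfg" ]; then
        echo "FINDING: no wp-config.php under $root"
        return 1
    fi

    # Database prefix still at the installer default.
    prefix=$(grep -E '^[[:space:]]*\$table_prefix' "$cfg" | head -n 1 |
        sed -E "s/.*=[[:space:]]*['\"]([^'\"]*)['\"].*/\1/")
    if [ "$prefix" = "wp_" ]; then
        echo "FINDING: \$table_prefix is still the default wp_"
        findings=$((findings + 1))
    fi

    # Each of the eight keys/salts must be defined and must not carry the
    # placeholder text that ships in wp-config-sample.php.
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        line=$(grep -E "define\([[:space:]]*['\"]$key['\"]" "$cfg" | head -n 1)
        if [ -z "$line" ]; then
            echo "FINDING: $key is not defined"
            findings=$((findings + 1))
        elif printf '%s' "$line" | grep -q 'put your unique phrase here'; then
            echo "FINDING: $key still holds the sample placeholder"
            findings=$((findings + 1))
        fi
    done

    # Directory-listing guard: an index file in themes/ and plugins/.
    for dir in themes plugins; do
        d="$root/wp-content/$dir"
        if [ -d "$d" ] && [ ! -e "$d/index.html" ] && [ ! -e "$d/index.php" ]; then
            echo "FINDING: wp-content/$dir has no index.html or index.php"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh wp_audit.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then wp_audit "$1"; fi
```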
  • Profile picture of the author Chris Thompson
    Here's a podcast that should help people just getting up to speed on WordPress and those who want to be proactive about security & hacking BEFORE you get hit.

    http://blog.outsourcefactor.com/podc...urity-podcast/
    • Profile picture of the author Mkj
      As mentioned previously, you need a perfect backup. You also need a method of isolating the hacker so you can ban him. I use a program called bbclone which I use to view users' activities. If they are displaying hacking or spamming type visits then I search Google using their IP. In most cases this results in the IP being listed elsewhere as a hacker or spammer. I then ban them using htaccess. In nearly all cases this eventually results in a hacking free and spam free site.

      Perfect backup?
      Just make sure your site isn't already hacked and hasn't malicious code already in place. You should start monitoring sites as soon as you create them. Create new backups every few days and keep the previous backups for a while before getting rid of them. I create database backups and full file backups of each site every day if I am working on them. Can't be anything worse than losing work be it your own fault or at the hands of some arsehole hacker.
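The review-then-ban workflow described in the post above, reduced to a script, as an added example that is not part of the thread. It assumes Apache "combined" access logs and Apache 2.4 `.htaccess` syntax; the function names, the threshold of 5 and the watched paths are illustrative choices, and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Apache "combined" access logs
# and Apache 2.4 syntax; on 2.2 the equivalent line is "Deny from <ip>".
# Threshold and watched paths are illustrative choices, not from the post.

# Constructed sample log: six login POSTs from one address, ordinary traffic
# from another (both addresses come from documentation ranges).
sample_log() {
    i=0
    while [ "$i" -lt 6 ]; do
        echo "203.0.113.7 - - [12/Jul/2012:10:00:0$i +0000] \"POST /wp-login.php HTTP/1.1\" 200 1500 \"-\" \"-\""
        i=$((i + 1))
    done
    echo '198.51.100.20 - - [12/Jul/2012:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1500 "-" "-"'
    echo '198.51.100.20 - - [12/Jul/2012:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"'
}

# Print an .htaccess block denying every client that sent at least
# $2 (default 5) POSTs to wp-login.php or xmlrpc.php in log file $1.
ban_rules() {
    ips=$(awk -v t="${2:-5}" '
        # $1 client address, $6 quoted method, $7 request path.
        # Only address-shaped values are accepted, since they end up in config.
        $1 ~ /^[0-9A-Fa-f:.]+$/ && $6 == "\"POST" &&
        $7 ~ /^\/(wp-login|xmlrpc)\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= t) print ip }
    ' "$1" | sort)
    [ -n "$ips" ] || return 0
    echo "<RequireAll>"
    echo "    Require all granted"
    for ip in $ips; do
        echo "    Require not ip $ip"
    done
    echo "</RequireAll>"
}
```

Review the generated block before pasting it into `.htaccess`; an address that crosses the threshold can still be a legitimate user behind a shared proxy.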
  • They really tried to take you out. Can you add me on Skype?

    I'll give you a hand free.
  • Profile picture of the author jaasmit
    You have really done a bad job by not integrating proper security for your site.
    In today's world security is a major concern.
  • Profile picture of the author wordpressmania
    Most of the essential suggestions already mentioned...

    You should move your wpconfig file one level up..... Oh, surely you can install wp lock down plugin

    Hope this helps
  • Profile picture of the author andersvinther
    Sucuri.net are good for cleaning up your site... USD89 for one year's subscription where they will clean your site every time it's infected...

    Also you can check the WordPress Security Checklist that I've written... should tighten up your site to prevent it from happening again... see The WordPress Security Checklist
  • Profile picture of the author locke815
    You should probably look for a WordPress specialist or hosting provider that specializes in WordPress
  • Profile picture of the author krialex
    Try asking your host for help.
    I had a problem, and my hosting company helped.
  • Profile picture of the author winiw
    * First of all, install ClamAV to erase all these files (PHP Shellz).
    * If your website is on shared hosting, you'd better upgrade to a VPS.
    * Your website has an include/upload exploit; you can use Acunetix to find the exploit and fix it.
    * Never save your password (Browser, File in your PC, or Filezilla).
    * Use one of these services to secure your website: CloudFlare or Stopthathacker.

    For more support, you can visit Hacking - Webmastering and SEO Forum | Meziamus.Net and ask for help
  • Profile picture of the author introspective1234
    Banned
    [DELETED]
    • Profile picture of the author damoncloudflare
      Originally Posted by introspective1234

      May 12, 2012 -- Techworld -- Amnesty International's UK website was hacked to host the unsafe Gh0st RAT Trojan for two days this week, security firm Websense has disclosed.

      striking browsers unpatched against the common CVE-2012-0507 Java vulnerability (also used by the Mac Flashback Trojan), between 8 and 9 May visitors would have been at risk of downloading a Windows executable concealing behind a valid VeriSign-issued digital credentials.

      any person banging Ok to this establish knack would have become infected with Gh0st RAT, a powerful backdoor Trojan utilised to cull passwords and files and just about any thing additional the attacker likes to take from the contaminated system.
      A lot of hacks like this tend to happen via FTP (we don't proxy these ports), so you might want to look at hardening that (a service like Dome9 might be able to help with that).
  • Profile picture of the author Ryan Cassidy
    May have been ratted, or someone has found an exploit on your website to somehow upload a shell onto your web hosting. I'd get someone to check that over.
  • Profile picture of the author Mike Hlatky
    Someone uploaded a shell onto my hosting. I managed to delete it and get rid of all the files, but I have no idea how to prevent the attack from happening.