Comments on: I was hacked again. Here’s how I locked the site down.

By: talgalili

talgalili — Mon, 23 Nov 2009 08:03:08 +0000

You're link of gratefulness just made my day :)

All the best to you,
Tal

By: Jan Karlsbjerg

Jan Karlsbjerg — Thu, 05 Nov 2009 23:45:01 +0000

Hi Rob, yeah the WP Exploit Scanner is your friend. In the spring I wrote up my advice for dehacking your WordPress site.

By: Rob Cottingham

Rob Cottingham — Tue, 03 Nov 2009 20:53:26 +0000

Thomas, thanks for the solid advice on checking for malware. In my case, I'm on a Mac with decent protection (hello, ClamXav!) so I'm not as worried about my laptop having been compromised - but I don't want to be complacent. That said, I don't think malware protection and changing my FTP password alone will leave me save from future hacks, because those measures don't address the server end of the situation. And there, I have a likely suspect: WordPress itself. I was late to the party in upgrading to version 2.8.4, and there were some crucial exploits in earlier versions. Given how many WordPress users have had similar attacks on their sites, I'm guessing that's how my hacker got in. Nonetheless, I've changed the FTP password, disabled a few plugins that were on the strictly optional end of the Spectrum of Essentialness, and done a little extra site hardening (am I the only one who thinks that sounds rude?) with the help of WP Exploit Scanner and WP Security Scan.

By: Thomas J. Raef

Thomas J. Raef — Tue, 03 Nov 2009 13:12:31 +0000

You’re investigative skills are remarkable!

It’s nice to see someone who share their experience with their readers. Often times many just want to forget it ever happened.

However, you have one last step, you need to find out how that cache.php file got there in the first place. If one hacker/cybercriminal found a way in, others will as well.

Often times, these files are placed there with stolen FTP login credentials. These credentials are stolen by a virus on a PC with FTP access to the infected website. Typically the hackers replace legitimate files with infected files. In your case they put a file that provided them with remote access to your site and possibly sent the modified files through their file.

What I’ve been recommending on sites like http://www.badwarebusters.org is to install a new anti-virus program. The reason is that the viruses learn how to avoid detection of the currently installed anti-virus program. Otherwise, the current anti-virus program would have detected the virus and removed it.

Many have had good success with AVG, Avast or Avira. Select one of these and also use Malwarebytes. This combination should find and remove any viruses/trojans on the PC.

Then change all FTP passwords and you should be safe from any future hackings.

Nice job on the investigation and the reporting. If you care to share the cache.php file, I would like to see what it does and how it does it. I can report back to you with my findings. Please share the file.

Thank you.