Hacked

Just discovered this website had been hacked. First clue was when the site got banned by a corporate web filter as “adult material”. Unless someone had posted a particularly vitriolic comment, that was unlikely.

I won’t provide any more oxygen to the hackers over what exactly happened, but here’s the steps taken to get back online.

(1) Run to Google

As always, find a friend who’s been through it before. In particular these two pages proved useful.

First steps taken after reading them (and they explain more about each step):

  • change passwords (for both WordPress and MySQL)
  • set up secret keys and salts
  • check .htaccess
  • delete all unused themes
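The “set up secret keys and salts” step is worth showing concretely, because rotating those eight values in wp-config.php is what invalidates every existing WordPress login cookie, including any session the intruder still holds. The script below is an added example, not something from the original post or from WordPress itself; it generates new values locally from /dev/urandom (the usual alternative is to paste the block served by https://api.wordpress.org/secret-key/1.1/salt/) and swaps them into an existing wp-config.php, keeping a .bak copy. It assumes the standard layout where each key is its own define('...') line.

```shell
#!/bin/sh
# Added example (not from the original post): regenerate the WordPress
# authentication keys and salts in wp-config.php after a compromise.
# Assumes a standard wp-config.php with the eight define('...KEY'/'...SALT')
# lines. Every existing login cookie stops validating once they change.

# Emit one 64-character secret from /dev/urandom. The character set is the
# printable ASCII WordPress itself uses, minus quote, backslash and a few
# bracket characters, so the value can sit unescaped inside a PHP '...' string.
wp_salt() {
  s=""
  while [ ${#s} -lt 64 ]; do
    s="$s$(head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!#$%&()*+,./:;<=>?@^_{|}~')"
  done
  printf '%s' "$s" | cut -c1-64
}

# Print the eight define() lines with fresh values.
wp_salt_block() {
  for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
           AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    printf "define('%s', '%s');\n" "$k" "$(wp_salt)"
  done
}

# Replace the existing key/salt defines in the given wp-config.php with a fresh
# block (inserted where the first old define was), keep a .bak copy, and leave
# every other line untouched.
wp_rotate_salts() {
  cfg=$1
  cp "$cfg" "$cfg.bak"
  wp_salt_block > "$cfg.new-salts"
  awk -v salts="$cfg.new-salts" '
    /^define[^A-Z]*(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)[^A-Z_]/ {
      if (!done) { while ((getline line < salts) > 0) print line; done = 1 }
      next
    }
    { print }
  ' "$cfg.bak" > "$cfg"
  rm -f "$cfg.new-salts"
}

# Usage: sh rotate-salts.sh /path/to/wp-config.php
if [ $# -gt 0 ]; then
  wp_rotate_salts "$1"
  echo "rotated keys and salts in $1 (previous copy in $1.bak)"
fi
```

Two caveats a practitioner will want: rotating the keys logs everyone out but does not change any password, so the password changes in the list above are still needed; and the .bak file holds the old (now useless) secrets plus your database credentials, so remove it once you have confirmed the site still loads.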

(2) Install the exploit scanner

There is a plugin available that can help check for suspicious code:

http://ocaoimh.ie/exploit-scanner/

Follow the provided instructions to install.

When I ran the scanner it located dodgy code in a plethora of files. Comparing those files to a (sadly) old backup, I discovered they were not part of the original WordPress installation. They also, suspiciously, all had an identical and recent install date/time.

Therefore the next step was to delete them all. And that did most of the work. I got my site back. Almost…
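The comparison described above (what is in the live tree but not in the backup, plus the shared timestamp) can be scripted rather than eyeballed. The following is an added example, not the author's own process or a WordPress tool; it assumes two directories, BACKUP (a clean copy, or at least a tree listing what should exist) and LIVE (the compromised install), and builds a small constructed sample tree so it can be run offline. It reports three things the scanner alone does not: files that were added, files that exist in both trees but whose contents now differ (a tampered theme or core file), and files written after a chosen moment.

```shell
#!/bin/sh
# Added example (not from the original post): compare a compromised WordPress
# tree against a known-good copy. Uses only POSIX tools (find, sort, comm,
# cksum, touch -t) so it runs on a bare shared host.

# Paths present in LIVE but absent from BACKUP, i.e. files that were added.
wp_added_files() {
  b=$(mktemp); l=$(mktemp)
  (cd "$1" && find . -type f | sort) > "$b"
  (cd "$2" && find . -type f | sort) > "$l"
  comm -13 "$b" "$l"
  rm -f "$b" "$l"
}

# Paths present in both trees whose contents differ (tampered core/theme files).
wp_modified_files() {
  (cd "$1" && find . -type f | sort) | while IFS= read -r f; do
    if [ -f "$2/$f" ]; then
      a=$(cksum < "$1/$f" | cut -d' ' -f1)
      b=$(cksum < "$2/$f" | cut -d' ' -f1)
      [ "$a" = "$b" ] || printf '%s\n' "$f"
    fi
  done
}

# Files under DIR modified after STAMP (touch -t format, e.g. 202001010300).
# Useful for the "everything shares one recent timestamp" clue; remember that
# an attacker can forge mtimes with the same touch command, so treat this as a
# lead, not proof of innocence.
wp_files_since() {
  ref=$(mktemp)
  touch -t "$1" "$ref"
  (cd "$2" && find . -type f -newer "$ref" | sort)
  rm -f "$ref"
}

# Constructed sample trees for a stand-alone run; file names and contents are
# placeholders, not real site content or real malware.
wp_demo_trees() {
  root=$1
  mkdir -p "$root/backup/wp-content/themes/mytheme" "$root/backup/wp-includes"
  printf '<?php /* clean theme index */\n' > "$root/backup/wp-content/themes/mytheme/index.php"
  printf 'body { color: #000; }\n'          > "$root/backup/wp-content/themes/mytheme/style.css"
  printf '<?php /* core file */\n'          > "$root/backup/wp-includes/functions.php"
  find "$root/backup" -exec touch -t 201501010000 {} +   # the backup predates the intrusion
  cp -Rp "$root/backup" "$root/live"
  # Intruder artefacts: two dropped files and one tampered theme file, all
  # written at the same moment (the pattern the post describes).
  mkdir -p "$root/live/wp-content/uploads"
  printf '<?php /* dropped file */\n'          > "$root/live/wp-content/uploads/.cache.php"
  printf '<?php /* dropped file */\n'          > "$root/live/wp-includes/wp-class.php"
  printf '<?php /* tampered theme index */\n'  > "$root/live/wp-content/themes/mytheme/index.php"
  touch -t 202001010300 "$root/live/wp-content/uploads/.cache.php" \
                        "$root/live/wp-includes/wp-class.php" \
                        "$root/live/wp-content/themes/mytheme/index.php"
}

# Usage: sh wp-compare.sh demo            (run against the constructed sample)
#        or call wp_added_files BACKUP LIVE etc. against real directories.
if [ "${1:-}" = "demo" ]; then
  root=$(mktemp -d)
  wp_demo_trees "$root"
  echo "== added (in live, not in backup)";  wp_added_files "$root/backup" "$root/live"
  echo "== modified (content differs)";      wp_modified_files "$root/backup" "$root/live"
  echo "== written after 2019-12-31 23:59"; wp_files_since 201912312359 "$root/live"
  rm -rf "$root"
fi
```

Review the added list before deleting anything: an old backup will also flag files legitimately added since it was taken (uploads, plugin updates), which is exactly why the post's lesson about keeping a recent backup matters. Files that the backup lacks but which sit in wp-content/uploads with a .php extension, or which appear in the modified list inside wp-includes or wp-admin, deserve the closest look.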

(3) Fix the theme

After deleting all the extra files, the site was almost back. It no longer showed the “you’ve been hacked” page. But instead it showed the contents of my theme’s CSS file. Obviously some corruption in there somewhere.

The first step was to temporarily install a basic theme and switch to that. All worked well and my site was back up and running. Just ugly(er). To improve things, I then deleted the corrupted theme and re-installed it from a backup. And everything was back to normal.

Conclusion

Thankfully my intrusion proved quite simple to remove. Whether I removed every element, we’ll find out over the next few days as we see how long the site stays up. However, the lessons learnt are quite simple:

  1. get a recent/regular backup (of content and data). Having another folder listing what files should be there proved invaluable in quickly deleting what was added.
  2. keep up to date with releases.
  3. if your site suddenly gets blocked by a web filter, don’t blame a rude commenter!
