
Wordpress base64_decode infection... again

Sharp101 (Toronto) Registered User regular
edited August 2012 in Help / Advice Forum
I'll try to keep this short.

Over the past few years my wordpress site (www.shiftedmatrix.com) has been hacked a few times. Every time it's almost the same thing, that good old base64_decode injection hack that spreads to every index.php file on your server. Since I run a few sites off a single web hosting account, this is really fucking annoying.

The first time it was because I wasn't keeping my wordpress up to date, but after a full reinstall I was clean (for a while).

Then about a year later it happened again. After a few infections over the course of a few months I eventually tracked it down to an outdated timthumb.php file included with my theme. Updating that and cleaning out all extra themes and plugins I wasn't using, I thought I was good.

This summer it's been happening again. Thanks to WordPress Firewall at least I get some warnings now. It first happened in July, then in August, and then again this morning. Each time, WordPress Firewall lets me know that during the night someone is trying to overwrite certain common plugins with hacked files through plugin-editor.php. It generally lets me know it blocked 4 or 5 attempts, but when I actually check the site I've usually been infected. After the July attempt I cracked down with as much security as I could, full .htaccess protection, folder permissions, security plugins, etc., and did all I could to prevent it from happening again, but with no luck.

After every infection I've been very thorough with my cleanse. If I catch it quick enough it generally only gets into the main index.php file, my theme index.php file, and maybe one more index file in a random wp-admin or wp-includes folder. I know from the first few times if I don't catch it early it can spread into a lot more files. But between a few different exploit scanners, Dreamweaver find/replaces and manual checks, and overwriting system files with a fresh download, I'm sure I get everything when I clean it out.

I'm almost positive it's always coming through my main site, despite having 4 different sites hosted on the same server. Reason being that 2 of those sites are non-wordpress (one mediawiki and one custom php) and the other site is wordpress but gets no notifications from the firewall. Also, the infections seem to happen after I get a bump in traffic to the main site from posting a link to reddit or something. These other sites do get infected as well, but I'm sure the source of the infection is through my main site.

So, short of making all the system, theme and plugin files read only, what can I do to stop this? It's really fucking annoying to have to waste a couple of hours every month cleaning my websites. And as a web developer it's rather embarrassing to have this problem and not be able to permanently fix it.

Any ideas?


Posts

  • Sebbie Registered User regular
    Have you changed the names of your wordpress folders from the default wp-admin to something a little more obscure? You can also change where your admin login is from wp-admin to some other file to keep automated bots from finding your admin. security through obscurity and all.

    As far as protecting yourself, I would recommend updating all your plugins. In my experience, all hacks were through plugins that were of poor quality. I've had the same hack on a few websites of mine and each time I managed to narrow down the point of entry to an uploading script where there was poor validation on the input... so basically the hacker manages to upload a php file which opens a backdoor on to my server. I'm sure you've cleaned up all your index.php files but in addition you should look for randomly named files. I had a few instances of new files like a random string of text (e.g. "lwgup.php") which just reattached the eval(base64_decode(...)) bit into my index files.

    I'm not a security expert and definitely not a server guru but this is how I've managed to clean it up in the past. Hopefully others can help you boost your actual server security :)

    "It's funny that pirates were always going around searching for treasure, and they never realized that the real treasure was the fond memories they were creating."
  • Sharp101 (Toronto) Registered User regular
    Thanks Sebbie, renaming the wp-admin folder seems like a good, simple solution. I'll look into that tonight.

  • Seguer of the Void (Sydney, Australia) Registered User regular
    @Sharp101 depending on the sort of access you have to your server, you might be able to set a lot of your files to be read-only.

    Then it doesn't matter what they do or if they get in.. cos they can't change the files ;)

  • Sharp101 (Toronto) Registered User regular
    Seguer wrote: »
    @Sharp101 depending on the sort of access you have to your server, you might be able to set a lot of your files to be read-only.

    Then it doesn't matter what they do or if they get in.. cos they can't change the files ;)

    Yeah, this was going to be my final solution if I couldn't figure out anything better.

    The only reason it's not my first solution is that it would make updating wordpress and plugins a little more difficult.

    Good idea though, at the very least I'll do that to the index.php file which should never really be overwritten anyway.
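
The thread covers three practical steps: finding the eval(base64_decode(...)) injection and the randomly named dropper files Sebbie mentions, verifying core files against a fresh download as Sharp101 does, and the read-only lockdown Seguer suggests. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes a standard WordPress layout under a document root you pass in, builds its own small constructed sample site (make_pristine/make_infected, with an inert placeholder instead of a real payload), and additionally sets the real WordPress constant DISALLOW_FILE_EDIT, which removes the theme/plugin editor that the attempts via plugin-editor.php rely on.

```sh
#!/bin/sh
# Added example: triage and hardening helpers for the injection described in the thread.
# All paths are assumptions; the sample site built below is constructed for illustration.

# 1. Files carrying the injection marker, including the usual obfuscation wrappers.
scan_injected() {
    grep -rlIE --include='*.php' \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
        "$1" 2>/dev/null | sort
}

# 2. PHP under wp-content/uploads is never legitimate, and a PHP file in the document
#    root that is not a known WordPress entry point is a likely dropper (the "lwgup.php"
#    style file). This does not need a signature, so it also catches eval($_POST[...]).
scan_dropper_names() {
    root="$1"
    {
        find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null
        for f in "$root"/*.php; do
            [ -e "$f" ] || continue
            case "$(basename "$f")" in
                index.php|wp-*.php|xmlrpc.php) ;;
                *) printf '%s\n' "$f" ;;
            esac
        done
    } | sort
}

# 3. Core files that differ from a pristine copy of the same WordPress version
#    (pristine first, live second). wp-content/ and wp-config.php are site-specific.
diff_core() {
    diff -rq -x wp-content -x wp-config.php "$1" "$2" | sort
}

# 4. Remove the built-in file editor: inserts the define before the "stop editing" line,
#    appends it if that line is missing, and is a no-op if it is already present.
disable_file_edit() {
    cfg="$1/wp-config.php"
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
    awk -v line="define('DISALLOW_FILE_EDIT', true);" \
        '/stop editing/ && !done { print line; done=1 } { print } END { if (!done) print line }' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# 5. Read-only code tree; uploads stay writable so media uploads keep working.
lock_down() {
    root="$1"
    find "$root" -type f -name '*.php' ! -path "$root/wp-content/uploads/*" -exec chmod 444 {} +
    chmod 400 "$root/wp-config.php"
}

# Constructed sample data (stand-in for a real WordPress checkout and a live site).
make_pristine() {
    d="$1"
    mkdir -p "$d/wp-admin" "$d/wp-includes"
    printf '<?php\nrequire "wp-blog-header.php";\n' > "$d/index.php"
    printf '<?php\n// core loader\n' > "$d/wp-blog-header.php"
    printf '<?php\n// admin\n' > "$d/wp-admin/index.php"
    printf '<?php\n// functions\n' > "$d/wp-includes/functions.php"
}
make_infected() {
    d="$1"
    make_pristine "$d"
    mkdir -p "$d/wp-content/uploads/2012/08" "$d/wp-content/themes/mytheme"
    cat > "$d/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example');
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
    # injected marker prepended to the main and theme index.php (payload is an inert placeholder)
    { printf '<?php eval(base64_decode("cGxhY2Vob2xkZXI=")); ?>\n'; cat "$d/index.php"; } > "$d/index.php.tmp"
    mv "$d/index.php.tmp" "$d/index.php"
    printf '<?php eval(gzinflate(base64_decode("cGxhY2Vob2xkZXI="))); ?>\n' > "$d/wp-content/themes/mytheme/index.php"
    # dropper with no base64 signature, hidden in the uploads tree
    printf '<?php @eval($_POST["c"]); ?>\n' > "$d/wp-content/uploads/2012/08/lwgup.php"
}

# Run with --demo to see the scans over the constructed site; otherwise source the file
# and call e.g. scan_injected /path/to/docroot.
if [ "${1:-}" = "--demo" ]; then
    P=$(mktemp -d); L=$(mktemp -d)
    make_pristine "$P"; make_infected "$L"
    echo "== injected:";  scan_injected "$L"
    echo "== droppers:";  scan_dropper_names "$L"
    echo "== core diff:"; diff_core "$P" "$L"
    rm -rf "$P" "$L"
fi
```

Two caveats a practitioner will want. First, the scans are heuristics for triage; the clean-up the thread already describes (overwrite core with a fresh download, reinstall themes and plugins from source) is what actually restores integrity, and diff_core shows where that is needed. Second, chmod 444 only helps when PHP runs as a different user from the file owner; on shared hosting where PHP runs as your own account (suPHP/CGI style), an attacker's script can simply chmod the file back, so DISALLOW_FILE_EDIT and fixing the upload path matter more than the permission bits.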
