As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/
Options
Wordpress base64_decode infection... again
Sharp101
TorontoRegistered User regular
TorontoRegistered User regular
I'll try to keep this short.
Over the past few years my wordpress site (www.shiftedmatrix.com) has been hacked a few times. Every time it's almost the same thing, that good old base64_decode injection hack that spreads to every index.php file on your server. Since I run a few sites off a single web hosting account, this is really fucking annoying.
The first time it was because I wasn't keeping my wordpress up to date, but after a full reinstall I was clean (for a while.)
Then about a year later it happened again. After a few infections over the course of a few months I eventually tracked it down to an outdated tim-thumb.php file included with my theme. Updating that, cleaning out all extra themes and plugins I wasn't using, I thought I was good.
This summer it's been happening again. Thanks to WordPress Firewall at least I get some warnings now. It first happened in July, then in August, and then again this morning. Each time, WordPress Firewall lets me know that during the night someone is trying to overwrite certian common plugins with a hacked files through plugin-editor.php. It generally lets me know it blocked 4 or 5 attempts, but when actually check the site I've usually been infected. After the July attempt I cracked down with as much security as I could, full .htaccess protection, folder permissions, security plugins, etc, did all I could to prevent it from happening again but with no luck.
After every infection I've been very thorough with my cleanse. If I catch it quick enough it generally only gets into the main index.php file, my theme index.php file, and maybe one more index file in a random wp-admin or wp-includes folder. I know from the first few times if I don't catch it early it can spread into a lot more files. But between a few different exploit scanners, Dreamweaver find/replaces and manual checks, and overwriting system files with a fresh download, I'm sure I get everything when I clean it out.
I'm almost positive it's always coming through my main site, despite having a 4 different sites hosted on the same server. Reason being that 2 of those sites are non-wordpress (one mediawiki and one custom php) and the other site is wordpress but gets no notifications from the firewall. Also, the infections seem to happen after I get a bump in traffic to the main site from posting a link to reddit or something. These other sites do get infected as well, but I'm sure the source of the infection is through my main site.
So, short of making all the system, theme and plugin files read only, what can I do to stop this? It's really fucking annoying to have to waste a couple hours every month cleaning my websites. And as web developer it's rather embarrassing to have this problem and not be able to permanently fix it.
Any ideas?
Over the past few years my wordpress site (www.shiftedmatrix.com) has been hacked a few times. Every time it's almost the same thing, that good old base64_decode injection hack that spreads to every index.php file on your server. Since I run a few sites off a single web hosting account, this is really fucking annoying.
The first time it was because I wasn't keeping my wordpress up to date, but after a full reinstall I was clean (for a while.)
Then about a year later it happened again. After a few infections over the course of a few months I eventually tracked it down to an outdated tim-thumb.php file included with my theme. Updating that, cleaning out all extra themes and plugins I wasn't using, I thought I was good.
This summer it's been happening again. Thanks to WordPress Firewall at least I get some warnings now. It first happened in July, then in August, and then again this morning. Each time, WordPress Firewall lets me know that during the night someone is trying to overwrite certian common plugins with a hacked files through plugin-editor.php. It generally lets me know it blocked 4 or 5 attempts, but when actually check the site I've usually been infected. After the July attempt I cracked down with as much security as I could, full .htaccess protection, folder permissions, security plugins, etc, did all I could to prevent it from happening again but with no luck.
After every infection I've been very thorough with my cleanse. If I catch it quick enough it generally only gets into the main index.php file, my theme index.php file, and maybe one more index file in a random wp-admin or wp-includes folder. I know from the first few times if I don't catch it early it can spread into a lot more files. But between a few different exploit scanners, Dreamweaver find/replaces and manual checks, and overwriting system files with a fresh download, I'm sure I get everything when I clean it out.
I'm almost positive it's always coming through my main site, despite having a 4 different sites hosted on the same server. Reason being that 2 of those sites are non-wordpress (one mediawiki and one custom php) and the other site is wordpress but gets no notifications from the firewall. Also, the infections seem to happen after I get a bump in traffic to the main site from posting a link to reddit or something. These other sites do get infected as well, but I'm sure the source of the infection is through my main site.
So, short of making all the system, theme and plugin files read only, what can I do to stop this? It's really fucking annoying to have to waste a couple hours every month cleaning my websites. And as web developer it's rather embarrassing to have this problem and not be able to permanently fix it.
Any ideas?
Sharp101 on
0
Posts
As far as protecting yourself, I would recommend updating all your plugins. In my experience, all hacks were through plugins that were of poor quality. I've had the same hack on a few website of mine and each time I managed to narrow down the point of entry to an uploading script where there was poor validation on the input... so basically the hacker manages to upload a php file which opens a backdoor on to my server. I'm sure you've cleaned up all your index.php file but in addition you should look for randomly named files. I had a few instances of new files like a random string of text (e.g: "lwgup.php") which just reattached the eval(base_64(...)) bit into my index files.
I'm not a security expert and definitely not a server guru but this is how I've managed to clean it up in the past. Hopefully others can help you boost your actual server security
Then it doesn't matter what they do or if they get in.. cos they can't change the files
Yeah, this was going to me my final solution if I couldn't figure out anything better.
The only reason its not my first solution is that it would make updating wordpress and plugins a little more difficult.
Good idea though, at the very least I'll do that to the index.php file which should never really be overwritten anyway.