The Lab WP File Manager Hack – How To Repair/Clean Your Site

Got hacked?

Many Wordpress sites have been hit by an attack from the WP File Manager plugin. But don't worry, here's how you fix it.

12.11.20
WP File Manager Hack – How To Repair/Clean Your Site

Unfortunately, a few of our WordPress sites have been hit by this hack. This was a 0-day security vulnerability that wasn’t known to the developers until Seravo announced it. We don’t use this plugin, but we do allow our clients and their third-party marketing companies to install plugins like this, which is how it has found its way onto our sites.


So, what do you do?

The easiest fix is to restore your site from a clean backup and then run all available updates. The security issue with this plugin has been fixed; however, you should identify the hacked files in your site installation so you can tell whether a given restore is clean or not.

Here’s what to look for:

  • PHP file names in your directory with randomised strings like sdfkjhds.php
  • Code injected into the top of index.php, wp-settings.php or wp-config.php (in our case, we have seen code similar to the below injected into these files).

/*23f09*/
@include "\057srv\057use...
/*23f09*/

  • PHP code can be hidden in .ico files such as ./wp-content/languages/.31845625.ico (this is often pulled into an active PHP file via an include). If you open these files as text you will see code similar to the below.

<?php
$_w3kz6u0 = basename/*vxr6j*/(/*1bl*/trim/...

Once you have found some of these files, you will be able to tell which backups are clean. If you don’t find any, you will need to try to clean your site manually.


Remove the hack manually

  • Firstly, make a full backup of your website. We suggest using a plugin like UpdraftPlus to do this.
  • Now, you should manually re-install WordPress. Download the most up-to-date version here.
  • Delete everything except your wp-content folder and the wp-config.php file and then re-upload a fresh copy of your core files. This will make sure you don’t have any hacked files hanging around.
  • Then, look for any PHP filenames that contain a random string or generally look out of place. These should be safe to remove.
  • Using the terminal you can search for any fake .ico files hidden as dot-files using the command below (run from your WordPress root).

$ find . -name '*.ico' -path '*/.*'

  • Inspect the index.php, wp-settings.php, and wp-config.php files. If there is a wp-xmlrpc.php file added to the core, delete it.
  • In the terminal, check for PHP files that use @include:

$ grep -R -l --include \*.php "@include "

  • You can also list recently changed files (newest first, run from your WordPress root), which is an easy way to spot potential hacks.

$ find . -type f -print0 | xargs -0 stat --format '%Y :%y %n' 2>/dev/null | sort -nr | cut -d: -f2-

  • Once all the hacked files are removed, update your WordPress and server passwords.
  • We recommend setting up site monitoring with a plugin like iThemes Security. The free version comes with file change detection and will send a report directly to your email.
  • We also recommend scanning your site with Sucuri and Ninja Scanner as an extra measure of security.
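To run the file checks from the steps above in one go, here is an added shell function (not part of the original post) that takes a WordPress root directory and prints one "check path" line per finding: hidden .ico files, .ico files that contain PHP, PHP files carrying an @include loader, a stray wp-xmlrpc.php, and recently modified files. The function name and the seven-day window are assumptions.

```shell
# Added example: hunts for the indicators described above under a WordPress root.
# Usage: scan_wp_root /path/to/wordpress [days]   (default window: 7 days)
scan_wp_root() {
  root="${1:?usage: scan_wp_root <wordpress-root> [days]}"
  days="${2:-7}"   # how far back "recently changed" looks

  # 1. .ico files that are dot-files or sit in a hidden directory,
  #    e.g. wp-content/languages/.31845625.ico
  find "$root" -type f -name '*.ico' -path '*/.*' |
    while IFS= read -r f; do printf 'hidden-ico %s\n' "$f"; done

  # 2. Any .ico file that actually contains PHP code rather than an icon
  find "$root" -type f -name '*.ico' -exec grep -l '<?php' {} + 2>/dev/null |
    while IFS= read -r f; do printf 'php-in-ico %s\n' "$f"; done

  # 3. PHP files with an "@include " loader (the line injected into index.php etc.)
  grep -R -l --include '*.php' '@include ' "$root" 2>/dev/null |
    while IFS= read -r f; do printf 'at-include %s\n' "$f"; done

  # 4. wp-xmlrpc.php is not a core file; its presence in the root is a red flag
  [ -f "$root/wp-xmlrpc.php" ] && printf 'fake-core %s\n' "$root/wp-xmlrpc.php"

  # 5. Files modified within the last $days days, newest first (GNU stat)
  find "$root" -type f -mtime -"$days" -exec stat --format '%Y %n' {} + 2>/dev/null |
    sort -nr | while read -r _ f; do printf 'recent %s\n' "$f"; done
}
```

Review every hit by hand before deleting anything; a legitimate theme or plugin update will also show up under "recent".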


Did this help you? Or is there something that we missed? At Thrive we are the digital experts and can help you get out of a rut. Fill out our contact form today and we will be happy to help you out!

Written by Dean Oakley

Dean founded Thrive Digital in 2006 and has worked in the design and development space ever since. He received 1st Class Honours in a Bachelor of IT and oversees all technical aspects of our projects.