
WP File Manager Hacked

Many WordPress sites have been hacked via a WP File Manager vulnerability. What to do and how to repair your site.

Unfortunately, a few of our WordPress sites have been hit by this hack. This was a 0-day security vulnerability that wasn’t known to the developers until Seravo announced it. We don’t use this plugin ourselves, but we do allow our clients and their third-party marketing companies to install plugins, which is how it found its way onto our sites.

What to do?

The easiest fix is to restore from a clean backup and then run your updates; the security issue in this plugin has since been fixed. Before you do this, identify the hacked files in your site installation so you can tell whether the backup you restore is clean.

Look for:

1. Random-string PHP filenames in your directories, such as sdfkjhds.php

2. Code injected at the top of index.php, wp-settings.php and wp-config.php. In our case we have seen code similar to the following injected into these files:

/*23f09*/
@include "\057srv\057use...
/*23f09*/

3. PHP code hidden in .ico files such as “./wp-content/languages/.31845625.ico”. These are pulled into active PHP files via an include. If you open one of these files as text you will see code similar to the following:

<?php
$_w3kz6u0 = basename/*vxr6j*/(/*1bl*/trim/...

Once you have found some of these files you will be able to identify a clean backup. If you don’t have one, you will need to clean your site manually.

Manually remove the hack

1. Firstly, make a full backup.

2. Manually reinstall WordPress: download a fresh copy from WordPress.org, delete everything except your wp-content folder and wp-config.php, then re-upload fresh copies of the core files. This makes sure you don’t have any hacked files hanging around in the core folders.

3. Look for random-string PHP filenames in your directories. These should be safe to remove.

From a terminal you can also search for the fake ICO files (*.ico); in our case these all had random-string filenames. Because they are hidden files, search for dotfiles specifically (quote the glob so the shell does not expand it before find sees it):

$ find . -name '*.ico' -path '*/.*'

4. Inspect index.php, wp-settings.php and wp-config.php. Check whether a wp-xmlrpc.php file has been added to the core; if so, delete it.

5. Check for PHP files using @include:

$ grep -R -l --include \*.php "@include " .

Listing recently changed files is another easy way to spot the hacked files (the path defaults to the current directory if none is given):

$ find "${1:-.}" -type f -print0 | xargs -0 stat --format '%Y :%y %n' 2>/dev/null | sort -nr | cut -d: -f2-

6. Update all user and server passwords.

7. We recommend monitoring your site with iThemes Security. The free version comes with file change detection.

8. We also recommend scanning your site with Sucuri.
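Pulling steps 3 to 5 together, here is one script that runs all of the indicator checks above over a WordPress root. It is an added example, not code from the original post; the WP_RECENT_DAYS knob, the tag names and the fixture data are invented for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: runs the indicator checks from
# steps 3 to 5 over a WordPress root and prints one "TAG path" line per
# finding. Assumes GNU or BSD find/grep; WP_RECENT_DAYS (default 7) is invented.

wp_scan_suspicious() {
    root="${1:-.}"
    days="${WP_RECENT_DAYS:-7}"

    # 1. .ico files that are hidden or live in a hidden directory.
    find "$root" -type f -name '*.ico' -path '*/.*' | while IFS= read -r f; do
        printf 'HIDDEN_ICO %s\n' "$f"
    done

    # 2. Any .ico file whose content is PHP source rather than image data.
    find "$root" -type f -name '*.ico' | while IFS= read -r f; do
        if grep -q -I -F '<?php' "$f" 2>/dev/null; then printf 'PHP_IN_ICO %s\n' "$f"; fi
    done

    # 3. PHP files containing "@include", the loader this infection uses.
    grep -R -l -I --include='*.php' '@include ' "$root" 2>/dev/null |
        while IFS= read -r f; do printf 'AT_INCLUDE %s\n' "$f"; done

    # 4. PHP files carrying the short hex comment marker (e.g. /*23f09*/) near
    #    the top, which wraps the injected include in the samples we saw.
    find "$root" -type f -name '*.php' | while IFS= read -r f; do
        if head -c 200 "$f" | grep -q -E '/\*[0-9a-f]{4,8}\*/'; then printf 'MARKER %s\n' "$f"; fi
    done

    # 5. PHP files changed within the last $days days; review these by hand.
    find "$root" -type f -name '*.php' -mtime "-$days" | while IFS= read -r f; do
        printf 'RECENT %s\n' "$f"
    done
}

# Constructed fixture (invented sample data): a tiny WordPress tree with a
# PHP-bearing hidden .ico and a marker + @include injected into wp-config.php,
# next to a clean index.php. Prints the temp directory it creates.
wp_make_fixture() {
    d="$(mktemp -d)"
    mkdir -p "$d/wp-content/languages"
    printf '<?php $_w3kz6u0 = basename(trim("x"));\n' \
        > "$d/wp-content/languages/.31845625.ico"
    printf '<?php\n/*23f09*/\n@include "\\057srv\\057user\\057x.ico";\n/*23f09*/\n' \
        > "$d/wp-config.php"
    printf '<?php echo "clean";\n' > "$d/index.php"
    echo "$d"
}
```

Source the file and run `wp_scan_suspicious /path/to/wordpress`; RECENT hits are only a shortlist to inspect, the other tags point at files that almost certainly need cleaning.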

Please let us know if you are seeing different code injected and your approach to removing, protecting and cleaning.


Created Sep 28, 2020 - Last modified on October 20th, 2020 - Web Design Gold Coast
