I've got a site that has been hacked for the fourth time now this month. With scripts hosted on autofaucet.org
. (sloppy code even, found their names. Some Russian dudes. But that's off topic) I've taken some measurements to prevent a new hack, but alas...
- I've installed a clean WP installation on the server, with clean files and a clean DB.
- reinstalled the plugins clean
- I have
All In One WP Security & Firewall
plugin for file scanning, firewall, hide inlog page, etc. - Changed all the wordpress passwords.
I've notices the encoded code is being placed in files called assets.php
.
I'm curious how a hacker would inject/place the code on the server. How to prevent it better and what questions to ask the webhost company. I've asked them before and they just say it's my fault, update the wp installation and move on. What should they check if the code is injected from their side?
CodePudding user response:
Your log files (of the web server) e.g. /var/log/nginx/access.log
with the nginx
web server will tell you who it was. Look for the change date/time of the assets.php
file. Then check server access logs for IP addresses from that exact time. Then search logs for that IP address. You will find the first accesses by that IP address. That was likely the hack.
Usually Wordpress plugins are to blame as long as you keep the WP site updated. So, you could disable plugins not needed urgently, and disable the others one by one, or all for testing.
As a workaround, you can make the index.php
(or other) file under attack read-only. In the past I have worked around particular attacks by chown root.root filetobeattacked.php
which usually works (but may hinder updates, so it's a temporary solution). If you are not root
on the server (shared hosting) perhaps chmod 444 filetobeattacked.php
could work.
CodePudding user response:
I had same issue before. It might be the wordpress core files.
- Delete all files except wp-content, then download and replace it with the new wordpress files.
- Search for 'autofaucet.org' inside wp-content, and remove if necessary.
- Open wp-contents/themes/ then check functions.php - check if any additional code is there on top. Check the last updated files and time inside the theme and plugins.
- Export database files and searcg for 'autofaucet.org' and remove if any item found.