My Wordpress Website Accused Of Phishing

[Michael Martinez]

One thing you need to do is make sure your Wordpress is the latest official version and all your plugins are compatible and up-to-date.

You should also examine what you changed or installed just prior to being hacked. Sometimes the hacker comes in through your site, sometimes your account, less often from the hosting provider itself.

You should change the passwords on everything: any email accounts your site hosts, your SQL databases, your site admin logins, etc.

I would also make sure I have a current backup of the database, just in case you need to delete the site and reinstall from scratch.

And you can scan the database to see if there are any wonky entries in it that may include hidden code.

[pokeraussie]

Ok, now the same happened to me, just my domain wasn't suspended - I noticed hacked files in time. I deleted them all from my hosting. Please tell what should I do next, cause I imagine I might have something also in my original files and/or database. How to find it while not deleting my website content/files?

Is it a wordpress site? Install this plugin WordPress › Timthumb Vulnerability Scanner « WordPress Plugins

It will look for the timthumb script in the wp-content folder. If it's outdated it will update the file with 1 click.

Like already mentioned, make sure wordpress and all plugins are up to date.

[redvel]

One thing you need to do is make sure your Wordpress is the latest official version and all your plugins are compatible and up-to-date.

You should also examine what you changed or installed just prior to being hacked. Sometimes the hacker comes in through your site, sometimes your account, less often from the hosting provider itself.

You should change the passwords on everything: any email accounts your site hosts, your SQL databases, your site admin logins, etc.

I would also make sure I have a current backup of the database, just in case you need to delete the site and reinstall from scratch.

And you can scan the database to see if there are any wonky entries in it that may include hidden code.

Is it a wordpress site? Install this plugin WordPress › Timthumb Vulnerability Scanner « WordPress Plugins

It will look for the timthumb script in the wp-content folder. If it's outdated it will update the file with 1 click.

Like already mentioned, make sure wordpress and all plugins are up to date.

Thank you both for help and advices - that really was a Timthumb issue. Everything else was up-to-date. I have my backups done twice a week, so I just installed WP, plugins and theme fresh, updated timthumb, reinstalled my db (scanned it before) and changed all possible passwords.

So as I imagine, Timthumb was used to create backdoor, and also in the hacked version I found new folders in root with many files, together with some .php files in Images folder. DB was clean. All hacked files in the commneted parts mention some guy from India who names himself V0ld3m0rt... Very original.

I also became paranoid and installed these plugins on all my WP sites:
Exploit Scanner
WordPress File Monitor
Wordpress Firewall 2
WP Security Scan

Thank you again!

[pokeraussie]

Yes mate, for me every site that's been affected has had an outdated timthumb script I think its a popular exploit for hackers.

Btw how did you scan the db? It seems my DB files are clean but just want to make sure.

[Michael Martinez]

There was an outbreak of Timthumb hacks earlier this year. Although I don't use that plugin, I update all of my themes and plugins every time I log in to Wordpress if it tells me there are available updates.

[redvel]

Yes mate, for me every site that's been affected has had an outdated timthumb script I think its a popular exploit for hackers.

Btw how did you scan the db? It seems my DB files are clean but just want to make sure.

For db I made some manual queries in PHPMyAdmin to search for <script>, <iframe>, eval and all other suspicious things. Also, one of the plugins I mentioned does similar job, just automatically.

[pokeraussie]

Gosh this is becoming frustrating. Updated wordpress and all modules, scanned and updated the timthumb script for another site, and was still the target of another phishing attack today.

Now it's getting even more weird, some random hotmail address contacted me telling me about the phishing site on the server, linking me to the malicious file. How the hell would this person have known about it?