# Wordpress Site Keeps Getting Hacked With Phishing Files



## BML (Nov 25, 2001)

How do I stop this from happening? I've had this several times now. My site will get hacked where a zip file gets uploaded, then extracted into various new directories. The folders contain coding which probably creates a fake sign-in page looking like it's hosted on my host's server. Phishing emails would direct people to these pages, and the info they put in would be stolen and transmitted to the hacker.

I use a couple of security plugins. They alert me to changes like files/directories being added, but I want to block that from happening. This takes me a lot of time and effort to clean, and Google may see it and flag my site as malicious.

How are these files being uploaded or put into my server space? How do I block it???


----------



## lunarlander (Sep 22, 2007)

Hi,

Are you using a host that provides WordPress for you, or do you install your own WordPress? If the latter, you should upgrade to the latest WordPress 4.6.1. WordPress releases new versions to mitigate security vulnerabilities, and you must keep it up to date. And remember, plugins need updates too.

I am not a WordPress specialist; I have sent for help to someone who is also in the security field and knows WordPress better.


----------



## colinsp (Sep 5, 2007)

Make sure that you change your FTP and cPanel passwords, as it is possible those have been compromised too. Ensure that when you clean out all the files from your hacked WordPress install you clean out the database too, and also delete any rogue users. Ensure WordPress and your plugins are up to date. I use both Wordfence and Sucuri to secure my WordPress websites and haven't suffered a problem yet.


----------



## dvk01 (Dec 14, 2002)

You will find it almost impossible to stop attacks against WordPress or any other CMS or website by relying on plugins. Yes, they help a lot, but the only real way is to host on a secure server that doesn't have any vulnerabilities, or at least keeps them patched as quickly as possible and has a decent web server firewall / exploit scanner.

Almost all shared hosting will not have that. If you really want security, then you need to host either on a dedicated server or at least a VPS, where you have the ability to install your own firewall and exploit scanner.
I host my own server and install all the tools/programs from http://configserver.com/
It is unlikely that you will be able to while hosting on a shared server.

A very high proportion of hacks against WordPress are from non-existent plugins where lax security settings / permissions allow almost any file to be uploaded to a user's WordPress folders, via server vulnerabilities.


----------



## lunarlander (Sep 22, 2007)

Thanks dvk01 for dropping by.


----------



## dvk01 (Dec 14, 2002)

At the moment you have a worse problem than being occasionally hacked.
Your site does not display in Internet Explorer at all;
it just displays a plain blue background.


----------



## BML (Nov 25, 2001)

lunarlander - my host provides it, and I've updated it to the current version along with all plugins.
colinsp - I've changed my passwords; there were no other users listed; all rogue files have been deleted and I searched the database for any entries referencing the rogue directories' files (there were none).
dvk01 - I have shared hosting. But even though I share a server with other users, how is it possible for someone to put a file on MY server space without logging into it somehow?
Also.... I think that is some kind of Internet Explorer problem, related to the previous hack. My site views normally on Firefox desktop and mobile and also on Chrome mobile (I just checked it now). But at work we have IE and it will not display; it is blue just like for you. Maybe IE is somehow blocking it as if it was malicious? I checked it on Google Safe Browsing and it says not dangerous.


----------



## dvk01 (Dec 14, 2002)

The problem will be somewhere in the coding, with a misplaced or missing end tag on a script somewhere.
Chrome and FF are quite forgiving on missing tags. IE is not.

It looks like a possibly incorrect doctype declaration, because you appear to be using HTML coding, not HTML 5.

Either change the doctype declaration to HTML 4.01 Transitional, or remove all the `if IE` junk, which isn't needed nowadays:

```
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
```

If I change your doctype declaration I see the page in IE as it is supposed to be.
Shared hosting in most situations can lead to one site on the server being compromised by a weakness or vulnerability in a plugin or an out-of-date web version like WordPress, and if incorrect permissions are set (many shared hosting servers are wrongly set), that allows a compromised site to attack every other site on the server.


----------



## dvk01 (Dec 14, 2002)

Actually it isn't the doctype declaration at all.
Sorry.
It looks like something to do with the slider or image display scripts.
If I put the site into Restricted Sites, which blocks ActiveX controls, it works perfectly.


----------



## BML (Nov 25, 2001)

Ok. I tried to load it on Internet Explorer on my home computer and I got a security flag. I use Microsoft Security Essentials on my computer. It's blocking the site and it says this:

*Microsoft Security Essentials blocked content on this website*
gevathedphosphorescentes.ieltsonlinehelp.com
Hosted by: flightlineaviationmedia.com

It does not get blocked using Firefox.

So it makes it look like I am hosting this malicious website. I don't know what to do. I searched within my SQL database for this website name and also any files and there are none. I do not see any strange files or references to external websites.


----------



## lunarlander (Sep 22, 2007)

I scanned the site at virustotal.com, and it reports that BitDefender and Kaspersky find it malicious.


----------



## dvk01 (Dec 14, 2002)

That is not a malicious site but is your other website, flightlineaviationmedia.com, that uses the same WordPress theme and same slider plugin that gets blocked by IE.

I think it is either a slider plugin or the Sociable plugin that is blocking things in IE.

Best suggestion so far is to temporarily disable each plugin in turn, and check in IE, until you find the one causing the problem.


----------



## dvk01 (Dec 14, 2002)

Taking another look, you have an iframe appearing that is the malicious content (this content changes each time the page is reloaded) on your flightaviation site and on the bruce site:

```
http://christianisierung.pmgstudios.com/?w3aKdriUJBjHAos=l3SKfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9weKZV5EqpPGHbA_3Qunm7dHIstzlEKA6GlXzblPBAwZ5RgY0Q
```

Without access to the raw files and plugins I cannot completely determine what plugin is causing it, but I suspect the Sociable plugin.


----------



## dvk01 (Dec 14, 2002)

That iframe only shows in IE.
Doing some tests with different browser ID strings, it looks like it is prettyPhoto that is the problem. Something in that plugin uses an IE-specific CSS that has the iframe embedded in it somewhere.

I have downloaded the latest available prettyPhoto plugin from WordPress and cannot see any malicious content in it (but I wouldn't expect to). However, the plugin has not been updated for over 1 year and there might be vulnerabilities in it.
Disable the prettyPhoto plugin,
see if IE works then, and check whether you can still see an iframe in the view source once prettyPhoto is disabled.


----------



## BML (Nov 25, 2001)

I'm actually not using a prettyphoto plugin. I am however using a fancybox plugin called Easy Fancybox which it says supports iframe and inline content. It was last updated 4 months ago and says not tested with current wordpress. I am disabling it on the Flightline site. Does it still have the iframe content?


----------



## dvk01 (Dec 14, 2002)

It is not Fancybox, it is prettyPhoto, which looks like it is an embedded part of the theme you are using (inFocus),
a theme that is no longer sold and probably not supported by its developer.
I think your only answer to all your problems is to change themes to a different one that hasn't got all the embedded plugins.

You are better off with one of the free ones from WordPress.

WordPress no longer allows themes to have embedded plugins because of this sort of problem, and all current themes have to have separate plugins.


----------



## BML (Nov 25, 2001)

Hmmm. Well it wasn't like this prior to getting hacked at my prior host. Maybe I should delete the theme and do a clean install of it, maybe one of its embedded files got corrupted?


----------



## dvk01 (Dec 14, 2002)

Reinstalling that theme will not cure the problem. It might temporarily solve it, but if there is a plugin vulnerability within the theme then a simple website scan by a malicious person will find the vulnerability and reinfect you.

That is why and how millions of WordPress sites get infected daily.
I get about 200 automated attacks against my WordPress sites on a quiet day; on a bad day it can be 1000 attacks. My firewall and exploit scanner block 90% of them, and the others fail because I don't have the vulnerable plugins of themes that use embedded plugins active on my sites.
If you have the vulnerable plugins that are embedded in the theme, I can guarantee that you will be reinfected within days, if not hours or even minutes. Once your site is on the list as being vulnerable, they will keep trying and find another vulnerability, until you finally fix it properly.


----------



## dvk01 (Dec 14, 2002)

https://wpvulndb.com/search?utf8=✓&text=infocus


----------



## dvk01 (Dec 14, 2002)

https://themeforest.net/forums/thre...ty-affecting-prettyphoto-jquery-script/181180


----------



## BML (Nov 25, 2001)

Oh geez. I didn't know that. Local File Inclusion is probably how they're able to upload the zipped file to my server space. Although my version of the theme is newer than what is in the database.

I probably should look at new themes. I want something that looks professional though. How do I know if any of the themes available have vulnerabilities? I suppose I could check that database you linked to. Is there anything I should look for in a theme to stay away from that is less secure?


----------



## dvk01 (Dec 14, 2002)

Just about any theme on WordPress itself is "safer", because they don't allow embedded plugins. They have to be separate, so they can be easily disabled / updated / removed / changed etc.
I use Weaver Xtreme on all my sites, and that can be set to look similar to your existing sites without much fiddling.
Look through the WordPress themes from within your WordPress control panel and see what you like and what looks easy to use. There are thousands of good ones there.


----------



## BML (Nov 25, 2001)

I was looking at this theme, https://themeforest.net/item/sterling-responsive-wordpress-theme/2320578?s_rank=56

It's not listed on the vulnerabilities database, has a lot of downloads, and although it's been on the market a long time it says the most recent update was less than 2 months ago. Any thoughts?


----------



## dvk01 (Dec 14, 2002)

By all means try it.
But first, I would use the WordPress default 2016 theme and see if all problems stop, before laying money out, just in case I am wrong about your existing theme being the problem and it is a different plugin causing it.


----------



## BML (Nov 25, 2001)

I tried activating the Twenty Sixteen theme and it still does not work in IE. I don't get any security warnings though. Just a black screen. In Chrome and Firefox it works, though the pages are messed up due to the coding not being optimized for this theme. Then I tried deleting all the inFocus theme files and re-uploading them from the latest version of that theme that I have from 2015. Same thing. Works in Chrome and Firefox, but on IE I get just a solid blue screen with what looks like a few random letters in the very top left. No security warnings.

When I had Twenty Sixteen active, in IE I looked at the source code for the homepage and I do see an iframe with this code:

```
ahubd
http://green.KINGFISH.CO/?w3eKdbGdJRfHC4o=l3SKfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9weKYg1G_ZGQRrJt3wn1mrEVdc92kxOGuDJWz-kcAQ5C5hgY0Q
```

Looks to me like some random letters and a redirect of some sort, right? (I didn't get any security warnings on it though.) So swapping themes did not get rid of it. What else could it be?


----------



## dvk01 (Dec 14, 2002)

That is the same hack with a different address.

That means it isn't the theme but one of the other plugins that you have on the site.
The only way to solve it is to disable ALL plugins.
See if the problem happens with ALL plugins disabled. If it does, then it means one of the core WP files has been compromised.
If there is no iframe or display problem, then enable the plugins ONE AT A TIME. Check after each plugin is enabled for an iframe and/or IE display problems. Once the problems occur, you know it is the last plugin enabled. So disable that one again, enable all the others, and see what happens then.
Once you have determined which plugin is responsible, then you can remove it.


----------
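The two checks dvk01 describes above, an off-site iframe that only appears for certain browser ID strings and the enable-plugins-one-at-a-time isolation, as an added Python example that is not part of the thread. The site host, plugin names and HTML responses are constructed; `render` stands in for whatever fetches the page with a given set of plugins enabled (e.g. a wrapper around WP-CLI and an HTTP client), which is assumed here, not a real API.

```python
"""Added example (not from the thread): flag iframes pointing off-site in
rendered HTML, compare results across user-agent strings, and enable
plugins one at a time until the injected iframe appears.
All site names, plugin names and HTML below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every iframe src attribute in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_iframes(html, site_host):
    """Return iframe src values whose host is not the site's own host.
    Relative src values (no host) are treated as same-origin."""
    parser = IframeCollector()
    parser.feed(html)
    found = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            found.append(src)
    return found


def iframes_by_user_agent(responses, site_host):
    """responses: {ua_label: html}. Shows which user agents received the
    injected frame (the thread saw it only for IE)."""
    return {ua: external_iframes(html, site_host) for ua, html in responses.items()}


def find_culprit_plugin(plugins, render, site_host):
    """Enable plugins one at a time, as the thread suggests, and return the
    first one whose activation introduces an off-site iframe.
    Returns 'core-or-theme' if the iframe is present with no plugins at all,
    and None if it never appears."""
    enabled = []
    if external_iframes(render(list(enabled)), site_host):
        return "core-or-theme"
    for plugin in plugins:
        enabled.append(plugin)
        if external_iframes(render(list(enabled)), site_host):
            return plugin
    return None


# ---- constructed sample data (hypothetical site, plugins and pages) ----
SITE = "example-site.invalid"
CLEAN_PAGE = (
    "<html><body><p>Welcome</p>"
    "<iframe src='https://example-site.invalid/embed'></iframe>"
    "<iframe src='/local-map'></iframe></body></html>"
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    "<iframe src='http://attacker.invalid/?x=1' width='1' height='1'></iframe></body>",
)
SAMPLE_RESPONSES = {"msie": INJECTED_PAGE, "firefox": CLEAN_PAGE}
SAMPLE_PLUGINS = ["seo-tool", "bad-slider", "contact-form"]


def fake_render(enabled_plugins):
    """Constructed stand-in for fetching the page: the hypothetical
    'bad-slider' plugin is the one that injects the frame."""
    return INJECTED_PAGE if "bad-slider" in enabled_plugins else CLEAN_PAGE


if __name__ == "__main__":
    print(iframes_by_user_agent(SAMPLE_RESPONSES, SITE))
    print("culprit:", find_culprit_plugin(SAMPLE_PLUGINS, fake_render, SITE))
```

In practice `render` would deactivate and activate plugins (WP-CLI can do this from the shell) and fetch the home page with an Internet Explorer user-agent string, since the thread found the frame was served only to IE; keep a copy of each fetched page so the injected markup is preserved as evidence before the plugin is removed.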



## BML (Nov 25, 2001)

Well.... I think I got it!!! What I ended up doing was installing a plugin called Anti-Malware Scanner. This did more than the other security plugins I have: it scanned all files, and the result was 3 were flagged as backdoor scripts and 17 were flagged as "known threats". Some of them had odd names, some were located among the WordPress core files and some were located among the theme files in the theme folder. It fixed them by putting them in a quarantine area, and I was able to click on the file and look inside it. Most of them had chunks of Base-64 code in them. There was even a file inside one of my upload folders where I generally upload images; this was a PHP file so I knew that did not belong there. Opened it, and it was Base-64 gibberish. These files were literally scattered all over the site.

So I also replaced all the WordPress core files by downloading a clean copy from WordPress.org and uploading by FTP. I had already replaced my theme files earlier. Then I tried both of my sites in IE and they both work, no iframes or security flags. Also works in Chrome and Firefox and mobile too.

There must be a vulnerability somewhere that allows this to happen.

Also, I checked the sites in Google Safe Browsing and it says they are safe, but it still shows that some pages are redirecting to malware sites: https://www.google.com/transparency...nostic/?hl=en#url=flightlineaviationmedia.com as it did before. So I don't know what that could be.


----------
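The file-level indicators mentioned in this thread (PHP files sitting in an uploads folder, files stuffed with Base-64 gibberish, and, from dvk01's earlier point, wrongly set permissions on shared hosting) can be checked with a small scanner. This Python script is an added example, not the Anti-Malware Scanner plugin or anything else from the thread; the WordPress tree it walks is constructed in a temporary directory, and the patterns are heuristics that will need tuning on a real install (some legitimate themes embed Base-64 images).

```python
"""Added example (not from the thread): triage scan of a WordPress tree for
PHP in wp-content/uploads, PHP code hidden in non-PHP files, obfuscated
payloads (eval/base64_decode, long Base-64 blobs) and world-writable paths.
The sample tree is constructed; paths and contents are hypothetical."""
import os
import re
import stat
import tempfile

# eval(base64_decode(...)) style wrappers, or base64_decode over a long literal
OBFUSCATION = re.compile(
    r"(eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\()"
    r"|(base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{100,}['\"]\s*\))",
    re.IGNORECASE,
)
# a quoted Base-64 blob of 200+ characters is suspicious in code
LONG_B64 = re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7")
MAX_READ = 1_000_000  # bytes; larger files are only permission-checked


def scan_wordpress_tree(root):
    """Walk `root` and return a sorted list of (finding, relative_path)."""
    findings = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.add(("world-writable-dir", rel_dir))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.stat(path)
            if st.st_mode & stat.S_IWOTH:
                findings.add(("world-writable-file", rel))
            is_php = name.lower().endswith(PHP_EXTENSIONS)
            if is_php and rel.startswith("wp-content/uploads/"):
                findings.add(("php-in-uploads", rel))
            if st.st_size > MAX_READ:
                continue
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")  # lossless for byte scan
            if is_php or "<?php" in text:
                if not is_php:
                    findings.add(("php-code-in-non-php-file", rel))
                if OBFUSCATION.search(text) or LONG_B64.search(text):
                    findings.add(("obfuscated-code", rel))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed mini WordPress layout with one clean core file,
    one clean theme file, a real-looking image, a Base-64 dropper in
    uploads, PHP disguised as an .ico, and a world-writable uploads dir."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    blob = "QUJD" * 60  # constructed Base-64 padding, decodes to 'ABC' repeated
    files = {
        "wp-includes/functions.php": "<?php\nfunction sample_ok() { return true; }\n",
        "wp-content/themes/sample/header.php": "<?php get_header(); ?>\n<div>ok</div>\n",
        "wp-content/uploads/2016/09/image.jpg": "\xff\xd8\xff constructed jpeg bytes",
        "wp-content/uploads/2016/09/cache.php": "<?php eval(base64_decode('" + blob + "')); ?>",
        "wp-content/uploads/2016/09/logo.ico": "<?php echo base64_decode('" + blob[:120] + "'); ?>",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(content)
        os.chmod(path, 0o644)  # typical, non-world-writable file mode
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # the misconfiguration
    return root


if __name__ == "__main__":
    for finding, rel_path in scan_wordpress_tree(build_sample_tree()):
        print(f"{finding:26s} {rel_path}")
```

Pointed at a real install (`scan_wordpress_tree("/path/to/wordpress")`) this gives a quick list to review before quarantining anything; pair it with a comparison of core files against a clean download from WordPress.org, which is what the poster ended up doing by hand.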



## dvk01 (Dec 14, 2002)

Looks OK now.
We know there was a vulnerability in your theme from before. Whether they were using that, or whether it is a vulnerability on the actual server on a different account that incorrect settings allow you to be hacked through, is beyond me to determine.

All you can do is keep scanning daily with this new anti-malware scanner and see what it picks up.


----------

