Unfortunately my website got hacked a couple of months ago. The following post by Julio was very helpful for me to restore my website. I hope it will help others too.
From Julio Marchi:
Here is my “comment” (or “mini-tutorial” if you want to call it):
I’d like to present here some of my discoveries about this exploit, and also to disclose the solution that worked on my sites (several sites, actually). It is a bit long comment (kind of a “tutorial”), and I hope you guys forgive me for that! My goal was to be as most descriptive as possible, so anyone suffering with this exploit can get rid of this thing for good (if not using the presented fix, at least with enough information to find a better solution to resolve the problem)!
I’ve found that this “site hacking” explores a well known vulnerability in a file called “timthumb.php”. Most WP themes use this small php script for cropping, zooming and resizing web images, and in the case of the WP themes, it is commonly found at /library/ folder inside the theme’s folder.
What I’ve done to get rid of this site hacking, once and for all, was the following:
1) Download and use the “Fix Hacker Shit” Judd has provided above in his original post. It is a very good piece of work, and it will help you to temporarily “disable” this exploit. Please, notice that the Base64 Code may vary from one hack to another (as the called domain may differ), and then you may have to edit the line 14 of Judd’s file to change the “aHR0cDovL2hvdGxvZ3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA” by the Base64 Code found on your installation.
2) After using Judd’s tool to clean your files, simply re-install WordPress. You don’t need to delete or backup anything (although a backup is always highly recommended), just go to your UPDATES page in the ADMIN PANEL and click the button “Re-install Now”.
3) After done with steps 1 and 2, now you MUST install the following plugins in the presented order (do it from INSIDE your WordPress installation, searching by the plugin name on wordpress.org. DO NOT DOWNLOAD IT FROM ANY OTHER SOURCE DIFFERENT THANWORDPRESS.ORG):
– TimThumb Vulnerability Scanner
– Exploit Scanner
– BulletProof Security
– 6Scan Security
The “TimThumb Vulnerability Scanner” will detect bad versions of the “timthumb.php” file and replace it with a safer one. It is a must have plugin nowadays.
The “Exploit Scanner” will allow you to check your entire site against common vulnerabilities and exploits dirty tricks. However, please notice that this plugin DO NOT FIX ANYTHING, it will only CHECK and LIST potential threats. Notwithstanding, not everything listed will be an actually hacking. You will be required to review the listed files manually and identify if it is a real threat or a “false positive”. Most “base64_decode” will be a BAD THING, but in my case I’ve found that the WP E-Commerce plugin was using this function in a legit piece of code. Also, the newer version of the “timthumb.php” file uses it in ONE position only to implement a “anti-leech access”, and the code that starts with the following code IS legit:
$imgData = base64_decode(“R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAA (…)
More info about this specific base64_decode can be found here:http://code.google.com/p/timthumb/issues/detail?id=237
It being said, please be careful before editing or deleting anything as you can manage your site broken.
What I actually like about the “Exploit Scanner” plugin is that it match some installation files with its original versions, making it a great tool to have when looking for unknown or new potential hack attempts.
The “BulletProof Security” is something that should be a default plugin in any WP installation. It creates a very decent and well thought boundary of protection around your sites, protecting folders and files using the Apache .htaccess level, also reviewing them periodically. Please, notice the “settings” for this plugin may be somehow a little bit tricky for beginners, as there is a lot of reading and “clicks” required (please, do so). However, if you really want to have a clean site, you cannot afford not to have this plugin fully installed!
Finally, the “6Scan Security” will imply extra security levels, complementing the “BulletProof Security” protection layer. However, the “6Scan Security” will disable some of the “BulletProof Security” implementations to add its own security levels, but they will not conflict or interfere with each other. Just remember to fully setu the “BulletProof Security”, then install and setup the “6Scan Security” on top of it.
4) In the future, DO NOT install and/or use ANY theme from ANY source without reviewing its contents. You can use the “Exploit Scanner” to test your site after coping the theme into your installation (and priory from enabling it, of course). WP themes are the most well known cause of site infections and for each 100 one I’ve downloaded, 98 have some “crap” hidden in it. So, BE CAREFUL.
5) Same advice above for the PLUGINS! I’d never (ever) install any plugin from any other source different than wordpress.org. And, even trusting WordPress, I’d never activate them before checking the installation against the aforementioned security plugins (and, immediately after activated, check it all over again).
It all may sound very paranoid, but we have no much choice nowadays. I’d say it is “better safe than sorry” (as you can also be a victim of the virus yourself, being accidentally infected by those scripts by simply accessing the Admin Panel of your own site if you don’t check the new plugins and themes before and after enabling them).
BTW, changing FTP and CPANEL passwords won’t fix a thing in this case, you will NEED to clean the “timthumb.php” file to prevent its vulnerability from being exploited. I haven’t review it indepth myself, as I have no time for chasing ghosts, but looks like the “hackers” are using some sort of injection code related to images internal compression method/algorithm to download their backdoor in the site as it was a thumbnail, then they “call it” unsuspectingly by rendering the generated thumbnail, executing the code that will result in a script that will use another vulnerability from the the FTP DAEMON to download a file that will scan and edit your files locally, adding the crap code Judd has disclosed above. It seems to be a lot of work, but it may take no more than a few seconds for it all to happen, and then they erase all traces of those files after the job is done. The only digital footprint I’ve found in my case was a FTP access log from an IP 22.214.171.124 (which is from Stockholm, Sweden) that accessed the exactly infected files and folders pointed by the “Exploit Scanner” plugin. I’ve traced back this IP and it is only used by ONE site, the iforex.to. If you want to complaint (as I did) send emails to [email protected], which is the major authority for that IP!
As you can see, this exploit “dirty trick” is not as well elaborated as most people may think, but the vulnerability is real and it renders your site widely open for many other possible attacks. It being said, if you take care of the “timthumb.php” vulnerability, it will help prevent these and other hackers from accessing your local files, as they really DO NOT KNOW and DO NOT NEED your FTP/CPANEL password.
Please, notice that “timthumb.php” is not the bad guy here, and it is a widely used “piece of code” in many other CMS and Open Source tools. In fact, any other code that uses same image management methods may be exploit using same techniques, however, in most cases hackers do not know your PHP code, but they can systematically search for the presence of the “timthumb.php” script on ANY site (as its code and functions are well known). It being said, this vulnerability is not only affecting WordPress sites, but looks like those hackers have a crunch on WordPress installations (God knows why?).
Finally, don’t forget to ALWAYS review your /cgi-bin/ folder, as many hackers also use it to run “email spam routers” on your sites. Also, if you don’t use the FrontPage Extensions, simply delete all folder and files related to it from your /public_html/ folder. For more information about the FrontPage Server Extensions you can access here:http://aquesthosting.headtreez.com/doc/6939a3f3-281d-4a83-a14a-3bda9459702b
I hope this quick “tutorial” can help some of you guys to clean your sites and keep it safe.
I’d like to say a expecial thanks to Judd, as this was the most well informative page I’ve found about this hacking, the one that brought me the initial clues of how to track, kill and prevent this hacking from happening again. That’s why I am writing this “tutorial” here!
Please, share this page! Everyone must know about this threat and how to fix it for good!