
Event Espresso Site HACKED Several Times

Posted: June 18, 2013 at 11:38 pm


topotepuy

June 18, 2013 at 11:38 pm

Hi there, I have a big issue with event espresso, and I think that a back door is created every time the software needs to be upgraded.

The site that I manage has been attacked so many times, and I think I should speculate that it happens every time the plugin needs to be updated.

I tried installing Wp better Security plugin and I found out that the hacker(s) attack the site using the payment gateways in most cases. I’m going nuts with this issue, I have researched and tried most of the wp security recommendations available out there without any luck.

I’ve noticed that they are injecting some unusual files in the root folder of the site with some really weird code, especially a file called wp-apps.php, and a blank wp folder is also created every time in the root folder.

I have deleted and changed users and passwords for most of the potential vulnerable accounts, but I’m still trying to wonder what’s going on.

I really need to know if someone is experiencing the same problem. Whenever the site is hacked, event espresso reacts very strange, for example it amplifies the amount that should be charged for a specific order.

The site url is www topotepuy.com, it might be hard to give a diagnosis with only the url, but really, I need some help here, I think there’s a team of hackers working on this because the attacks are very often, and only on this specific site (I manage several wp sites).

Any lights will be especially appreciated, please, I DO NEED YOUR HELP!


Dean

June 19, 2013 at 3:54 am

Hello Frederico,

That is not good at all! We try to make sure that Event Espresso is as secure as possible and if any security holes are found we will resolve them as quickly as possible.

We haven’t heard of other hacking attempts that are due to Event Espresso.

Sucuri states that your site has been blacklisted but could not find any malware or viruses – http://sitecheck.sucuri.net/results/www.topotepuy.com

Do you have any further information that can confirm it is Event Espresso and where it is coming from? Screenshots of the security warnings etc etc.

If you have further information please send it via this form https://eventespresso.com/report-a-security-vulnerability/

WordPress has some helpful advice regarding hacked sites – http://codex.wordpress.org/FAQ_My_site_was_hacked


Josh

  • Support Staff

June 19, 2013 at 8:38 am

Hi Federico,

The wp-apps.php hack is a general hack that affects WordPress sites that do not have Event Espresso installed. Here are some links to some general WP resources that may help:

http://blog.aw-snap.info/2011/08/malware-hosted-newportalsecom.html

http://wptheming.com/2011/08/cleaning-up-the-timthumb-hack/

http://marshallssecurityreview.blogspot.com/2012/11/wp-appsphp-wpcountphp.html

http://www.krizalys.com/article/multi-wordpress-hack


topotepuy

June 19, 2013 at 5:54 pm

Hi, thank you for your replies. It’s curious that the injection happens as soon as Event Espresso is outdated, and when hacked weird things happen to the number of tickets and payment amount when an order is processing.

However, it’s also true that the wp-apps.php hack happens to all kinds of WordPress sites without Event Espresso installed as well. I even removed the contact form from the site in order to prevent possible injections.

I’ve been struggling with this issue for some months, and luckily, I’ve managed to clean up the site every time it gets hacked and improve the security a bit more each time this happens. Nevertheless, the attacks continue permanently.

I will read everything on those links to see if I can manage the situation, thank you for the lights and I’ll be reporting ASAP.

Best regards


Josh

  • Support Staff

June 19, 2013 at 9:37 pm

It sounds like they’ve left a backdoor, which could be hidden away in a file in a legitimate folder. One of the above references advises to check the index.php files that normally appear inside most plugin, theme, and upload directories for backdoors. Typically the index.php files will be empty to prevent directory browsing.
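An added example, not part of the original thread or of Event Espresso's code: a heuristic Python check for the advice above. It lists index.php files under wp-content/plugins, themes and uploads that contain anything beyond comments, plus the wp-apps.php file and empty wp folder reported earlier in the thread. The function names, the regex heuristic and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# PHP open/close tags, block comments and line comments. Whatever is left
# after removing them is executable code or inline HTML (regex heuristic,
# not a PHP tokenizer).
_INERT = re.compile(r"<\?php|\?>|/\*.*?\*/|(?://|#)[^\n]*", re.S)

def is_stub(path):
    """True when an index.php holds only tags, comments and whitespace."""
    with open(path, "r", errors="replace") as fh:
        return _INERT.sub("", fh.read()).strip() == ""

def scan(site_root):
    """Return sorted (reason, relative_path) findings for manual review."""
    findings = []
    # Indicators the original poster reported in the site root.
    if os.path.isfile(os.path.join(site_root, "wp-apps.php")):
        findings.append(("wp-apps-file", "wp-apps.php"))
    wp_dir = os.path.join(site_root, "wp")
    if os.path.isdir(wp_dir) and not os.listdir(wp_dir):
        findings.append(("empty-wp-folder", "wp"))
    # index.php files that are not empty directory-listing stubs.
    for sub in ("plugins", "themes", "uploads"):
        top = os.path.join(site_root, "wp-content", sub)
        for dirpath, _dirs, files in os.walk(top):
            if "index.php" in files:
                full = os.path.join(dirpath, "index.php")
                if not is_stub(full):
                    rel = os.path.relpath(full, site_root)
                    findings.append(("non-empty-index", rel))
    return sorted(findings)

def build_sample(root):
    """Constructed tree: a clean stub, an altered stub, the root indicators."""
    files = {
        "wp-content/plugins/index.php": "<?php\n// Silence is golden.\n",
        "wp-content/uploads/2013/index.php":
            "<?php\n/* Silence is golden. */\ninclude 'cache.php';\n",
        "wp-apps.php": "<?php // constructed placeholder\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    os.mkdir(os.path.join(root, "wp"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for reason, rel in scan(tmp):
            print(f"{reason}\t{rel}")
```

A theme's own index.php is a real template and will be listed as non-empty, so treat each finding as a file to compare against a known-good copy rather than as proof of compromise.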


topotepuy

June 20, 2013 at 9:24 pm

That’s what I thought, so I deleted all files and reinstalled a couple of times before the latest hack, but the backdoor still seems to be there, and I can find it yet.

I’m going to investigate the logs and implement SSH shell access to see what happens.


Josh

  • Support Staff

June 21, 2013 at 10:09 am

Here is another reference that may help:

http://www.wpbeginner.com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it/

The support post ‘Event Espresso Site HACKED Several Times’ is closed to new replies.
