Securing hacked website // Malware infected website filled with backdoors
Securing hacked website
Last week's incident
Richard, a grad student, notified us that there was an issue with a website
(http://www.bnaijacobjc.com/), and the next day he received credentials from the owner of the
website so that we could help them fix it.
Basically, anyone reaching this website from a Google search or from a backlink
was being redirected to drive-by attack pages, video websites, advertisements,
etc. by a malicious script injected into the website.
And we fixed it finally after numerous countermeasures!
Theme with malicious JS that redirects users to advertisements (http://portal-b.pw/XcTyTp)
^ NSFW: redirects to Drive-By downloads, Advertisements, Pron*
Old WordPress version
● Found Multiple Backdoors, which can be used by an attacker to regain access
Attacker exploited an RCE vulnerability in PHP's preg_replace function
Fixes / Countermeasures
Identified and ordered recently changed files, and removed the malicious ones
Listing files modified in the last 3 days:
$ find . -mtime -3
Updated WordPress and installed security scanner plugins
Acunetix Secure WordPress
Analyzed Traffic pattern through Chrome Developer Tools
Throttled Network Traffic to Check multiple Redirects
Identified a backdoor in one of the themes and removed it
$ grep -nri "_wp_http_referer" .
$ grep -nri "portal-b.pw" .
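The two checks above (recently modified files, then a grep for the strings seen in this incident) can be combined into one triage pass. The script below is an added example and is not part of the original slides or of the cleanup actually performed; the indicator strings are the ones on the slides, the extra pattern for preg_replace with the /e modifier is an assumption about how the RCE was reached, and the sample theme files it creates are constructed here so it runs offline.

```shell
#!/bin/sh
# Added example (not from the slides): a small triage script for a WordPress
# document root. It lists recently modified files and greps for indicators.

# Write indicator patterns (one ERE per line) to the file named in $1.
# First two strings come from the slides; the third is an assumed check for
# preg_replace called with the deprecated /e modifier (evaluates PHP code).
write_ioc_patterns() {
  cat > "$1" <<'EOF'
portal-b\.pw
_wp_http_referer
preg_replace.*/e['"]
EOF
}

# List regular files under $1 modified in the last $2 days (default 3, as on the slides).
recently_modified() {
  find "$1" -type f -mtime "-${2:-3}"
}

# Print "file:line:match" for every line under $1 that matches a pattern in $2.
# grep exits 1 when nothing matches, which is not an error for triage.
scan_for_iocs() {
  grep -rnE -f "$2" "$1" || true
}

# Number of distinct files flagged by scan_for_iocs; a one-number summary for a report.
count_flagged_files() {
  scan_for_iocs "$1" "$2" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample site: one clean theme file, one file carrying the injected
# redirect and the referer-keyed hook, and one with a preg_replace /e call.
# Payloads are replaced by placeholders; only the indicator strings matter here.
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/themes/demo"
  cat > "$d/wp-content/themes/demo/clean.php" <<'EOF'
<?php get_header(); ?>
EOF
  cat > "$d/wp-content/themes/demo/footer.php" <<'EOF'
<?php if (isset($_GET['_wp_http_referer'])) { /* obfuscated payload removed */ } ?>
<script>window.location="http://portal-b.pw/XcTyTp";</script>
EOF
  cat > "$d/wp-content/themes/demo/functions.php" <<'EOF'
<?php preg_replace('/.*/e', 'REMOVED', $input); ?>
EOF
  echo "$d"
}

# Stand-alone use: ./triage.sh /path/to/docroot [days]
if [ $# -ge 1 ]; then
  pat=$(mktemp)
  write_ioc_patterns "$pat"
  echo "== files modified in the last ${2:-3} days =="
  recently_modified "$1" "${2:-3}"
  echo "== indicator hits =="
  scan_for_iocs "$1" "$pat"
  echo "flagged files: $(count_flagged_files "$1" "$pat")"
  rm -f "$pat"
fi
```

Run it against the document root over SSH before updating anything, and keep the output: the list of modified files is the timeline evidence, and the grep hits tell you which files to diff against a clean copy of the theme rather than deleting blindly.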
Infrastructure / access level used for the fixes:
GoDaddy Hosting with cPanel
phpMyAdmin (DB access) to reset wp-admin credentials
SSH access to execute CLI commands (Linux)
Some findings about the attacker // Appears to be using a pseudonym
● portal-b.pw domain used to circulate advertisements of all kinds.
WHOIS on the domain revealed someone in RU (could be forged information)
Name: Dzhamaldin Budunov
Organization: Private Person
Street: molodezhnaya 16/2
City: s. Sokur
State/Province: Saratovskaya oblast
Postal Code: 421994
By Mayur Pipaliya (mpipaliya) at Cyber Security Center, SPU / Nov’16