Client can't log in

cruxwireweb
(@cruxwireweb)

12 years, 7 months ago

Hi-

My client is not able to log in to WordPress. The error message says the password is incorrect, however I am able to log in just fine. We have gone through this many times and I am 99% sure she is using the correct password. I even pointed out that the zeroes were not the letter O, etc.

Her computer was infected with OtShot. She says she has gotten rid of it completely, and her Avast scan comes out clean. I’m not sure she has done a boot scan, though. She is not the most technologically adept (although I have to say she has been a real trooper throughout this.) So, I think a boot scan would confuse and overwhelm her and I don’t want to go there unless I have to.

The site was also compromised. I found a file named header.php.injected09052013 in the root folder. At the same time, a file named .viminfo was created or uploaded.

I deleted those files and insalled WordFence and ran a scan. It did pick up something, but unfortunately I don’t remember what, except that it had to do with Akismet. I resolved whatever it was. Now both WordFence and Sucuri scans are coming out clean, but my client is still not able to log in.

The FTP log for the day of the header injection (assumedly 9/5/13) lists the followng files: wp-config.php, robots.txt, sitemap.xml, .the theme’s header.php, and a file called “6mhd8V2T.gif”. The gif was uploaded to the public_html folder – ofdd place for it and definitely not something I would do.

Gifs with random string names like that since 9/2/13. Between 9/2 and 9/5, also showing in the log is htaccess and a file called “count.php” in the public_html folder.

I have also looked through the files by hand and have seen nothing else suspect. This is a very simple installation of WordPress.

Does anyone have any idea what might be going on? The site scans turn out clean and her computer scans turn out clean, so I am at a loss.

It occurred to me to have her clear her cache, but it’s a bit of a pain to have one’s cookies deleted and I think it would confuse her, so again, I’d rather not if I don’t have to.

Any ideas would be very gratefully accepted.

Thanks,
Kim

P.S. I changed all passwords, updated everything, and created a new db user and deleted the old.

P.S.S. Plugin list at time of hacking: Akismet, Broken Link Checker, Contact Form 7, Dynamic Widgets, Jetpack, Shortcode Exec PHP, Under Construction. They were all the latest version, or one version behind. Same with WordPress.

Viewing 8 replies - 1 through 8 (of 8 total)

Thread Starter cruxwireweb
(@cruxwireweb)

12 years, 7 months ago

Also, neither the debug.log or error_log show anything between 9/3 and 9/5.

Krishna
(@1nexus)

12 years, 7 months ago

From your description of the problem, it looks like an intrusion/hack. Not all hacked sites show up in security scan tools nor detected by antivirus software just because the intruders inject scripts similar to adware or scripts for displaying ads.

Anyway, what I can suggest is to delete the entire installation, install WordPress afresh from a fresh download of WP, and restore the site from a backup that is dated prior to a date since when you started having the problem. Also make sure that your client’s computer is not infected so that the problem may occur again.

Here are the recommended resources for hacked sites.
http://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked
http://ww.wp.xz.cn/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:
http://codex.ww.wp.xz.cn/Hardening_WordPress
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

Thread Starter cruxwireweb
(@cruxwireweb)

12 years, 7 months ago

I will try that, thank you.

Would this diagnosis explain why I can log in on my computer (with her account), but she can’t with her computer?

Also, is it possible the infection is in the database? I have not checked the code line by line for all files, but everything looks normal.

Thank you for your time
Kim

Krishna
(@1nexus)

12 years, 7 months ago

As you can login using your computer, it indicates that the problem can be with her computer. It is quite common for intruders to use computers from where sites can be accessed and malware injected. The database also may contain malicious code. As you seem to be conversant with the problematic scripts/codes and as you say you have checked the database, you may go ahead with restoring the site. But keep monitoring the site and also harden the site.

Thread Starter cruxwireweb
(@cruxwireweb)

12 years, 7 months ago

Actually, I haven’t checked he database yet – still figuring out how. 😉 Do you know if there is a tool I can use for this?

Thread Starter cruxwireweb
(@cruxwireweb)

12 years, 7 months ago

Unless Wordfence or Sucuri checked the database?

Krishna
(@1nexus)

12 years, 7 months ago

No such reliable tool. You can download and open the database using a reliable text editor and search for doubtful strings using common search tools such as Find (ctrl+F) and delete them. However, make copies of the database and keep them safely so that you can use them in case you happen to damage one copy. Also try to use a local WordPress installation so that you can go through each table of the database (phpMyAdmin) and also make sure the site functions properly before you export the database to the live site.

Thread Starter cruxwireweb
(@cruxwireweb)

12 years, 7 months ago

OK. I was hoping to avoid the line-by-line thing, but at least I know there isn’t a viable alternative. Thanks again for your help.

Viewing 8 replies - 1 through 8 (of 8 total)

The topic ‘Client can't log in’ is closed to new replies.

Client can't log in

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics