Track down insecure plugin
Hi. Client WP website got hacked by cryptocurrency miners. Website is running a hodgepodge of old and new plugins, all as up-to-date as possible, but some of them legacy, and I suspect one of them let the bad guys in. Question is, which one?
Intruders set up a root user crontab that downloaded Perl mining scripts. I deleted the crontab and blocked all the outgoing URLs and IP addresses, so if they try the same attack again, it won’t work. But obviously that doesn’t prevent them from doing anything else they want with root access to the server. So, question is, how do I figure out which plugin got them root access to set up the crontab?