• Hello guys! So my friend asked me why his website seems weird on Google and why the meta title seems to be “トリプルフローアイロン”. After checking the request logs on his hosting panel and checking the files on FTP, it’s clear that the website was hacked by someone who wants to position their product / website using unethical methods. Some files (like index.php or ArASEYYo.php in the root folder) have been decrypted, but CyberChef didn’t seem to help with decrypting / deobfuscating the file. My goal is to decrypt these files to see what other files are linked to it and delete all of them (deleting a single file doesn’t change a thing, it appears again). Also we want to find the attacker.

    So here are two questions regarding this topic:
    1. Is there a community where people with similar experiences share the malicious files of their websites and cooperate to find solutions?
    2. Where should I search for the solutions? I’ve only used “CyberChef” to try decrypting it, are there any other tools you guys recommend?

    Thank you in advance,

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    https://ww.wp.xz.cn/support/article/faq-my-site-was-hacked/

    https://ww.wp.xz.cn/support/article/hardening-wordpress/

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    My goal is to decrypt these files to see what other files are linked to it and delete all of them (deleting single file doesn’t change a thing, it appears again). Also we want to find the attacker.

    I hope not! At least nowhere on ww.wp.xz.cn site. 🤣

    *Drinks coffee, so good.*

    It honestly does not matter what the files are doing or what decrypting them reveals; we don’t permit sharing that information on this site. Same with who the attacker is or what compromised sites they are exploiting. It is removed when found.

    There are sites where that data is shared, just not this one. That’s dangerous information and we don’t want to post that here.

    The links that Steven shared are better because the operative thing is to close the gap they exploited and harden your installation.


The topic ‘WordPress site hacked – decrypt files?’ is closed to new replies.