
I have a weird hacking case with one of my WordPress sites. It's a small site, basically shows 5 blog posts on whether or not the office will be open/closed. It's not too complicated or anything, but it was hacked and now redirects to some spam/malware sites.

Basically the site loads the pages, and after about 3 seconds it redirects. I've checked the header.php, index, footer, and don't see anything obvious, plus they weren't listed as being changed. The other thing that is weird is I ran a linux command to search for files that have been changed in the last 10 days, and the only ones that came back were ones I touched while checking for these redirects and doing :wq with vi. It doesn't seem like anything on the php/backend side is doing this redirect.

It is hosted on an Apache Linux server. Would there be somewhere else I can check to see if this redirect is being made? If there was something that was causing it in the PHP files, wouldn't it redirect immediately instead of letting the site load? There isn't an .htaccess and I don't see anything obvious in the apache.conf file.

After doing some digging I found that there are some script injections in all pages. The script redirects to a page where there is some malicious content. However, the WordPress version control does not say that these pages were edited. It doesn't have anything historical that looks like this had happened. Is it possible that something was changed in the wp-admin to inject these scripts in the editor? Or if you make changes to the WordPress database for a page does it not create a new version? Where would I check that? What permissions should my WordPress site have?

Thanks for the help!

Brendan
  • @lain it is similar, but I think the core question here is not how to deal with the compromise but rather how the observed malware could function in this context. Brendan, I would recommend editing the question, however, to clarify the main question now that you have found the malware. – B00TK1D May 07 '19 at 12:58

1 Answer


If your server was compromised, then it is entirely possible for the attacker to circumvent any application-level version controls through the back end, including the built-in WordPress page versions and timestamps. It is also possible to falsify the date modified on files, as noted here: https://askubuntu.com/questions/62492/how-can-i-change-the-date-modified-created-of-a-file.

There are any number of different specific ways that malware could be created to implant redirection scripts on every page like this, so without analyzing the specific malware there is no way to tell exactly how it was built. Some simple JavaScript would be fully capable of detecting whether you were logged in through the dashboard or not, and only running the redirect code on the public site.

I would recommend referring to these steps for responding to a compromised server: How do I deal with a compromised server?

B00TK1D
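As an added example (not code from the question or answer above), a small triage scanner for the symptom described here: it takes the HTML a public page actually serves and flags inline scripts that pair a timer with a location change (the "loads, then redirects after a few seconds" pattern) and script tags loaded from hosts other than the site's own. The hostnames and page body are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-host script, one injected inline
# delayed redirect, one injected external script. Hostnames are placeholders.
SITE_HOST = "office-status.example"
SAMPLE_HTML = """<html><head>
<script src="https://office-status.example/wp-includes/js/jquery.js"></script>
<script>setTimeout(function(){window.location.href="https://bad.example/landing";},3000);</script>
<script src="https://cdn.bad.example/x.js"></script>
</head><body>Office is open today.</body></html>"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)
# Delayed redirect: a timer plus an assignment to location/location.href or a
# call to location.replace/assign inside the same inline script.
TIMER_RE = re.compile(r"setTimeout|setInterval", re.I)
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=|location\.(?:replace|assign)\s*\(",
    re.I,
)


def find_suspicious_scripts(html, site_host):
    """Return (reason, detail) tuples for one served page.

    'external_script' entries are a triage list, not proof of compromise:
    legitimate CDNs show up too, so compare them against what the theme and
    plugins are known to load.
    """
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname or site_host
            if host != site_host and not host.endswith("." + site_host):
                findings.append(("external_script", src.group(1)))
        elif TIMER_RE.search(body) and REDIRECT_RE.search(body):
            findings.append(("delayed_redirect", body.strip()[:80]))
    return findings


if __name__ == "__main__":
    for reason, detail in find_suspicious_scripts(SAMPLE_HTML, SITE_HOST):
        print(reason, detail)
```

Run it over the HTML of every public page as a logged-out visitor (the answer notes the injected code may behave differently when you are logged in), and compare any hit against the post_content rows in the database and the theme files on disk to locate where the injection actually lives.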