Website security breach need help URGENT

Hi All,

I have multiple WordPress websites for different people. My hosting provider has recently taken one down due to malicious scripts within the site. Their system deleted some harmful files and zipped up my site's contents. They now want me to ensure the problem has been sorted before they bring it live again, otherwise the domain could become blacklisted. I have been trying to run the site offline on my PC but that hasn't worked, nor has scanning and looking over the code got me anywhere. The hosting provider told me I should just hire someone to ensure all is good, so does anyone know an individual who can do this? It's not a big website; the whole file is only 250 MB.

Please, if you know someone who can help or have any tips, please tell me.

Thanks in advance


Did they give you a list of the files they deleted? If so, you can grep the logs and find out exactly when and how the malicious code was injected onto your website. I would say 99% of the issues I have with my clients are WordPress related, but luckily the severe lack of security in WordPress also makes it easy to determine what was exploited.

-KuJoe


Just now, KuJoe said:

Did they give you a list of the files they deleted? If so, you can grep the logs and find out exactly when and how the malicious code was injected onto your website. I would say 99% of the issues I have with my clients are WordPress related, but luckily the severe lack of security in WordPress also makes it easy to determine what was exploited.

Yes, they told me which 2 files were deleted, and how would I grep the logs in cPanel?


Just now, nagsterza said:

Yes, they told me which 2 files were deleted, and how would I grep the logs in cPanel?

You can either open the access logs in cPanel directly if the exploit was recent, or you can look at the access.log files via the File Manager, FTP, or SSH (if available). Just open each log and find the name of the file that was deleted. Once you find the first instance of it, grab the IP that accessed it and search for that IP in the logs to see what other files they accessed. Then you'll know how they exploited your WordPress site.

-KuJoe
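The log-trace procedure KuJoe describes (find the first request for the deleted file, take that client IP, then list everything that IP touched), as an added example that is not part of this thread. It assumes Apache combined-format access logs as cPanel provides them; the log lines, the deleted file name and the plugin path are constructed sample data, not from any real site.

```python
import re
from typing import List, Optional, Tuple

# Apache/cPanel "combined" access log format, one named group per field we need.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not a real capture). The hypothetical deleted file is
# wp-content/uploads/2017/01/cache.php; the plugin path is a placeholder and
# the client addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jan/2017:10:01:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Jan/2017:10:02:40 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 200 812 "-" "curl/7.50"
198.51.100.23 - - [03/Jan/2017:10:02:45 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 44 "-" "curl/7.50"
198.51.100.23 - - [03/Jan/2017:10:02:51 +0000] "GET /wp-content/uploads/2017/01/cache.php HTTP/1.1" 200 1093 "-" "curl/7.50"
203.0.113.7 - - [03/Jan/2017:10:05:00 +0000] "GET /about/ HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Jan/2017:10:06:30 +0000] "POST /wp-content/uploads/2017/01/cache.php HTTP/1.1" 200 220 "-" "curl/7.50"
"""

def parse(log_text: str) -> List[dict]:
    """Parse every well-formed line into a dict; silently skip lines that do not match."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def first_hit(entries: List[dict], filename: str) -> Optional[dict]:
    """First request whose path ends with the deleted file's name (logs are chronological)."""
    for e in entries:
        if e["path"].split("?", 1)[0].endswith(filename):
            return e
    return None

def requests_from(entries: List[dict], ip: str) -> List[Tuple[str, str, str, str]]:
    """Every request made by one client address, in log order."""
    return [(e["ts"], e["method"], e["path"], e["status"]) for e in entries if e["ip"] == ip]

def trace_deleted_file(log_text: str, filename: str) -> List[Tuple[str, str, str, str]]:
    """The procedure from the post: locate the file, take that IP, list all it accessed."""
    entries = parse(log_text)
    hit = first_hit(entries, filename)
    return requests_from(entries, hit["ip"]) if hit else []

if __name__ == "__main__":
    for ts, method, path, status in trace_deleted_file(SAMPLE_LOG, "cache.php"):
        print(ts, method, path, status)
```

In the sample trail the requests that precede the first hit on the deleted file (here a POST to a plugin endpoint) are the ones that show how it got there; on a real server, repeat this over every rotated access.log, not just the current one.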


1 minute ago, b.macpherson said:

https://www.wordfence.com/ these guys are awesome. I use them for all my business' WP sites. Their site cleaning service was fantastic too!

Holy crap, I could be getting paid to fix WordPress sites?!?? Time to dust off my old Fiverr account. :D

-KuJoe


4 minutes ago, nagsterza said:

just hire someone

In South Africa? Good luck, man.

There's a lot of cowboys out there, but I can name some certs you might like to throw at anyone who wants to do the job.

OSCP, which is the cheapest but does have some credibility.

CCSP comes from the realms of ISC, which was a volunteer effort to get some credibility into cloud security analysis.

Like I said, good luck finding a pro. You will find a lot of web programmers who know this stuff but have not gone into getting these certifications; they cost money and time. It is good to ask for these things, and it's also good to ask your web host what their requirements are. Shit, without any cred what is stopping you from just telling your host that you are ok? How can a web developer quote for this with some assurance to you that they know what they are doing?

These certs are all industry volunteer efforts to provide some professionalism and ethics into the job required, except OSCP, which is purely commercially driven.

I'd do it for you but I don't have the time or setup (business model) to respond to such an urgent request.

             ☼

ψ ︿_____︿_ψ_   


2 minutes ago, SCHISCHKA said:

In South Africa? Good luck, man.

There's a lot of cowboys out there, but I can name some certs you might like to throw at anyone who wants to do the job.

OSCP, which is the cheapest but does have some credibility.

CCSP comes from the realms of ISC, which was a volunteer effort to get some credibility into cloud security analysis.

Like I said, good luck finding a pro. You will find a lot of web programmers who know this stuff but have not gone into getting these certifications; they cost money and time. It is good to ask for these things, and it's also good to ask your web host what their requirements are. Shit, without any cred what is stopping you from just telling your host that you are ok? How can a web developer quote for this with some assurance to you that they know what they are doing?

These certs are all industry volunteer efforts to provide some professionalism and ethics into the job required, except OSCP, which is purely commercially driven.

I'd do it for you but I don't have the time or setup (business model) to respond to such an urgent request.

Well, I told my host I checked it and found nothing; he just said that if I found nothing it's probably still compromised. Also really not in the mood to get blacklisted. What I'm thinking is once the site is live, I can unleash every WordPress security plugin on it...


Just now, nagsterza said:

Well, I told my host I checked it and found nothing; he just said that if I found nothing it's probably still compromised. Also really not in the mood to get blacklisted. What I'm thinking is once the site is live, I can unleash every WordPress security plugin on it...

Those security plugins are cute and work sometimes. They definitely won't work if your WordPress install already has a backdoor in it though, which it most likely does unless the hacker has no clue what he's doing (which could be possible, because it takes no knowledge or skill to exploit a WordPress install if you install any plugins or themes).

If you want to send me a copy of your access.log files and the names of the files your host deleted, I can check them over for you if you'd like. PM me for my e-mail address if you're interested.

-KuJoe


6 minutes ago, KuJoe said:

Those security plugins are cute and work sometimes. They definitely won't work if your WordPress install already has a backdoor in it though, which it most likely does unless the hacker has no clue what he's doing (which could be possible, because it takes no knowledge or skill to exploit a WordPress install if you install any plugins or themes).

If you want to send me a copy of your access.log files and the names of the files your host deleted, I can check them over for you if you'd like. PM me for my e-mail address if you're interested.

PM'd you


I second Wordfence ... you get notifications of suspicious activity, login attempts and much more. I have Wordfence on both of the WordPress sites that I host for companies and have never had any problems.


Are you sure there's no incident of you accidentally putting the script on the site?
