[Solved] Suspended: Sahdes

[sahdes]

username: sahdes

server: Stevie

domain: sahdes.heliohost.org / sahdes.org

No idea why. Thank you.

Plus, I cannot access my CP either (I got the renew pw mail but the sent code doesn't work).

[Byron]

Your account was suspended for causing high server load. I have unsuspended your account, but please try to limit the load you put on our servers as it slows down not only your site, but the sites of all other HelioHost users sharing your server.

 

If you still see the suspended page, please clear your cache.

 

According to your home page, your site was hacked. I can reset your password if you need me to.

[sahdes]

Now the site's online again but it's been hacked by some terrorists!! I'm working on it

 

That may have caused the high server load...

 

update: I just updated wp and everything went back to normal

[wolstech]

Wordpress is notorious for its terrible security and for being hacked...in fact, it's one of the leading cause of hacked sites on our service.

 

Usually, the issue is caused by the use of "free" themes and extensions from dubious websites (they're "free" because the criminals distributing them make money using the malware/backdoor built into them to abuse websites for spam or phishing). It's also common for people to forget to install the security updates for WP and the extensions.

[sahdes]

I know, and I've installed wordfence to avoid those issues. But it's weird. This time, eveyithing within WP was intact, they just changed index.php, and it doen't seem have been done trhough the WP editor, as if they had gained access to my CP and replaced it there...

[wolstech]

They probably used a backdoor or known vulnerability in WP to do it. When the malware in a theme or extension is used by the attacker, it's not generally accessed through any of the "normal" admin interfaces, so changing passwords won't fix it (and in fact, depending on the malware, it could just get the new password stolen).

 

Very often, such malware is accessed through some hidden URL arguments or by doing something on a C&C server and waiting for the malware to receive the instructions (in both scenarios, the initial malware that accepts these arguments or talks to said server was unknowingly installed by you as part of an infected free addon). The malware's capabilities generally allow attackers to create/alter/delete files and in some cases read/edit your database as well.

 

The reason I recommend against WordPress is because it is difficult-to-impossible to fully secure (especially if you use themes or extensions/plugins), and it needs a lot of maintenance to keep secure. As a result, it is often vulnerable and (based on my experiences dealing with abuse reports and suspensions) is a leading cause of hacked websites here at Heliohost.

[Krydos]

Since you guys keep talking about it I got curious. Check out

/home1/sahdes/public_html/wp-content/aa.php

What that file means is anyone who wants to can send as many phishing scams or spam through your account they want to, bypassing all of your passwords and plugins that you installed. Overwriting your index.php definitely didn't fix everything. Like wolstech said it is best to wipe it all and start over fresh. Who knows what else is hiding in there. It took me about 30 seconds to find that file. If the hackers actually put some effort into it it would be much harder to find.

[sahdes]

Thank you for your information. As you said, the site's heavily hacked, down again, and having changed the passwords was useless, I've even lost access to my CP.

 

Now, when I try to reset password it doen'st work. I receive the mail, enter the code, and nothing happens, it keeps asking for the code. Direct link neither works. What can be done?

[wolstech]

That's because it's suspended for high server load...again.

 

You need to reinstall everything using clean, up to date versions (and then keep them updated), or not use WordPress. Almost every hacked site we see is hacked WordPress, so not using it will probably significantly lower your odds of getting hacked.

 

If I unsuspend you, do you agree to immediately delete everything in the public_html folder (except the cgi-bin folder, which should be empty)?

[sahdes]

(sorry for my bad english) If you can, just please give me a couple of hours to try to get the site clean, whithout losing years of posts. I have the wordfence plugin which is pretty good on that. I have to use WP because it's for a non-profit NGO blog, I have to rest in some patform that allows the team to post stuff without depending on me. But I keep it always updated, with just a few and well known plugins and this wordfence to keep it secured, I don't know what happened. If I don't manage to clean it at first, I will erase everything. Let me know if that's possible.

[wolstech]

Escalating.

 

@Krydos/Byron: He already tried and failed to clean this once...and we all know the story with WP. What do you think?

[sahdes]

Sorry, a clarification: I didn't try, I just updated WP and everything looked ok, my bad. This time I will.

 

I've run this site for years and it had never happened something like this.

 

UPDATE: I've found a backup from a year ago. If I fail to clean the site as it's now, I'll just restore that one.

[Byron]

Your site is unsuspended. Go ahead and clean it up.

I renamed

 

/home1/sahdes/public_html/wp-content/aa.php

 

to

 

/home1/sahdes/public_html/wp-content/aa.txt

 

just in case.

[sahdes]

Done. Meanwhile (before you renamed aa.php), on an automatic scan wordfence had found this

 

[sep 01 22:35:46] Adding issue: File appears to be malicious: wp-content/aa.php

[sep 01 22:35:46] Adding issue: File appears to be malicious: wp-content/isis.php

So it's effective, it was me that missed the alerts. Sorry about that, henceforth I'll be on guard.

 

Both deleted, a new scan produced

 

Congratulations! No security problems were detected by Wordfence.

 

So all should be OK. Thank you very much.