Hackers, Brute-Force Attacks and Malware

The end of 2015 has been hectic. I’ve spent most of November (and I suspect I’ll be spending all of December) cleaning up sites that have been infected by malware. In the process, I decided to beef up my own sites’ security and I thought I would write a blog post to raise awareness so other website owners could check/clean up their sites and increase security before it’s too late.

It appears hackers from all over the world (or I should say hackers using servers located all around the globe) are desperate to gain access to legitimate, small, mom-and-pop websites to take advantage of their reputation with Google and other search engines (i.e., their Search Engine Optimization (SEO) ranking) in an effort to spread malware (or viruses) and infect unsuspecting users. For more details about what they’re doing, read this article.

While what I’ve seen isn’t the only thing hackers are trying to do, this page will cover what I’ve seen while cleaning up sites over the past few weeks. It could be the results of various types of hacks; I don’t know. I’m not a hacker myself, so I don’t pretend to know what’s going on in their nasty little minds, but here’s what I think is happening, in (hopefully) simple terms, followed by recommendations about how to clean your site and increase its security.


How these Attacks/Malware Infections Occur

I don’t know the exact order of the hackers’ actions, but based on the sites I’ve had to clean up and how spread-out the infected files were, here is the order that would make sense to me:

  1. Hackers use Brute-Force Attacks to force their way into your Content Management System (“CMS” like WordPress, Joomla, and many other popular website platforms). Several attempts are made every minute from various IP addresses to try and guess your password. Hackers know the default login pages for all of these CMS, so it’s pretty easy for them to do that (www.yourdomain.com/wp-admin or wp-login is the default for WordPress.) If your username is “admin” that’s also very bad news. And if you don’t currently limit the number of failed login attempts, it’s just a matter of time before their automated scripts and repeated login attempts can uncover your password.
  2. Once in, hackers can modify the email address associated with that admin username (so you’re not notified of anything that may have changed or that could be wrong with your site). They often create a silly email like nobody@website.com or use a fake email from a large corporation like info@bp.com. They also create new administrative usernames that they can later use to access your site. If you look at the users associated with your site and see any weird email addresses or new accounts that you didn’t set up, that’s a big red flag. If you see usernames without email addresses, that means that they’ve accessed your database directly… Not a good sign at all. If you see this (more info on how to check for this in the next section) and do not want to finish reading this article or deal with technical issues yourself, I recommend you talk to these guys right away.
  3. (This one could have occurred prior to the steps I listed above.) Hackers may have found a separate back-entry or vulnerability. If you use Revolution Slider (a slideshow plugin) and you haven’t kept it up-to-date, you’re probably in trouble. Because of the popularity of both WordPress + Revolution Slider, hackers jumped on the opportunity to infect as many sites as possible once they found a vulnerability with an older version, and it’s easy to tell which sites have it installed. If you don’t use this particular plugin, another vulnerability could have existed and been exploited in another plugin, your theme, or an outdated WordPress installation. Many possible entry points exist and it’s hard to tell how hackers could have gotten in. Heck, they could have reached your files from another website that belongs to another person/company on the same shared server. (If you don’t know, login to your hosting company. If you pay peanuts per month and use GoDaddy, BlueHost, HostGator and the likes, you’re probably on a shared server. I’m not saying that these hosting services are not secure, I’m saying that you’re likely sharing a server and that, based on this report, it’s possible for hackers to access other files on the same shared server. Then again, there’s no point in paying big dollars to get your own dedicated server if you have little or no traffic just for peace of mind. I recommend a better solution at the bottom of this page.)
  4. Our unfriendly hackers then modify various files in every nook and cranny of your installation. They could modify your theme files (what determines the ‘look and feel’ or ‘appearance’ of your site) because they know you’ll likely never modify these files. They could also install plugins that prevent WordPress/other CMS from upgrading to their latest version (so they can continue to exploit whatever vulnerability they may have discovered) and they infect core files (like wp-config.php and files located within wp-admin and wp-includes folders). Of course, they can also infect plugins and even upload hidden files within the uploads folder. Nothing is out of bounds once they sneak their way in. That means their malicious code could also spread to other installs on the same server (and most of us little-guys use shared servers… Ouch!) Hackers also modify file permissions on these folders, preventing legit users from deleting or modifying their malicious code once it’s been inserted…
  5. At that point, your site is a big mess of malicious code. It’s just a matter of time before malware appears on various pages of your site and before Google and other sites “blacklist” your site and start giving you a bad reputation… (and your site starts infecting people’s computers, and possibly your own!!!)

While I hope your site hasn’t been infected yet, chances are that someone has automated a script to attack your site with Brute-Force and possibly infect it.

How to Determine If Your Site is Clean or Infected

I hope I’ve scared you enough to make you want to log into your own site and have a look at your list of users.

Checking for Suspicious or Corrupted Usernames

In WordPress, you can access this menu via the left-column once logged in, then click on Users -> All Users. If you don’t see this menu, contact your web developer and ask them to grant you “administrative access” (you’re probably just an “editor”). You’ll want to inspect your list of users, especially “administrative users.” Look for weird or absent email addresses or names that you don’t recognize.

Malware Scan

You should also run this free scan to determine if your site is infected with malware. But beware!!! I’ve seen many sites that were reported as being “clean” with this tool but that showed numerous red flags (unauthorized admin users + several hundreds of files that were modified). Keep reading to know what else you can do to check if your site is in the earlier stages of infection.

Security Plugins for More Thorough Scans

For WordPress, I recommend you install the following free plugins (you need administrator access to install new plugins, then left column, go to Plugins -> Add New and find your way to these plugins):

  • Anti-Malware: You’ll have to register the plugin (after installing and activating it, go to the “Anti-Malware” item in the left-column of WordPress then enter your contact information in the right column and click a few buttons to register and download the latest data before you can perform a scan of the core-files, plugins, and theme files. Highly recommended. This can pinpoint files that do not match what WordPress has installed by default and it even offers to remove malicious code in some files.
  • Sucuri Security: This one offers a malware scan and ways to “harden” your site following a hack. Be very careful with these ‘hardening’ buttons. They’re easy to press but could break some of your website functionality… (But it’s easy to revert if you find something that’s broken).
  • WordFence: This one is a great way to be notified of and block IP addresses that are trying to get into your site via Brute Force. Once again, you’ll need to go through a long list of options and check various boxes, but it works well and it comes with a neat dashboard on the main admin page of WordPress that gives you a good overview of what’s happening in terms of hacker activity toward your site. I highly recommend receiving the automated emails they offer to be notified of login attempts.
  • All-in-One WP Security: This is a great tool that will allow you to beef-up various parts of your website, including changing the login page, modifying the file permissions for various folders, and modifying your database table prefix without having to go through your hosting account and phpmyadmin. You can also limit the number of login-attempts here and automatically ban IP addresses that try to login using usernames that don’t exist. It will be a time-consuming process to go through all of the tabs and check boxes, but it’s well worth it. Plan to pour yourself a strong cup of coffee and have at least 30 minutes to do it.

Once the plugins I listed above are installed, you can run various scans. They may tell you if your site has been infected.

How to Update Your Site and Clean it Up

Usernames

At this point, you may want to set up a brand new username and hard-to-crack password. Don’t pick something easy like ‘domainadmin’ or your company or personal name. That’s too easy to guess. Use a combination of letters and numbers in your username and use a random string of characters for your password (your hosting company may limit what you can use for admin users, so use the WordPress interface to do it). WordPress (the latest version) will provide you with a really strong password. If you discover that your site was hacked, WordFence will show you if hackers have been trying to log in using real existing usernames. If your username appears there, set up a new one and delete the old one that is known by the hackers.

Plugins and Malware Scans

Once logged in as an administrative user, you should see if any updates need to be installed. If you haven’t updated your site in a while and don’t see any available updates, check your list of plugins to see if you have something called “Disable all WP updates” or similar. If so, deactivate it and delete it after talking to your web developer. (It may have been installed with a specific reason in mind.)

You’ll first need to do a complete back-up of your database + files (see here for a list of backup plugins), then upgrade WordPress and your plugins BUT, this shouldn’t be done without talking to your web developer. It’s also a great idea to have FTP access and hosting login handy in the (unlikely) event that your upgrades bring your site down. It’s possible that some of your installed plugins may have been modified to fit your exact needs, and by upgrading those plugins, you would delete those custom changes… so BEWARE!! Carefully back-up then update your plugins (again, talk to your developer first, or ask him/her to do it for you and you should definitely have a back-up of that pre-upgrade plugin handy if you did inadvertently break it).

If you encounter problems during the “deletion” or “upgrade” process (WordPress freezing or giving you some sort of error message), it’s likely because hackers have modified file permissions on various files and folders, and you won’t be able to change those permissions via FTP. You’ll have to login to your host and use their built-in FTP manager, then reassign “write” permission to the owner of that file. You’ll have to reassign the correct permissions to all folders and sub-folders, which can be time-consuming.

Look at your list of plugins (and talk to your developer). Remove any that are deactivated or unnecessary. (Files for deactivated plugins exist on your server and their code could provide a back-entry for hackers).

Does this sound like too much work? Possibly. Based on cleaning up more than a dozen sites, it takes about two hours per site to do what I’ve listed above and much more if malicious code has spread far and wide and if you can’t locate the source of malware right away (could be an externally loaded file that looks like javascript, could be something else).

If you’re site is infected, I recommend you use Sucuri’s Malware Removal Services.

Better, More Secure Hosting for WordPress

If all of this scares you (and it should, at least enough for you to take action and beef up your site’s security), I recommend that you move your site over to a WordPress-only hosting company that really cares about security. I recommend the guys at FlyWheel.

WordPress hosting is ALL they do, and security is really important to them, as you can see if you click on previous link (or image to the left) and navigate to Why FlyWheel->Hacker-Free Security to learn more. They also migrate your site from your old host to them for free (although I would highly recommend that you clean up your site first!)

Moving Forward

I recommend that you review your site status and security at least quarterly. This means you should backup and upgrade WordPress and your plugins, then run regular scan of your site to make sure everything is clean and clear of malicious code. If you modify your site daily, you may want to do this more frequently.

Make sure to install anti-virus software on your computer. Of course, Windows-computers are more vulnerable than Macs, but I use a Mac and I can tell you that my free anti-virus (Sophos Anti-Virus) has spotted (and removed) malware for me in the previous weeks. Always keep your anti-virus updated and run regular scans, especially if you use a Windows-computer, but with Mac’s popularity on the rise, who’s to say if hackers will soon target us with more malware and viruses…




If you found this information helpful, and especially if it has helped you to clean up your site and discover malicious code, I’d appreciate a small donation:


Fatal error: Uncaught ErrorException: md5_file(/home/gocreate23/creativecs/wp-content/litespeed/js/f68a6e8cd288e3708b866ebbef366b72.js.tmp): failed to open stream: No such file or directory in /home/gocreate23/creativecs/wp-content/plugins/litespeed-cache/src/optimizer.cls.php:140 Stack trace: #0 [internal function]: litespeed_exception_handler() #1 /home/gocreate23/creativecs/wp-content/plugins/litespeed-cache/src/optimizer.cls.php(140): md5_file() #2 /home/gocreate23/creativecs/wp-content/plugins/litespeed-cache/src/optimize.cls.php(837): LiteSpeed\Optimizer->serve() #3 /home/gocreate23/creativecs/wp-content/plugins/litespeed-cache/src/optimize.cls.php(382): LiteSpeed\Optimize->_build_hash_url() #4 /home/gocreate23/creativecs/wp-content/plugins/litespeed-cache/src/optimize.cls.php(264): LiteSpeed\Optimize->_optimize() #5 /home/gocreate23/creativecs/wp-includes/class-wp-hook.php(324): LiteSpeed\Optimize->finalize() #6 /home/gocreate23/creativecs/wp-includes/plugin.php(205): WP_Hook->apply_filters() #7 /home/gocreate23/cr in /home/gocreate23/creativecs/wp-content/plugins/litespeed-cache/src/optimizer.cls.php on line 140