A number of Just Link Building's client WordPress sites (hosted on a shared host) were attacked last night by CrAzY DoCtoR, who is pushing a political message to save Syrian refugee children.
The politico-graffiti style attack is the third hack in the past 4-6 months against the portfolio of small-business client websites (focused on Leeds, Sheffield and Manchester) hosted by our WordPress design department.
The attack has not come as a shock to members of the security team here at Just Link Building, who have spent the morning successfully cleaning up the graffiti.
Previous attacks witnessed by our team have been similar to this ‘graffiti’, although not as pervasive as the files uploaded by CrAzY DoCtOr to the servers last night, which successfully spread through every directory within WordPress, infecting both the front-end design and the back-end interaction with the WordPress CMS.
Although Just Link Building does sympathise with the message the hacker is pushing, the clean-up of over 32 websites took just a few hours to complete: initially, the index.php and asu.htm files were deleted and/or restored to their original state.
Deleting the altered core files and re-uploading clean copies restored the client websites to their former glory, and they were fully functioning again within a matter of minutes. Further files infected by the CrAzY DoCtOr hack included the WordPress ‘mu-plugins’ directory (which nests inside /wp-content/), where a repeat of the hacker's code injected imgur images into WordPress headers even after the hacker's new index.php had been replaced.
Admin pages and WordPress login pages were also infected with ‘spook’ files and required separate attention from the security team.
How to clean up a simple WordPress Hack
To clean up a graffiti hack such as this (which was performed through PHP/SQL injection via outdated plugins), admins must find, delete and replace any infected files and directories.
By far the simplest and quickest way to do this is via SSH, using a find command to identify the affected files and delete them. These spook files can be located by modification date or simply by name.
Once all infected files are deleted, admins need only replace the core files with the original version of index.php, which is common across all WordPress sites and themes.
Alternatively, admins can pick through the files in cPanel, sorting by date and deleting each new file as required (although this method is somewhat time consuming).
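As an added example (not the post's own tooling), here is the SSH approach above as a small POSIX shell script. It lists files under a site root modified in the last few days, lists files matching the names the post mentions (asu.htm, and anything dropped into wp-content/mu-plugins, which is normally empty on a fresh install), checks a file against a known-good sha256 digest, and restores it from a pristine copy while quarantining the altered file as evidence rather than deleting it outright. The site root, the location of the pristine copy and the quarantine directory are assumptions passed in as arguments; sha256sum is the GNU coreutils tool.

```shell
#!/bin/sh
# Added example, not the post's or any project's own code.
# Assumes: $1 = WordPress document root, a pristine copy of each core file
# kept outside the web root, and a quarantine directory for altered files.

# List regular files under the site root changed within the last N days
# (default 2). A defacement drops or overwrites files, so sorting by mtime
# surfaces them quickly. Caveat: an attacker can reset timestamps with touch,
# so an empty result here is a starting point, not proof of a clean site.
recently_modified() {
  root="$1"; days="${2:-2}"
  find "$root" -type f -mtime -"$days" -print | sort
}

# Flag files by name or location: asu.htm is the dropper name from the post;
# anything inside mu-plugins deserves review because that directory is empty
# on a fresh install and is loaded on every request.
suspicious_by_name() {
  root="$1"
  find "$root" -type f \( -name 'asu.htm' -o -path '*/mu-plugins/*' \) -print | sort
}

# Compare a file's sha256 digest to a known-good value; returns 0 on match.
verify_file() {
  file="$1"; expected="$2"
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Move the altered file into quarantine (timestamped, for later analysis)
# and put the pristine copy in its place.
restore_from_pristine() {
  site_file="$1"; pristine="$2"; quarantine="$3"
  mkdir -p "$quarantine"
  mv "$site_file" "$quarantine/$(basename "$site_file").$(date +%s)"
  cp "$pristine" "$site_file"
}

# Stand-alone usage: sh cleanup.sh /path/to/site-root
if [ "$#" -gt 0 ]; then
  echo "== files modified in the last 2 days under $1"
  recently_modified "$1" 2
  echo "== files matching known dropper names/locations"
  suspicious_by_name "$1"
fi
```

Run the listing functions first and review the output before restoring anything; the known-good digest for verify_file should come from a fresh download of the same WordPress version, never from a copy taken off the compromised host. Cleaning the files without updating the outdated plugin that let the injection in simply invites the next defacement.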
Stopping further attacks in WordPress
Adding free plugins such as Wordfence can hold off some amateur hackers who use known IP addresses; however, where shared hosting is concerned, admins must ensure that the WordPress core and all plugins are kept updated. Further to this, taking regular backups of files ensures that copies of websites are kept and can be restored in times of need.
Common open-source CMS websites like WordPress are hacked regularly, and more frequently over the past couple of years; the majority of attacks are graffiti, the insertion of links or adverts, or the redirection of websites to generate free traffic and hits. Preventing a WordPress hack is almost impossible when using shared hosting with multiple sub-domains/websites, because once a hacker gains access to one website on the shared host they can nearly always get into everything else on it. So even if your primary website is not hacked directly, someone else's site on the same shared host being targeted can infect every domain stored on that hosting.
Many hosting providers will not be able to do anything about the hacks other than offer backups, but if your website has been attacked recently it may be worth contacting your hosting provider just in case.
If your WordPress site has been hacked by the so-called CrAzY DoCtoR, or anyone else for that matter, simply get in touch with the security team here at Just Link Building (by calling 0113 815 0035), who should be able to restore your site in full after inspection. Our team can also install widgets and server analysis software that help prevent future attacks and minimise the risk of being targeted again.
NB: Naturally, we echo CrAzY DoCtOr's message that Syria’s Children Don’t Start Wars, and as such would encourage you to donate to the Save the Children Syria fund today…
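The backup advice above becomes far more useful when the backup also records what every file looked like, because a defacement across 32 sites is then a diff rather than a manual hunt. As an added example (not the post's own tooling), the shell script below takes a tarball of a site root and writes a sha256 manifest of every file; a later run compares the live tree against that manifest and reports each file as MODIFIED, ADDED or MISSING. The site root and the backup directory are assumptions passed as arguments; sha256sum is the GNU coreutils tool, and paths are assumed to contain no newlines.

```shell
#!/bin/sh
# Added example, not the post's or any project's own code.
# Assumes: $1 = WordPress document root, $2 = a backup directory kept
# outside the web root (and ideally off the shared host entirely).

# Write "<sha256>  <path>" for every regular file under a root, sorted by path.
manifest_of() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# Back up the site as a timestamped tarball and record its file manifest.
# Prints the manifest path so the caller can keep it for the next check.
snapshot_site() {
  root="$1"; out="$2"
  mkdir -p "$out"
  stamp=$(date +%Y%m%d-%H%M%S)
  tar -czf "$out/site-$stamp.tar.gz" -C "$root" .
  manifest_of "$root" > "$out/manifest-$stamp.sha256"
  echo "$out/manifest-$stamp.sha256"
}

# Compare the live tree against a saved manifest. Prints one line per
# difference (MODIFIED/ADDED/MISSING <path>) and returns 1 if anything
# differs, 0 if the tree matches the baseline exactly.
check_against_manifest() {
  root="$1"; manifest="$2"
  current=$(mktemp)
  manifest_of "$root" > "$current"
  # sha256sum lines are 64 hex chars, two spaces, then the path; taking the
  # path from column 67 keeps paths with spaces intact.
  awk '
    NR == FNR { base[substr($0, 67)] = $1; next }
    {
      p = substr($0, 67); seen[p] = 1
      if (!(p in base))        { print "ADDED " p;    bad = 1 }
      else if (base[p] != $1)  { print "MODIFIED " p; bad = 1 }
    }
    END {
      for (p in base) if (!(p in seen)) { print "MISSING " p; bad = 1 }
      exit bad ? 1 : 0
    }
  ' "$manifest" "$current"
  rc=$?
  rm -f "$current"
  return $rc
}
```

Take a snapshot right after every core or plugin update, when the tree is known to be clean, and run check_against_manifest from cron; a MODIFIED index.php or an ADDED file under mu-plugins is exactly the signal the post describes. Because the manifest lives outside the web root, a hacker who owns the site cannot quietly edit the baseline to match their changes.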