Yesterday I noticed that my site was hacked and a PHP backdoor was installed on it.
The virus scanner reported a plugin file inside my wp-content/uploads
which I did not upload myself. It included a WordPress plugin plus some PHP shells.
I don't know how this file was placed there; by using this file, the hacker could access the root folder of my host, create files and change file permissions to allow them to be executed.
I don't know how this helps the hacker or what the benefit was for him/her, but he could create a file on my host and claim my site as his property in Google Search Console. I want to know:
- How can I find the security hole on my site?
- What was the benefit for the hacker in claiming my site as his/her property in Google Search Console? I removed him/her from the Google Search Console of my site, but I want to know the risks that it might bring for me.
I'm using WordPress 4.6.9. I've sometimes used plain FTP for file transfers, which I guess might put me in trouble, but I'm not sure. I also noticed a change in the size of the database and in host disk usage.
asked Jun 10, 2018 at 8:55 by VSB

1 Answer
The symptoms you mentioned in your question and comment indicate that you might have a compromised / nulled plugin or theme that deployed some sort of shell bomb. It's possible that there are multiple malicious files in your main domain, add-on domains and subdomains. It's also possible that your default core WordPress files have been infected by malicious code. This type of behavior is quite common.
Your best bet here is to:
- Check the modified timestamps of files and folders. Find the most recently modified files. Start by collecting samples from files with the `.suspected` extension. The lines in your htaccess are basically telling Apache to treat `.suspected` files as PHP files, which means they are executable. So these are not quarantined files; these are active malware.
- Try to identify the malware signature. This can be a difficult task, but you should be looking for encrypted code first. Hackers usually use `eval` and `base64_decode` to decrypt encrypted code. Also check for `file_get_contents`.
- When you identify one or two signatures, start hunting for them with the acquired pattern.
- Another way is to download the entire WordPress installation, open it in a text editor and use "find in all files" to find malicious code. In this case I would recommend Notepad++, but you can use any good text editor.
- Now, after checking each directory, upload your website.
- Install a security plugin to scan your installation for malware and compare core files against their respective repositories to find any possible modifications.
It's also possible that after all this there might be some leftover pieces of malware that can make your site vulnerable to remote file uploads, remote file inclusion or hidden administrative users, which can be very hard to detect.
Now here I would recommend using an antivirus to scan for malicious files, but such malicious code can easily evade most antivirus products. So I would recommend that you find an expert to do this for you.
You should also update your WordPress installation, plugins and themes to their latest versions and change the passwords of your control panel account, database and WordPress users.
Lastly, at best the hacker can only infect the server on which the website is present to possibly send mass mails, run cryptocurrency miners, steal user information or host phishing pages, but it cannot affect your Google Search Console account.
I hope this will help you. Best of luck.
AddType application/x-httpd-php .suspected
AddType application/x-httpd-php5 .suspected
AddHandler application/x-httpd-php .suspected
and I don't know what .suspected means. Besides, installing older backups does not guarantee that the security hole is blocked, and this might be repeated. I would be thankful if I could have your opinion about this. :) – VSB Commented Jun 10, 2018 at 9:09