My web page was hacked

My WordPress web site was hacked a while ago. In the process of clearing things up, I ran into a folder called “compartmented-chattererz”, which got deleted along with a bunch of other stuff. I now have a that runs in the background that catches calls to non-existent pages on my site. I get a bunch of calls that include compartmented-chattererz in the URL along with something after it (see below). I’ve tried looking it up on the internet but I can’t find anything about it. Any ideas?

I also get a lot of calls to pages such as http://www.mikeglass.com/free-auto-loans. What’s the point of that?

Someone was using your service to host a bunch of spam from the looks of it; they were probably cycling scams based on what was getting flagged from your domain.

-Jim

1 Like

Wordpress is a PITA. You have to be 100% on top of all the patches and proper settings to avoid this.

Your best bet is to save the content that is yours, burn the site down, and rebuild it - after verifying your site code.

2 Likes

Wordpress has been auto-updating for quite a while now; the typical case of this failing is only on botched installs or shared hosting where wordpress is not given permission to update its own files.

-Jim

1 Like

That’s how I fixed it. Deleted everything from the server, reinstalled WP and got most of my data back from old backups. There is nothing on there important. I’m just amazed how many attempts there are to access non-existent pages.

There are some firewall plugins like Wordfence but only worth anything if you keep all other plugins and themes up to date.

I hate WP with a passion but I have to maintain about 200+ websites built on it. Seems advertising agencies just love WP.

1 Like

Using Wordfence goes a long way, but as others have said, you need to keep everything updated. Additionally, reduce the number of plugins you are using, and finally, verify the permissions on the files and directories are set correctly; the script located at https://gist.github.com/macbleser/9136424 is a good place to start.

1 Like

Word of advice from someone that’s seen too many WP installations cracked into…

BLOODY SCAN ALL OF YOUR DATABASE! Even the backups. Then install a WAF like naxsi waf and funnel all the logs to http://www.ossec.net/. Plus set up block lists with https://www.threatstop.com/.

And good gods don’t use a community hosting like godaddy/hostgator. Use something like wordpress on digital ocean and docker.

Then… and only then use plugins like wordfence as the last layer of defense. The rest just builds up the great wall plus the castle.

As for those “non-existent” page hits: well, that’s all coming from a botnet, and most likely they installed a c99shell and then set up a bit of script to do:

  1. adware farming
  2. message passing for botnets
  3. malware redirection via javascript.
  4. other nasties that will not be published to j. q. maker.
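
An added example, not written by any poster in this thread: one way to see what the hits on non-existent pages are aimed at is to group the 404 responses in the web server access log by their first path segment. The log lines are constructed samples in combined log format using documentation-range IPs, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines; the paths mirror the ones named in the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2019:10:00:01 +0000] "GET /compartmented-chattererz/page-one HTTP/1.1" 404 512 "-" "bot-a"
198.51.100.7 - - [10/Mar/2019:10:00:05 +0000] "GET /compartmented-chattererz/page-two?x=1 HTTP/1.1" 404 512 "-" "bot-b"
203.0.113.5 - - [10/Mar/2019:10:00:09 +0000] "GET /free-auto-loans HTTP/1.1" 404 512 "-" "bot-a"
192.0.2.44 - - [10/Mar/2019:10:01:00 +0000] "GET /compartmented-chattererz/page-one HTTP/1.1" 404 512 "-" "bot-c"
192.0.2.44 - - [10/Mar/2019:10:01:02 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "browser"
this line is malformed and must be skipped
"""

def top_segment(path):
    """Return the first path segment without the query string ('/a/b?x=1' -> 'a')."""
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    return parts[0].lower() if parts else "/"

def summarize_404s(lines):
    """Group 404s by first path segment: (segment, hits, distinct IPs, distinct URLs)."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "urls": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue  # skip malformed lines and anything that was actually served
        seg = stats[top_segment(m.group("path"))]
        seg["hits"] += 1
        seg["ips"].add(m.group("ip"))
        seg["urls"].add(m.group("path").split("?", 1)[0])
    rows = [(name, s["hits"], len(s["ips"]), len(s["urls"]))
            for name, s in stats.items()]
    # Busiest segments first; ties broken alphabetically for stable output.
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for name, hits, ips, urls in summarize_404s(SAMPLE_LOG.splitlines()):
        print(f"{name:30} hits={hits} ips={ips} urls={urls}")
```

A deleted directory that keeps drawing 404s from many distinct addresses across many distinct URLs shows that the old spam pages are still being requested, which is worth confirming before assuming the site is being probed afresh.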