Recovering from the xxx-exploiter attack

At the risk of painting a big circular target across my site, I would like to document how I recovered from a recent hack on my website.

About the Hack/Attack

Information on this attack is pretty sparse across the internet, and I struggled initially to understand what was going on. In the simplest terms, it is a basic redirection attack: visiting your website's URL takes the visitor to a different website (despite the name, there is nothing adult about the site or its content). You will also no longer be able to log in to your WordPress admin dashboard, because the attack tampers with your user account in the database.

However, as long as you have FTP access to your website and a backend way to reach the MySQL database (such as phpMyAdmin), you can fix this issue with no more than a few scratches.

The instructions assume a fair understanding of hosting and website management. PHP knowledge is not essential. If you need additional instructions, feel free to drop a comment and I will be glad to help out.

Cleaning Up

The attack leaves multiple unwanted files and modifications on your website, so cleaning up will take some effort. My best suggestion is to download the entire site onto your local computer and work on that copy. I did not see any files infected by viruses, but you should scan the entire downloaded folder with a good anti-virus before you begin tinkering around.

Log in to your website's control panel and, through a DB access tool such as phpMyAdmin, export the entire database as a .sql file and save it on your local machine. We will come back to it in a moment.

Starting at the root folder of your WordPress installation, search for the file xxx.php and delete it. You should see some 404.html files as well; delete them too. If you want to understand the attack later, keep a copy of these files in your offline download, but do not leave them on the server.

Impacted wp-content folder from the attack

In parallel, speak with your host and have them reset your account. Once reset, upload a coming soon page (something like this [Download Files] or this [Download Files]).

The easy parts are over; next you need to fix the .htaccess files. Starting with the website root, search for all .htaccess files, including the ones inside wp-content. Not all of them are infected or need to be removed: some are simply put there by your plugins to prevent direct access to plugin folders (a line such as Deny from all is normal). What you are looking for is any Redirect instruction, or a RewriteRule whose target is a full http:// URL on another host. I found one in my uploads folder:

Redirect 301 / http://{nasty-url-here}/loading/

Clean up all such redirects, keeping a backup copy of each file you edit. The standard WordPress block (RewriteRule . /index.php [L]) is not a redirect and must stay. You can also take a step further and build a stronger .htaccess file by following the instructions in the next section. With this, your website files are all cleaned up; let's look at the database you have exported.
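Going through every .htaccess by hand is tedious on a site with many plugins, so here is an added example (my own script for this post, not part of WordPress or any plugin) that walks the downloaded copy of the site, lists every Redirect/RedirectMatch directive and every RewriteRule that points at an absolute http(s) URL, and can strip those lines while leaving a .bak copy beside each touched file. The site tree it builds for demonstration is constructed; the host nasty.invalid and the folder names are assumptions, not taken from the post.

```python
import os
import re
import shutil
import tempfile

# Apache directives that can send a visitor to another host. The stock
# WordPress block (RewriteRule ... /index.php) and plugin files that only
# say "Deny from all" or "Options -Indexes" do not match this pattern.
REDIRECT_RE = re.compile(
    r'^\s*(?:Redirect\w*\b|RewriteRule\b.*\bhttps?://)',
    re.IGNORECASE,
)


def find_redirects(root):
    """Return (path, lineno, line) for every redirecting directive in every
    .htaccess file below root, in os.walk order."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if '.htaccess' not in files:
            continue
        path = os.path.join(dirpath, '.htaccess')
        with open(path, encoding='utf-8', errors='replace') as fh:
            for lineno, line in enumerate(fh, 1):
                if REDIRECT_RE.match(line):
                    hits.append((path, lineno, line.rstrip('\n')))
    return hits


def remove_redirects(root):
    """Delete the matching lines in place, after copying each touched file to
    <file>.bak. Returns {path: number_of_lines_removed}."""
    removed = {}
    for path in sorted({p for p, _, _ in find_redirects(root)}):
        shutil.copy2(path, path + '.bak')
        with open(path, encoding='utf-8', errors='replace') as fh:
            lines = fh.readlines()
        kept = [l for l in lines if not REDIRECT_RE.match(l)]
        with open(path, 'w', encoding='utf-8') as fh:
            fh.writelines(kept)
        removed[path] = len(lines) - len(kept)
    return removed


# The block WordPress itself writes to the root .htaccess; it must survive.
WP_BLOCK = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""


def make_fixture():
    """Build a constructed site tree in a temp dir (not a real site) and return
    its path: a clean root .htaccess, a benign plugin one, and one that carries
    the same kind of 301 redirect the post describes."""
    root = tempfile.mkdtemp(prefix='wp-fixture-')

    def put(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(text)

    put('.htaccess', WP_BLOCK)
    put('wp-content/uploads/.htaccess',
        'Redirect 301 / http://nasty.invalid/loading/\n')   # assumed hostile host
    put('wp-content/plugins/foo/.htaccess', 'Options -Indexes\nDeny from all\n')
    return root


if __name__ == '__main__':
    import sys
    site = sys.argv[1] if len(sys.argv) > 1 else make_fixture()
    for path, lineno, line in find_redirects(site):
        print(f'{path}:{lineno}: {line}')
```

Run it with the path of your downloaded site as the only argument to get the list; call remove_redirects() only after you have looked at each hit, since a RewriteRule to an external URL can occasionally be legitimate (a plugin implementing a deliberate redirect).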

Open the .sql file and search for the hacker's URL. You may or may not find it. However, you will very likely find that the user_login field of your row in the tcic_users table (tcic_ is my table prefix; yours will be different, wp_ by default) has been replaced with the hacker's id. Replace it with your original user id. While you are in that table, look for user rows you did not create and check that user_email still points to an address you control, since a password reset is mailed there. It is better to change the password as well, but let's wait until the database is uploaded before making that change.

Using phpMyAdmin, import the database by uploading the .sql file. Then go to the tcic_users table and click on Edit against the row with your user id. For the field user_pass, enter the password of your choice in the Value field and set the Function to MD5. WordPress accepts a plain MD5 hash as a legacy password and upgrades it to its own stronger hash the first time you log in, so this is safe as a one-off repair. You can also double check the values in the other fields and make changes if required. Once you are all set, click on Go and the password is changed.

This concludes the clean-up. However, I recommend reading on to the next page, which covers how you can fortify your WordPress installation against similar attacks.
