Hacked - Created new user - WP site not functional


#1

Hello all - I am brand new to the forums.

I recently got hacked and I am trying to remove the intrusion entirely.
I checked the forums and got a response from DreamHost ticketing, and they suggested making new users so one website couldn’t infect the rest of them.
I made a new user on DreamHost and made it an SFTP user, since I heard this was more secure. After the user was active, I edited the user for my WP site and changed it to the new one.

The website comes up, but certain things are not working at all like images that were uploaded to WP. The images that are uploaded directly to the directory are working fine.

How can I fix this?

Also, am I on the right track towards fixing the malware problem?

Here is my site but BEWARE! It currently is injected with Malware - www.slimtrimspa.com

UPDATE!

I just created a testftp user to see if I would have the same problem. Same problem.

The problem was not switching from an FTP user to a SFTP user - just switching to a new user.

UPDATE 2!

Great progress! I created a new user on DreamHost as SFTP, then I took one of my HTML sites (not WordPress) and switched it over to the new SFTP user.

Everything worked fine, as I expected. I decided to take a look at the source code for the HTML files and some of the PHP files as well.

The HACK embeds a line in my HTML and PHP pages starting with the string “eval(base64”. I could not find this string this time, but I did find one in my index.html that started with “eval(function(p,a,c,k,e,d)”. I did not find it anywhere else except index.html, so I deleted that script.

What does this mean for me?
This intrusion is not as malicious as I thought, because it isn’t injecting EVERY HTML and PHP file.

My domains cannot be re-injected if I set them up under their own SFTP user account.

MAKING PROGRESS! =D


#2

It’s safest to run each website in its own user account.


#3

Yes, yes. I have learned this after being hacked.

Do you know why my WordPress websites are not functioning properly after I put them under a new user?


#4

Probably a script was placed in your WP dir that still allows access (TimThumb was a big vulnerability lately that caught many people). They could have modified your .htaccess files as well. If you just did the automated move that DH provides, then all they did was copy your files. If they were infected or changed or otherwise compromised, they’ll still be compromised.

If you know when your site was hacked, you could restore from a backup before that point after deleting everything. That is assuming you don’t have a lot of updates and changes between then and now.
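The two posts above describe what to look for but not how to look: post #1 names the injected strings (“eval(base64” and “eval(function(p,a,c,k,e,d)”), and post #4 warns that the attacker may also have edited .htaccess files. The script below is an added example, not code from this thread or from DreamHost. It walks a web root, reports every file containing either signature (decoding the base64 payload so it can be read, never executed), and lists each .htaccess with its modification time so recent changes stand out. The sample site it builds in a temporary directory is constructed for the demo; point it at a real web root with `python3 scan_eval.py /path/to/site`.

```python
#!/usr/bin/env python3
"""Find eval(base64_decode()) and packer injections in a web root.

Added example for this thread; assumes nothing about the hosting layout.
Signatures come from posts #1 and #4; sample files are constructed here.
"""
import base64
import os
import re
import sys
import tempfile
import time
from pathlib import Path

SCAN_EXTS = {".php", ".html", ".htm", ".js"}

# eval(base64_decode('...')) with optional whitespace; group 1 is the payload.
EVAL_B64_RE = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)
# Header of the JavaScript packer seen in index.html in post #1.
PACKER_RE = re.compile(
    rb"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)"
)


def decode_payload(b64: bytes) -> str:
    """Base64-decode an eval() payload for reading only; it is never executed."""
    try:
        raw = base64.b64decode(b"".join(b64.split()), validate=True)
        return raw.decode("utf-8", "replace")
    except ValueError:
        return "<payload is not valid base64>"


def scan_file(path: Path) -> list[dict]:
    """Return one finding per injected eval() call in a single file."""
    findings = []
    data = path.read_bytes()
    for m in EVAL_B64_RE.finditer(data):
        findings.append({
            "file": str(path),
            "kind": "eval(base64_decode)",
            "line": data.count(b"\n", 0, m.start()) + 1,
            "detail": decode_payload(m.group(1)),
        })
    for m in PACKER_RE.finditer(data):
        findings.append({
            "file": str(path),
            "kind": "eval(function(p,a,c,k,e,d)",
            "line": data.count(b"\n", 0, m.start()) + 1,
            "detail": "packed JavaScript; unpack offline before trusting it",
        })
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Scan every PHP/HTML/JS regular file under root (symlinks skipped)."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink() and p.suffix.lower() in SCAN_EXTS:
            findings.extend(scan_file(p))
    return findings


def htaccess_report(root: Path) -> list[tuple[str, str]]:
    """List each .htaccess under root as (mtime, path), oldest first."""
    rows = [(os.path.getmtime(p), str(p)) for p in root.rglob(".htaccess") if p.is_file()]
    return [(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(m)), p) for m, p in sorted(rows)]


def build_sample_site(root: Path) -> None:
    """Constructed sample web root: one clean file, two injected ones, one .htaccess."""
    (root / "clean.php").write_text("<?php echo 'hello'; ?>\n")
    payload = base64.b64encode(b"echo 'injected';").decode()  # constructed payload
    (root / "wp-content").mkdir()
    (root / "wp-content" / "header.php").write_text(
        "<?php\n// legitimate theme code\n" + f"eval(base64_decode('{payload}'));\n"
    )
    (root / "index.html").write_text(
        "<html><body>\n<script>eval(function(p,a,c,k,e,d){return p})"
        "('x',0,0,[],0,{})</script>\n</body></html>\n"
    )
    (root / ".htaccess").write_text("RewriteEngine On\n")


def demo() -> tuple[list[dict], list[tuple[str, str]]]:
    """Build the constructed sample site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        return scan_tree(root), htaccess_report(root)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = Path(sys.argv[1])
        findings, ht = scan_tree(target), htaccess_report(target)
    else:
        findings, ht = demo()
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['kind']} -> {f['detail']!r}")
    for mtime, p in ht:
        print(f".htaccess {p} last modified {mtime}")
```

Run it against a copy of the site rather than editing files in place, and treat a hit as a pointer to the entry point rather than the whole story: the decoded payload usually shows what the attacker's code does, and the .htaccess modification times help narrow down when the change happened, which is what you need before choosing a backup to restore from.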


#5

Thank you for the response!
A few questions…

  1. I have already fixed the infected files, but they keep getting re-infected. How can I find the vulnerability that is causing them to be re-infected?

  2. How do I do a restore? Am I restoring the files in my FTP or am I restoring the MySQL database?

  3. Can the MySQL database be the vulnerable part or is it something in my FTP?

Sorry if I stated this wrong, I am really unfamiliar with PHP and MySQL.