i download a theme and plugin and my cpanl is hacked

***rocky_17117*** · 02-03-2015, 11:38 PM

i have removed all files which is created on hack date (as i know when i update my sites)
also delete every single file, and also take backup in my HDD with zipped files
i found nearly 50+ files in different sub-directories.
he also hack askimet plugin to see my files,
now i know what kind of file he use to hack a wordpress site,
now i disable the domain (with using file permission 0000)
and delete all infected file (php files)
hope its work, the only way to track hacking is if you have a small amount email sending limit,
i have unlimited VPS, so my vps is good for him, when i see a huge log files and a huge ammount of EXIM (email queue ) then i recognize the problem.

(02-03-2015 11:24 PM)Captain99 Wrote: then you have problems my friend
as Grumble says - unless you can find someone to go through everything
and clean it for you (expensive)

Not able to offer much help I am afraid you will probably have to delete and start again BUT
wait to see if someone can offer a solution though I doubt it.

as someone above stated, for anything like themes, scripts or plugins use a GB and be safe

Cap ;)

ps good luck buddy

***Captain99*** · 02-03-2015, 11:42 PM

sounds like you answered your own question buddy :)
Hope you got it all

Cap ;)

***rocky_17117*** · 02-04-2015, 12:11 AM

not like that,, my question was = how its done,
i mean file creation without my permission and sending email with email id which is not created in my cpanel, and also sending nearly 100K email in 7 days.
now i also find the infected plugin in my HDD where i save, now searching the forum link where i download, i also post date of download, and the name of person who post here, its my request to ban the user.
also i want to aware other peoples like me who download and use and forget to check their sites regularly.
some time virustotal fail to find this kind issue, but we have to aware, if its done with a simple plugin the we have to avoid plugin, using another substitute
anyways, thanks for all replies. Cool

(02-03-2015 11:42 PM)Captain99 Wrote: sounds like you answered your own question buddy :)
Hope you got it all

Cap ;)

***utahman1971*** · (This post was last modified: 02-04-2015 05:48 AM by utahman1971.)

(02-03-2015 10:33 PM)danimation3d Wrote: Woah far out, where'd you download this theme?
Personally, I stay away from the "nulled" crap. Group buys are probably the way to go. You'll spend $3-10 more than you would on a free nulled version. But you also avoid getting your butt hammered by some of the pricks out there who are waiting for you to play with their viruses

Sorry, but GB is not way to go, because you don't get a license with Themeforest. There is only one license, and that is the purchaser that gets it, and if that person shares his license, then the license gets deactivated. GB if they do it, should not share license, but that is bad for the group that pays, because they paid for a no license for the theme. How many people on the internet are honest? If you do GB for extended license of the theme, that is way more money for extended license, which makes the license able to be multiple shared.

$2900 for Newspaper theme for an example of extended license.

***grumble*** · 02-04-2015, 09:38 PM

It is NOT where you got the theme. Yes, some themes are hacked. THIS was a slider included with the theme - it had bad coding 'from the factory' - The coder left a hole in the code. NO HACKING involved. It was the badly written plugin. The hole is in EVERY copy of Revslider on the planet. Over 100,000 sites hit 6-7 weeks ago.

A bot searches for the hole, finds it and issues an sql command on the end of a standard command and gains access to everything in the database. This particular one also moved 'sideways' into other sites on the same shared host (Only 'your' part of it).

It's called an SQL injection attack. Google has something to say about it.

Hard to stop, but I've supplied the method on my blog. Takes 5 mins to remove. If you get a malware ahead site ban from Google, clear the virus, secure the site and ask for a manual review. This will take Google about 5 hours.

As Google runs the 'Safe Browsing Alliance' - it will also remove the Bing malware ban.

You also need to check your database fields and reset passwords to the database and the site.

You MUST have security and backups. If you can't be bothered or are too busy or don't know how, pay a good webmaster to manage your sites for you instead of using cheapo hosting with no service.

***rocky_17117*** · 02-05-2015, 12:09 AM

now here is the answers,
thanks

(02-04-2015 09:38 PM)grumble Wrote: It is NOT where you got the theme. Yes, some themes are hacked. THIS was a slider included with the theme - it had bad coding 'from the factory' - The coder left a hole in the code. NO HACKING involved. It was the badly written plugin. The hole is in EVERY copy of Revslider on the planet. Over 100,000 sites hit 6-7 weeks ago.

A bot searches for the hole, finds it and issues an sql command on the end of a standard command and gains access to everything in the database. This particular one also moved 'sideways' into other sites on the same shared host (Only 'your' part of it).

It's called an SQL injection attack. Google has something to say about it.

Hard to stop, but I've supplied the method on my blog. Takes 5 mins to remove. If you get a malware ahead site ban from Google, clear the virus, secure the site and ask for a manual review. This will take Google about 5 hours.

As Google runs the 'Safe Browsing Alliance' - it will also remove the Bing malware ban.

You also need to check your database fields and reset passwords to the database and the site.

You MUST have security and backups. If you can't be bothered or are too busy or don't know how, pay a good webmaster to manage your sites for you instead of using cheapo hosting with no service.

***bale*** · 02-05-2015, 12:24 AM

I doubt its wordpress at all, looks more like a backend vulnerability. Update your server core! Is your cpanel legit? You cant gain access to cpanel files through a wordpress site!

***Interpreneur*** · 02-05-2015, 04:10 AM

So Revslider is too dangerous to install on our sites? I've seen this plugin accompanied with many good themes, that I also use, such as Betheme, Avada, etc.

***Angelina*** · 02-05-2015, 04:34 AM

(02-05-2015 04:10 AM)Interpreneur Wrote: So Revslider is too dangerous to install on our sites? I've seen this plugin accompanied with many good themes, that I also use, such as Betheme, Avada, etc.

The author has since updated the plugin:

Code:

VERSION 4.1.4 OR OLDER MUST BE UPDATED IMMEDIATELY TO AVOID CRITICAL VULNERABILITY

Code:

http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380

***Interpreneur*** · 02-05-2015, 04:40 AM

Thanks Angelina for your answer. I also went on to search for more info and found the same info as well.