Comments on: How to find a backdoor in a hacked WordPress

By: JoeyD714

JoeyD714 — Thu, 11 Mar 2010 06:10:23 +0000

We believe the site has a backdoor installed by the company we hired to create it.

any ideas on how to find a backdoor created by the site builders?

By: Otto on WordPress » Blog Archive » How to find a backdoor in a hacked WordPress

Thu, 04 Mar 2010 22:28:29 +0000

[...] How to find a backdoor in a hacked WordPress March 4, 2010, 4:27 pm Originally posted here: http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/ [...]

By: Spring Cleaning – Of Hacked Files : Money News

Spring Cleaning – Of Hacked Files : Money News — Wed, 03 Mar 2010 10:44:25 +0000

[...] How to find a backdoor in a hacked WordPress [...]

By: Obnoxious Clients - CLEARLY I'M NOT A PEOPLE PERSON

Obnoxious Clients - CLEARLY I'M NOT A PEOPLE PERSON — Sun, 07 Feb 2010 08:09:05 +0000

[...] How to find a backdoor in a hacked WordPress [...]

By: Obnoxious Clients - CLEARLY I'M NOT A PEOPLE PERSON

Obnoxious Clients - CLEARLY I'M NOT A PEOPLE PERSON — Sun, 07 Feb 2010 08:09:05 +0000

[...] How to find a backdoor in a hacked WordPress [...]

By: Sanaa

Sanaa — Tue, 26 Jan 2010 22:43:38 +0000

one of my sites got hacked, I had it restored to a Jan 6th version…(I am adding the lost info and will do a backup). I did have the latest version of wordpress but like you said, the hack could have already been installed.

I had it restored to a previous date but…

HOW do I prevent this from happening again on this site, as well as, on my other sites which haven’t been hacked –in other words, how do I find the backdoor and close it?

By: Jillian

Jillian — Fri, 11 Dec 2009 09:56:35 +0000

Does anyone know if people who installed WP into a randomly named sub-directory under the DocumentRoot were less likely to get hacked? It probably doesn’t matter too much, but if any of the backdoors assumed where files were located with respect to the docroot — then installing WP in a subdirectory would be another security measure. Not that injected code couldn’t smarten up and add logic to compensate. I’m just curious. Also, did it affect WPMU installations the same way?

Just curious.

By: Averill

Averill — Tue, 24 Nov 2009 15:04:30 +0000

Thanks, Otto. I’m kinda compulsive, so I had to comb through the site to find whatever I could. There were, as you say, more backdoors, and I don’t trust that I caught all of them. I also deleted multiple users from the database, and did lose the extra (hidden) admin person. I can see that they easily could have gained access through our plugin folder. I’m learning a lot more about this than I ever planned to learn. I guess it’s good. I appreciate your sharing this information.

By: Otto

Otto — Mon, 23 Nov 2009 23:04:33 +0000

I don’t think there is a wp-manager.php file, that whole thing is probably added by the hacker.

There’s almost certain to be more than one backdoor in the system, I’d go through and replace all the WP files with fresh ones, just to be sure. Anything else should be examined carefully.

By: Averill

Averill — Mon, 23 Nov 2009 14:47:26 +0000

P.S. I’ve found several other files that have been altered, including wp-manager.php, wp-blog-header.php… I can’t even begin to figure out what to do with the wp-manager file, since I don’t have the original. On to re-doing the site. Quite insidious, this invasion!