
bt files they will still be re-generated by the script inside functions.php. Hackers injected a script on top of the original functions.php content, so every time the site loaded the hack re-generated the. On our client's site, the hack was found in the active theme's functions.php file.

Theme's functions.php injected with a malicious script

bt files, we stumbled into Michael Nilsen's php-hacks GitHub page about lmlink1-redirect where he explained how the. Obviously this file wasn't related to WordPress and the content looked suspicious already.

This file contained a list of IPs; you can see a sample of them below:

The lmlink1-redirect WordPress

After first accessing the site files, we noticed that there was a file present under the root dir, the wp-admin and wp-admin/css dirs under the name of.

While the site's frontend worked fine, its backend hadn't been maintained or updated for a long time. As a result, some of the themes and/or plugins used were vulnerable, so it became a hackers' playground. The hack was still active, and our client was lucky that we found it, since he had asked us to host the site for him (we'll talk about this added service in a new blog post). Every time we handle a WordPress site we check whether it shows any signs of being hacked or compromised. We did the same for this site and found that it had been hacked for more than 2 years. Just recently we cleaned a WordPress site which was apparently hacked many years ago.
