During the past week, I saw two shell accounts that were hacked. Both are on Dreamhost.
One of them was reported by Google Webmaster Tools. It said that some malicious code was found.
The other one was found because the memory usage increased too fast, with no increase in PV.
I checked the account and noticed some weird issues.
One of the important files, .htaccess, was changed by a hacker.
It sends web spiders, such as Google bots, Bing, and ASK, to a third-party site that has malicious code. The code may affect users' computers.
When a user enters a wrong URL, the user should see a 404 error page from the site. The hacker also sends these users to the remote site, which has malicious code.
So, if you land on the website at a correct page URL, you will not see it.
It looks normal, with no problems.
The hacker steals traffic from the sites, and this also poses a potential risk to the users of the site.
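One way to spot this kind of .htaccess change is sketched below. It is an added example, not part of the original post: it flags redirects that leave the site's own hosts, and notes when they are gated on the visitor's User-Agent or Referer. The function name audit_htaccess, the sample file and the host malicious.example are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample for illustration; malicious.example is a placeholder host.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|ask) [NC]
RewriteRule ^(.*)$ http://malicious.example/in.php [R=302,L]
ErrorDocument 404 http://malicious.example/in.php
"""

CLIENT_VARS = re.compile(r"%\{HTTP_(USER_AGENT|REFERER)\}", re.I)
ABSOLUTE_URL = re.compile(r"^https?://", re.I)

def audit_htaccess(text, own_hosts):
    """Return (line_no, reason) for each redirect to a host not in own_hosts."""
    findings = []
    cond_line = None  # line of the last User-Agent/Referer RewriteCond seen
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name == "rewritecond" and len(parts) > 1:
            if CLIENT_VARS.search(parts[1]):
                cond_line = no
            continue
        if name == "rewriterule" and len(parts) >= 3:
            # Conditions apply to the next RewriteRule only, so reset afterwards.
            target, gated, cond_line = parts[2], cond_line, None
        elif name in ("errordocument", "redirect", "redirectmatch") and len(parts) >= 3:
            target, gated = parts[-1], None
        else:
            continue
        host = urlparse(target).hostname if ABSOLUTE_URL.match(target) else None
        if host and host.lower() not in own_hosts:
            why = f"{parts[0]} sends visitors to external host {host}"
            if gated:
                why += f" (only for User-Agent/Referer matched on line {gated})"
            findings.append((no, why))
    return findings
```

Running it over every .htaccess in the account, with own_hosts set to the site's real domains, gives a short list of lines to review by hand; it does not catch redirects injected through PHP files.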
How to fix a hacked WordPress blog?
The way I cleaned it is simple.
1) Export the data
2) Make a new shell account on Dreamhost
3) Point the site to new account
4) Install a fresh, updated version of the software
5) Import the data
Done.
Then the last step is to delete the old shell account.


How did the hacker get shell access?
It is a pure WordPress installation, and it is updated. How did the hacker get access to it?
Finally, I feel the most likely cause is the theme. The themes installed were downloaded from a theme site, not from the official WordPress theme site. The author name of these themes is undersigned.
This is because I saw the shell command history. There are some commands showing that some folders were deleted from the theme folder, followed by editing the .htaccess file.
How to protect your WordPress installation?
There are some good plugins.
One I recommend is Ultimate Security Checker.
Do not install plugins or themes from sources you don't know.

David Yin

David is a blogger, geek, and web developer — founder of FreeInOutBoard.com.
