Hacked again? hiken.php

by davenathanson on October 2, 2016

in Internet

I run quite a few websites for friends and clients. One in particular keeps getting hacked (not this one). The rest of my sites do not get hacked at all. The difference, as I see it, is a theme purchased from Template Monster. That theme runs under the Cherry Framework and there must be a security problem with it. Every time this site is attacked, the attacker puts a bunch of files into the theme folder, and in wp-admin. I spent a weekend learning more about WordPress security, and installed WordFence, but got hacked again anyway. At least WordFence notified me right away, so I could replace the template folder.

When I did a web search for the file names that the hackers installed on my website I came up empty, so I’m going to post the file names here in case it helps somebody recognize them for what they are. I’m not 100% sure what this hack is all about, but it seems to involve a PayPal spoof, and they may be collecting PayPal logins, passwords, and credit card numbers from people who think they are reconfirming their PayPal details – but didn’t notice they are at the wrong site. 🙁 Doesn’t look good at all.

Some files that appear to be key to this hack include:
And of course all that PayPal stuff, plus the illegitimate login system they installed too.  I’ll put a more complete list of the hacker files at the end. I read through the code of most of them, and although I’m not completely fluent in php, it seems pretty obvious that they have an alternate login system, and a spoof of a PayPal login page that asks the victims to enter their paypal login and credit cards to unlock their account.

The first time it was hacked the biggest clue (after being notified by DreamHost security that my site had malware) was that I couldn’t log in to wp-admin. As it turned out, the whole wp-admin directory was completely missing. Probably a script kiddie that didn’t get it right and deleted more than they meant to. I replaced the wp-admin folder by grabbing it from a similar website. DreamHost was very helpful and was able to switch the theme, after which I was able to log in & look around. Several parts of the website were non-op and I spent the better part of 3 days trying to repair it before I just started all over.

Because I don’t know what the hackers did and did not have access to, I made a new web directory under a new FTP user, installed a fresh copy of WordPress with a new database, and restored from backup. That is when I discovered a problem with my site backups. I had to use the database backup that was made with one app, and the files from another. Of course these apps use a different format for the WordPress database, but UpdraftPlus (paid version) was able to deal with that easily. Wow! And Updraft was also able to find/replace URLs that needed to be changed because I moved the site to a new FTP user with a slightly different path. Hundreds of URLs needed to be changed, so I was even more glad to have a power tool like Updraft Plus. (I’m not getting anything out of mentioning this, I’m just happy about it). Of course I used new passwords for everything. When I was finished, I changed all the passwords again, including the database password & wp-config.php.

Anyway, it was slow & painful, but I recovered & the site was repaired… And it was 3 weeks before it was hacked again.

When the site was hacked again, I spent a weekend learning more about WordPress security. I checked out WordFence, Sucuri and iThemes Security. As I look back now at the files the hackers installed, it’s starting to look like the site was hacked several times by different hackers with different methods.

When I got a notice from WordFence this morning that it had detected malware the 3rd time, I was able to repair most of it in a few minutes. Just replaced the Theme46018 dir from backup, and deleted a few files that didn’t belong in wp-admin or wp-content. Then I spent a considerable amount of time going through the WordFence log file, looking for links that I didn’t realize existed. Deleted a bunch of categories I’m not using, and made “private” the sample posts & pages that came with the template. Those were getting hits, which probably indicates template websites that are soft targets. And probably indicates that this Cherry Framework theme 46018 sucks and has known security weaknesses.

UPDATE, 2 days later:

While WordFence was still in “Learning mode” during the first week after installation, it does not block anything (and therefore did not prevent hack #3), but it does make a firewall whitelist rule to allow whatever it would have blocked. Those whitelist rules and the Live Traffic report are fascinating. So many unexpected URLs, most involving junk like mydomain.com/buy-online-Adobe-Creative-Suite-6-Master-Collection-MAC and many other similar requests for pirated software. Reading this log is where I noticed certain URLs were being sought out by the hacker bots. I’ve already removed the malware files, so these links don’t work anymore. These interesting URLs include:

/category/in-faucibus-orci-luctus/    # <- sample text from the purchased theme template
/category/ut-pharetra-augue-nec/  # <- sample text from the purchased theme template

I’m wondering if maybe the URL above for the cherry-plugin is the weakness. I don’t have any need to import/export the site via the Cherry Plugin, so this will be one of the first URLs I disable via .htaccess or firewall. WordFence doesn’t seem to have any way to add a blacklist rule, so .htaccess may be a good way to prevent malicious URLs from reaching WordPress.

I have contacted TemplateMonster twice to alert them that there is a security weakness in their product, which includes: the Cherry framework, the template, theme46018, the Cherry plugin, or maybe the MotoPress editor. All they did was to try & blame my webhost & give me an affiliate link to switch to another webhost (an affiliate link so they will make a commission). No, I’m sure that is not the problem.

After getting a great tip from TZ-Security in the comments below, I am trying out the 6g Firewall from perishablepress. It is all based on .htaccess files & regex, which is great.

And after some research, I’ve added the following to my .htaccess file to deflect bad bots. Finally I’m getting a laugh from all this work! 😀

UPDATE #3 (4 days later).

After some thought & .htaccess education, I’ve decided it is better to halt certain URLs instead of redirecting them to google or anywhere. For those I’m now using a redirect code of 410, which means “Gone”. I like that better because it sends a clear message that I have hardened my site and removed the pages they are looking for. So here are my new redirects.

# Apache does not allow a comment after a directive on the same line, so the notes are on their own lines.
# I don't want/need import. Redirect takes a literal path prefix, not a regex, so no trailing "/?".
Redirect 410 /wp-content/plugins/cherry-plugin/admin/import-export
# hacker file
Redirect 410 /wp-content/themes/theme46018/reload.php
RedirectMatch 301 /(.*)cheap-price(.*) /
RedirectMatch 301 Adobe /
RedirectMatch 301 download /
RedirectMatch 410 /(.*)adminrekt(.*)
RedirectMatch 410 /(.*)autodesk(.*)
RedirectMatch 410 /(.*)Autodesk(.*)
RedirectMatch 410 /(.*)best-price(.*)
RedirectMatch 410 /(.*)buy-cheap(.*)
RedirectMatch 410 /(.*)Dhcteam(.*)
RedirectMatch 410 /(.*)how-to-buy(.*)
RedirectMatch 410 /(.*)microsoft(.*)
RedirectMatch 410 /(.*)Microsoft(.*)
# Note: RedirectMatch is an unanchored regex, so this also hits any legitimate URL containing "software".
RedirectMatch 410 /(.*)software(.*)
RedirectMatch 410 /(.*)where-to-buy(.*)
RedirectMatch 410 /1337w0rm_2.php
RedirectMatch 410 /audio-post-format/
RedirectMatch 410 /buy-online(.*)
RedirectMatch 410 /donec-porta-diam-eu-massa/?
RedirectMatch 410 /hiken.php
RedirectMatch 410 /inboxtoall_3_.php
RedirectMatch 410 /purchase-.*
RedirectMatch 410 /quisque-diam-lorem/?
RedirectMatch 410 /rebels.php
RedirectMatch 410 /SSL-Verification-secureid=hiken/?
RedirectMatch 410 /taraji.php
RedirectMatch 410 /ut-pharetra-augue-nec
RedirectMatch 410 /wtf.php
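A dry run of the rule list against sample request paths, as an added example that is not part of the original post. It models mod_alias matching as I understand it (Redirect is a literal prefix that must end on a path-segment boundary; RedirectMatch is an unanchored regex over the URL path without the query string; first matching rule wins), and the Redirect line is taken without its stray "/?" because Redirect does not take a regex.

```python
"""Added example (not from the post): check what the .htaccess rules would do."""
import re

# (directive, status, pattern), a subset of the post's rules. Modelling assumption:
# Redirect = literal prefix ending on a '/' boundary, RedirectMatch = re.search on the path.
RULES = [
    ("Redirect", 410, "/wp-content/plugins/cherry-plugin/admin/import-export"),
    ("Redirect", 410, "/wp-content/themes/theme46018/reload.php"),
    ("RedirectMatch", 301, r"/(.*)cheap-price(.*)"),
    ("RedirectMatch", 301, r"Adobe"),
    ("RedirectMatch", 410, r"/(.*)software(.*)"),
    ("RedirectMatch", 410, r"/hiken.php"),
    ("RedirectMatch", 410, r"/SSL-Verification-secureid=hiken/?"),
]


def redirect_prefix_matches(path, prefix):
    """mod_alias Redirect: literal prefix, and the match must end at a '/' or at the end."""
    if not path.startswith(prefix):
        return False
    rest = path[len(prefix):]
    return prefix.endswith("/") or rest == "" or rest.startswith("/")


def evaluate(url):
    """Status code the first matching rule would send, or 200 when nothing matches."""
    path = url.split("?", 1)[0]  # RedirectMatch never sees the query string
    for directive, status, pattern in RULES:
        if directive == "Redirect" and redirect_prefix_matches(path, pattern):
            return status
        if directive == "RedirectMatch" and re.search(pattern, path):
            return status
    return 200


if __name__ == "__main__":
    # Constructed sample requests; the last two show the limits of the rules.
    for u in ("/hiken.php",
              "/wp-content/plugins/cherry-plugin/admin/import-export/?file=x",
              "/wp-content/themes/theme46018/reload.php.bak",  # prefix stops mid-segment: not matched
              "/2016/10/software-i-use/",                       # a real post caught by the 'software' rule
              "/about-us/"):
        print(u, "->", evaluate(u))
```

Run it after editing the rules to see which legitimate URLs the broad patterns would turn into a 410.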

=== end 2 & 4 day update == lists follow =====


Here is a list of most of the hacker files:

Found in WP-ADMIN:

Backdoor list:

FOUND IN wp-content/:

/bt/root    # (symlink to root. Nice try!)
/BT     # (huge number of symlinks! Too many to list)


move WordPress to root

by davenathanson on September 9, 2016

in Internet

It’s really not that big of a deal.
But sequence DOES matter.
And if you have access to your database via phpMyAdmin, that might be handy in case anything goes wrong, so you can fix it. The database doesn’t get moved, but it will hold the URLs we are editing below. However, most people have never used phpMyAdmin and you probably don’t need it either, if you did step one correctly.

Step 1) Make a backup of your site. I’ve been using UpdraftPlus and it is awesome. Even the free version is great. Easy to back up, easy to restore. Tons of features. So awesome I paid for it.

[Screenshot: What it looks like BEFORE we move anything]

2) Clear out any cruft from the root of your web dir, leaving only your WordPress files in the same folder and path they were in. Do not yet move any of your WordPress files. But do move everything else out of the root folder, including any index.html or index.php files. If anything needs to stay at the root, you can put it back in a sec, but for now move it elsewhere.

3) Log in to WP as an admin. Deactivate your caching plug-in. Purge all caches now. – If your WordPress site is broken (already?!) you may have accidentally moved the WordPress files too soon. Put them back & try step 3 again.

4) Go to Administration -> Settings -> General.
Change the WordPress Address from example.com/wordpress to example.com
Change the Site Address from example.com/wordpress to example.com
As soon as you save this change – Boom! – you’ll get an error. That’s how you know it worked! 🙂 Don’t worry, we are about to fix it.

5) Using FTP, move all the WordPress files (but not the enclosing folder) from their “wp” directory (folder) into root of the web folder.

[Screenshot: Nice & clean AFTER we’ve moved WordPress to root folder]

You will now have a root dir full of all the WP files that used to be in the WP dir.

6) Log into your WordPress at example.com/wp-admin. Hopefully it totally works. 😉
Just to be sure, check Administration -> Settings -> Permalinks to ensure the link structure is still good. Push the “Save” button. And again. Thanks.

7) A few things may still need fixing, like maybe the header graphic. You can relink or reupload.

8) You *may* need to open each page or post and, in the “text” mode, Find/Replace the old URL with the new URL (from step 3 above). For example, if your old WP site URL was example.com/wp/ and the new URL is example.com you’d do a find/replace in the “text” view of each post for example.com/wp/ and replace with example.com/ (those slashes are not optional). I would copy the entire post (from text mode) then paste into a text editor (no MS Word! Please), then do that Find/Replace. Copy from the text editor and paste back into the post. Repeat for each post that has a link problem (they all might).

There are plugins that can quickly do a Find/Replace over your whole site, and this is a great time to know about a good one. I’ve used the free version of All-in-One WP Migration (once) and it did the job by exporting the database, doing your find/replace and offering the db as a download. You then upload it back in as an “import” to make the changes real. You DO have a back up, right? Actually, it did a great job.
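The reason a dedicated plugin beats a plain find/replace over the exported database: WordPress stores options, widgets and much post meta as PHP-serialized data, where every string carries its byte length (s:LEN:"..."), so shortening example.com/wp/ to example.com/ without recomputing that length leaves a value PHP can no longer unserialize. The function below is an added example, not code from the post or from UpdraftPlus or All-in-One WP Migration; it assumes it is given individual column values (for example an option_value), not SQL-escaped dump lines, and the sample value is constructed.

```python
"""Added example (not from the post): URL find/replace that keeps PHP serialized data valid."""
import re

# PHP serialize() string header: s:<byte length>:"<bytes>";
SERIALIZED_STR = re.compile(rb's:(\d+):"')


def replace_url(value: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new; inside serialized strings the declared byte length is recomputed."""
    out, pos = [], 0
    while True:
        m = SERIALIZED_STR.search(value, pos)
        if m is None:
            out.append(value[pos:].replace(old, new))
            return b"".join(out)
        start = m.end()
        end = start + int(m.group(1))
        if value[end:end + 2] != b'";':
            # Declared length does not line up: plain text that only looks like a header.
            out.append(value[pos:m.end()].replace(old, new))
            pos = m.end()
            continue
        body = value[start:end].replace(old, new)
        out.append(value[pos:m.start()].replace(old, new))
        out.append(b's:%d:"' % len(body) + body + b'";')
        pos = end + 2


def is_consistent(value: bytes) -> bool:
    """True when every s:N:"..." in a serialized value encloses exactly N bytes."""
    pos = 0
    while True:
        m = SERIALIZED_STR.search(value, pos)
        if m is None:
            return True
        end = m.end() + int(m.group(1))
        if value[end:end + 2] != b'";':
            return False
        pos = end + 2


# Constructed sample: a widget-style option holding a link to the old /wp/ path.
SAMPLE = b'a:2:{s:4:"link";s:31:"http://example.com/wp/about-us/";s:5:"title";s:5:"About";}'
OLD, NEW = b"example.com/wp/", b"example.com/"

if __name__ == "__main__":
    print("naive replace valid:", is_consistent(SAMPLE.replace(OLD, NEW)))   # False
    print("length-aware valid: ", is_consistent(replace_url(SAMPLE, OLD, NEW)))  # True
```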

9) If your site still needs some of the files you moved out of the root folder, you can put those back into the root folder now, but really consider which files you actually need, and which will just be more clutter to figure out later.

Advanced Tip: If you are not quite ready to go live with the WordPress site yet, you can put your old index.html file (& supporting files) back into the root folder because index.html usually has priority over index.php so your old site can still be at root, and when you want the WordPress site to take over, just rename or remove that index.html file to make the WP site active. This is messy, but does work if you are careful. Sometimes I’ll move all files out of the root folder prior to installing WordPress for the 1st time. Then put them back so the old & new sites can co-exist.  You will need to remember to rename either index.html (z_index.html) or index.php (z_index.php) to make either the old or new site active.

If I left anything out, web search for “move wordpress to root”.

Dave Nathanson
Mac Medix


Email SSL Security Certificates

April 22, 2014

Sometimes your email server gets a new SSL security certificate, or you have just set up your email account for the first time on this computer. In those cases, you may need to accept & save the email servers SSL security certificate. This works well with Mac OSX 10.5 (Leopard) and up, it is possible, […]

HeartBleed is SSL Serious Security problem -but Macs aren’t directly vulnerable

April 9, 2014

THE BAD NEWS From  heartbleed.com The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual […]

Password strength checker

January 23, 2014

The worst thing about passwords is trying to come up with a new one that is sufficiently complex, yet something you can remember. And how do you know if a password is easily guessed versus being a great password? How long would it take the robo-crackers to figure out your password? You know they are […]

Cheap iPhone Talk Text & Data plan $30/month from KittyWireless & Page Plus

November 27, 2013

Hey, if you are open to saving money with last year’s phone, and some people will be, check this out. It won’t work for the iPhone 5, but it does work really well for the Verizon iPhone 4S. I mentioned this in a previous post, but I’ve received enough questions that I am going to […]

How to Disable Sophos AV On-access Scanning

November 5, 2013

Most Mac users have not even seen a virus in many years. But it could happen. I’ve been trying out Sophos AV for Mac (Free) for some time now in both Mac OS X 10.6 Snow Leopard & Mac OS X 10.8 Mtn Lion. It seems to run OK, without causing noticeable problems. One of […]

I’m contributing to the Technical Documentation of CHIRP

September 7, 2013

I am now a contributing editor of Technical documentation for the CHIRP project. CHIRP is a free, open-source tool for programming your ham radio. It supports a large number of manufacturers and models, as well as provides a way to interface with multiple data sources and formats. With CHIRP you can easily upload or download […]

Migrate from VirtualBox to Parallels

March 2, 2013

How to Migrate from VirtualBox to Parallels I have a bunch of VirtualBox VMs that work fine under VBox, and I’d like to use them with Parallels Desktop 8 on Macintosh. Sadly, Parallels is not able to import them as-is, and researching this via the Parallels KB has not been effective.  Searching the web I […]

Twitter Spam – How to Revoke Access from Rogue Apps

January 2, 2013

Did your friends tell you that you sent them Twitter Spam? How could that have happened? Here is how to fix it and regain control of your Twitter account. Change your Twitter password. This the first step. It might be all you need. But often it is not enough because Twitter is not just a little […]