Hacked again? hiken.php

cyber-hackerI run quite a few websites for friends and clients. One in particular keeps getting hacked (not this one). The rest of my sites do not get hacked at all. The differences, as I see it, is a  theme purchased from Template Monster. That theme runs under the Cherry Framework and there must be a security problem with it. Every time this site is attacked, the attacker put a bunch of files into the theme folder, and in wp-admin.  I spent a weekend learning more about WordPress security, and installed WordFence, but got hacked again anyway. At least WordFence notified me right away, so I could replace the template folder.

When I did a web search for the file names that the hackers installed on my website I came up empty, so I’m going to post the file names here in case it helps somebody recognize them for what they are. I’m not 100% sure what this hack is all about, but it seems to involve a Paypal spoof, and they may be collecting paypal logins, passwords, and credit card numbers from people who think that are reconfirming their Paypal details – but didn’t notice they are at the wrong site.  :-(  Doesn’t look good at all.

Some files that appear to be key to this hack include;
hiken.php
ref.php
reload.php
wtf.php
And of course all that PayPal stuff, plus the illegitimate login system they installed too.  I’ll put a more complete list of the hacker files at the end. I read through the code of most of them, and although I’m not completely fluent in php, it seems pretty obvious that they have an alternate login system, and a spoof of a PayPal login page that asks the victims to enter their paypal login and credit cards to unlock their account.

The first time it was hacked the biggest clue (after being notified by DreamHost security that my site had malware) was that I couldn’t login to wp-admin. As it turned out, the whole wp-admin directory was completely missing. Probably a script kiddie that didn’t get it right and deleted more than they meant to. I replaced the wp-admin folder by grabbing it from a similar website. DreamHost was very helpful and was able to switch the theme after which I was able to log in & look around. Several parts of the website were non-op and I spent the better part of a 3 days trying to repair it before I just started all over.

Because I don’t know what the hackers did and did not have access to, I made a new web directory under a new FTP user. Installed a fresh copy of WordPress with a new database, and restored from backup. That is when I discovered a problem with my site backups. I had to use the database backup that was made with one app, and the files from another. Of course these apps use a different format for the wordpress database, but UpdraftPlus (paid version) was able to deal with that easily. Wow! And Updraft was also able to find/replace URLs that needed to be changed because I moved the site to a new FTP user with a slightly different path. Hundreds of urls needed to be changed, so I was even more glad to have a power tool like Updraft Plus. (I’m not getting anything out of mentioning this, I’m just happy about it). Of course I used new passwords for everything. When I was finished, I changed all the passwords again, including the database password & wp-config.php .

Anyway, it was slow & painful, but I recovered & the site was repaired… And it was 3 weeks before it was hacked again.

When the site was hacked again, I spent a weekend learning more about wordpress security. I checked out WordFence, Sucuri and iThemes Security. As I look back now at the files the hackers installed, it’s starting to look like the site was hacked several times by different hackers with different methods.

When I got a notice from WordFence this morning that it had detected malware the 3rd time, I was able to repair most of it in a few minutes. Just replaced the Theme46018 dir from backup, and deleted a few files that didn’t belong in wp-admin or wp-content. Then I spent a considerable amount of time going through the WordFence log file, looking for links that I didn’t realize existed. Deleted a bunch of categories I’m not using, and made “private” the sample posts & pages that came with the template. Those were getting hits, which probably indicates template websites that are soft targets. And probably indicates that this Cherry Framework theme 46018 sucks and has known security weaknesses.

UPDATE, 2 days later:

While WordFence was still in “Learning mode” during the first week after installation, it does not block anything (and therefore did not prevent hack #3), but it does make a firewall whitelist rule to allow whatever it would have blocked. Those whitelist rules and the Live Traffic report is fascinating. So many unexpected URLs most involving junk like mydomain.com/buy-online-Adobe-Creative-Suite-6-Master-Collection-MAC and many other similar requests for pirated software.  Reading this log is where I noticed certain URLs were being sought out by the hacker bots. I’ve already removed the malware files, so these links don’t work anymore. These interesting URLs include:

/wp-content/themes/theme46018/reload.php
/wp-content/themes/theme46018/wtf.php
/themes/theme46018/hiken.php
/wp-content/plugins/cherry-plugin/admin/import-export/upload.php
/category/in-faucibus-orci-luctus/    # <- sample text from the purchased theme template
/category/ut-pharetra-augue-nec/  # <- sample text from the purchased theme template

I’m wondering if maybe the URL above for the cherry-plugin is the weakness. I don’t have any need to import/export the site via the Cherry Plugin, so this will be one of the first URLs I disable via .htaccess or firewall. WordFence doesn’t seem to have any way to add a blacklist rule, so .htaccess may be a good way to prevent malicious URLs from reaching WordPress.

I have contacted TemplateMonster twice to alert them that there is a security weakness in their product which includes; Cherry framework, template, theme46018, Cherry plugin, or maybe MotoPress editor. All they did was to try & blame my webhost & give me an affiliate link to switch to another webhost (an affiliate link so they will make a commission). No, I’m sure that is not the problem.

After getting a great tip from TZ-Security in the comments below, I am trying out the 6g Firewall from perishablepress. It is all based on .htaccess files & regex, which is great.

And after some researching, Ive added the following to my .htaccess file to deflect bad bots. Finally I’m getting a laugh from all this work!  :-D

UPDATE #3, (4 days later).

After some thought & .htaccess education, I’ve decided it is better to halt certain URLs instead of redirecting them to google or anywhere. For those I’m now using a redirect code of 410, which means “Gone”. I like that better because it sends a clear message that I have hardened my site and removed the pages they are looking for. So here are my new redirects.

Redirect 410 /wp-content/plugins/cherry-plugin/admin/import-export/?  # I don’t want/need import.
Redirect 410 /wp-content/themes/theme46018/reload.php  #hacker file
RedirectMatch 301 /(.*)cheap-price(.*) /
RedirectMatch 301 Adobe /
RedirectMatch 301 download /
RedirectMatch 410 /(.*)adminrekt(.*)
RedirectMatch 410 /(.*)autodesk(.*)
RedirectMatch 410 /(.*)Autodesk(.*)
RedirectMatch 410 /(.*)best-price(.*)
RedirectMatch 410 /(.*)buy-cheap(.*)
RedirectMatch 410 /(.*)Dhcteam(.*)
RedirectMatch 410 /(.*)how-to-buy(.*)
RedirectMatch 410 /(.*)microsoft(.*)
RedirectMatch 410 /(.*)Microsoft(.*)
RedirectMatch 410 /(.*)software(.*)
RedirectMatch 410 /(.*)where-to-buy(.*)
RedirectMatch 410 /1337w0rm_2.php
RedirectMatch 410 /audio-post-format/
RedirectMatch 410 /buy-online(.*)
RedirectMatch 410 /donec-porta-diam-eu-massa/?
RedirectMatch 410 /hiken.php
RedirectMatch 410 /inboxtoall_3_.php
RedirectMatch 410 /purchase-.*
RedirectMatch 410 /quisque-diam-lorem/?
RedirectMatch 410 /rebels.php
RedirectMatch 410 /SSL-Verification-secureid=hiken/?
RedirectMatch 410 /taraji.php
RedirectMatch 410 /ut-pharetra-augue-nec
RedirectMatch 410 /wtf.php

=== end 2 & 4 day update == lists follow =====

 

Here is a list of most of the hacker files:

/wp-content/themes/theme46018//bootstrap
/wp-content/themes/theme46018/bootstrap/css
/wp-content/themes/theme46018/bootstrap/less
/wp-content/themes/theme46018/favicon.ico
/wp-content/themes/theme46018/filterable-portfolio-loop.php
/wp-content/themes/theme46018/hiken.php
/wp-content/themes/theme46018/images
/wp-content/themes/theme46018/includes
/wp-content/themes/theme46018/install.log
/wp-content/themes/theme46018/js
/wp-content/themes/theme46018/languages
/wp-content/themes/theme46018/loop
/wp-content/themes/theme46018/main-style.css
/wp-content/themes/theme46018/options.php
/wp-content/themes/theme46018/Paypal
/wp-content/themes/theme46018/Paypal/baca.txt
/wp-content/themes/theme46018/Paypal/blocker.php
/wp-content/themes/theme46018/Paypal/data_ip_masuk.txt
/wp-content/themes/theme46018/Paypal/detect.php
/wp-content/themes/theme46018/Paypal/dhcteamfix2016.zip
/wp-content/themes/theme46018/Paypal/Email.php
/wp-content/themes/theme46018/Paypal/function.php
/wp-content/themes/theme46018/Paypal/index.php
/wp-content/themes/theme46018/Paypal/myaccount
/wp-content/themes/theme46018/Paypal/myaccount/.htaccess
/wp-content/themes/theme46018/Paypal/myaccount/0953c
/wp-content/themes/theme46018/Paypal/myaccount/0953c/.htaccess
/wp-content/themes/theme46018/Paypal/myaccount/0953c/footer.php
/wp-content/themes/theme46018/Paypal/myaccount/0953c/header.php
/wp-content/themes/theme46018/Paypal/myaccount/0953c/home.php
/wp-content/themes/theme46018/Paypal/myaccount/0953c/index.php
/wp-content/themes/theme46018/Paypal/myaccount/0953c/redirscr.php
/wp-content/themes/theme46018/Paypal/myaccount/0953c/Submit.php
/wp-content/themes/theme46018/Paypal/myaccount/0953c/Submition.php
/wp-content/themes/theme46018/Paypal/myaccount/0953c/success.php
/wp-content/themes/theme46018/Paypal/myaccount/0953c/tabel_kiri.php
/wp-content/themes/theme46018/Paypal/myaccount/0953c/webscr.php
/wp-content/themes/theme46018/Paypal/myaccount/0953c/webscrr.php
/wp-content/themes/theme46018/Paypal/myaccount/0953c/websrc.php
/wp-content/themes/theme46018/Paypal/myaccount/css
/wp-content/themes/theme46018/Paypal/myaccount/css/.htaccess
/wp-content/themes/theme46018/Paypal/myaccount/css/app.css
/wp-content/themes/theme46018/Paypal/myaccount/css/coreLayout.css
/wp-content/themes/theme46018/Paypal/myaccount/css/eightball.css
/wp-content/themes/theme46018/Paypal/myaccount/css/global.css
/wp-content/themes/theme46018/Paypal/myaccount/css/index.php
/wp-content/themes/theme46018/Paypal/myaccount/css/pageSalsa.css
/wp-content/themes/theme46018/Paypal/myaccount/css/summary.css
/wp-content/themes/theme46018/Paypal/myaccount/Dhcteam
/wp-content/themes/theme46018/Paypal/myaccount/Dhcteam/.htaccess
/wp-content/themes/theme46018/Paypal/myaccount/Dhcteam/footer.php
/wp-content/themes/theme46018/Paypal/myaccount/Dhcteam/header.php
/wp-content/themes/theme46018/Paypal/myaccount/Dhcteam/home.php
/wp-content/themes/theme46018/Paypal/myaccount/Dhcteam/index.php
/wp-content/themes/theme46018/Paypal/myaccount/Dhcteam/redirscr.php
/wp-content/themes/theme46018/Paypal/myaccount/Dhcteam/Submit.php
/wp-content/themes/theme46018/Paypal/myaccount/Dhcteam/Submition.php
/wp-content/themes/theme46018/Paypal/myaccount/Dhcteam/success.php
/wp-content/themes/theme46018/Paypal/myaccount/Dhcteam/tabel_kiri.php
/wp-content/themes/theme46018/Paypal/myaccount/Dhcteam/webscr.php
/wp-content/themes/theme46018/Paypal/myaccount/Dhcteam/webscrr.php
/wp-content/themes/theme46018/Paypal/myaccount/Dhcteam/websrc.php
/wp-content/themes/theme46018/Paypal/myaccount/form
/wp-content/themes/theme46018/Paypal/myaccount/form/.htaccess
/wp-content/themes/theme46018/Paypal/myaccount/form/address_info.php
/wp-content/themes/theme46018/Paypal/myaccount/form/bank_info.php
/wp-content/themes/theme46018/Paypal/myaccount/form/card_info.php
/wp-content/themes/theme46018/Paypal/myaccount/form/index.php
/wp-content/themes/theme46018/Paypal/myaccount/form/info.php
/wp-content/themes/theme46018/Paypal/myaccount/form/success.php
/wp-content/themes/theme46018/Paypal/myaccount/icon
/wp-content/themes/theme46018/Paypal/myaccount/icon/.htaccess
/wp-content/themes/theme46018/Paypal/myaccount/icon/apple-touch-icon.png
/wp-content/themes/theme46018/Paypal/myaccount/icon/cv_amex_card.gif
/wp-content/themes/theme46018/Paypal/myaccount/icon/cv_card.gif
/wp-content/themes/theme46018/Paypal/myaccount/icon/enabled_by_symc_vip.png
/wp-content/themes/theme46018/Paypal/myaccount/icon/header_logginginAction.gif
/wp-content/themes/theme46018/Paypal/myaccount/icon/icon_alert_24wx24h.gif
/wp-content/themes/theme46018/Paypal/myaccount/icon/icon_critalert.gif
/wp-content/themes/theme46018/Paypal/myaccount/icon/index.php
/wp-content/themes/theme46018/Paypal/myaccount/icon/logo_paypal_106x27.png
/wp-content/themes/theme46018/Paypal/myaccount/icon/logo.gif
/wp-content/themes/theme46018/Paypal/myaccount/icon/logo2.gif
/wp-content/themes/theme46018/Paypal/myaccount/icon/paypal_logo.gif
/wp-content/themes/theme46018/Paypal/myaccount/icon/pp_favicon_x.ico
/wp-content/themes/theme46018/Paypal/myaccount/icon/sc.png
/wp-content/themes/theme46018/Paypal/myaccount/icon/scr_check_10x10.gif
/wp-content/themes/theme46018/Paypal/myaccount/icon/scr_x_10x10.gif
/wp-content/themes/theme46018/Paypal/myaccount/icon/sprite_header_icons_2x.png
/wp-content/themes/theme46018/Paypal/myaccount/icon/sprite_ia.png
/wp-content/themes/theme46018/Paypal/myaccount/icon/sprite_nav_icons.png
/wp-content/themes/theme46018/Paypal/myaccount/icon/sprite_nav_icons2x.png
/wp-content/themes/theme46018/Paypal/myaccount/icon/sprites_cc_global.png
/wp-content/themes/theme46018/Paypal/myaccount/index.php
/wp-content/themes/theme46018/Paypal/myaccount/js
/wp-content/themes/theme46018/Paypal/myaccount/js/.htaccess
/wp-content/themes/theme46018/Paypal/myaccount/js/global.js
/wp-content/themes/theme46018/Paypal/myaccount/js/index.php
/wp-content/themes/theme46018/Paypal/myaccount/js/jquery.bank.js
/wp-content/themes/theme46018/Paypal/myaccount/js/jquery.billing.js
/wp-content/themes/theme46018/Paypal/myaccount/js/jquery.min.js
/wp-content/themes/theme46018/Paypal/myaccount/js/jquery.payment.js
/wp-content/themes/theme46018/Paypal/myaccount/js/new.look.js
/wp-content/themes/theme46018/Paypal/myaccount/js/pageSalsa.js
/wp-content/themes/theme46018/Paypal/myaccount/objects
/wp-content/themes/theme46018/Paypal/myaccount/objects/btn_bg_default.gif
/wp-content/themes/theme46018/Paypal/myaccount/objects/btn_bg_sprite.gif
/wp-content/themes/theme46018/Paypal/myaccount/objects/btn_bg_submit.gif
/wp-content/themes/theme46018/Paypal/myaccount/objects/nav_sprite.gif
/wp-content/themes/theme46018/Paypal/myaccount/objects/PayPalIcons-Regular.eot
/wp-content/themes/theme46018/Paypal/myaccount/objects/PayPalIcons-Regular.ttf
/wp-content/themes/theme46018/Paypal/myaccount/objects/PayPalIcons-Regular.woff
/wp-content/themes/theme46018/Paypal/myaccount/objects/src_ao_bluebg_1x300.gif
/wp-content/themes/theme46018/Paypal/myaccount/page
/wp-content/themes/theme46018/Paypal/myaccount/page/.htaccess
/wp-content/themes/theme46018/Paypal/myaccount/page/cvv_info_pop%26enable_locale.htm
/wp-content/themes/theme46018/Paypal/myaccount/page/index.php
/wp-content/themes/theme46018/Paypal/myaccount/robots.txt
/wp-content/themes/theme46018/Paypal/robots.txt
/wp-content/themes/theme46018/Paypal/signin
/wp-content/themes/theme46018/Paypal/signin/index.php
/wp-content/themes/theme46018/Paypal/success.php
/wp-content/themes/theme46018/Paypal/webapps
/wp-content/themes/theme46018/Paypal/webapps/.htaccess
/wp-content/themes/theme46018/Paypal/webapps/3420e
/wp-content/themes/theme46018/Paypal/webapps/3420e/.htaccess
/wp-content/themes/theme46018/Paypal/webapps/3420e/home.php
/wp-content/themes/theme46018/Paypal/webapps/3420e/index.php
/wp-content/themes/theme46018/Paypal/webapps/3420e/login.php
/wp-content/themes/theme46018/Paypal/webapps/3420e/webscr.php
/wp-content/themes/theme46018/Paypal/webapps/3420e/websrc.php
/wp-content/themes/theme46018/Paypal/webapps/edaf6
/wp-content/themes/theme46018/Paypal/webapps/edaf6/.htaccess
/wp-content/themes/theme46018/Paypal/webapps/edaf6/home.php
/wp-content/themes/theme46018/Paypal/webapps/edaf6/index.php
/wp-content/themes/theme46018/Paypal/webapps/edaf6/login.php
/wp-content/themes/theme46018/Paypal/webapps/edaf6/webscr.php
/wp-content/themes/theme46018/Paypal/webapps/edaf6/websrc.php
/wp-content/themes/theme46018/Paypal/webapps/index.php
/wp-content/themes/theme46018/Paypal/webapps/MoreArt
/wp-content/themes/theme46018/Paypal/webapps/MoreArt/.htaccess
/wp-content/themes/theme46018/Paypal/webapps/MoreArt/home.php
/wp-content/themes/theme46018/Paypal/webapps/MoreArt/index.php
/wp-content/themes/theme46018/Paypal/webapps/MoreArt/login.php
/wp-content/themes/theme46018/Paypal/webapps/MoreArt/webscr.php
/wp-content/themes/theme46018/Paypal/webapps/MoreArt/websrc.php
/wp-content/themes/theme46018/Paypal/webapps/robots.txt
/wp-content/themes/theme46018/ref.php
/wp-content/themes/theme46018/reload.php
/wp-content/themes/theme46018/screenshot.png
/wp-content/themes/theme46018/slider.php
/wp-content/themes/theme46018/static
/wp-content/themes/theme46018/static/static-footer-text.php
/wp-content/themes/theme46018/static/static-logo.php
/wp-content/themes/theme46018/static/static-social-networks.php
/wp-content/themes/theme46018/style.css
/wp-content/themes/theme46018/style.less
/wp-content/themes/theme46018/style.less.cache
/wp-content/themes/theme46018/wrapper
/wp-content/themes/theme46018/wtf.php

 

Found in WP-ADMIN

/hiken.php
/SSL-Verification-secureid=hiken
/SSL-Verification-secureid=hiken/.htaccess
/SSL-Verification-secureid=hiken/6b0dc379e587b2e
/SSL-Verification-secureid=hiken/6b0dc379e587b2e/.htaccess
/SSL-Verification-secureid=hiken/6b0dc379e587b2e/blocker.php
/SSL-Verification-secureid=hiken/6b0dc379e587b2e/css
/SSL-Verification-secureid=hiken/6b0dc379e587b2e/detect.php
/SSL-Verification-secureid=hiken/6b0dc379e587b2e/functions.php
/SSL-Verification-secureid=hiken/6b0dc379e587b2e/images
/SSL-Verification-secureid=hiken/6b0dc379e587b2e/index.php
/SSL-Verification-secureid=hiken/6b0dc379e587b2e/js
/SSL-Verification-secureid=hiken/6b0dc379e587b2e/login.php
/SSL-Verification-secureid=hiken/6b0dc379e587b2e/myaccount.php
/SSL-Verification-secureid=hiken/6b0dc379e587b2e/system
/SSL-Verification-secureid=hiken/56ec1304e109fa2
/SSL-Verification-secureid=hiken/57a0daa8617ad85
/SSL-Verification-secureid=hiken/63bd3424928e73c
/SSL-Verification-secureid=hiken/77f4c0f0846ebbe
/SSL-Verification-secureid=hiken/817d6459fc4b131
/SSL-Verification-secureid=hiken/ea6cd2c3d57574c
/SSL-Verification-secureid=hiken/index.php
/SSL-Verification-secureid=hiken/NEW
/SSL-Verification-secureid=hiken/PPLV2.zip
/SSL-Verification-secureid=hiken/vu.txt

Backdoor list:

/wp-content/themes/dusk-to-dawn/content-link.php
/wp-content/themes/next-saturday/content-image.php
/wp-content/themes/sunspot/index.php
/wp-content/themes/theme46018/adminrekt.php
/image_creator.php

FOUND IN  wp-content/:

/1337w0rm_2.php
/bootstrap
/bootstrap/css
/bootstrap/less
/bt
/bt/.htaccess
/bt/root    # (sim-link to root. Nice try!)
/BT     # (huge number of sim-links! Too many to list)
/favicon.ico
/filterable-portfolio-loop.php
/hiken.php
/inboxtoall_3_.php
/includes
/includes/class-tgm-plugin-activation.php
/includes/custom-function.php
/includes/my_script.php
/includes/plugins
/includes/post-formats
/includes/register-plugins.php
/includes/sidebar-init.php
/includes/theme-init.php
/includes/widgets
/install.log
/js
/js/ie8.js
/languages
/loop
/loop/loop-single-portfolio.php
/main-style.css
/options.php
/php.ini
/rebels.php
/ref.php
/reload.php
/screenshot.png
/slider.php
/static
/static/static-footer-text.php
/static/static-logo.php
/static/static-social-networks.php
/style.css
/style.less
/style.less.cache
/taraji.php.php
/wrapper
/wrapper/wrapper-footer.php
/wrapper/wrapper-header.php
/wtf.php

3 thoughts on “Hacked again? hiken.php

  1. Main .zip file with Paypal phishing pack is dhcteamfix2016.zip, site can be easily flagged as malicious or phishing site and that is not pleasant experience.
    You should check for backdoors manually, do not think that security plugin can fix the issue 100%. You need to change all logins (wp admin login, ftp access, cpanel, everything) and you need to check your computer for viruses, many times logins are stolen directly from ftp client. Also you need to update all plugins to their latest versions. For first help, find .htaccess firewall 6G from perishable press (do a google search) , test it and use it.

Leave a Reply

Your email address will not be published. Required fields are marked *