Skip to main content
Information Security

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

3
  • We've kept very close watch on .htaccess files. They have seemed clean throughout. My belief is that an evil doer has root access to the Virtual Private Server and once a week he plays games. One week this JS thing in the database, the week before an eval(base64_decode... I didn't know this site has been hit a lot. The site owner is insistent on using bandaids. I've convinced the business owner to go elsewhere and start fresh with all new passwords and better security. Commented Feb 2, 2015 at 17:34
  • It sounds like you're dealing with an adversary that has the experience to ensure they have one or more backdoors in place everytime they inject malicious code. Or a hosting provider that is running vulnerable software. I would start with a fresh install, clean database or at least a manual review of any data you import and ideally not on a shared server that is up to date on its patch levels. Analysing your log files and comparing them to file modification/creation dates may hold some clues as to how the attackers are accessing their tools and how you can stop it. Commented Feb 2, 2015 at 21:19
  • WireGhoul, right you are. Virgin code everywhere. Total rebuild required from the ground up. (Why didn't they think of that last year when they were first hit? I was most unhappy when the guy told me, "oh, yeah, we saw that last month." Ugh. ) I think we're going to do a manual review of the XML code from wordpress export, instead of using the DB. I'm not certain I can automate the search for all the errant code. Too many variants. Commented Feb 2, 2015 at 21:33