How to fix WordPress website if it says hacked by dr.m1st3r


Recently, on a client site, some of the pages were suddenly showing “hacked by dr.m1st3r”, and that happened in the blink of an eye, as I was working on localhost after transferring the site from live.

I googled and came across an article, https://thepersonalblog.com/sites-hacked-by-dr-mister-dr-m1st3r/, which saved me from more research into how to fix this hack. The “[New!] Easier Fix For Hack” point from that article worked for me: the malicious code was JavaScript and was inside a widget on the backend, like the below screenshot.


I am copy pasting the whole article below:

Sites Hacked By Dr Mister (dr.m1st3r)

Just got off the Grand Canyon (16 day river trip) and I knew there would be much shit to deal with when I return back into society. The one thing I wasn’t ready for was having to deal with hacked sites. The sites that got hacked weren’t major sites, and not the sites that really get me paid (thank god, I don’t want tanked SEO!) but it’s a major inconvenience just the same. Luckily none of my clients’ sites were hacked either.

Only Sites On A2 Hosting Were Hacked

I don’t know how relevant this is, but it was only my sites hosted on A2 Hosting that were affected. None of my sites on HostGator were hacked. This might be a coincidence, but it makes me wonder if either A2 Hosting was being targeted, or if there’s a vulnerability with the solution. I only recently switched to A2 Hosting after the “#HostgatorDown” incident, where basically all the HostGator reseller plans had gone offline. After this event (and the serious lack of concern from the support ticket I created) I’m 99% sure I’m going to be switching over to SiteGround, which is EIG free (never go with an Endurance International Group company) and has come highly recommended by some local web developers that I highly trust.

All Hacked Sites Were WordPress Sites

I don’t know if there’s a vulnerability in the WordPress platform that the hacker managed to exploit or not. It might just be a coincidence and if the site was HTML, PHP or a different CMS, who knows whether they’d also be hacked, or if it would have only been the WordPress sites.

Softaculous Causing Security Risks?

These WordPress sites were also all created using Softaculous. Softaculous is an auto-installer for WordPress. Doing some Googling, it appears that software installers might be capable of creating security risks. It’s worth mentioning, and I highly doubt I’ll ever do any WordPress installs outside of manual installs again. Not saying this is for sure why this happened, but it’s at least worth pondering.

About The Hack

Only the sites that were upgraded to the latest version of WordPress were “100% affected”. The other sites just had some funkiness to them. The latest WordPress sites would display nothing but a link to Dr. Mister’s Facebook page (fb.com/dr.m1st3r). The ones that weren’t updated to the fullest version had some funkiness, such as messed up widget areas, a modified site-name that seemed to be a piece of broken code and other quirks. I updated one site to the latest WordPress version, hoping it’d replace the core files necessary to fix the quirks. As soon as I updated to version 4.2.1, the site was suddenly displaying nothing but the “fb.com/dr.m1st3r”.

Was The Attack Targeted / Malicious?

I’m hoping the attack wasn’t directed at me and malicious in nature. I’m assuming if Dr. Mister was targeting me specifically, all my sites would be #TangoDown. I’m assuming that it’s a random thing and I’m willing to assume many sites outside of mine were affected as well.

[New!] Easier Fix For Hack

Turns out it’s some malicious code inside of a widget. Deleting that widget will solve the issue. Note: Taking the widget out of an active widget space isn’t enough! In order for this to work you must delete the widget completely.

How To Fix The WordPress Hack

The hack wasn’t that difficult to recover from. The key part is making sure you don’t lose content. Here are the steps I took to fix the hack:

  1. Zip / download the “wordpress-content” file – This is the file that contains all themes, plugins and file uploads. It’s very important to maintain this, as if it’s overwritten, you’ll lose all your uploaded content.
  2. Export WordPress XML file – place the “/wp-admin/” into your admin bar and you’ll still be able to access the admin dashboard. Export the WordPress XML file.
  3. Reinstall WordPress – I originally tried tinkering with replacing individual PHP files to try to figure out what file was causing the “fb.com/dr.m1st3r”. Eventually I just said screw it, cause I knew this method would work as well. Requires tinkering with some site settings again, but it’s kind of whatever.
  4. Replace “wp-admin” folder – Replace the “wp-admin” folder from the new install with the previous one. I did this prior to uploading the WordPress folder to my site, but it can be replaced afterwards as well.
  5. Create new database – I didn’t know if it could have been an SQL hack or not, but I figured I’d be safe and create a new SQL database. This might not be required, but it was simple enough that I just did it.
  6. Import WordPress XML file – This will upload all your content.
  7. Tweak WordPress settings – You’ll have to retweak all the settings such as widget, site name, permalinks, etc. This was the most annoying part.
  8. Run a broken link check – There are multiple WordPress plugins that can do this. I was using a 301 redirect plugin on one site and lost all my 301s. The broken link checker helped me find and recover this.
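
The “Easier Fix” above depends on finding the widget that holds the injected JavaScript, including one parked in the inactive widgets area. The following is an added example, not code from either article: a Python check that assumes the code sits in a Text widget (the `widget_text` option) and that you have exported `widget_text` and `sidebars_widgets` as JSON with WP-CLI. The sample data and the pattern list are constructed for illustration.

```python
import json
import re

# Heuristic markers for script injection in a text widget; tune per site.
SUSPICIOUS = re.compile(
    r"<\s*script\b|<\s*iframe\b|javascript:|document\.write|eval\s*\(|fromCharCode",
    re.IGNORECASE,
)

# Constructed sample data, shaped like the output of
#   wp option get widget_text --format=json
#   wp option get sidebars_widgets --format=json
SAMPLE_WIDGET_TEXT = """{
  "2": {"title": "About", "text": "Family-run shop since 1998.", "filter": false},
  "3": {"title": "", "text": "<script>/* constructed placeholder */</script>", "filter": false},
  "_multiwidget": 1
}"""
SAMPLE_SIDEBARS = """{
  "wp_inactive_widgets": ["text-3"],
  "sidebar-1": ["search-2", "text-2"],
  "array_version": 3
}"""

def locate(widget_id, sidebars):
    """Return the sidebar that lists widget_id, or 'orphaned' if none does."""
    for sidebar, members in sidebars.items():
        if isinstance(members, list) and widget_id in members:
            return sidebar
    return "orphaned"

def scan_text_widgets(widget_text_json, sidebars_json):
    """Flag text-widget instances whose title or body matches SUSPICIOUS."""
    widgets = json.loads(widget_text_json)
    sidebars = json.loads(sidebars_json)
    findings = []
    if not isinstance(widgets, dict):        # an empty option exports as []
        return findings
    for number, inst in widgets.items():
        if not isinstance(inst, dict):       # skips the "_multiwidget" marker
            continue
        blob = f"{inst.get('title', '')}\n{inst.get('text', '')}"
        hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(blob)})
        if hits:
            wid = f"text-{number}"
            findings.append({"widget": wid, "sidebar": locate(wid, sidebars), "matched": hits})
    return findings

if __name__ == "__main__":
    for f in scan_text_widgets(SAMPLE_WIDGET_TEXT, SAMPLE_SIDEBARS):
        print(f"{f['widget']} in {f['sidebar']}: {f['matched']} -> review, then delete it")
```

A hit under `wp_inactive_widgets` is the case the note above warns about: the widget is out of the active area but its content is still stored, so it has to be deleted outright (for example with `wp widget delete text-3`).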


13 thoughts on “How to fix WordPress website if it says hacked by dr.m1st3r”

  1. This is the right blog for anyone who wants to find out about this topic. You realize so much it’s almost hard to argue with you (not that I actually would want…HaHa). You definitely put a new spin on a topic that’s been written about for years. Great stuff, just great!

  2. I seriously love your website.. Very nice colors & theme. Did you develop this web site yourself? Please reply back as I’m attempting to create my very own website and would love to find out where you got this from or exactly what the theme is called. Appreciate it!

  3. Somebody essentially help to make seriously posts I would state. This is the very first time I frequented your website page and thus far? I surprised with the research you made to create this particular publish extraordinary. Fantastic job!

  4. I have been exploring for a little bit for any high-quality articles or weblog posts on this kind of space. Exploring in Yahoo I ultimately stumbled upon this site. Studying this info So I’m glad to convey that I have an incredibly just right uncanny feeling I came upon exactly what I needed. I most unquestionably will make sure to do not fail to remember this website and give it a glance on a constant basis.

  5. When I originally commented I clicked the -Notify me when new comments are added- checkbox and now each time a comment is added I get four emails with the same comment. Is there any way you can remove me from that service? Thanks!

  6. Hi! I know this is somewhat off topic but I was wondering if you knew where I could get a captcha plugin for my comment form? I’m using the same blog platform as yours and I’m having problems finding one? Thanks a lot!

  7. I’m really enjoying the theme/design of your web site. Do you ever run into any internet browser compatibility issues? A couple of my blog visitors have complained about my blog not working correctly in Explorer but looks great in Firefox. Do you have any recommendations to help fix this problem?

  8. Interesting blog post. Some tips I would like to make contributions about is that PC memory should be purchased should your computer can no longer cope with everything you do along with it. One can put in two RAM boards with 1GB each, in particular, but not one of 1GB and one of 2GB. One should check the manufacturer’s documentation for one’s PC to make sure what type of memory is necessary.

  9. I’m very happy to read this. This is the kind of manual that needs to be given and not the random misinformation that’s at the other blogs. Appreciate your sharing this best doc.

  10. Do you mind if I quote a few of your articles as long as I provide credit and sources back to your blog? My website is in the exact same niche as yours and my users would certainly benefit from a lot of the information you present here. Please let me know if this okay with you. Thank you!
