Recently, on a client site, some of the pages suddenly showed as hacked by dr.m1st3r, and that happened in the blink of an eye, as I was working on localhost after transferring the site from live.
I am copy-pasting the whole article below:
Sites Hacked By Dr Mister (dr.m1st3r)
Just got off the Grand Canyon (16 day river trip) and I knew there would be much shit to deal with when I returned back into society. The one thing I wasn’t ready for was having to deal with hacked sites. The sites that got hacked weren’t major sites, and not the sites that really get me paid (thank god, I don’t want tanked SEO!) but it’s a major inconvenience just the same. Luckily none of my clients’ sites were hacked either.
Only Sites On A2 Hosting Were Hacked
I don’t know how relevant this is, but it was only my sites hosted on A2 Hosting that were affected. None of my sites on HostGator were hacked. This might be a coincidence, but it makes me wonder if either A2 Hosting was being targeted, or if there’s a vulnerability with the solution. I only recently switched to A2 Hosting after the “#HostgatorDown” incident, where basically all the HostGator reseller plans had gone offline. After this event (and the serious lack of concern from the support ticket I created) I’m 99% sure I’m going to be switching over to SiteGround, which is EIG-free (never go with an Endurance International Group company) and has come highly recommended by some local web developers that I highly trust.
All Hacked Sites Were WordPress Sites
I don’t know if there’s a vulnerability in the WordPress platform that the hacker managed to exploit or not. It might just be a coincidence, and if the site was HTML, PHP or a different CMS, who knows whether it would also have been hacked, or if it would have only been the WordPress sites.
Softaculous Causing Security Risks?
These WordPress sites were also all created using Softaculous. Softaculous is an auto-installer for WordPress. Doing some Googling, it appears that software installers might be capable of creating security risks. It’s worth mentioning, and I highly doubt I’ll ever do any WordPress installs outside of manual installs again. Not saying this is for sure why this happened, but it’s at least worth pondering.
About The Hack
Only the sites that were upgraded to the latest version of WordPress were “100% affected”. The other sites just had some funkiness to them. The latest WordPress sites would display nothing but a link to Dr. Mister’s Facebook page (fb.com/dr.m1st3r). The ones that weren’t updated to the fullest version had some funkiness, such as messed up widget areas, a modified site name that seemed to be a piece of broken code and other quirks. I updated one site to the latest WordPress version, hoping it’d replace the core files necessary to fix the quirks. As soon as I updated to version 4.2.1, the site was suddenly displaying nothing but the “fb.com/dr.m1st3r”.
Was The Attack Targeted / Malicious?
I’m hoping the attack wasn’t directed at me and malicious in nature. I’m assuming if Dr. Mister was targeting me specifically, all my sites would be #TangoDown. I’m assuming that it’s a random thing and I’m willing to assume many sites outside of mine were affected as well.
[New!] Easier Fix For Hack
Turns out it’s some malicious code inside of a widget. Deleting that widget will solve the issue. Note: Taking the widget out of an active widget space isn’t enough! In order for this to work you must delete the widget completely.
How To Fix The WordPress Hack
The hack wasn’t that difficult to recover from. The key part is making sure you don’t lose content. Here are the steps I took to fix the hack:
- Zip / download the “wordpress-content” file – This is the file that contains all themes, plugins and file uploads. It’s very important to maintain this, as if it’s overwritten, you’ll lose all your uploaded content.
- Export WordPress XML file – place the “/wp-admin/” into your admin bar and you’ll still be able to access the admin dashboard. Export the WordPress XML file.
- Reinstall WordPress – I originally tried tinkering with replacing individual PHP files to try to figure out what file was causing the “fb.com/dr.m1st3r”. Eventually I just said screw it, cause I knew this method would work as well. Requires tinkering with some site settings again, but it’s kind of whatever.
- Replace “wp-admin” folder – Replace the “wp-admin” folder from the new install with the previous one. I did this prior to uploading the WordPress folder to my site, but it can be replaced afterwards as well.
- Create new database – I didn’t know if it could have been an SQL hack or not, but I figured I’d be safe and create a new SQL database. This might not be required, but it was simple enough that I just did it.
- Import WordPress XML file – This will upload all your content.
- Tweak WordPress settings – You’ll have to re-tweak all the settings such as widgets, site name, permalinks, etc. This was the most annoying part.
- Run a broken link check – There are multiple WordPress plugins that can do this. I was using a 301 redirect plugin on one site and lost all my 301s. The broken link checker helped me find and recover this.
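The “easier fix” above says the payload lived inside a widget, and widget contents are not in the theme or core files at all: they are PHP-serialized values in the wp_options table (widget_text and friends). The script below, an added example that is not part of the original post, parses such a value and reports which widget instance carries suspicious markup, so you know exactly which widget to delete instead of reinstalling. The SUSPICIOUS pattern list and the sample option value are constructed for this example; only the fb.com/dr.m1st3r indicator comes from the post.

```python
import re

# Patterns a legitimate text widget should never contain (assumed list; extend as needed).
SUSPICIOUS = [r"<script\b", r"<iframe\b", r"eval\s*\(", r"base64_decode", r"fb\.com/dr\.m1st3r"]

def php_unserialize(data: bytes, pos: int = 0):
    """Minimal parser for the PHP-serialized subset WordPress uses for widget options
    (a: array, s: string, i: int, b: bool, N: null). Returns (value, next_offset)."""
    t = data[pos:pos + 1]
    if t == b"N":                                   # 'N;'
        return None, pos + 2
    if t in (b"i", b"b"):                           # 'i:42;' or 'b:1;'
        end = data.index(b";", pos)
        n = int(data[pos + 2:end])
        return (bool(n) if t == b"b" else n), end + 1
    if t == b"s":                                   # 's:5:"About";' (length is in bytes)
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                           # skip ':"'
        return data[start:start + length].decode("utf-8", "replace"), start + length + 2
    if t == b"a":                                   # 'a:3:{key;value;...}'
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                             # skip ':{'
        out = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            out[key], pos = php_unserialize(data, pos)
        return out, pos + 1                         # skip '}'
    raise ValueError(f"unsupported type {t!r} at offset {pos}")

def find_suspicious_widgets(option_value: bytes):
    """Map widget instance index -> first matching pattern, for a widget_* option value."""
    widgets, _ = php_unserialize(option_value)
    hits = {}
    for idx, inst in widgets.items():
        if not isinstance(inst, dict):              # skip the '_multiwidget' marker entry
            continue
        blob = " ".join(str(v) for v in inst.values())
        for pat in SUSPICIOUS:
            if re.search(pat, blob, re.IGNORECASE):
                hits[idx] = pat
                break
    return hits

# Constructed sample of a wp_options 'widget_text' value: instance 2 is clean, instance 3 is injected.
SAMPLE = (b'a:3:{i:2;a:3:{s:5:"title";s:5:"About";s:4:"text";s:18:"Welcome to my site";s:6:"filter";b:0;}'
          b'i:3;a:3:{s:5:"title";s:0:"";s:4:"text";s:44:"<a href="http://fb.com/dr.m1st3r">hacked</a>";s:6:"filter";b:0;}'
          b's:12:"_multiwidget";i:1;}')

if __name__ == "__main__":
    for idx, pat in find_suspicious_widgets(SAMPLE).items():
        print(f"widget_text[{idx}] matches {pat!r}: delete this widget instance, not just unassign it")
```

In practice feed it the option_value column of `SELECT option_name, option_value FROM wp_options WHERE option_name LIKE 'widget_%'`, and remember that a widget moved to the “Inactive Widgets” area keeps its instance in this table, which is why the post says the widget must be deleted outright.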