IndoXploit – WordPress Hackers
by Bernd Hansen
Went to start work on a client’s live WordPress site this morning, and was met with a message something like “hacked by IndoXploit” when I tried to login to the admin dashboard. So here’s the scoop, including recovery steps, for anyone faced with aÂ similar problem.
Step 1: Google “IndoXploit”. The search came up with less helpful results than I had hoped for, but they DID tell me that WordPress installations were one of the favorite targets of this hacker group based in Indonesia. They even have their own website. Brazen.
Step 2: Identify the changes the hack made to website files/folders, and database entries. I found a bunch of files and folders that had been added, and deleted everything I could spot. They had changed my user account in the database, so I cleared their entry, and put in a new one so I could have a login route. I also zipped the complete website on the server, downloaded the zip file to my local computer, and then did a text search of the files for the word “indoxploit”. Found a plugin file that had been hacked, deleted it, and replaced it with an older, safe version. All these changes let me finally log into the dashboard.
Step 3. Look for clues in the server logs. I downloaded the server logs for the past several days, and found entries of activities done by the hacker. They gave me additional clues into what had happened.
Step 4: I removed a plugin that MAY have had a vulnerability that the hacker was able to exploit. (We’ll see). I also blacklisted the hacker’s ip address range in the firewall settings in the hosting account. I also installed a plugin that helped identify possible security vulnerabilities, and tightened them up. It will also do regular scans of the files and database, and email me any reports of suspicious activity, (It’s a well-reviewed, highly used security module for WordPress). I also installed a module that hides the login page from users that don’t know its exact location, and also includes a number of protections against brute force attacks.
Conclusion: protecting against hackers is a bit like military strategy – you use the tried and true best you can, make sure you have a warning system in place in case attacks are attempted in the future, do your research and implementations, and then cross your fingers – and hope that all your efforts have real and positive results.
Time will tell! Will post updates as needed, or desired.
May 5, 2018
October 7, 2017
February 4, 2016