We have a site that has been the victim of some hacking attacks.
The attack is quite strange, at least for me. The hackers were able to upload a file with the filesman backdoor. Usually this backdoor is implemented somewhere in a source code/plugin/theme file. I had no idea how they managed to get that file in there. It was placed in the www-root.
So, we downloaded a brand new copy of WordPress, I checked the theme for obvious backdoors/vulnerabilities and so on, removed all files in the www-root, changed all the passwords (for MySQL, FTP etc.), removed all users in the DB and created a new admin user with a new 16-character password. We set the write permissions on ALL folders so that nobody except the owner could do anything, and set very restricted permissions in .htaccess. I also set define('DISALLOW_FILE_EDIT', TRUE); in wp-config.php. And we went live... And it was hacked again.
I did however look at the start page, hitting F5 to see if it went down, and suddenly I saw a file upload form at the top of the page. I have no clue how they managed to get that form there. How could they manage to get a form there?! The file edit was disabled? They ran the file, deleted all files and the whole DB and put a "hacked by.." index.html in the root.
So we did all the stuff mentioned above one more time, and set the DB user's permissions to read only. After that, they could not do anything (they could upload the file, though). And this obviously means that no one can update the page as well.
The only thing we did not re-create was the database. I did however try to read through it for strange stuff manually, but found nothing.
So, now I've created a new local database from scratch. At the host I've prepared a brand new database with this new stuff from my local machine. In this new DB I've manually copy/pasted all the pages (by clicking "create new page" for all pages). I've set another DB prefix. The theme is completely re-written and contains nothing strange at all. The default themes are removed.
The version we were using was 3.7 and the plugins were:
- Baw anti CSRF
- TinyMCE Advanced
- Display widgets
Now we're on WP 3.8 with the same plugins.
Are there any known issues with these plugins? Is there any function in the theme that I could be using wrong, exposing this vulnerability?
We're trying to get this stuff online in some hours. If there was a backdoor vulnerability left, my guess would be that it was somewhere in the DB. Which is brand new this time.
If this fails again, what would my next step be? Changing the host?! We were in contact with them to see if there was anything bad with the account, but they said it all looked all right. If it was my own web server I would re-install it. But we don't have that option now.
Any help at all is appreciated.
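One thing that would have answered the "how did that file get there" and "where did that form come from" questions in the post is a file-integrity baseline of the www-root taken right after the clean deploy, then re-hashed after every incident. The script below is an added example, not code from the post; it builds a constructed mini web root in a temp directory, records a baseline, simulates a dropped file plus an edited theme file, and reports exactly which paths changed.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative path: sha256} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = str(path.relative_to(root))
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_trees(baseline, current):
    """Compare two hash maps. 'added' files in the web root are the first thing to inspect."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed mini web root: clean baseline, then a dropped file and an edited theme file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "site"
        theme.mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DISALLOW_FILE_EDIT', TRUE);\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (theme / "header.php").write_text("<header></header>\n")
        before = hash_tree(root)  # baseline: taken right after the clean deploy

        # Simulate what the post describes: a new file in the root and an injected form.
        (root / "dropped.php").write_text("<?php /* constructed placeholder file */\n")
        (theme / "header.php").write_text("<header><form></form></header>\n")
        after = hash_tree(root)
        return diff_trees(before, after)


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server cannot write to (a separate host or read-only storage), since anything kept inside the www-root can be altered by whoever dropped the file in the first place.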