Richard Korts

asked on

Website Hacked?

It appears our congregation website may have been hacked. It's a WordPress site. The words "Bitcoin Digital" appear on every page with a link to https://cryptominded.com/bitcoin-digital-review-legal-or-scam/.

Is this a scam & if so how do we get rid of it?

Thank you
Bembi

I cannot see that there is any connection between WordPress and this page, so possibly a scam.
As it is on every page, your stylesheets may be writable and were used to change the content.
But not quite easy to say without seeing it.
Richard Korts (ASKER)

Our website is www.chaliceuucongregation.org. It is on the main page near the upper right. It is in various places on other pages (the minister says on ALL pages).
Kimputer

Did you already fix it? I don't see it anywhere. Though that might be the hack's special way to exclude some specific visitors.
Anyway, steps to take:

- Change all ISP and hosting related passwords: logging into the cPanel, FTP, etc. etc.
- Restore all web server files. Restore the database backup.
- Update EVERYTHING possible: WP version, plugins etc. etc., even the theme used, if there's an update available.

Then it's time to investigate the logs; maybe it will give you a clue on the attack vector. If possible, ask your hoster for some extra help. In case the hoster gets flooded with problems, sometimes the attack vector is actually through them.
Kimputer,

Thanks. It is still there for me. It melds in very easily. It is right after the words “a regular spiritual practice” on the home page. It is in the exact red color on the pages.

I can probably do all you suggest, having trouble contacting the host, Saturday night, etc. My cPanel password does not work, etc.

Thanks for your inputs.

Richard
On the main page, the source looks like this...

(screenshot of the page source)

It looks like it is added on every page after the first text block.
But no special formatting or similar.

This page is interesting... (as it is empty)....
https://chaliceuucongregation.org/worship-2/weddings/

Here you see the "Upcoming Worship Service" block is affected, while on other pages this block is not affected.
So it happens exactly once per page. And that means there is a kind of system behind it.

I would now do the following:
besides the cleanup...
- You should search the folder structure in WordPress to see if you find the sequence of the URL, i.e. cryptominded or bitcoin.
As I see only the result coming out of WordPress, it may be connected somewhere to a template or similar.
- Check again the folder permissions according to the install instructions of WordPress. If the folder permissions are different, check all files with a newer date inside this folder which look unusual.
- Make sure your user ID and password for administration are not weak; better to change them.
- Review recent changes, i.e. templates, themes etc. or whatever was changed shortly.
- Also check the WordPress plugins and the corresponding configuration.
- Review the articles just to verify if the link comes up from the content or is connected to a more basic part of WordPress (Styles, Themes, Templates etc.)

This may lead you to the way they injected your site.
And also give you a hint whether you can easily remove it or have to change every single site.
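The checks in the list above (search the tree for the injected URL string, look for recently changed files, compare folder permissions against the WordPress defaults) can be scripted. This is an added example, not code from the thread; the WordPress-like tree it builds with setup_sample_site is constructed for demonstration, and on a real host the three functions would be pointed at the site's document root instead.

```shell
#!/bin/sh
# Added example, not from this thread: a read-only triage pass over a WordPress
# tree that (1) searches for the injected URL string, (2) lists recently
# changed files and (3) flags paths writable by anyone. The tree built by
# setup_sample_site is constructed for demonstration; point the functions at
# the real document root instead.

# find_marker DIR PATTERN: text files under DIR containing PATTERN (case-insensitive)
find_marker() {
    grep -rIil -e "$2" "$1" 2>/dev/null | sort
}

# recent_files DIR DAYS: regular files modified within the last DAYS days
recent_files() {
    find "$1" -type f -mtime "-$2" | sort
}

# loose_perms DIR: files or directories writable by "others" (WordPress docs recommend 644/755)
loose_perms() {
    find "$1" \( -type f -o -type d \) -perm -002 | sort
}

# triage_report DIR PATTERN DAYS: print the three lists with headings
triage_report() {
    echo "== files containing '$2' =="; find_marker "$1" "$2"
    echo "== files changed in the last $3 days =="; recent_files "$1" "$3"
    echo "== world-writable paths =="; loose_perms "$1"
}

# setup_sample_site: build a small constructed WordPress-like tree and print its path
setup_sample_site() (
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/demo-theme" "$root/wp-content/plugins/demo-plugin" \
             "$root/wp-content/uploads"
    # clean theme file, untouched since 2020
    printf '%s\n' '<?php // theme bootstrap' > "$root/wp-content/themes/demo-theme/functions.php"
    touch -t 202001010000 "$root/wp-content/themes/demo-theme/functions.php"
    # freshly dropped plugin file carrying the spam link seen on the site
    printf '%s\n' "<?php echo '<a href=https://cryptominded.com/>Bitcoin Digital</a>';" \
        > "$root/wp-content/plugins/demo-plugin/inject.php"
    # uploads directory left world-writable
    chmod 777 "$root/wp-content/uploads"
    echo "$root"
)

SITE=$(setup_sample_site)
triage_report "$SITE" cryptominded 7
```

Any file the first list reports that is not part of the content you wrote, and any recent change you did not make yourself, is where the cleanup should start.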

Fellow UU here.

Yes, the site was hacked. Pretty common with WordPress sites. It often happens due to an insecure WordPress plugin.

Do you have a complete backup of all pages? Ideally the site would be wiped, and reloaded clean with updated plugins.
I agree with kevinhseih.  Any time you get hacked you are always best to delete the entire site; this includes removing WordPress completely and then performing a fresh installation.  You simply have no way of knowing what else was compromised and what other treasures they've left behind, backdoors, ...
ASKER CERTIFIED SOLUTION
David Favor
Kevinhseih,

We have plenty of backups, our hosting company thinks it’s coming from one post.

Our minister told me this PM that some other UU congregations were experiencing the same issue. We use the UUA template. Seems it might be coming from a plug-in. She asked me to hold off on a restore from a backup. We will certainly change logon credentials for cPanel, WordPress, etc.

So it’s still up in the air.
Unfortunately... CPanel is a common exploit vector where hackers gain site control.

I avoid all Panel systems, as they're too permeable to hackers.

If you're using CPanel, at least install the latest version... which of course... will usually crash all your sites, till you figure out what's changed in CPanel... then... accommodate all CPanel changes...

Just remember, primary focus is to find + fix all the potential ways hackers are accessing your site, else you'll do a cleanse, then shortly thereafter the site will be hacked again.
CPanel should only be available on the Internal IPs, not on public facing IPs.

What version of WordPress do you have?  You may need to update to a newer version to remove the security hole.

You likely just have a php script that's producing that code and just need to remove it.  These types of hacks don't always need a wipe and replace.
To all,

The Minister removed a plugin & the Bitcoin link is gone.

So I could say we "found our own solution", but I appreciate all your participation so I will give all of you recognition.

Richard
Be careful, since your site was compromised you have no way of knowing to what extent.  You truly should be starting over with a fresh install.  Just removing a plugin thought to be the original source does not by any means guarantee your site to be clean/safe in any way.
As @Daniel Pineault mentioned... Just removing a plugin... is likely a flag to the hacker to take down the site in far more drastic ways.

Tip: Reinstall the plugin immediately (before hacker notices), then fully cleanse the site.

It's doubtful... removing a plugin... or any other simple measure... will cleanse every site backdoor.
Thanks for your comments.

I have conveyed them to the minister, it is her decision.

Richard
Do you know which plugin it was that has been compromised?

@Richard, you're correct...

The customer is always right... even when they're wrong... :-)
David Favor,

The Minister is a micromanager & holds all the details of managing the content & updates of the congregation web site to herself. She only brings me in if there is a problem. You can lead a horse to water but you cannot make it drink.

I have to try to stay in good stead with her for many reasons that go WAY beyond the web site.

Richard
Yep.

Hang in there.

Tip: I never say "No" to any client request.

I just point out the various options of pain versus full cost (sometimes over years).

Then kick back with popcorn + watch the show.
David,

Yeah, wish it was that simple.

I told her the MINIMUM we should do is change the WP login passwords & the cpanel password. No response yet. But Monday is her day off (after Sunday being a work day), she may come around. In fairness to her, she has a lot of things she needs to tend to with some congregants in Hospice care or with other issues.
"The Tao of Micromanagers."

I tend to... refer this type of client to a competitor, as I know the day will come... when a project circles the drain... usually in the middle of the night or when... the Micromanager is vacationing... and all I can do is watch the project burn to the ground...

Hang in there!