I've Been Hacked!



On August 20, I received an email from my hosting provider (www.Arvixe.com) saying they had deleted something bad from my directory and I was likely part of a phishing scheme. When I went to the website, every page said "hacked by Hwins2005". Bummer...

So here I am on August 23, after 20 hours of deep dives into WordPress (opening more PHP files than God intended), a bit of Apache, and every tool cPanel offered, and I'M BACK! I still have a ticket with my provider which is making its way up the queue.

This is a record of those lovely hours. I hope it is helpful for anyone that has to go through it. First, however, is the emotional aspect... it is a mini version of a feeling I had many years ago when my house was broken into. A feeling of invasion, violation of personal space and anger. People have this feeling, and it is why privacy is manifesting itself politically, whether it's the NSA, Scott McNealy's 2009 quote "You Have Zero Privacy Anyway. Get Over It", or Facebook data-mining your friends to get a better credit score on you... GET THE F*%$ OUT OF HERE!

So here's what I did:

TRY TO FIX THE EXISTING SITE

  1. Read about the first 6 or 7 search items on "WordPress Hacked" (half were advertisements)
  2. Logged into wp-admin and realized that my backup settings were not scheduled and my backup was months old (while fearing I was doing something bad by logging in)... more Bummer
  3. Ran a backup because the searches said to
  4. Downloaded a malware plugin and ran it ( $ to get the fix-it plugin)
  5. Deleted that plugin then downloaded and ran another ( $ to get the fix-it plugin)
  6. Ditto for that plugin
  7. Spent some time cruising WP directories and opening files hoping for a Hail Mary
  8. Gave up

ABANDON THE EXISTING SITE AND REBUILD ON A STAGING SITE

  1. Decided to build a "staging version" and had always been intrigued by what the performance of a WordPress stack would be on my QNAP TS-419U II NAS
  2. Built a clean MySQL/WordPress/Apache stack on the QNAP and the performance SUCKED (minutes to do single-digit-second tasks on my hosting provider)!
  3. BTW I'm a BIG fan of QNAP and their hardware/software. This server has a Marvell 2GHz single-core processor and it just wasn't up to managing the RAID as well as the WP stack.
  4. Before the hack I was moving my trading code (C#.Net, C++, AmiBroker and Matlab) to the cloud using virtual machines in VirtualBox, mixing Win7 and CentOS. I intended to automate the configuration and provisioning with Vagrant.
  5. Great stuff, but realizing I was getting far away from fixing my blog, I gave up (ummm... more like postponed, to fix the specific instead of the general problem)

TRY TO FIX THE EXISTING SITE OR REBUILD AT THE HOSTING PROVIDER

  1. I started running phpMyAdmin, browsing the SQL tables, and removed a bunch of users, changed my admin account usernames and passwords, and changed the character code from UTC-7??? back to UTC-8.
  2. Deleted (not just de-activated) all plug-ins except the most basic.
  3. Without a terminal on cPanel to "grep" my way through all the WP files, I kept wondering how long it would take to build a diff tool to compare my site to the WP release on GitHub. Then I found Anti-Malware and Brute-Force Security by ELI. I installed and ran it.
  4. The plug-in did not find the problem but gave me about 10 suspect files. I opened them with the cPanel editor and pasted in the current Git versions. When saving, the editor informs you whether anything changed; two files had changed.
  5. The site and pages still redirected to the "hacked by Hwins2005" page. I figured if my PHP files were cool there must still be issues in the JavaScript
  6. I deleted my theme and reloaded it
  7. I'M BACK
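The diff tool wished for in step 3 above (the live site compared file by file against the release) does not have to be built from scratch; the script below is an added example, not the author's code and not part of any plugin mentioned on this page. It walks a WordPress tree and compares each core file's MD5 against a release manifest of the shape returned by https://api.wordpress.org/core/checksums/1.0/?version=...&locale=en_US, which is the same data WP-CLI's verify-checksums command uses. The manifest, the file contents, the injected redirect and the extra file name are all constructed here so the script runs offline; in practice you would fetch the manifest for your exact WordPress version and point verify_tree at the site root. It reports the three things a cleanup needs: core files whose hash differs, core files that are missing, and files that exist but were never shipped in the release, which is where dropped-in backdoors usually sit. wp-content is skipped because themes, plugins and uploads are not covered by the core manifest, which is why the theme reinstall in step 6 is still a separate job.

```python
"""Compare a WordPress tree against a release checksum manifest (added example).

The manifest shape mirrors https://api.wordpress.org/core/checksums/1.0/
({"checksums": {"relative/path": "md5hex"}}); everything below is constructed
inline so the script runs offline. File names, contents and the injected
file are made up for the demonstration.
"""
import hashlib
import os
import tempfile

# Constructed stand-in for a release: three "core" files and their hashes.
GOOD_CONTENT = {
    "wp-login.php": "<?php // clean login page\n",
    "wp-includes/functions.php": "<?php // clean core functions\n",
    "wp-admin/index.php": "<?php // clean admin index\n",
}
MANIFEST = {
    "checksums": {
        path: hashlib.md5(body.encode()).hexdigest() for path, body in GOOD_CONTENT.items()
    }
}

# Themes, plugins and uploads live here and are not part of the core manifest.
SKIP_TOP_LEVEL_DIRS = {"wp-content"}


def md5_file(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_tree(root, manifest):
    """Return sorted lists of modified, missing and unexpected relative paths."""
    expected = manifest["checksums"]
    seen = set()
    modified, unexpected = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            # Prune in place so os.walk never descends into wp-content.
            dirnames[:] = [d for d in dirnames if d not in SKIP_TOP_LEVEL_DIRS]
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            seen.add(rel)
            if rel not in expected:
                unexpected.append(rel)      # not shipped in the release at all
            elif md5_file(os.path.join(dirpath, name)) != expected[rel]:
                modified.append(rel)        # shipped, but contents differ
    missing = sorted(set(expected) - seen)
    return {"modified": sorted(modified), "missing": missing, "unexpected": sorted(unexpected)}


def build_demo_site(root):
    """Write a constructed site: one edited core file, one missing, one extra, one theme."""
    for rel, body in GOOD_CONTENT.items():
        if rel == "wp-admin/index.php":
            continue                        # deliberately left out to show "missing"
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    # Append an injected redirect to a core file (constructed, not real malware).
    with open(os.path.join(root, "wp-login.php"), "a") as fh:
        fh.write('<?php header("Location: http://example.invalid/"); ?>\n')
    # A file the release never shipped; its name is invented for the demo.
    with open(os.path.join(root, "wp-includes", "wp-cache-helper.php"), "w") as fh:
        fh.write("<?php // constructed sample of an unexpected file\n")
    # Theme content under wp-content must be ignored by the core check.
    os.makedirs(os.path.join(root, "wp-content", "themes"), exist_ok=True)
    with open(os.path.join(root, "wp-content", "themes", "style.css"), "w") as fh:
        fh.write("/* theme stylesheet */\n")


def run_demo():
    """Build the constructed site in a temp dir and verify it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_site(root)
        return verify_tree(root, MANIFEST)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

MD5 is used only because that is what the WordPress manifest provides; it is enough to catch edited and planted files, but file integrity says nothing about the database, so the unknown admin users and passwords handled in step 1 still have to be dealt with separately after the files are clean.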

Whew... I probably saved the $250 it would have cost to have someone clean it for me, and I learned a lot about WordPress' architecture and improved my cPanel and overall web stack chops. I'll be attempting to harden things more going forward.

Cheers,
