Sealight Hack Restore steps

My site got hacked by software-id.ru, or by someone pointing there. I root-caused it all to the use of "Sealight", a very popular theme by WooThemes.com. The issue is pretty much unnoticeable if you don't have a "catch-all" address on your email domain, as I did.
I received emails addressed to customer@, news@, consumer@mydomain.com and so on at a rate of 100+/hr; many went to the spam folder, but many stayed in my inbox.

Amazingly, I was able to restore the site and get rid of the infection.
First, check your access_log for any requests to "yahoolinks.php" or "sm3pg7.php".
If you find any, you are infected. The solution steps are quite simple:
1) Download WordPress again: https://wordpress.org/latest.zip
2) You need to use the command line, since the malware also tampered with the wp-admin management pages and you cannot turn plugins on or off from there.
3) Copy your wp-config.php file to a safe location. Before you reuse it, open it and check that it contains only your own settings (database credentials, salts, table prefix) and no code you did not put there; an attacker who could write into the theme directory could have edited this file too.
4) You may lose all your plugins and need to add them again later.
 cd /var/www/html
 cp mydomain.com/wp-config.php /tmp/wp-config.php
 mv mydomain.com mydomain.old.com
 unzip /tmp/latest.zip            # the download from step 1; it extracts to ./wordpress
 mv wordpress mydomain.com
 cp /tmp/wp-config.php mydomain.com/
and the site is restored. Keep mydomain.old.com around (outside the web root, if you can move it there) until you have recovered any uploads you need from it and finished looking at what was changed.
Check: you will then see entries like these in your Apache error_log:

[Fri Sep 02 08:52:27 2011] [error] [client 87.1.36.191] File does not exist: /home/87694/domains/www.ramobitech.com/html/wp-content/themes/sealight/sm3pg7.php
[Fri Sep 02 08:52:58 2011] [error] [client 93.56.179.192] File does not exist: /home/87694/domains/www.ramobitech.com/html/wp-content/themes/sealight/sm3pg7.php
[Fri Sep 02 08:53:19 2011] [error] [client 217.201.55.206] File does not exist: /home/87694/domains/www.ramobitech.com/html/wp-content/themes/sealight/sm3pg7.php
[Fri Sep 02 08:53:28 2011] [error] [client 151.26.73.78] File does not exist: /home/87694/domains/www.ramobitech.com/html/wp-content/themes/sealight/sm3pg7.php
These 404s mean the attackers are still requesting the backdoor, but the file no longer exists; at that point you can consider the site clean of this particular problem.
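The two log checks in this post (requests to yahoolinks.php or sm3pg7.php in access_log before the restore, and the "File does not exist" 404s in error_log after it) can be scripted. The script below is an added example, not part of the original post; the log lines in it are constructed samples using documentation IP ranges and the paths from this post, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: scan Apache logs for the two
# backdoor filenames the post names (yahoolinks.php, sm3pg7.php) and report
# which client IPs reached them. All log lines below are constructed samples.

# Constructed access_log lines (combined format). Before the restore, the
# backdoor answers 200; a 404 means the file is already gone.
SAMPLE_ACCESS_LOG=$(cat <<'EOF'
203.0.113.10 - - [02/Sep/2011:08:50:01 +0000] "POST /wp-content/themes/sealight/sm3pg7.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Sep/2011:08:50:22 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Sep/2011:08:51:05 +0000] "GET /wp-content/themes/sealight/yahoolinks.php?page=3 HTTP/1.1" 200 2048 "-" "curl/7.21.0"
192.0.2.44 - - [02/Sep/2011:08:52:27 +0000] "GET /wp-content/themes/sealight/sm3pg7.php HTTP/1.1" 404 204 "-" "Mozilla/4.0"
EOF
)

# Constructed error_log lines of the shape quoted in the post, as seen after
# the restore: the requests keep coming but the file does not exist any more.
SAMPLE_ERROR_LOG=$(cat <<'EOF'
[Fri Sep 02 08:52:27 2011] [error] [client 203.0.113.10] File does not exist: /var/www/html/mydomain.com/wp-content/themes/sealight/sm3pg7.php
[Fri Sep 02 08:52:58 2011] [error] [client 192.0.2.44] File does not exist: /var/www/html/mydomain.com/wp-content/themes/sealight/sm3pg7.php
[Fri Sep 02 08:53:19 2011] [error] [client 203.0.113.10] File does not exist: /var/www/html/mydomain.com/wp-content/themes/sealight/yahoolinks.php
[Fri Sep 02 08:53:28 2011] [notice] caught SIGTERM, shutting down
EOF
)

# Read access_log lines on stdin; print "<hits> <ip> <file> <status>" for every
# request to one of the indicator files, most frequent first.
scan_access_log() {
    grep -E '(yahoolinks|sm3pg7)\.php' \
    | awk '{
        path = $7                      # request path in combined log format
        sub(/\?.*/, "", path)          # drop any query string
        n = split(path, parts, "/")
        print $1, parts[n], $9         # client ip, file name, HTTP status
      }' \
    | sort | uniq -c | sort -rn
}

# Read error_log lines on stdin; print the distinct client IPs still probing
# for the indicator files (the expected post-restore picture: all 404s).
scan_error_log() {
    grep -E 'File does not exist: .*(yahoolinks|sm3pg7)\.php' \
    | sed -E 's/.*\[client ([0-9.]+)\].*/\1/' \
    | sort -u
}

# Number of distinct IPs that got a 200 from a backdoor file in the sample:
# anything above zero means the backdoor was live, so rebuild rather than patch.
count_live_backdoor_ips() {
    printf '%s\n' "$SAMPLE_ACCESS_LOG" | scan_access_log \
    | awk '$4 == 200 { print $2 }' | sort -u | wc -l | tr -d ' '
}

# Number of distinct IPs still probing in the error_log sample.
count_probing_ips() {
    printf '%s\n' "$SAMPLE_ERROR_LOG" | scan_error_log | wc -l | tr -d ' '
}

echo "access_log hits (count ip file status):"
printf '%s\n' "$SAMPLE_ACCESS_LOG" | scan_access_log
echo "IPs still probing for the backdoor after the restore:"
printf '%s\n' "$SAMPLE_ERROR_LOG" | scan_error_log
```

On a real host, source the script and feed it your own logs, e.g. scan_access_log < /var/log/apache2/access_log (adjust the path to where your Apache writes). A 200 against either filename in access_log is the "you are infected" signal from the start of the post; once only 404s remain in error_log, the probes are hitting a file that is no longer there.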
I suggest you upgrade your Sealight theme and change all the passwords you used for your databases, as well as any other credentials stored in your plugins.
