When someone says hacking you probably think of an old movie like War Games and a kid in some dark room typing on a keyboard really fast, right? Well not to discuss that stereotype, these days most of the hacking is done by bots and not actual humans. These days attacks are run by computers that run mostly simple security checks on millions of websites in order to explore any vulnerability.

Is Indexploit Hack also done by machines? Yes it is

What is Indoxploit Hack?

Indoxploit shell (also known as IndoXploit WordPress Auto Deface) is a PHP-based backdoor that allows any experienced programmer to bypass the Linux server’s security effectively. Indoxploit web shell is often used to hack into CMS and as the most popular among them – WordPress itself.

How do i know if my site is hacked using Indoxploit method?

If your WordPress website was hacked using the indexploit method, you should see a new file on your server in the uploads folder called indoxploit.php.

If unfortunately, you have this file on your web server, your first step should be to:

write down the date of the file creation and look for any other files with the same date.

At the same location where you’ve found the indexploit.php file, the script will automatically install adminer.php on your server. delete it immediately.

Features of IndoXploit IDX Shell WordPress hack 

•      Capable of mass defacements.
•      The ability to crack passwords of cPanel.
•      A capability of reading files.
•      Possible mass submissions to Zone-H.
•      Option to leap into different user accounts. 

After you have removed both indexloit.php and adminer.php files you should also check any other files that were modified at the same time as these two were created. Now you need to have a closer look, through the server, at two key things, i.e. the time and date of the entry.

Check for any suspicious or encrypted code that doesn’t look like its part of the WordPress itself and if you find it, simply replace that file with the original file from WordPress.org

In most cases, after the hacker places indexploit.php file on your server he password protects it to lock anyone out from exploring the same weakness as he did, and give the password to potential buyers in the future.

Another giveaway that your website is hacked using the Indexploit IDX Shell hack is a new folder named idx_config which will hold the content form of configuration files of all the WordPress installations on that cPanel account that the IDX can discover. Also, this indoxploit shell also saves the content as .txt files in the same folder.

Various Stages

1.      To install the web shell, a hacker uses a misconfigured server or outdated software (abandoned WordPress plugin, nulled theme, etc.)
2.      The next step for a hacker is to establish a connection with the web shell and grant access to upload any type of files to the webserver.
3.     The final step is a confirmation message from your webserver telling the hacker that the upload was either a success or a failure.

What are the symptoms of an affected website?

If your website gets hacked, there are certain things that you should check in order to be sure that your website was hacked using the Indexploit method.

•      “Last modified” date changed n files such as theme files.
•      New files with strange names are created.
•      New folders such as idx_config are created.
•      Pages redirecting to other websites for not logged-in users.
•      New Admin users added to the database.
•     New posts/pages with spam content are published.

Why Backdoor is a bad thing?

Really? Does this question make sense to you? A backdoor can be used by hackers to access your website with admin rights and do with it anything they want. There are different times of backdoors: in the form of a code, a hardware feature, an individual program, etc.

Backdoor can be used for the following purposes:

•      DDoS – Your webserver can be used to attack other websites with the Distributed Denial of Service Attack. Denial of service attack takes place when the hacker attempts to make a machine or system asset unapproachable, for instance, by overpowering the asset with a lot of traffic.    

•      Distribute Malware – Another way that a backdoor can be used on your webserver is simply to upload malware to your website’s visitors. This malware can be anything from mining cryptocurrency in the browser to ransomware that will lock your visitors’ computers.

If your website is used to distribute malware to users, browsers and searc engines will notice it sooner or later and blacklist your website. 

•  Stealing Information – With the help of the backdoor, a hacker can potentially steal any information from your database, including personal information, email addresses, credit cards, etc.

Types of Backdoors

Backdoors are characterised using various criteria, but Web Shell and system backdoors are the two most used backdoors currently on the web.

• Web Shell Backdoor – Is a command-based script that allows remote administration of the machine.
• System Backdoor – This is the favorite of hackers, offering them the utmost flexibility and permanency.

What makes your website vulnerable to attacks?

• Outdated Plugins & Themes – Running outdated versions of WordPress plugins and themes will make your WordPress website more vulnerable to attacks.
• Weak Passwords – You need to have strong passwords so take your time and ensure that your Admin password is a tricky one.
• Using Poor Quality and Shared Hosting – Considering the server, where your WordPress site is being hosted, is being targeted by the hackers, using poor-quality or shared servers will increase the vulnerability of being compromised.
• Using Themes and Plugins from Untrustworthy Sources – I see a lot of websites running plugins found on GitHub which is not a good practice! This plugins are not checked by anyone and can contain all sorts of malware in them.

How to Recover from IndoXploit hack? [ Solution ]

• The first step is to remove/replace all files that were created/modified at the same of the hack.
• Download the server logs for the past couple of days; this will make you acquainted with the activities done by the hacker. This will give you the clue of what exactly happened.
• Remove all the plugins that the hacker was able to exploit due to vulnerability.
• Blacklist the IP address range of the hacker in the firewall settings of the hosting account.
• Install a plugin that will help you patch possible security vulnerabilities such as iThemes Security and Block Bad Queries plugin.

How we can help you recover from Indexploit hack?

In case you are not able to spare time to clean up your website after an Indexploit attack, you can take our expert services. If you don’t clean your website the right way and are unaware of all the vulnerable areas of your website, the hacker can still gain easy access in the future.

Why trust your website security to WPorb?

At WPorb, we perform regular scans to ensure that your website is free from malware. Besides, we also offer solutions to key WordPress hacks comprising of  Web Shell PHP Exploit, WordPress Arbitrary File Deletion Vulnerability, WordPress Pharma Hack,  WordPress Backdoors, eval base64_decode Php Hack , Japanese Keywords Hack and many more WordPress vulnerabilities.