
🔴 Indoxploit WordPress

Indoxploit shell (IndoXploit WordPress Auto Deface) is a PHP-based backdoor that allows infiltration of wp-admin.

When someone says hacking, you probably think of an old movie like War Games and a kid in a dark room typing on a keyboard really fast, right? Well, setting that stereotype aside, these days most hacking is done by bots, not actual humans. Attacks are run by computers that perform mostly simple security checks against millions of websites, probing for any vulnerability.

Is the Indoxploit hack also done by machines? Yes, it is.

Indoxploit shell (also known as IndoXploit WordPress Auto Deface) is a PHP-based backdoor that allows any experienced programmer to bypass the Linux server’s security effectively. The Indoxploit web shell is often used to hack into CMS installations, and the most popular target among them is WordPress itself.

If your WordPress website was hacked using the Indoxploit method, you should see a new file on your server in the uploads folder called indoxploit.php.

If, unfortunately, you have this file on your web server, your first step should be to:

Write down the creation date of the file and look for any other files with the same date.

At the same location where you’ve found the indoxploit.php file, the script will have automatically installed adminer.php on your server. Delete it immediately.

The IndoXploit IDX shell for WordPress offers:
  •      Mass defacement capability.
  •      The ability to crack cPanel passwords.
  •      The ability to read files.
  •      Mass submissions to Zone-H.
  •      The option to jump into other user accounts.

After you have removed both indoxploit.php and adminer.php, you should also check any other files that were modified at the same time these two were created. This means taking a closer look, across the whole server, at two key things: the time and the date of each entry.

Check for any suspicious or obfuscated code that doesn’t look like it’s part of WordPress itself, and if you find it, simply replace that file with the original file from WordPress.org.

In most cases, after the hacker places the indoxploit.php file on your server, he password-protects it to lock anyone else out from exploiting the same weakness he did, and later gives the password to potential buyers.

Another giveaway that your website was hacked using the Indoxploit IDX Shell is a new folder named idx_config, which holds the contents of the configuration files of every WordPress installation on that cPanel account that the IDX shell can discover. The shell saves these contents as .txt files in the same folder.

  1.      To install the web shell, a hacker uses a misconfigured server or outdated software (an abandoned WordPress plugin, a nulled theme, etc.).
  2.      The next step for the hacker is to establish a connection with the web shell and gain the ability to upload any type of file to the web server.
  3.      The final step is a confirmation message from your web server telling the hacker whether the upload was a success or a failure.

If your website gets hacked, there are certain things you should check in order to be sure that it was hacked using the Indoxploit method.

  •      “Last modified” date changed on files such as theme files.
  •      New files with strange names are created.
  •      New folders such as idx_config are created.
  •      Pages redirect logged-out visitors to other websites.
  •      New Admin users are added to the database.
  •      New posts/pages with spam content are published.
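The following script is an added illustration of the date-correlation advice and the indicator list above; it is not IndoXploit’s code and not a WPorb tool. It walks a WordPress tree for the names the article mentions (indoxploit.php, adminer.php, idx_config) and lists every other file modified within a window of a hit; the 24-hour window is an assumed default, and the sample tree it builds in a temporary directory is constructed for the demonstration.

```python
import os
import tempfile
import time
from pathlib import Path

# File and directory names the article names as giveaways of the shell.
INDICATOR_FILES = {"indoxploit.php", "adminer.php"}
INDICATOR_DIRS = {"idx_config"}
DAY = 86400  # seconds; the 24-hour correlation window is an assumption

def find_indicators(wp_root):
    """Return indicator files and directories found anywhere under wp_root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(wp_root):
        hits += [Path(dirpath, d) for d in dirnames if d.lower() in INDICATOR_DIRS]
        hits += [Path(dirpath, f) for f in filenames if f.lower() in INDICATOR_FILES]
    return hits

def files_modified_near(wp_root, anchor, window=DAY):
    """Files (relative to wp_root) whose mtime lies within `window` seconds of
    the anchor's mtime, the anchor itself excluded. This is the article's
    advice: note the date of indoxploit.php, then look for everything else
    touched around that time (theme files, adminer.php, idx_config/*.txt)."""
    root, anchor = Path(wp_root).resolve(), Path(anchor).resolve()
    t0 = anchor.stat().st_mtime
    related = []
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            p = Path(dirpath, f).resolve()
            if p != anchor and abs(p.stat().st_mtime - t0) <= window:
                related.append(str(p.relative_to(root)))
    return sorted(related)

def build_sample_tree():
    """Constructed sample: a WordPress tree after an IndoXploit-style hit."""
    root = Path(tempfile.mkdtemp())
    now = time.time()
    layout = {  # relative path -> age in days (0 = touched by the hack)
        "wp-content/uploads/indoxploit.php": 0,
        "wp-content/uploads/adminer.php": 0,
        "wp-content/uploads/idx_config/site1.txt": 0,
        "wp-content/themes/twentytwenty/functions.php": 0,
        "wp-content/plugins/akismet/akismet.php": 40,
    }
    for rel, age in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php // constructed sample\n")
        os.utime(p, (now - age * DAY, now - age * DAY))
    return root
```

Run `find_indicators` on the real document root first, then `files_modified_near` with each hit as the anchor; anything it lists outside the uploads folder is a candidate for replacement with the original from WordPress.org.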

Really? Does this question make sense to you? A backdoor can be used by hackers to access your website with admin rights and do anything they want with it. There are different types of backdoors: in the form of code, a hardware feature, an individual program, etc.

Backdoor can be used for the following purposes:

  •      DDoS – Your web server can be used to attack other websites with a Distributed Denial of Service attack. A denial of service attack takes place when the hacker attempts to make a machine or network resource unavailable, for instance by overwhelming it with a flood of traffic.
  •      Distribute Malware – Another way a backdoor can be used on your web server is simply to push malware to your website’s visitors. This malware can be anything from cryptocurrency mining in the browser to ransomware that will lock your visitors’ computers.

If your website is used to distribute malware to users, browsers and search engines will notice it sooner or later and blacklist your website.

  •      Stealing Information – With the help of the backdoor, a hacker can potentially steal any information from your database, including personal information, email addresses, credit cards, etc.

Backdoors are classified by various criteria, but web shell and system backdoors are the two most common kinds currently found on the web.

  • Web Shell Backdoor – A command-based script that allows remote administration of the machine.
  • System Backdoor – This is the favorite of hackers, offering them the utmost flexibility and permanency.

What makes your website vulnerable to attacks?

  • Outdated Plugins & Themes – Running outdated versions of WordPress plugins and themes will make your WordPress website more vulnerable to attacks.
  • Weak Passwords – You need to have strong passwords so take your time and ensure that your Admin password is a tricky one.
  • Using Poor Quality and Shared Hosting – Considering the server, where your WordPress site is being hosted, is being targeted by the hackers, using poor-quality or shared servers will increase the vulnerability of being compromised.
  • Using Themes and Plugins from Untrustworthy Sources – I see a lot of websites running plugins found on GitHub, which is not a good practice! These plugins are not checked by anyone and can contain all sorts of malware.

To clean up after an Indoxploit attack:

  • The first step is to remove/replace all files that were created/modified at the time of the hack.
  • Download the server logs for the past couple of days; this will acquaint you with the hacker’s activities and give you a clue about what exactly happened.
  • Remove all the plugins that the hacker was able to exploit due to a vulnerability.
  • Blacklist the IP address range of the hacker in the firewall settings of the hosting account.
  • Install a plugin that will help you patch possible security vulnerabilities, such as iThemes Security or the Block Bad Queries plugin.
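As an added example of the log review and IP-blocking steps above (not a WPorb tool), this Python snippet triages a combined-format access log for the paths the article ties to the shell (indoxploit.php, adminer.php, idx_config) plus any PHP executed from the uploads folder, groups the requests by client IP and reports the earliest one. The log lines are constructed for the demonstration and use RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Paths the article ties to the shell, plus any PHP executed from the uploads
# folder, which a clean WordPress install never needs to do.
SUSPICIOUS = re.compile(
    r'indoxploit\.php|adminer\.php|/idx_config/|/wp-content/uploads/[^?]*\.php',
    re.IGNORECASE,
)

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 1743
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-content/uploads/2023/10/indoxploit.php HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-content/uploads/2023/10/adminer.php HTTP/1.1" 200 2201
203.0.113.25 - - [10/Oct/2023:14:01:44 +0000] "GET /wp-content/uploads/2023/10/idx_config/site1.txt HTTP/1.1" 200 980
192.0.2.14 - - [10/Oct/2023:14:02:00 +0000] "GET /about/ HTTP/1.1" 200 8123
192.0.2.14 - - [10/Oct/2023:14:02:01 +0000] "GET /wp-content/uploads/2023/10/logo.png HTTP/1.1" 200 4011
"""

def parse_time(stamp):
    """'10/Oct/2023:13:56:02 +0000' -> timezone-aware datetime."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")

def triage_log(lines):
    """Group shell-related requests by client IP.

    Returns {ip: [(datetime, method, path, status), ...]}; ordinary page views
    and static assets are dropped. The IP keys are what you would feed to the
    hosting firewall block list; the timestamps tell you when it started."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and SUSPICIOUS.search(m["path"]):
            hits[m["ip"]].append(
                (parse_time(m["time"]), m["method"], m["path"], int(m["status"])))
    return dict(hits)

def first_seen(hits):
    """Earliest shell-related request as (datetime, ip, path): the point from
    which to start the file-date comparison described earlier in the article."""
    events = [(t, ip, path) for ip, rows in hits.items() for t, _, path, _ in rows]
    return min(events) if events else None
```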

In case you are not able to spare the time to clean up your website after an Indoxploit attack, you can use our expert services. If you don’t clean your website the right way and are unaware of all its vulnerable areas, the hacker can still gain easy access in the future.

At WPorb, we perform regular scans to ensure that your website is free from malware. Besides, we also offer solutions to key WordPress hacks, including the Web Shell PHP Exploit, the WordPress Arbitrary File Deletion Vulnerability, the WordPress Pharma Hack, WordPress Backdoors, the eval base64_decode PHP Hack, the Japanese Keywords Hack and many more WordPress vulnerabilities.

3 comments

  • I’m not sure exactly why but this blog is loading incredibly slow for me. Is anyone else having this problem or is it an issue on my end? I’ll check back later and see if the problem still exists.

    • Hi Denny, thanks for reporting the slow speed issue. We checked on our part and everything seems fine, but since we rely on a CDN and Google Fonts, you might be in an area where CDNs are blocked (like China). Can you please clear your browser cache/cookies and let me know if you are still experiencing issues with the speed? Thanks mate.