By Michael Karp on March 16, 2015

How to Fix the Moroccan Agent Secret Hack

If you see this image, then you have been hacked by the Moroccan Agent Secret. We have some simple steps to get your website back.

[Image: Moroccan Agent Secret Hack Fix]

There are several other images this group has used in the past, some of which are below, but this seems to be the latest one.

[Images: Moroccan Agent Secret Hack Fix]

Is The Hack Dangerous?

The hack seems to be politically motivated and appears to do nothing else but deface your home page and bring your website down. Your website hosting provider will more than likely send you an email indicating your website has been compromised and has been shut down pending verification that you have resolved the hack.

The removal of the hack is not as bad as you may think, since the attack does not seem to gather personal or business information. But it is a pain, nevertheless, especially if you can’t find your web developer to help you through the process.

How Did They Gain Access?

The attack appears to be aimed at WordPress websites and more specifically WordPress plugins. The organization sends out bots, software programs that run automated tasks over the internet at a much higher rate than humans could, to search for vulnerabilities in these plugins. Once a vulnerability is found, the bot reports back to the hackers with information on which websites and plugins are vulnerable and what to do next to gain access to your server.

We found that the WordPress plugin, “Revolutionary Slider,” was probably the culprit on a recent hack. Follow the instructions below and you should be able to fix the problem.

The Fix

If you have received an email from your hosting provider, then follow their instructions. Sometimes, the instructions are a bit vague, especially if you are trying to fix the hack by yourself. There are a couple of things you can do right away.

  1. Get FTP access to your server

Hopefully, you already have this access, but if not, download an FTP program like Filezilla and connect to your server. You may need to contact your hosting provider for the FTP instructions, but once you have them you’re in business.

  2. Look for any file in the root directory that was modified on the day you were hacked.

You may find the following couple of files:

  • error_log.php
  • google (17 digits).php

The error_log.php is the bad file, and the google file appears to be a copy of the error_log.php. If you remove only the error file, they can probably still get access.

Your file names may be different, so look for the modification date to identify them.

Remove these two files if they show the modification date of the day you were hacked. This modification date will only work if the hackers haven’t changed their bot program to rewrite the modification date. Fingers crossed.
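If your host gives you shell (SSH) access, the same search can be scripted. The following is an added example, not part of the original post: it assumes GNU find, date, sha256sum and uniq, and the function names are made up for illustration. It lists files modified on a given day, files whose inode change time falls on that day even though the modification date says otherwise (the rewritten-date case mentioned above), and PHP files in the root directory that are byte-for-byte copies of each other, like the error_log.php and google file pair.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumes GNU find, date,
# sha256sum and uniq, as found on typical Linux hosting.
# Usage: files_changed_on /path/to/webroot YYYY-MM-DD
#        duplicate_root_php /path/to/webroot

# Print "mtime <path>" for files modified on DAY, and "ctime <path>" for
# files whose inode change time is on DAY but whose mtime is not.
files_changed_on() {
    local root=$1 day=$2 next
    next=$(date -d "$day +1 day" +%F) || return 1
    # Modification time falls between midnight of DAY and the next midnight.
    find "$root" -type f -newermt "$day" ! -newermt "$next" -printf 'mtime %p\n'
    # ctime cannot be set with touch, so it still shows the day of the write
    # when mtime has been back-dated.
    find "$root" -type f -newerct "$day" ! -newerct "$next" \
        ! \( -newermt "$day" ! -newermt "$next" \) -printf 'ctime %p\n'
}

# Print "<sha256>  <path>" for every PHP file in the top level of the
# webroot that has identical content to another one there.
duplicate_root_php() {
    find "$1" -maxdepth 1 -type f -name '*.php' -exec sha256sum {} + |
        sort | uniq -w64 -D
}
```

A ctime line is a lead to review, not proof: permission changes, renames and restores from backup also update ctime.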

Now try logging into your WordPress admin portal and see if you can get in. If you find that your login details no longer work, you may need to create a new user account so you can gain access. To do this, you need to add the following code to your theme’s functions.php file. This is why the FTP access is crucial!

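function add_admin_acct() {
    // Replace these three placeholder values with your own details.
    $login = 'myusername';
    $passw = 'mypassword';
    $email = 'myemailaddress';

    // Create the account only if neither the username nor the email exists.
    if ( !username_exists( $login ) && !email_exists( $email ) ) {
        $user_id = wp_create_user( $login, $passw, $email );
        $user = new WP_User( $user_id );
        $user->set_role( 'administrator' );
    }
}
// Run the function when WordPress initializes.
add_action( 'init', 'add_admin_acct' );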

Make sure you change “my……….” to your information.

Upload the new functions.php via your FTP program and try to log in with the credentials you just created.

Now that you have access you can start to upgrade all your plugins and themes, as well as any other software applications running on your account. Also, make sure you have the latest version of WordPress.

Make sure you delete the code mentioned above from the functions.php file once you have access. You can create additional user accounts once you are in.

Audit your account for any additional files that may have been modified on the same day and determine if they should be removed also. If you are not sure, contact your hosting provider for assistance.

Change the password to your database just in case that was compromised also. If there are additional software applications using the database, make sure you change the password in those applications’ configuration files or they won’t work.

Once you have completed these steps, notify your hosting provider so they can remove the block on your IP address and get your website showing up again.

If you have any doubts at all about the safety of your website going forward, you should restore the latest good backup to your website. You may need to add any content that you uploaded between the last good backup and the date of the hack, but you’ll have the confidence of knowing the site is untainted. Upgrade everything and you should be fine.

If you do not have any backups, your hosting provider should have one or two that they can upload for you for a fee. There are some good backup plugins, like Backupbuddy, that can help you once you get your website stable again. However, deleting the two files mentioned earlier, upgrading everything and changing the database password should take care of the problem.

Add More Security

Plugins and themes all have vulnerabilities from time to time. If you do not keep your plugins, WordPress and theme versions up to date, then hacks can happen. Adding an additional level of security to your website can help keep your website safer and more secure. Wordfence is a pretty decent plugin and it is free. The premium version is a paid version. If you prefer to have someone else help protect you, then WPProtectors has a great service to keep you protected and your website backed up.

Hackers are here to stay and you are responsible for your own website’s security. Your hosting provider can only supply so much security; the rest is up to you. Be prepared in case of a hack, and the restoration process will be a breeze.
