Astra Security Blog

How to Find and Remove ‘IndoXploit’ WordPress Hack?

Are you seeing unexpected behavior on your WordPress site, such as changed admin and user credentials, stolen SMTP and cPanel credentials, or other suspicious activity suggesting that your site has been defaced or hacked? If so, your site may have fallen victim to the IndoXploit backdoor hack.

Recently, we’ve seen a large number of websites getting targeted by hackers with this IndoXploit infection. And a lot of site owners have been seeking help to recover their websites from this hack. 

Want to know more about IndoXploit? Let’s dig straight in.

What is IndoXploit?

IndoXploit is a web shell (a PHP-based backdoor) that allows a hacker to plant a backdoor, bypass server security and, in particular, deface WordPress websites. Besides defacing websites, this web shell is capable of a lot more.

First spotted in 2016 targeting mostly WordPress-installed sites, IndoXploit is run by a hacking group named IndoXploit Coders Team.

IndoXploit’s login page, Image courtesy: GitHub

How can you find if your site is infected?

Defacement and an abrupt change of credentials are the most common symptoms that website owners see with the IndoXploit hack. In many WordPress IndoXploit cases, a blatant ‘hacked by IndoXploit’ message also appeared on the login page.

In other cases, malicious files named indoxploit.php or adminer.php were added. To find out whether your site has been hit by the WordPress IndoXploit hack, look for the above symptoms manually or scan your website with a file-system malware scanner.

How can you locate & remove the IndoXploit WordPress hack?

Removal of any website infection calls for meticulous detection of the hack. Here are a few guidelines:

Locate the hack

You can follow the steps given below to locate the hack on your website:

  1. Look for any defacement messages
  2. Check if your credentials (including WP-backend, cPanel, SMTP) are working
  3. Scan your website with a malware scanner
  4. Search for malicious files named indoxploit.php or adminer.php, or any other unfamiliar files.
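
Steps 1 and 4 can be scripted. The following is an added example, not code from Astra or from the original article: it walks a WordPress directory and reports the two file names and the defacement text mentioned above. The PHP-in-uploads check, the list of file extensions and the read limit are assumptions added for illustration.

```python
"""Triage a WordPress docroot for the IndoXploit indicators this article names."""
import os
import sys

# From the article: the two file names and the defacement text.
# Adminer is also a legitimate database tool, so an adminer.php hit means
# "confirm who installed this", not "delete on sight".
SUSPECT_NAMES = {"indoxploit.php", "adminer.php"}
DEFACE_MARKER = b"hacked by indoxploit"
# Assumptions (not from the article): only these text-like files are searched
# for the marker, and only the first MAX_BYTES of each file is read.
TEXT_EXTS = {".php", ".html", ".htm", ".js", ".txt"}
MAX_BYTES = 2 * 1024 * 1024


def scan(docroot):
    """Return a sorted list of (reason, relative_path) findings under docroot."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(docroot):  # symlinked dirs are not followed
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            lower = name.lower()
            if lower in SUSPECT_NAMES:
                findings.append(("suspect-name", rel))
            # Assumption (common heuristic, not from the article): PHP under
            # wp-content/uploads counts as an "unfamiliar file".
            if lower.endswith(".php") and "wp-content/uploads/" in rel:
                findings.append(("php-in-uploads", rel))
            if os.path.splitext(lower)[1] not in TEXT_EXTS or os.path.islink(full):
                continue
            try:
                with open(full, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                findings.append(("unreadable", rel))  # review by hand
                continue
            if DEFACE_MARKER in data.lower():
                findings.append(("deface-marker", rel))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: indoxploit_triage.py /path/to/wordpress")
    results = scan(sys.argv[1])
    for reason, rel in results:
        print(f"{reason}\t{rel}")
    sys.exit(1 if results else 0)  # non-zero exit lets cron or CI alert
```

Hits are leads to review, and an empty result does not prove the site is clean, because a web shell can be renamed. For the core-file comparison in the removal steps, WP-CLI's `wp core verify-checksums` checks core files against the checksums published by WordPress.org.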

Remove the hack

  1. Take a complete backup of your website on your local machine
  2. Update the credentials of your admin account and database
  3. Compare your website’s core files against their checksums

    Note: If you’re an Astra customer, you can use the Astra Malware Scanner to detect and delete the malicious files with just a click.

Image: Malware detected by the Astra Malware Scanner

  4. Search for malicious files & folders and remove them
  5. Search for malicious scripts in the plugin/theme files
  6. Update or uninstall any idle plugins or themes

Also check out: 10-Step WordPress hack removal guide

How can you prevent further attacks?

Backdoors like IndoXploit can be used remotely by hackers to plant other malware on your sites, steal your data, hijack servers, download or upload sensitive information, perform DDoS attacks on other applications, and much more.

To prevent such attacks, it is recommended to scan your website for security issues periodically. It is also advised to use a firewall and an application monitoring tool. This kind of tool will ensure that your site is secured against any backdoor attacks in the future, and can also help guarantee that any suspicious activity or threats, such as unauthorized access to your WordPress site, are flagged and taken care of.

The IndoXploit Hack: Conclusion

The WordPress IndoXploit hack has already troubled many site owners and is still active. Instances of the WP IndoXploit hack come to the fore every now and then. Further, this web shell backdoor is challenging to protect against, as it shrewdly bypasses even server security. Having said that, it is not impossible to stop the WordPress IndoXploit hack.

The ultimate solution if your site is infected with IndoXploit is to get an effective security solution that cleans such malware and backdoors from your site and also gives you a rock-solid firewall to keep your website safe from future threats.

About Astra Security

Astra Security is a complete security suite for WordPress that offers WAF (Web application firewall), a malware scanner, malware removal solution, security audits for sites, and tons of other security features all packaged as a single ‘Suite’.

The Astra Security firewall monitors and protects websites 24/7 from known cyber threats such as shell upload, SQLi, bot attacks, CSRF, XSS, code execution, RFI/LFI, and many more. Install the Astra Security plugin on your WordPress website and say goodbye to all security issues.
