Fix “letsmakeparty3” attack in WordPress websites

Here’s how to fix letsmakeparty3 attack in your website

First of all, calm down! Let’s see how it affected one of my websites and compare it to your case.

What happened to my website?

In the second week of July 2020, one of my websites was hit by an SQL injection attack from letsmakeparty3. My website redirected to letsmakeparty3’s website. Even when I tried to log in or access mysite.com/login, my site still redirected.

After checking my files and database, what this attack did to my website was access my database and change some critical values in my database tables, such as wp_options. I haven’t found anything suspicious in my files yet. You should definitely double-check your files for a scripting attack as well.

This “letsmakeparty3” attack changed my website’s URL in the home and siteurl options to their website’s URL, which is why my website redirects to their website.

siteurl and home has been changed to letsmakeparty3's website

It is clear that this is an SQL injection attack. SQL injection, also known as SQLi, is a common attack vector that uses malicious SQL code to manipulate the backend database and access information that was not intended to be displayed.

A SQL injection occurs when malicious SQL statements are “injected” into a user input field, such as a contact form. Attackers can then sneak their way into your site’s back end database and steal your information, modify or destroy data, or gain full control of your website. Unprotected submission forms can be an easy point of entry for cybercriminals, which is why sanitizing form input, or preventing the entry of code, is critical to website security. SQLi occurs so frequently that it has been named one of the top 10 security risks every year for a decade.

What made my website vulnerable?

Well, there are a couple of factors here.

  1. I’ve recently promoted my website on Facebook (Boosted Post), which led to high traffic on a landing page with, of course, a form.
  2. Outdated plugins, namely Contact Form 7 and Mailchimp for WP, which are the plugins I use for contact forms, landing pages, and the newsletter.
  3. Other outdated plugins.

I’m still monitoring my website for any suspicious behavior as well as checking my files. But here are the other entry points that SQL injection attacks commonly target.

  1. Unsanitized input forms. These could be the login form, reset password form, contact form, newsletter form, comment form, checkout form, etc. Generally, a form-based POST request.
  2. Unsecured WordPress administrator username “admin”.
  3. Unsecured database credentials.

You may check other stories from WordPress Forum:

https://wordpress.org/search/letsmakeparty3

Steps to fix letsmakeparty3 attack

Isolating every attack is a bit tricky. Make sure to back up your website first, and run these steps on a local copy before doing them on your production or live website.

1. Access phpMyAdmin

Log in to your cPanel account, open phpMyAdmin, and change the values of home and siteurl in the wp_options table to your website URL. This way, you will be able to log in to your WordPress Dashboard again.

Change the values of home and siteurl with your website url

2. Clean your database

Your main goal here is to remove all signs of letsmakeparty3 from your database. Here are some options.

  1. You may restore your database to the state before you were attacked. Some hosting companies, like SiteGround, offer this. But by doing this you might also lose your recent updates.
  2. You may also use premium plugins to clean your database.
  3. Or do this manually. Let’s just stay with what I did on my website.

Aside from wp_options, letsmakeparty3’s shenanigans might be stored in other tables or fields. In my case they were in transient options, which need to be removed. You can use the WP-Optimize plugin to delete transient options like these:

Remove Transient Options

Check whether letsmakeparty3’s data is still present in your database. In phpMyAdmin, select your database, click the Search tab and search for letsmakeparty3 as shown below:

check if letsmakeparty3s data are still present

Remove these party *****!

3. Improve your website security

After removing letsmakeparty3’s data from your database, it is time to improve your database security. You may refer to the WordPress Hardening tips to improve your security.

Here’s what I did specifically for SQL Injection Attack,

First, change the database credentials that connect your WordPress files to your database. These are set in your wp-config.php. You may change the username and password in cPanel under the database section. After updating the database, make sure to update your wp-config.php as well.

Update Database Credentials

After updating the credentials, I changed my database table prefix, which was wp_ before the attack. Hackers assume your database tables have wp_ as the prefix; changing it improves your security and helps prevent SQL injection.

Select all your tables and choose Replace Table Prefix from the dropdown.

Select all tables

Enter your desired prefix that is meaningful to you. It is a good idea to have a combination of letters and numeric characters.

Replace table with prefix

Updated prefixes

After updating your table prefixes, select your database, head to the SQL tab, paste this code and update the new and old prefixes accordingly.

This will update the fields that need to refer to the tables you renamed. This is really tricky; make sure to back up your database first.
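The SQL for steps 1 to 3 above, written out as an added example (not the original post's code). It assumes placeholder values: the site is https://example.com, the old prefix is wp_ and the new prefix is xyz123_; run it against a local copy first, as the post advises.

```sql
-- Added example, not from the original post. Placeholders: site URL
-- https://example.com, old prefix wp_, new prefix xyz123_.

-- Step 1: point siteurl and home back at your own domain so wp-admin works
-- again (the tables still carry the wp_ prefix at this point).
UPDATE wp_options
   SET option_value = 'https://example.com'
 WHERE option_name IN ('siteurl', 'home');

-- Step 2a: list every option that still mentions the attacker's domain,
-- which is what the phpMyAdmin Search tab does for one table.
SELECT option_id, option_name, LEFT(option_value, 120) AS value_preview
  FROM wp_options
 WHERE option_name  LIKE '%letsmakeparty3%'
    OR option_value LIKE '%letsmakeparty3%';

-- Step 2b: drop the transient options the post removes with WP-Optimize.
-- Transients are cache entries; WordPress rebuilds them on demand.
-- The backslash stops '_' from acting as a one-character wildcard in LIKE.
DELETE FROM wp_options
 WHERE option_name LIKE '\_transient\_%'
    OR option_name LIKE '\_site\_transient\_%';

-- Step 3: after phpMyAdmin has renamed the tables from wp_ to xyz123_, fix
-- the rows whose *names* embed the prefix (wp_user_roles in options,
-- wp_capabilities and wp_user_level in usermeta). Only the leading 'wp_'
-- (3 characters) is replaced, so the rest of the key is kept intact.
UPDATE xyz123_options
   SET option_name = CONCAT('xyz123_', SUBSTRING(option_name, 4))
 WHERE option_name LIKE 'wp\_%';

UPDATE xyz123_usermeta
   SET meta_key = CONCAT('xyz123_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- Step 3 check: both queries must return zero rows before you reload
-- wp-admin; a leftover wp_user_roles or wp_capabilities row leaves every
-- account without a role and locks you out of the dashboard.
SELECT option_name FROM xyz123_options  WHERE option_name LIKE 'wp\_%';
SELECT meta_key    FROM xyz123_usermeta WHERE meta_key    LIKE 'wp\_%';
```

WordPress reads the prefix from the `$table_prefix` line in wp-config.php, so that line must be changed to the new prefix as well, in the same edit in which you update the database credentials.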

4. Check your website

Now, check that everything is running as it should. You may scan your website for malware using these links for free, or any other similar website.

https://sitecheck.sucuri.net/
https://www.siteguarding.com/en

So far the party ***** did not come back to my website.

5. Keep monitoring

Double your monitoring routine for a couple of weeks to see if everything is okay or if the security of the website still needs improvement. Follow the WordPress Hardening tips for more.

4 Comments

  1. Hey, Mel.

    Thanks a lot for detailing these steps. 3 of the websites I’m managing were infected with this bugger, and luckily I found the URL in the database and cleaned it.

    But what I later found out is that a random file was being generated in the “mu-plugins” folder, named “rms_unique_wp_mu_pl_fl_nm.php”. This was responsible for the attack as well.

    What I did is clean out the content of that file and set its permission to 000. So far I haven’t had any issues. Though I’m still in the process of cleaning out my Plugins and Themes to see if they’re infected.

    • Thanks for the info. Will check that too!
      I also have some update after checking the files. My cache folder has been infected and all the index.html files have been overwritten. Thankfully, it was just the cache folder. I guess I was just lucky.

  2. I scanned the files of each infected website with Avira locally. I downloaded a copy to my computer and found a lot of trojans, so I think you should include that also; it is efficient. All the mu-plugins and endurance_page_cache files were infected in my case, so with Avira and Malwarebytes I deleted all the infected files locally, then I used all of your method on the server with phpMyAdmin and WP-Optimize.
