My wordpress theme files have been compromised

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
josejavier
Forum User
Posts: 42
Joined: Fri Mar 22, 2013 7:06 am
Location: London

My wordpress theme files have been compromised

Unread post by josejavier »

Hi

Today my theme account was disabled and when I contacted the developer I was told that the WordPress theme software that I bought from them is available on many download websites. They know it is my copy because of the license... I am using the default Atomic Secured configuration and I really, really believed that it was bulletproof, but apparently there is a hole on my server. I use a GoDaddy VPS Linux server with Parallels.
Has this happened to anyone before? Are there any settings that I should look at? I do not know how hackers had access to those files, but is there anything I can look for in the log files?
I have already changed all the passwords but those passwords were quite secure so I am not sure if that will solve anything.

Any suggestions or comments will be appreciated.

Thanks in advance
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: My wordpress theme files have been compromised

Unread post by mikeshinn »

I'm sorry to hear about that. And when you say your theme files were compromised, do you mean someone copied the theme files you purchased, or that they have been modified on your server? It sounds like you're saying someone stole your theme files, or have I misunderstood your post?
josejavier
Forum User
Posts: 42
Joined: Fri Mar 22, 2013 7:06 am
Location: London

Re: My wordpress theme files have been compromised

Unread post by josejavier »

Yes, they stole the theme files and shared them on various file-sharing websites. The reason I found out is that the theme developer found my licensed files on those sites, but other than that I did not notice anything strange on my site, which is working totally fine.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: My wordpress theme files have been compromised

Unread post by mikeshinn »

OK, if I understand you, your site hasn't been compromised; however, someone made a copy of some files and the developer of this theme is accusing you of making unauthorized copies of his files. And you believe someone copied them from you. Is that correct?

So how and where did you download and extract the theme files? Do they email them to you? Do you download them to your desktop, extract them and upload them to your server? What's the developer's procedure to download, extract and prevent someone from making an unauthorized copy of these files?

And are you sure that someone copied your copy of the developer's theme files, and the developer isn't just mistaken and the files were copied some other way or from someone else?
josejavier
Forum User
Posts: 42
Joined: Fri Mar 22, 2013 7:06 am
Location: London

Re: My wordpress theme files have been compromised

Unread post by josejavier »

The version that the developer has found everywhere is the latest, which I downloaded on the 28th of October from their website onto my laptop, which is running Norton 360 Premier Edition. So the issue happened between then and now. I usually extract them on my laptop and transfer them to the server using FileZilla.

I am not sure what procedures developers use to stop the files from being copied, but I can ask. However, he said that he is 100% sure that those files were mine, so I assume that he can check that by some hidden license in the files or something like that.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: My wordpress theme files have been compromised

Unread post by faris »

(if you don't mind me butting in....)
This situation must be very distressing for you.

I'm disappointed the developer has not investigated this properly. The most likely way for those files to have been obtained would be from your username/password at the developer's site being compromised, especially if they were a username/password combination used elsewhere (e.g. a forum which could have been compromised). I would have expected the developer to at least have checked their logs, looking for the IP address that actually accessed the files and also to check for a brute-force attack.

I say this because of all the things the bad guys might do with access to your server and/or your PC, stealing a theme (only) is absolutely the last thing they would do.

Without knowing how the files are identified, another possibility is a permissions issue of some kind that might somehow have made the theme directory contents remotely readable in some way.

Other things to check might be your FTP access log, to make sure your FTP details have not been compromised. But again, with FTP access to the site, stealing a theme file seems absolutely the last thing the bad guys would do.

So I caution against assuming your server has been compromised, especially if it has ASL on it and rkhunter and so on all give it a clean bill of health and there's nothing unusual in the logs. I'd be looking at pretty much everything except the server. Of course they could be biding their time and testing the water, but that's not the usual MO for these guys.
(butting out now ...)
josejavier
Forum User
Posts: 42
Joined: Fri Mar 22, 2013 7:06 am
Location: London

Re: My wordpress theme files have been compromised

Unread post by josejavier »

Thanks for your responses.

I agree with you Faris, these bad boys are a bit strange... I have checked my site and the logs and I do not find any sign of hacking, but again I am not an expert on hacking procedures. I have also sent an email to the developer so he can check his logs as well.
If anybody can think of any procedures or tests that I could run on my site to find out how this could happen, please let me know.

Thanks again
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: My wordpress theme files have been compromised

Unread post by mikeshinn »

If the developer is positive the files were stolen from you, then I would also check your laptop/desktop for malware first. It's fairly common for attackers to just compromise desktops through viruses and worms, steal your credentials for your servers, and take what they want from your desktop and servers automatically and without hacking anything (well, except your desktop).

It sure saves them time to just steal your username and password, and if you configure a tool like FileZilla to save your credentials they may have just stolen the password file, and your files were simply copied automatically by a worm. So you could check your FTP and SSH logs for logins from different IPs to see if they logged into the server. If you have web file managers, then you'll want to check their access logs too (many don't log much, sadly, so you may not find any logs available). Also, what WP extensions have you added?

But if it were me, I'd definitely check your desktop for compromise first. Run a bunch of different virus and malware scanners on it. However, since the stolen files were on your desktop, and few desktop OSes log or audit much, if they compromised your desktop you may not be able to find out much from it if a virus/malware scan doesn't turn up much.

Let us know what malware scanners you ran, and what they turned up.
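Added example (not from this thread, Atomicorp, or ASL): a small Python script that does the log check described above, pulling successful SSH and FTP logins out of sshd and vsftpd log lines and flagging any login from a source IP you do not recognise. The sample log lines are constructed, the log formats are assumed to be stock sshd and vsftpd, and `KNOWN_IPS` is a placeholder for your own home/office addresses; ProFTPD or a Plesk file manager would need their own regex.

```python
import re
from collections import defaultdict

# Constructed sample lines in stock sshd (auth.log/secure) and vsftpd (vsftpd.log) format.
SAMPLE_LOGS = """\
Nov  5 09:12:01 vps sshd[2201]: Accepted password for admin from 198.51.100.7 port 51234 ssh2
Nov  5 09:15:44 vps sshd[2210]: Failed password for admin from 203.0.113.9 port 40211 ssh2
Nov  5 23:41:09 vps sshd[2333]: Accepted password for admin from 203.0.113.9 port 40302 ssh2
Tue Nov  5 09:20:13 2013 [pid 2402] [wpuser] OK LOGIN: Client "198.51.100.7"
Tue Nov  5 23:45:50 2013 [pid 2511] [wpuser] OK LOGIN: Client "203.0.113.9"
Tue Nov  5 23:46:02 2013 [pid 2511] [wpuser] OK DOWNLOAD: Client "203.0.113.9", "/httpdocs/wp-content/themes/mytheme/style.css", 2048 bytes, 10.00Kbyte/sec
"""

# Placeholder: the addresses you normally administer the box from.
KNOWN_IPS = {"198.51.100.7"}

# Only *successful* logins matter here; failed attempts are noise for this question.
SSH_OK = re.compile(r'sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+')
FTP_OK = re.compile(r'\[(\S+)\] OK LOGIN: Client "([^"]+)"')


def successful_logins(log_text):
    """Return (service, user, ip) for every successful SSH or FTP login, in log order."""
    found = []
    for line in log_text.splitlines():
        m = SSH_OK.search(line)
        if m:
            found.append(("ssh", m.group(1), m.group(2)))
            continue
        m = FTP_OK.search(line)
        if m:
            found.append(("ftp", m.group(1), m.group(2)))
    return found


def unexpected_logins(log_text, known_ips):
    """Successful logins whose source IP is not in the set of addresses you recognise."""
    return [entry for entry in successful_logins(log_text) if entry[2] not in known_ips]


def ips_per_user(log_text):
    """Map each account to the distinct source IPs that logged in as it (any service)."""
    seen = defaultdict(set)
    for _service, user, ip in successful_logins(log_text):
        seen[user].add(ip)
    return dict(seen)


if __name__ == "__main__":
    for service, user, ip in unexpected_logins(SAMPLE_LOGS, KNOWN_IPS):
        print(f"UNEXPECTED {service} login: user={user} from={ip}")
    for user, ips in ips_per_user(SAMPLE_LOGS).items():
        print(f"{user}: {sorted(ips)}")
```

Run it against your real `/var/log/secure` (or `auth.log`) and `/var/log/vsftpd.log` concatenated; a successful login from an address you do not recognise for the FTP account that owns the theme directory is the signal Mike is talking about.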