WP theme site hacked and defaced!

See: http://killmalware.com/wordpress-themes.us/#
As always defacement not detected on VT: https://www.virustotal.com/en-gb/url/c05fb265e9fec4c47364c91c391b5fcf70a7f4a5142a4a50c85e90fa40e879d8/analysis/1434984812/
Web site defaced. Details: http://sucuri.net/malware/entry/MW:DEFACED:01

Hacked By nXu
WordPress Version 3.8.8
Version does not appear to be latest 4.2.2 - update now.

How the hack was being performed, probably via Directory Indexing Enabled:
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
See source: http://fetch.scritch.org/%2Bfetch/?url=+http%3A%2F%2Fwordpress-themes.us&useragent=Fetch+useragent&accept_encoding=

Defacement Check:
Suspicion of Defacement

atilxrdk/s36/12.gif"> hacked by nxu html,body{margin:0;padding:0;}#t

Site-wide check: suspicious

gnc8iauovy2lgqi5g2-ctosa7fxq">hacked by nxu

wordp

polonus
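
The directory-indexing test quoted in the post above, as an added example that is not part of the original post and not the scanner's own code: it classifies a response fetched from your own site as an auto-generated listing or not, and shows what a listing leaks. The sample responses, file names and the 403 for the plugins folder are constructed assumptions.

```python
import re

# Markers of an auto-generated listing (Apache mod_autoindex / nginx autoindex).
TITLE_RE = re.compile(r"<title>\s*Index of\s+/[^<]*</title>", re.I)
PARENT_RE = re.compile(
    r'<a href="(?:\.\./|/[^"]*)">\s*(?:Parent Directory|\.\./)\s*</a>', re.I)
# Entry links only: skips sort links ("?C=N;O=D") and absolute parent links.
LINK_RE = re.compile(r'<a href="([^"?/][^"]*)">', re.I)

def classify_listing(status, body):
    """Return 'enabled', 'disabled' or 'unknown' for one fetched directory URL."""
    if status in (401, 403, 404):
        return "disabled"
    if status != 200:
        return "unknown"          # redirects, 5xx: needs a manual look
    if TITLE_RE.search(body) and PARENT_RE.search(body):
        return "enabled"
    return "disabled"             # 200 served by an index file, not a listing

def exposed_entries(body):
    """File and sub-directory names any visitor can read from a listing page."""
    return [h for h in LINK_RE.findall(body) if not h.startswith("..")]

# Constructed sample responses (not captured from the site in the post).
UPLOADS_BODY = """<html><head><title>Index of /wp-content/uploads</title></head>
<body><h1>Index of /wp-content/uploads</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th></tr>
<tr><td><a href="/wp-content/">Parent Directory</a></td></tr>
<tr><td><a href="2015/">2015/</a></td></tr>
<tr><td><a href="backup.sql">backup.sql</a></td></tr>
</table></body></html>"""
SAMPLES = {
    "/wp-content/uploads/": (200, UPLOADS_BODY),
    "/wp-content/plugins/": (403, "<h1>Forbidden</h1>"),
}

def audit(samples):
    """Map each checked path to its directory-indexing verdict."""
    return {path: classify_listing(status, body)
            for path, (status, body) in samples.items()}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        print(path, verdict)
    print("readable entries:", exposed_entries(UPLOADS_BODY))
```

Where the server is Apache, `Options -Indexes` for the uploads directory turns the listing off.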

The hack code was found to reside at: htxp://5.172.198.110/cgi-sys/defaultwebpage.cgi
[ + ] 1n73ct10n Shell V3.3 [ + ] (-> http://paste.security-portal.cz/view/67ff0644 )
wXw.medisales.gr/system/injek.php?y=/…
Via cgi-sys and img-sys for defaultwebpage.cgi via go.cpanelnet/cleardns.cache
webmaster@PC etc. That is how this is being performed.
FILE##_index_defaultpage.html 0 0 0 1 1 0 0 0 -1 0 0 0 0 0 1
FILE##IP_changed.png 0 0 0 0 1 0 0 0 -1 0 0 0 0 0 0
FILE##server_misconfigured.png 0 0 0 0 1 0 0 0 -1 0 0 0 0 0 0
FILE##server_moved.png 0 0 0 0 1 0 0 0 -1 0 0 0 0 0 0
FILE##powered_by_cpanel.png 0 0 0 0 1 0 0 0 -1 0 0 0 0 0 0

polonus (volunteer website security analyst and website error-hunter)

Here my good friends we see how Avast could detect this for

Such patterns could be detected, a noble task for the new HIPS!
Moreover, read this advice here: https://blog.avast.com/2014/11/21/how-to-change-your-router-dns-settings-and-avoid-hijacking/ (info credits go to LISANDRO CARMONA).

pol