WordPress.org

Ready to get started?Download WordPress

Forums

2.5 - maybe hacked (7 posts)

  1. nicollb
    Member
    Posted 5 years ago #

    I think I've been hacked, but I'm not sure.

    I have found at least 3 files, added to my site on Apr. 15. ad_wp-password.php, and then in plugins ad_hello.php and inside plugins/akismet there was ad_akismet.php.

    So - I've removed or renamed the files in question. (They all seem to be the same php code with the different names).

    I changed my admin password. Deleted all of my subscribers (they are all questionable anyway); checked the user table with PHPMyAdmin and there is only one user which is the admin. I changed the mysql password as well.

    I've not seen any posts with hidden iframes (guess that's the next thing to look for);

    The thing that made me look for something was the presence of some off the wall incoming links (spammy looking comments from non-existent websites like demoniashoes.yourshoestore.com/2008/04/06/emmaus (the title and the date are appropriate for a post on my site, but host is all wrong - not even in the ballpark).

    Is there anywhere else I should look? I think this might be something that is indeed left over from being hacked under 2.3.2 or 2.3.3 a couple of months ago. that one just put a whole hidden folder of pages in wp-content.

    I have a copy of the code if anyone should see it in order to figure this out.

  2. mechx1
    Member
    Posted 5 years ago #

    Good so far, you should probably check all of the php files in your theme looking for the iframe insertion. Also check your plugins.

    Good luck

  3. nicollb
    Member
    Posted 5 years ago #

    Thanks - theme files are next.

    The dates on the plugin files seem ok, other than the ad_*.php files which were added on april 15. but I'll look there as well.

  4. whooami
    Member
    Posted 5 years ago #

    You might want to consider setting up some logging..

    http://wordpress.org/support/topic/169715?replies=4

  5. wingedmonkeys
    Member
    Posted 5 years ago #

    Out of curiosity, how exactly does one go about checking for an iframe insertion? what would that look like? Thanks!

  6. mechx1
    Member
    Posted 5 years ago #

    You can search on iframe and find quite a few threads. Here's one that will show in general what this hack looks like.

  7. clivesgt
    Member
    Posted 5 years ago #

    hi
    i also believe i have been hacked. i have been experiencing problems with my site for some time now, perhaps the most noticible symptom was this:

    WordPress database error: [User '???????' has exceeded the 'max_questions' resource (current value: 50000)]
    SHOW TABLES;

    there is a discussion on this forum where i also posted my problem. then occassionaly my database would be hacked so that i would have to restore from a backup. this happened a few times over a month or so. i also noticed that i was getting high volumes of spam mail (viagra, watches, shoes and penis emlargement)

    i then checked the files and folders on my site and removed ones that looked suspect, restored my database and changed all user names and passwords. it worked....then all i got was a blank page but i am able to log in so i reselect my theme and view the site. its back and works perfectly....for a while then a blank screen again. so i select the classic theme and it works....until now when i tried to access my site i get the installation page, enter blog title and email. i am given a user name and password and am told my new blog has installed successfully. of course the database is gone.

    so i suspect that there must be some hack file within the plugins that i have installed or within the database backup that i keep restoring as i deleted all the other wordpress files and theme files, loading "clean" files.

    my question now is, how will i be able to screen the backup and plugin files (plugin not so important because i can download from original sites) but the backup contains all my posts, etc!!

    appreciate any help.

    thanks.

    clive

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags