To songdogtech and smartobject2,
Thank you for responding, I appreciate your thoughts. I have taken the day off to work on the site. I am currently backing up the files to my PC and will be looking over the files to find the bad code. I appreciate the links; they should help point me in the right direction.
I was unaware that my WordPress software was so out of date. Once I clean up the files (I’ll be deleting files that are years old), I will install the latest WordPress update. Hopefully I can figure this out on my own.
If I can restore the site as it was, probably without the theme, I ask for additional links to bolster security, please. Obviously these five guys in Kosovo are having a good time taking it down each time. They have had a field day taking it back over each time. So if I am spending this time I really would like not to have to worry about this again in the future.
Smartobject2, I may be emailing you shortly. Site backup just finished, so let’s see if I can find the problem code. Thanks again.
songdogtech, my hosting company, 100megshosting (a small hosting provider, I’m sure; http://100megswebhosting.com/), said the server remains secure. Are you suggesting this may be the only true way to keep them from taking over the site again?
I have looked through the files and there is a common “OwNeD.php” file in almost all of the directories. However, it contains no data. Although the main .htaccess file looks normal, I found many other .htaccess files on the server that have been altered. No doubt they have been easily able to access the site once we restored it and changed passwords, etc.
I will keep tinkering. This is all new to me and kind of a challenge. I like a challenge, usually…
Basically I am looking to delete almost everything except uploads and the main WordPress files. I am backing it up just in case though.
Delete everything EXCEPT
.htaccess
wp-config.php
/wp-content/
Yeah, kill the rest.
THEN go through wp-content and look for the OwNeD.php file. Delete them all.
THEN change ALL your passwords: SSH, FTP, email, Database etc. Everything on that host.
Only then should you upload a fresh version of your core WP files from a recent download from this location: http://wordpress.org/download/
Your site should come right back up.
Alright Ipstenu, following the instructions that had been posted and with your tips I have done the following, and I have removed their image and what not, but it has resorted to the “mailer” upload screen now. I have reinstalled all the new versions and kept the .htaccess, wp-config and wp-content from the original. If you take a look, http://www.adamfaragalli.com, you can see we are not back online fully yet.
Would you recommend starting a new wp-config file? Or what other options do I have currently?
Thank you for your help. At least we have removed their logo and info so far.
Okay, the site is back up online. My hosting company restored it using a backup from a few weeks back. Please advise, in clear steps if possible, what needs to be done to prevent this from happening again?
I am going to get cPanel access and update all passwords for the server and WordPress. I just installed the latest version of WordPress. Anything else that can be done? Any plugins you might recommend above the ones already mentioned?
Thanks again, I hope I never have to deal with hackers from Kosovo again…
Read through all the FAQs etc. mentioned above. They will all support each other with the to-do items: File and Directory Permissions, Auth Keys, etc.
When you log in with cPanel (or use an FTP application), change the permissions on directories to 755 (numeric for Read/Write/Execute for You, execute for Group, execute for World).
All Files should be 644 (RW, R, R) EXCEPT for wp-config which will be 600. Exceptions may be the Uploads Directory.
I don’t want to get too wordy — but another good point is to completely remove any themes or plugins that are not used.
I have seen log entries on my site where hackers are trying to access plugins that I don’t have — maybe they have a list of exploitable plugins.
But bottom line is – you can do it with the tools/techniques mentioned above.
Get a dropbox account and install a backup plugin to place your stuff there.
Cheers,
Keep in touch
You should be suspicious of the restored database and use some SQL select statements from the phpMyAdmin screen that search the posts and comments tables for malware.
Sorry, I don’t see the specific entries here, but to show any suspect entries here are some SQL commands (each is an individual command):
select * from wp_posts where post_content like '%base64%';
select * from wp_posts where post_content like '%eval%';
select * from wp_posts where post_content like '%strrev%';
select * from wp_comments where comment_content like '%base64%';
select * from wp_comments where comment_content like '%eval%';
select * from wp_comments where comment_content like '%strrev%';
A positive hit is not necessarily bad, but should be investigated.
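The checks from the cleanup steps, the permissions advice and the phpMyAdmin queries above, gathered into one script you can run over the backup copy of the site. This is an added example, not code from the thread or from WordPress; it assumes GNU or BSD find, a site root path without spaces or regex characters, and a mysqldump-style SQL dump for the content search.

```shell
#!/bin/sh
# Added audit helper for a WordPress tree (e.g. the backup copy the poster
# made). Not code from the thread or from WordPress. It reports the items
# the replies above say to look for: stray OwNeD.php files, .htaccess files
# outside the web root, directories not 755, files not 644 and a
# wp-config.php that is not 600. wp-content/uploads is skipped for the mode
# checks, as the thread notes it may be an exception.
# Assumes GNU or BSD find and a root path without spaces or regex characters.

# Print one "tag: path" line per finding for the install rooted at $1.
wp_audit() {
  root="${1%/}"
  up="$root/wp-content/uploads"
  # Marker file the poster found in almost every directory.
  find "$root" -type f -name 'OwNeD.php' | sed 's|^|owned-file: |'
  # Any .htaccess other than the one at the web root needs a look.
  find "$root" -type f -name '.htaccess' \
    | grep -v "^$root/.htaccess\$" | sed 's|^|extra-htaccess: |'
  # Directory modes: expected 755 (uploads tree excluded).
  find "$root" -type d ! -perm 755 \
    | grep -v -e "^$up\$" -e "^$up/" | sed 's|^|bad-dir-mode: |'
  # File modes: expected 644 for everything except wp-config.php.
  find "$root" -type f ! -name 'wp-config.php' ! -perm 644 \
    | grep -v "^$up/" | sed 's|^|bad-file-mode: |'
  # wp-config.php holds the database password; expected 600.
  find "$root" -type f -name 'wp-config.php' ! -perm 600 \
    | sed 's|^|bad-config-mode: |'
}

# Number of findings; 0 means the tree matches the recommended layout.
wp_audit_count() {
  wp_audit "$1" | wc -l | tr -d ' '
}

# Same search as the phpMyAdmin queries above, run against a mysqldump file:
# print INSERT rows for wp_posts/wp_comments mentioning base64, eval or strrev.
# A hit is only a lead to investigate, not proof of malware.
dump_scan() {
  grep -E '^INSERT INTO `wp_(posts|comments)`' "$1" \
    | grep -i -E 'base64|eval|strrev' || true
}

# Usage from a shell: . ./audit.sh; wp_audit /path/to/backup; dump_scan dump.sql
```

Run it against the offline backup rather than the live site, then compare the findings against a fresh download of the same WordPress version.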