[resolved] Cleaning hacked Blog is beyond me (34 posts)

  1. DomFontana
    Member
    Posted 2 years ago #

    The comedian, Steve Martin, used to have a routine where he said he bought a book entitled, "How to make a million dollars and not pay taxes." The first sentence in the book was, "First, get a million dollars."

    That's how I feel about the advice given in this forum about cleaning up a hacked blog. Everyone was very nice in steering me to all the appropriate posts and articles on the subject, but they basically all said the same thing:

    1) Clean out the malicious code from your blog.
    2) Upgrade to the latest version of WP.
    3) Add security features to your blog, so you don't get hacked again.

    Well, I did #s 2 and 3, but nobody really explains how to remove the malicious code from your blog (#1). So now I have a fully updated WordPress with security features installed, but with the same malicious code in it.

    I think removing the malicious code from my existing blog is beyond me. What should I do? Is there a program that will remove the code for me?

    My Blog: http://blog.fontanafirm.com/

    Thanks for any help.

  2. Roy
    Member
    Posted 2 years ago #

    Dom, there is no clear answer to your question. There are many different hacks. Some hacks change theme files, other hacks change WP 'core files', another abuses a plugin, another adds tables to your database or edits existing database tables, another adds a user with admin rights and makes fun in your admin surroundings, etc., etc., etc. I don't know what kind of hack you suffered, so it's impossible to give clear advice.

    The bottom line is: if files have been changed, you have to clear out the added code. You can do this by comparing the files on your server with the files you downloaded from WP, the place where you got your theme, plugins, etc.
    The same goes for database changes, users or tables that shouldn't be there should be cleared, the content of tables has to be checked.

    Yep, that's a hell of a job, especially when it's your first time. I just hope I will never have to!

  3. DomFontana
    Member
    Posted 2 years ago #

    Hi and thanks for the response.

    This much I do know. When I first posted I was hacked, a nice gentleman emailed me with this info. He said this code was in the source of my front page, but cautioned that was just the start of the links. So I think that the code may just be confined to my first page (the most recent post).

    Malicious Code:

    <!-- Begin News --><u style='display:none'>Order Phentermine Online Fast Delivery ..........

    I am not being redirected to any sites, but I am stuck on my first page. I can't access any of my other posts.

    Here's another wrinkle. I have a paid hosting account with Yahoo and set up WordPress through Yahoo. I never downloaded any files to my computer. They're all on the Yahoo server, which I can access through my FTP program.

    When I look in the wp-content folder on the server, I don't see any of my posts.

    Would you know how I can access my posts or is this something I should be asking Yahoo?

    Thanks.

  4. UseShots
    Member
    Posted 2 years ago #

    Hi,

    The hack seems to have only injected hidden spam links into your blog web pages.
    Since you use the default theme and the upgrade overwrites core .php files, the hidden links seem to have been removed. I don't see any hidden spam links. That's good.

    You might want to give the WordPress Exploit Scanner plugin a try. It searches files and database of your website for signs of suspicious activity. It will show if your blog still contains some malicious code.

    You can also use my online service called Unmask Parasites ( http://www.unmaskparasites.com/ ) to check for hidden illicit content on your web pages.

    I have found another problem with your site. Individual posts redirect to themselves and introduce infinite loop. Just try to click on any post link - it won't show. Or see this report:
    http://www.UnmaskParasites.com/security-report/?page=fontanafirm.com/fontanablog/2009/02/18/where-are-my-courses/ - endless 302 redirects.

    Looks like a problem with .htaccess file. Try to change the permalink structure and then revert it back to the one you prefer. Hope this will rewrite the .htaccess file with correct redirect rules.

  5. Roy
    Member
    Posted 2 years ago #

    You've got a nice week ahead of you :-/

    Your posts are in your database, you can't see them using FTP, but of course you can use the "edit" post option in the WP admin to have a look at them (don't use the visual editor though).
    Did Yahoo provide you with a file manager or something (it could be in your control panel/plesk/phpmyadmin/whateveryouhave)? That's a tedious way of looking through the files, but...
    Also you can use FTP to download the whole WP pack from your server to your computer. Also get a 'fresh' pack from the wp website and start comparing the files. The same with your theme files.

  6. DomFontana
    Member
    Posted 2 years ago #

    Thanks, Gangleri. That's a good idea. I'll follow your advice and get back to you.

    I know there are file comparer programs out there. They compare the contents of 2 files and highlight the differences. Is there one you can recommend?

  7. figaro
    Member
    Posted 2 years ago #

    I use Winmerge:

    http://winmerge.org/

    But, you really shouldn't need to compare a lot of files. Just replace the source code with a fresh copy of WP. Delete all your plugins and install all new ones. If you use a custom theme that you haven't made code changes to, then download a fresh copy of it and install it new as well...then all your code (with the exception of your upload data) will be new...and should be clean of any hacks.

    As always, backup before doing anything...

  8. jasonjm
    Member
    Posted 2 years ago #

    It always helps to use:

    find /dir-of-your-wordpress-install/ -type f -exec md5sum {} +
    find /dir-of-a-default-wordpress-install/ -type f -exec md5sum {} +

    Compare the hashes and any file not matching will most likely have your 'malicious' code.

    I'm not in front of a (*nix) box at the moment but i'm sure someone here who is can combine the above two and just pump out the hashes that don't match.

    This is one way of doing things,

    Jason

  9. DomFontana
    Member
    Posted 2 years ago #

    Gangleri,

    I had already viewed my front page in the WP editor using html mode, but I didn't find anything.

    I just checked all my theme templates and stylesheets and everything looked okay.

    Also, I used the Yahoo File Manager and it works very well. I could see all the files on the server and it allows you to view and edit any file. It's actually quite well done.

    The only thing is I still can't find my actual posts. Where is the database that you spoke of? The Yahoo server has wp-admin, wp-content, and wp-includes folders, plus a bunch of php files. I checked them and everything seems okay.

    Should I just view each of my posts from the WP Admin panel using the HTML editor? Will that show me the malicious code or is it hidden in the editor?

    My Blog: http://fontanafirm.com/fontanablog/

    Thanks.

  10. DomFontana
    Member
    Posted 2 years ago #

    figaro:

    I just got WinMerge and installed it. It's a good program to have around. Thanks.

    A few questions: I just upgraded WP. I actually went from 2.0.2 to 2.7.1, so I was behind the times. I forgot the exact procedure, but wouldn't that replace the most sensitive files? As far as my theme goes, I'm using the default theme with a custom header. But I looked at all the theme templates and they seemed fine.

    I will delete all my plugins and reinstall them. Should I do the same for my widgets? As far as my upload data goes, in my last post I have 10 links for YouTube videos. Maybe that caused the problem.

    Thanks for your help. I'll do everything you said and report back here.

  11. DomFontana
    Member
    Posted 2 years ago #

    Hi, jasonjm.

    Thanks for the help, but I'm sorry, I don't really understand what you mean.

    > find /dir-of-your-wordpress-install/ -type f -exec md5sum {} +
    find /dir-of-a-default-wordpress-install/ -type f -exec md5sum {} + <

    Are these commands I'm supposed to use?

  12. figaro
    Member
    Posted 2 years ago #

    Are you sure the malicious code is still there? I don't see anything suspicious in the source code of your site.

  13. jasonjm
    Member
    Posted 2 years ago #

    They are Unix/Linux commands, ignore them if you don't have access to a *nix command line. Winmerge will do the job for you just as well.

  14. DomFontana
    Member
    Posted 2 years ago #

    Hi.

    Figaro, first, I'm not sure if the malicious code is still there. I actually never saw it. Someone emailed me and said they saw the code. Thanks for the commands anyway, Jason.

    UseShots: I don't know how I missed your response earlier. I must have been posting as you were and didn't see it until now. I'll use the ExploitScanner and your site now.

    As far as not being able to view any posts, that's the only problem I'm having with the blog and that's what I'm trying to fix. I thought it was because of the malicious code, which apparently is now gone. I did run a security widget (forgot the name) on my blog and it reported a problem with the .htaccess file. When I checked, the file is not there on the Yahoo server.

    This is probably good news. That must be the problem. I don't have an .htaccess file. If I can recreate it, then I think the problem will be solved.

    Now for the million dollar question:

    How do I recreate or get the .htaccess file?

    As always, thanks for any help.

  15. DomFontana
    Member
    Posted 2 years ago #

    Okay, I used ExploitScanner, as per UseShots' suggestion, and it came up with a ton of things. It tagged a lot of Suspicious Files, but cautions that some of them could be legitimate code. Here is one example:

    "String.fromCharCode" Javascript code used to hide suspicious code, but can also be legitimate code.
    /fontanablog/wp-admin/js/revisions-js.php
    on(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('6(4

    So, how do I know if I should delete it or if it's legitimate?

    The good news, it reported:

    No suspicious plugins found
    Hooray! No suspicious plugins found in the active_plugins database record.

    No suspicious posts or comments found
    Hooray! No suspicious text found in your posts or comments tables

  16. iridiax
    Member
    Posted 2 years ago #

    So, how do I know if I should delete it or if it's legitimate?

    Download a fresh copy of WordPress (same version) and compare.

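Jason's two md5sum lines and iridiax's "download a fresh copy and compare" are the same check, and it also answers the ExploitScanner question above: a file whose hash matches the fresh release (revisions-js.php included) is stock WordPress, whatever pattern the scanner flagged in it. The script below is an added example written for this thread, not code from any poster or from WordPress; it assumes a POSIX shell with find, md5sum, awk, sort and mktemp, and that the live blog has been downloaded over FTP to a local directory next to an unpacked release of the same version.

```shell
#!/bin/sh
# hash_tree DIR: print "hash  ./relative/path" for every regular file under DIR,
# sorted by path, so two trees can be compared entry by entry.
# (md5sum output is split on whitespace below, so paths with spaces are not
# supported; a WordPress core tree has none.)
hash_tree() {
    ( cd "$1" && find . -type f -exec md5sum {} + ) | sort -k2
}

# compare_trees LIVE CLEAN: report how the live install differs from a fresh
# reference copy of the same WordPress version.
#   MODIFIED path       content differs           -> inspect or replace
#   ONLY_IN_LIVE path   file not in the release   -> suspicious unless it is
#                       wp-config.php, uploads, or a plugin/theme you added
#   ONLY_IN_CLEAN path  missing from live install -> restore from the release
compare_trees() {
    live_hashes=$(mktemp)
    clean_hashes=$(mktemp)
    hash_tree "$1" > "$live_hashes"
    hash_tree "$2" > "$clean_hashes"
    # First file read is the clean listing, second is the live listing.
    awk 'FILENAME == ARGV[1] { clean[$2] = $1; next }
         { live[$2] = $1 }
         END {
             for (p in live) {
                 if (!(p in clean))            print "ONLY_IN_LIVE " p
                 else if (live[p] != clean[p]) print "MODIFIED " p
             }
             for (p in clean) if (!(p in live)) print "ONLY_IN_CLEAN " p
         }' "$clean_hashes" "$live_hashes" | sort
    rm -f "$live_hashes" "$clean_hashes"
}

# Usage (paths are placeholders):
#   compare_trees /path/to/downloaded/fontanablog /path/to/fresh/wordpress-2.7.1
```

Expect ONLY_IN_LIVE lines for wp-config.php, wp-content/uploads and any plugins or themes you installed yourself; everything else in that column, and every MODIFIED line, is a file to open and read or to replace from the release.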
  17. DomFontana
    Member
    Posted 2 years ago #

    iridiax.

    I just upgraded WP a few days ago. For now, I think I'll try to figure out how to get the .htaccess file back and see if that fixes the problem.

    What is the .htaccess file anyway? Can I just download it and insert it in the proper place on the Yahoo server or is the file specific to each blog?

  18. iridiax
    Member
    Posted 2 years ago #

    .htaccess is an invisible file used for pretty permalinks and other things.

    http://codex.wordpress.org/Using_Permalinks#Where.27s_my_.htaccess_file.3F

    Added: I just noticed that you mentioned you were using Yahoo. They are restrictive about this file, so try a forum search for: .htaccess yahoo

  19. DomFontana
    Member
    Posted 2 years ago #

    Hi.

    You're right. I remember I had a problem when I first set up my blog a few years ago, and the Yahoo server wouldn't display the file because it's an extension that starts with a period.

    I changed my permalinks from the default to numeric and saved it, but still no .htaccess file.

    When I run the WP - Security Admin Tools plugin, this is what it reports:

    WordPress version: 2.7.1 You have the latest stable version of WordPress.
    Your table prefix should not be wp_. Click here to change it.
    Your WordPress version is successfully hidden.
    WordPress DB Errors turned off.

    WP ID META tag removed form WordPress core
    No user "admin".
    The file .htaccess does not exist in wp-admin/.

    I think if I solve the .htaccess problem, I'll be okay.

    Thanks.

  20. iridiax
    Member
    Posted 2 years ago #

    If you are not using pretty permalinks, then you do not need an .htaccess.

    The file .htaccess does not exist in wp-admin/

    This is just a security recommendation, not a requirement, and it can be ignored.

  21. DomFontana
    Member
    Posted 2 years ago #

    Well, thanks for the link, iridiax. It was very helpful, but I still have a problem.

    I created a blank file in Wordpad and saved it as 1.htaccess and FTP'ed it to the Yahoo server. I put it in the root directory of the blog. I chmod'ed it to 666, just as the article said. But when I try to change the name of the file to .htaccess, it won't let me do it.

    With SmartFTP, it doesn't give me an error message, it just keeps the same name. With the Yahoo File Manager, it says Invalid filename.

    What's the trick to changing the file name once it's on the server?

  22. DomFontana
    Member
    Posted 2 years ago #

    iridiax. No, I'm not using pretty permalinks. In my Admin settings, I have the regular Permalinks, plus a plugin called External Permalinks.

    The reason I thought it was the .htaccess file is that earlier in this post, UseShots said:

    I have found another problem with your site. Individual posts redirect to themselves and introduce infinite loop. Just try to click on any post link - it won't show. Or see this report:
    http://www.UnmaskParasites.com/security-report/?page=fontanafirm.com/fontanablog/2009/02/18/where-are-my-courses/ - endless 302 redirects.

    Looks like a problem with .htaccess file. Try to change the permalink structure and then revert it back to the one you prefer. Hope this will rewrite the .htaccess file with correct redirect rules.

    So does anyone know if it's a problem with .htaccess or not? The bottom line is the problem I'm trying to fix is that I can only display the first post on my Blog. I can't access any older posts. It just hangs when I try to change posts.

  23. DomFontana
    Member
    Posted 2 years ago #

    I've been working on this problem for hours, but still haven't been able to solve it. I've read all the topics here and searched for my problem, but still can't fix it. Again, the problem is that I can only display the first post on my Blog. I can't access any older posts. It just hangs when I try to change posts.

    According to UseShots (above), this is what the UnmaskParasites site found:

    I have found another problem with your site. Individual posts redirect to themselves and introduce infinite loop. Just try to click on any post link - it won't show. Or see this report:
    http://www.UnmaskParasites.com/security-report/?page=fontanafirm.com/fontanablog/2009/02/18/where-are-my-courses/ - endless 302 redirects.

    Any help in solving this problem would be appreciated.

  24. UseShots
    Member
    Posted 2 years ago #

    Hi,

    Links that use meaningful words instead of "?p=123" are called "pretty permalinks". Your blog does use them. I noticed you'd changed them. They now look like "fontanablog/archives/549". This sort of permalink requires adding some .htaccess redirect rules. WordPress creates them for you when you change the permalink structure in the Admin Interface.

    I'm not sure what the "External Permalinks" plugin does. Maybe it's misconfigured, since individual posts are still inaccessible. I have the "Redirect Loop" error in my Firefox when I try to open them.

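UseShots' point is that non-default permalinks only work if the rewrite rules WordPress normally writes to .htaccess are present, and Dom asked earlier how to recreate that file by hand. The script below is an added example for this thread (not the poster's code and not WordPress's own writer); it reproduces the standard WordPress rewrite block with RewriteBase set to the blog's URL path, which for this blog is /fontanablog/. It assumes shell access to the web root and an Apache host that honours .htaccess at all.

```shell
#!/bin/sh
# wp_htaccess_rules BASE: print the rewrite block WordPress itself writes when
# pretty permalinks are enabled. BASE is the install's URL path with leading
# and trailing slash: "/" for a root install, "/fontanablog/" for a blog in
# a subdirectory.
wp_htaccess_rules() {
    base=$1
    cat <<EOF
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase ${base}
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . ${base}index.php [L]
</IfModule>
# END WordPress
EOF
}

# write_wp_htaccess DIR BASE: create DIR/.htaccess containing those rules.
# Refuses to overwrite an existing file, so an already-correct or hand-edited
# file is never clobbered, and sets mode 644: the web server only needs to
# read the file, and a world-writable (666) file is one more thing anyone
# else on a shared host could edit. WordPress will not be able to rewrite it
# itself, which is fine for a file you maintain by hand.
write_wp_htaccess() {
    dir=$1
    base=$2
    target="$dir/.htaccess"
    if [ -e "$target" ]; then
        echo "refusing to overwrite existing $target" >&2
        return 1
    fi
    wp_htaccess_rules "$base" > "$target" && chmod 644 "$target"
}

# Usage: write_wp_htaccess /path/to/fontanablog /fontanablog/
```

Two caveats: the rules are only read if the host's Apache has mod_rewrite and AllowOverride enabled for that directory, so on a host that restricts .htaccess (as iridiax notes Yahoo does) the file will simply be ignored; and the redirect loop UseShots saw could equally come from a plugin or a wrong "Blog address" setting, so if the file is in place and posts still loop, the rules are not the cause.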
  25. DomFontana
    Member
    Posted 2 years ago #

    Hi, UseShots.

    You know, I just figured that out. People are using the term "pretty permalinks" generically to refer to any program that allows you to change the default way links are displayed. At first, I thought it was the name of a plugin. So yes, I am using "pretty permalinks."

    Originally (a few years ago), I changed the permalinks to numeric. After I just upgraded, I was checking it earlier and it was set to default, so I changed it back to numeric.

    Also, I deactivated External Permalinks, but it didn't fix the problem, so I activated it again. Here's a link to tell you what it does:

    http://www.improvingtheweb.com/wordpress-plugins/external-permalinks/

    Also, I can't view the source code for the earlier posts because I am unable to display them.

    So, after all is said and done, does anyone know where I go from here to solve the problem?

    Thanks for any help.

  26. UseShots
    Member
    Posted 2 years ago #

    Do you have a file called .htaccess in the blog root directory (not wp-admin/)? This file is "hidden" so be sure to configure your FTP program to view hidden files.

    If you have this file, post its content here and we'll try to figure out what's wrong with it.

  27. DomFontana
    Member
    Posted 2 years ago #

    Hi, UseShots.

    No, I do not have the .htaccess file in my root directory or anywhere else.

    I don't know if you saw what I wrote in an earlier post:

    I created a blank file in Wordpad and saved it as 1.htaccess and FTP'ed it to the Yahoo server. I put it in the root directory of the blog. I chmod'ed it to 666, just as the article said. But when I try to change the name of the file to .htaccess, it won't let me do it.

    With SmartFTP, it doesn't give me an error message, it just keeps the same name. With the Yahoo File Manager, it says Invalid filename.

    What's the trick to changing the file name once it's on the server?

    So I don't have the .htaccess file and can't create one. What do I do now?

  28. DomFontana
    Member
    Posted 2 years ago #

    Oh, great. Thanks, figaro. I'll email everything to you right now.

    I really appreciate this.

  29. figaro
    Member
    Posted 2 years ago #

    @DomFontana: I have some time this morning. If you want, you can email me with a login to your Yahoo account, along with a description of the problem you are currently having, I'll take a look at it for you. 234figaro432[at]gmail[dot]com

  30. DomFontana
    Member
    Posted 2 years ago #

    figaro.

    Do you want my WordPress login or Yahoo login info?

Topic Closed

This topic has been closed to new replies.
