Hacked and Need Help!

AmandaNoelle82
(@amandanoelle82)

14 years, 11 months ago

My blog was hacked with spam links, and I don’t know for how long now. It’s not outwardly visible when you visit the blog, but when viewed through BlackBerry’s browser, they’re the first thing that shows up.

The spam links also hit my Gallery application, which is another issue.

You can see the spam code by “View Source” on the main page, starting with the <body> tag.

I’ve looked through all of my *.php pages and cannot find the links to delete. However, I did notice that in certain themes, new code appeared, and I can’t delete it. It’s always at the top of the page, and begins with <? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc... (insert random string of letters and numbers)

However, this code is not in the new theme I just downloaded.

– Do you know how to get rid of the spam links?
– What should certain files be CHMOD’ed to in order to prevent this in the future?

Thanks for any help in advance.

Viewing 4 replies - 1 through 4 (of 4 total)

geraldz
(@geraldz)

14 years, 11 months ago

I had the same problem – this affects the default files on your server (index.php, index.html, default.html, etc.) Open these files and remove the malicious code (usually a script placed just below the </head> tag). Then save the cleaned file and change the permissions to read only (444).

Thread Starter AmandaNoelle82
(@amandanoelle82)

14 years, 11 months ago

Gearldz, unfortunately, it’s not allowing me to remove the malicious code.

whooami
(@whooami)

14 years, 11 months ago

@amandanoelle82,

whats the “it” you speak of?

—

fix advice:
http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
http://wordpress.org/search/hacked?forums=1

Make sure that your files on the server are clean. If that means deleting and reuploading, than you ought to do that. Files that you dont replace, should be looked at.

Check for files that dont belong, directories that dont belong. Image files with changed timestamps — look at those. Its VERY common for there to be scripts on sites that are named in such a way to mask the fact that theyre scripts.

Be suspicious, when youre looking at things. For instance, if you look at your wp-content/index.php — even that file has the malicious JS in it…

Look at your permissions. Do you have world writable files? Any world-writable directories? Are they necessary?

You need to check your database. Look for rogue plugins being loaded, look for rogue users (specifically look for a user named wordpress). You will NOT see rogue plugins or rogue users in your wp-admin/ area. You need to check your database.

Make sure ALL of your plugins are current.

Make sure your wordpress is current.

Change your mysql password that wordpress uses (update your wp-config.php with that new password).

change your ftp password.

Change any admin level passwords on your blog.

Look at any other software thats being used on your site. Is it current?

Thats just an outline and not a complete list.

There’s quite a bit to do, but it’s all necessary.

If you cant do it all — by all means dont hesitate to enlist the help of someone who can. Quite a few of us do work on the side.

—

If you arent archiving access logs, you ought to be, especially now.

there’s also this:

http://codex.wordpress.org/Hardening_WordPress

—

There’s also gumblar and various iterations, variations, clones, and whatnot, going around. Getting rid of gumblar, etc.. means you also need to make sure that the remote computers being used to access your site’s FTP are clean. By that, I mean.. they need to be scanned for malware, and any found, removed.

yaboymartell
(@yaboymartell)

14 years, 11 months ago

wow i think i’m going through the same thing with my site!!!

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Hacked and Need Help!’ is closed to new replies.

Hacked and Need Help!

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics