[resolved] [closed] hacked by hacker (36 posts)

  1. stuzphotography
    Member
    Posted 1 year ago #

    'Hacked by hacker' message appeared on my site when I opened my home page. Could not open site, could not open admin panel. What can I do?

  2. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

  3. stuzphotography
    Member
    Posted 1 year ago #

    Thanks, I'll get at it.

  4. johnnyspade
    Member
    Posted 1 year ago #

    I had the same thing happen to me today, on a bunch of different sites actually. Searching to see if it happened to anyone else, I found your message.

    It looks like what happened is that the hack changed the index.php file in a few different directories. Check the index.php file in your root as well as the index.php in the wp-content folder and any of your theme folders. I restored the sites affected from backups, just to be safe, though the database appeared to be untouched. There appears to be a bunch of index.html files that were created in the affected directories as well.

    One thing that all sites affected seemed to have in common was that they were all hosted on the same box at my web host, if that helps you.

  5. jtoronto
    Member
    Posted 1 year ago #

    A couple of HostPapa.com servers had hundreds of websites hacked like this today simultaneously across multiple accounts and multiple servers.

    Also there are reports on Twitter from many other people as well on other hosts ... all today. So I have a feeling that there is a bigger problem here.

    The index.php file gets changed to "hacked by Hacker" and the header.php file in the theme folder also gets changed to the same thing ... and index.html file also gets added.

    This happened on an up-to-date minimal WordPress install with no plugins and the classic theme so not sure how it is happening. Almost seems like an issue with the host or server itself?

  6. stuzphotography
    Member
    Posted 1 year ago #

    So, is this a wait and see what happens situation before I try fixing myself?

  7. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    No - never assume that unless you can confirm with your hosts that they have been hacked, are assuming full responsibility and that they will sort out your site. Generally speaking, you have to clean up your own site.

  8. stuzphotography
    Member
    Posted 1 year ago #

    Thanks, I'm looking forward to the discussion on how this gets sorted out. For me, lots to learn.

  9. jtoronto
    Member
    Posted 1 year ago #

    No, you need to fix it yourself. That said, if you are hosted with HostPapa, according to their support department there was a security breach last night. But they are not saying much else.

    To fix this you need to get the following 2 files back:
    index.php in the root folder (get it from the default WordPress install) and header.php in your themes folder (if you don't have a backup of that file you will need to start with the original from the theme). Also remove index.html, which is created because the hack affects non-WordPress sites as well.

    I do think there is a larger security / vulnerability issue going on with this hack but we may have to wait for more reports.
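
The file checks described in posts 4 and 9, as an added example that is not part of the original thread: a Python script that compares a site tree against a pristine copy (fresh WordPress and theme downloads) and reports changed `index.php`/`header.php` files and `index.html` files the clean copy does not contain. The function names, directory layout and file bodies are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

OVERWRITTEN = {"index.php", "header.php"}  # files the posts report as replaced
DROPPED = "index.html"                     # file the posts report as newly created


def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit(site: Path, clean: Path) -> dict:
    """Compare site files against a pristine copy (fresh WordPress plus theme download)."""
    report = {"modified": [], "unverified": [], "dropped": []}
    for path in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = path.relative_to(site)
        ref = clean / rel
        if path.name in OVERWRITTEN:
            if not ref.is_file():
                report["unverified"].append(rel.as_posix())  # nothing to compare with
            elif digest(path) != digest(ref):
                report["modified"].append(rel.as_posix())
        elif path.name == DROPPED and not ref.is_file():
            report["dropped"].append(rel.as_posix())
    return report


def build_sample(root: Path):
    """Constructed sample: stand-in file bodies, defaced the way the thread describes."""
    stock = {"index.php": "<?php // stand-in for stock index.php",
             "wp-content/index.php": "<?php // stand-in",
             "wp-content/themes/classic/header.php": "<html><head>"}
    for tree in ("clean", "site"):
        for rel, body in stock.items():
            target = root / tree / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    for rel in ("index.php", "wp-content/themes/classic/header.php", "index.html"):
        (root / "site" / rel).write_text("hacked by hacker")
    custom = root / "site/wp-content/themes/custom/header.php"  # theme with no clean copy
    custom.parent.mkdir(parents=True)
    custom.write_text("<html>")
    return root / "site", root / "clean"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(*build_sample(Path(tmp))))
```

Files listed under `unverified` (for example a customised theme with no clean download) have to be checked against a backup or reviewed by hand.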

  10. stuzphotography
    Member
    Posted 1 year ago #

    Ok. I am a Mac user and have located the various files but need to read more to make sure I make the correct changes.

  11. jtoronto
    Member
    Posted 1 year ago #

    Here is some more info on it:

    As of yet there is no information about the exploit vector.

  12. jtoronto
    Member
    Posted 1 year ago #

  13. The Hack Repair Guy
    Member
    Posted 1 year ago #

    I'm only hearing one host's name so far being mass hacked.

    If someone has specific details on another host mass hacked please post the details.

    Seems to be a rash of anecdotal comments and I'm not seeing any indication of some zero day vulnerability in the wild. I'm seeing nowhere near the traffic I would expect to see in the hacker forums if that were the case; and the number of hacking reports doesn't appear to have spiked this week at all.

  14. Viscosity
    Member
    Posted 1 year ago #

    Potentially the site has outdated plugins, or exploits were found in the plugins / WordPress that caused the malware infestation which led to the massive hack. You can see the antivirus scan report.

  15. jtoronto
    Member
    Posted 1 year ago #

    Viscosity: alkeiyasings.com is hosted by HostPapa according to WHOIS.

    Most of these hacked sites seem to be hosted there.

  16. Viscosity
    Member
    Posted 1 year ago #

    If the massive hack comes from a single web hoster, then it is very likely that the web hoster has been rooted, which led to the massive hacks. It may or may not be a WordPress issue.

    alkeiyasings.com web hoster information

  17. John Heslop
    Member
    Posted 1 year ago #

    My site antidumping.com.au is also down.

    There are some residual pages from my last provider so I assume it is an attack on wordpress formats (I bought striking)

  18. wonderotter
    Member
    Posted 1 year ago #

    Easy to fix...not so sure about preventing it. I had 3 sites hacked on Hostpapa. The solution for me was to upload a new blank index.html in the root and then re-upload the theme's header.php. Fixed it right away. Both of those files had been overwritten by the hack.

  19. Viscosity
    Member
    Posted 1 year ago #

    Then we can be quite certain that the hack was done through an exploit in the theme. Perhaps you can provide the name of the theme you are using, as other sites hosted on the same web hoster may use the same theme as you.

  20. sbock3
    Member
    Posted 1 year ago #

    Ah help me, please! I just deleted the infected theme header.php file...where do I find a new, clean one? My site looks completely messed up now. I didn't have a backup of that file. Does that mean I can never return the site to its original look/state??

  21. GP23
    Member
    Posted 1 year ago #

    @sbock3: download a fresh copy of your theme and unzip it.

  22. mrnra420
    Member
    Posted 1 year ago #

    I've been hacked as well.

    I can't access the dashboard via http://www.mywebsite.com/wp-admin

    I'm also using Hostpapa. And the index files have been modified (yesterday). My theme was a slightly modified 'twenty ten'.

    How do I gain access to the dashboard? Should I simply replace the index?

  23. mrnra420
    Member
    Posted 1 year ago #

    I replaced the modified index and header file with a backup. The website is up... But I still can't access the dashboard?
    I went to 'forgot password' but it states my email isn't on file... neither is my user name.
    What is the dashboard linked to? Is it linked to my files on my server or doesn't wordpress.org maintain that information?

  24. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    @mrnra420: As per the Forum Welcome, please post your own topic. Your problem - despite any similarity in symptoms - is likely to be completely different.

  25. Viscosity
    Member
    Posted 1 year ago #

    I got a suspected attack on my site as well this morning. You can refer to the image, in which the attacker is focused on timthumb.

    Here is a good explanation for the timthumb attack and mass infection.

  26. jtoronto
    Member
    Posted 1 year ago #

    NONE of the sites I cleaned yesterday with the "Hacked by Hacker" had Timthumb vulnerabilities ..

  27. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    That's because these are not the same hacks. Please, people, post your own topics.

  28. Viscosity
    Member
    Posted 1 year ago #

    Who me?

  29. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    Yes. Everyone but the original poster. Every one of these hacks could be quite different.

  30. stuzphotography
    Member
    Posted 1 year ago #

    In answer to my ticket from Host Papa here is what they say:

    Hello,

    Your hosting account has been exploited/hacked, most likely due to an outdated script on your account. The hack has compromised all of your files and your account must be either restored from a backup or reset completely. Either of these actions will clear out any potentially harmful things like viruses or malware that may have been uploaded.

    If you have a full backup made with the Backup Wizard from cPanel, please upload this file to your account. Let us know the name of the file and where we can find it. We will restore the backup for you.

    If you have a partial backup or a backup file made some other way, you will need to restore the backup yourself.

    If you do not have a backup file, you will need to reset your account. Unfortunately, you will lose ALL data including website files, email addresses and databases. As this is a destructive process, we need you to provide us with some information before we proceed.

    1. Please provide the appropriate security verification information:
    -----------------------------------------------------------------------------------------------------------
    The last four digits of the number on the front of the credit card we have on file for you:
    -----------------------------------------------------------------------------------------------------------
    If there is no credit card on file, please provide your zip/postal code and original cPanel password:
    -----------------------------------------------------------------------------------------------------------
    2. Please put YES next to each of the following to indicate you understand what will happen with your account:
    -------------------------------------------------------------------
    I understand all website files will be deleted:
    -------------------------------------------------------------------
    I understand all email messages and addresses will be deleted:
    -------------------------------------------------------------------
    I understand all addon domains/subdomains will be deleted:
    -------------------------------------------------------------------
    I understand all databases will be deleted:
    -------------------------------------------------------------------

    Once we have your reply, we will proceed with resetting your account.

    So, that's pretty clear. As I said earlier I am new to this and did not back up properly. It would seem that I will lose all my files. Too bad. All that work gone. Wish there was a better way.

Topic Closed

This topic has been closed to new replies.
