There is another thread on this today and numerous posts on Twitter and the net about this hack which just started surfacing a few days ago..
“hacked by hacker”
To fix this you need to get the following 2 files back:
index.php in the root folder (get it from the default WordPress install) and header.php in your themes folder (if you don’t have a backup of that file you will need to start with the original from the theme). Also remove index.html which is created because the hack affects none WordPress sites as well/
That said I think you may get hacked again because it is unclear how they are doing it at the moment.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Just on a side note:
As a novice this hack makes me feel very queazy to install any wordpress blog at all… being thrown into the cops and robber game… What are the alternatives??
Jan this appears to be a new hack. I know cleaning the files does not close the door but the door is not obvious yet.
I’ve cleaned up many WordPress installs over the years but have not found the culprit yet on this one (which has been reported starting today on many many wp sites across multiple hosts) … i guess if it’s something new it will keep growing … otherwise hopefully someone will be able to report what the exact backdoor is to this one ..
@sambodhiprem
As a novice this hack makes me feel very queazy to install any wordpress blog at all
It’s definitely a pain now, but it’s also an extremely valuable learning tool at this point. This (hacking) isn’t an issue that happens only to WordPress, however. Every other platform out there is vulnerable at some point, and surprisingly enough some of the most common reasons for intrusions and ‘hacks’ are completely unrelated to vulnerabilities in the software itself.
People with bad intent defacing index.php and header.php files really isn’t anything new. It will be interesting to see what comes of it.
In the mean time, you really should take some time to examine the resources found in the links Jan left for you. There’s a ton of great information in them.
Sites I’ve seen so far with this type hack have had installed:
contact form 7
So far the contact form 7 plugin has been the only common denominator I’ve seen in the sites I’ve fixed this past week. However, this is totally speculative, given how popular this plugin is, it’s more likely just a coincidence.
None of the sites I’ve fixed today have Contact Form 7 …
The only common denominator I have seen is that they are all on Cpanel and multiple sites on the Cpanel server (under different accounts) get hacked at the same time when it happens.
This was the case with HostPapa hosted sites which seem to have the most hacks today .. and a company called NetRegistry according to some other forum I have been following … and a company called Syrahost …
No solid answers yet ..
Are you suggesting to us that the use of cPanel qualifies as a common denominator for these hacked sites?
Right, though 20 twitter posts in a week doesn’t exactly describe an incoming WordPress apocalypse…
No one said apocalypse.
There’s a trickle of info coming in on this hack which escalated today. Obviously hasn’t affected many people. But enough to warrant talking about it. It seems if your WordPress site was hosted on the aforementioned hosts you were likely to run into this hack today.
I sense sarcasm from you guys .. whereas I’m just trying to throw some observations out there to see if they click with others who are dealing with this as well.
Since there’s no traces in log files it would be nice to know how it happened is all.
In order to find the baddies I’d like to table:
On Nov 7th I installed a new WordPress blog (3.4.2) on an account hosted by Hostpapa. No plugins were installed, I created two posts and left it like that.
So my blog was hacked when it was still fresh off the shelve, without having a ‘history’…
My cash would be on the Hostpapa plus latest version of WordPress horse – not a happy marriage…
My website is hacked (again)
It only shows a smiley and this is second time in the last six months.
Kindly help me out. My developer (friend) is no more interested in fixing this up for me and I am unable to find enough information on the Internet to fix this up.
http://www.tarungoel.in is the URL of the website.
