WordPress.org

Ready to get started?Download WordPress

Forums

[closed] Hacked by hacker (48 posts)

  1. secretfocus
    Member
    Posted 1 year ago #

    A few hours ago on 14 Nov 2012 I could not log in to my WordPress admin which did not recognise either the name or password - not sure which was not recognised. My site http://www.secretfocus.co.uk no longer appears by my usual direct route or via Google.

    Only a blank page with 'hacked by hacker' appears.

    I am using the WordPress forum to look for solution but would appreciate any advice or suggestions - maybe you have seen this before.

    Contacted my host for advice but snails never travel fast!

  2. esmi
    Forum Moderator
    Posted 1 year ago #

  3. mvandemar
    Member
    Posted 1 year ago #

    My guess is you are hosting with either NetRegistry or HostPapa, in which case those solutions won't keep you safe, unfortunately. They are blaming it on a WordPress vulnerability but the evidence is much stronger to it being an insecurity with their servers. The fix is simple enough, replace the index.php in your root and in your theme with backups (or from a fresh WordPress zip in the case of the root directory one), but until they acknowledge and fix whatever the security hole is you might just get hit again.

  4. mrnra420
    Member
    Posted 1 year ago #

    @mvandemar Thanks for the info

    One more thing. I've replaced the index.php and replaced the Header file with a backup.
    But I still can't access the dashboard.. it states my email or username might not be on file.. I'm with hostpapa.

    How do I fix this?

  5. jbusacca
    Member
    Posted 1 year ago #

    every couple of days when I log into my account somebody sets up a USER ID and password for themselves and post stories about 'coach handbags " on my site like its real...I have updated , changed passwords multiple times but it keeps happening...any help would be appreciated!..Network solutions is my server BTW

  6. mvandemar
    Member
    Posted 1 year ago #

    @mrnra420 - go in to your database through the phpmyadmin in cpanel and look at the wp_users table. If they switched the admin username and email, edit the record to switch it back and then go through the Lost Password function on the WP login page.

    Also, if you don't mind, could you please check which version of phpmyadmin HostPapa is using and update this thread with that info? Thanks.

    @jbusacca - there are too many things that could be going on. I would suggest switching hosts for one (I prefer Hostgator, but there are others that work as well), and then going through the links that esmi posted above. One of those is my blog, if you get stuck and need more help feel free to contact me.

  7. esmi
    Forum Moderator
    Posted 1 year ago #

    @jbusacca: It is impolite to interrupt another poster's ongoing thread with a question of your own and it causes significant problems for the forum's volunteers. Please post your own topic.

  8. mrnra420
    Member
    Posted 1 year ago #

    @mvandemar They seem to be using phpMyAdmin 3.4.11.1 (is that what you wanted?)

    It worked!! All the posts are still there too.. :)

    I know some people might hate hackers.. but in away, they keep you on your toes and force you to learn more then you would have..

    Thanks again

    Now to backup...

  9. mvandemar
    Member
    Posted 1 year ago #

    @secretfocus - by the way, the same instructions I gave to mrnra420 should work for you as well.

  10. secretfocus
    Member
    Posted 1 year ago #

    @esmi & @mvandemar Thanks for the help and my site is on HostPapa who say "in your case we have realize that the exploit currently only replaced the index.php, index.html files, modified or replaced the header.php file of the active theme and changed the administrator password".

    HP say I should use the "forgot my password" option to get a new administrator p/w, reinstall WP and the theme. When I tried to get a new p/w it tells me my user name is invalid.

    As someone very inexperienced with this sort of thing I am confused before I start so all help will be appreciated.

    I do have access to the cPanel so will try to switch users in phpmyadmin.

  11. secretfocus
    Member
    Posted 1 year ago #

    I have managed to log in to my dashboard - thanks for that.

    Bearing in mind my low level of expertise.

    Q1. How do I reinstall WordPress to replace the index.php in the root - or is there another SIMPLE way to do this?

    Q2. HostPapa say I need to replace the wp-content/wpthemes/<theme-name>/header.php file. How do I do this?

  12. esmi
    Forum Moderator
    Posted 1 year ago #

    Re-upload a fresh copy of the theme to wp-content/themes.

  13. esmi
    Forum Moderator
    Posted 1 year ago #

    How do I reinstall WordPress to replace the index.php in the root

    Re-upload all files & folders - except the wp-content folder - from a fresh download of WordPress. Make sure that you delete the old copies of files & folder before uploading the new ones.

  14. secretfocus
    Member
    Posted 1 year ago #

    Thanks esmi. I know what I need to do - I need to know how to do it for both WordPress and the Sixhours theme.

    For example. do I go into my cpanel and delete sixhours - there is no delete facility through my dashboard unless I load a different theme to replace it.

    The same applies to WordPress - do I delete it and then install it again?
    This seems a bit extreme!!!

  15. esmi
    Forum Moderator
    Posted 1 year ago #

    do I go into my cpanel and delete sixhours

    Yes

    The same applies to WordPress - do I delete it and then install it again?

    You delete and then re-upload all files & folders - except the wp-content folder, your wp-config.php file and any .htaccess files - from a fresh download of WordPress.

    This seems a bit extreme!!!

    This is what's needed to recover from a hack. Have you checked for any hacker back doors yet?

  16. secretfocus
    Member
    Posted 1 year ago #

    Just to clarify: In cpanel File manager, Public FTP Root, public_html I delete the following folders: cgi-bin, wp-admin, and wp-includes

    NEED TO KNOW: Where from, and how, do I then upload the WordPress into public_html?

    Sorry if I seem a bit useless but I have never had to do this before and I don’t want to create a worse situation!

    I have not checked for 'hacker back doors' yet. My head is still spinning with the above. HOW DO I DO THIS?

  17. esmi
    Forum Moderator
    Posted 1 year ago #

    I delete the following folders: cgi-bin, wp-admin, and wp-includes

    No. Leave cgi-bin alone. It has nothing to do with WordPress.

    Where from, and how, do I then upload the WordPress into public_html?

    You can download a fresh copy from http://wordpress.org/download/
    Unpack the downloaded archive, open the wordpress folder and then start uploading it's content - deleting each file in the public_html folder before you upload the fresh one.

  18. secretfocus
    Member
    Posted 1 year ago #

    Should I open a new folder in cpanel where I can download and open the new WordPress. Then I can delete and copy the new versions into public_html.

  19. esmi
    Forum Moderator
    Posted 1 year ago #

    Whatever works for you is fine.

  20. secretfocus
    Member
    Posted 1 year ago #

    Having a lot of trouble with this. I have WP on my PC but I cannot delete any folders for wp-admin or wp-includes from my cpanel file manager.

    Do I simply empty files from those folders and refill them with the new version?

  21. esmi
    Forum Moderator
    Posted 1 year ago #

    I cannot delete any folders for wp-admin or wp-includes from my cpanel file manager

    Why not? Have you tried using FTP?

  22. mvandemar
    Member
    Posted 1 year ago #

    @secretfocus, they may have messed with your file permissions. If you go in via ftp and right click on either of those folders, and click on "file permissions", what does it show you?

  23. secretfocus
    Member
    Posted 1 year ago #

    Never used FTP or got an account, so here goes!

    OK. I think I have just managed to set up a new FTP account with FileZilla but cannot see anything to click beyond my own PC. I can't see anything remotely like the file manager.

    The box titled 'remote site' is completely empty but does have a folder icon with /. What do I do now?

  24. mvandemar
    Member
    Posted 1 year ago #

    @secretfocus - unfortunately I don't think you are going to be able to do this on your own. If you want I can take a quick look to see what's going on. You can send me an email to michael at endlesspoetry dot com if you like.

  25. esmi
    Forum Moderator
    Posted 1 year ago #

    Did you obtain your FTP login details from your hosts?

  26. secretfocus
    Member
    Posted 1 year ago #

    Latest: I have managed to delete the wp-admin folder from my cpanel file manager and can do the same for wp_includes - but not yet. However, the upload system will net let me upload a replacement folder - it only seems to permit the upload of individual files. Do I have to this file after file to rebuild the wp-admin folder?

    YES - I got the FTP details from HostPapa

  27. mvandemar
    Member
    Posted 1 year ago #

    @secretfocus - to do it via the file manager, zip them up, upload the zip, then unzip them using the file manager. Make sure that you can see both folders in the zip file at the top level (ie. when you open it you can see both wp-admin and wp-includes without having to go into any other folders), upload it so that it is at the same level where wp-config.php is, click on the zip file, then click the Extract button at the top.

  28. mvandemar
    Member
    Posted 1 year ago #

    @secretfocus - also, your main ftp credentials should be the same as your cpanel login, for future reference.

  29. esmi
    Forum Moderator
    Posted 1 year ago #

    Have you created a new site in FileZilla and added your ftp login details?

  30. secretfocus
    Member
    Posted 1 year ago #

    @mvandemar I don't see wp-config. UPDATE _ Found it.

    @esmi I added the ftp credentials copied from HostPapa.

Topic Closed

This topic has been closed to new replies.

About this Topic