WordPress.org

[closed] Hacked by hacker (48 posts)

  1. esmi
    Forum Moderator
    Posted 1 year ago #

    So are you able to login to your site using FTP?

  2. secretfocus
    Member
    Posted 1 year ago #

    The good news is that I have uploaded wp-admin & wp-includes into my cpanel file manager.

    I have also deleted Contact Form 7 plugin to remove one area of potential back door hacking - I spent a lot of time working on this immediately before the hack and will re-install it again later

    My next task is to re-install my theme (Sixhours) but once again how to do this is a problem as there seems to be no delete facility unless I substitute a different theme and then re-install it.

    Would this work?

  3. mvandemar
    Member
    Posted 1 year ago #

    Just delete the theme from wp-content/themes and re-upload the new copy.

  4. secretfocus
    Member
    Posted 1 year ago #

    Done that and the hacked by hacker line in header.php has gone.
    However, my website still does not display properly and still has the white page saying hacked by hacker on it.

    Is it likely that HostPapa need to know about the repair?

  5. mvandemar
    Member
    Posted 1 year ago #

    You replaced the index.php file in the public_html directory as well, correct? Can you see what the last_modified date is on that file?

  6. esmi
    Forum Moderator
    Posted 1 year ago #

    @secretfocus: You also need to delete all files in the root WordPress folder except your wp-config.php and your .htaccess files and re-upload fresh copies.

    Next - download your wp-config.php and make a note of your database access details. Use the wp-config-sample.php file to create a new wp-config.php file and upload this new file to the root WordPress folder.

    Examine your .htaccess file for anything unusual. A basic WordPress .htaccess file only contains:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

  7. esmi
    Forum Moderator
    Posted 1 year ago #

    Is it likely that HostPapa need to know about the repair?

    From what I have read today, it sounds like their poor server configuration may have been responsible for the spread of the hack across so many sites. In your shoes, I'd be looking for another hosting company.

  8. secretfocus
    Member
    Posted 1 year ago #

    @mvandemar. The phot version used by HostPapa is Version information: 3.4.11.1, latest stable version: 3.5.3.

    I have now replaced index.php in public.html but still no page display. I have contacted HP to inform them of the repair.

    By coincidence I had started looking for a new host and HostGator seemed to have what I need. I think this incident will bring that forward!

    @esmi. Your post about deleting root files has confused me. Had a long look through cpanel file manager (public.html) and cannot see anything like .htaccess files. In addition, the files etc. that are in there are licenses, read me, sitemap.xml, text/html and what I assume are important php files.

    There is another folder for access logs at the same level to public.html but this is completely empty. Can you advise me further on this?

  9. esmi
    Forum Moderator
    Posted 1 year ago #

    Had a long look through cpanel file manager (public.html) and cannot see anything like .htaccess files.

    Don't worry about it. If you were not using a custom permalink structure, you may not have ever had an .htaccess file.

    In addition, the files etc. that are in there are licenses, read me, sitemap.xml, text/html and what I assume are important php files.

    Delete the sitemap.xml file. You can re-create this at a later stage. General rule of thumb - if you can manage without a file, delete it after a hack and create a new copy.

    The only .html file should be the readme.html file. You can delete and re-upload this. Ditto the license.txt file. All of the .php files can be deleted and re-uploaded except for the wp-config.php file as I mentioned above.

    There is another folder for access logs at the same level to public.html but this is completely empty. Can you advise me further on this?

    Leave it alone. It's almost certainly nothing to do with WordPress.

  10. secretfocus
    Member
    Posted 1 year ago #

    OK - thanks for all the help. I guess I just wait for HostPapa to do their stuff now!

  11. secretfocus
    Member
    Posted 1 year ago #

    @esmi. Replacing the php files and I see that there are no replacements for some = feed, pass, rdf, register, rss, rss2.

    Do I leave the existing files or delete them?

  12. esmi
    Forum Moderator
    Posted 1 year ago #

    Where are these files? Did you install WordPress a while ago? Generally speaking, if the file is not present in your fresh download of WordPress, it should be deleted.

  13. secretfocus
    Member
    Posted 1 year ago #

    They are all December 2010 or 2011 and in public.html

  14. esmi
    Forum Moderator
    Posted 1 year ago #

    Delete them.
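
The rule applied in the posts above (keep wp-config.php and .htaccess, replace everything else, delete whatever is not in the fresh download) can be checked mechanically. The following is an added example, not part of the original thread or of WordPress itself: it compares a live install with an unpacked fresh download by content hash. The directory layout, the wp-content skip and the demo file contents are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the thread says to keep and inspect by hand rather than overwrite.
KEEP = {"wp-config.php", ".htaccess"}

def file_map(root):
    """Map each file's path relative to root -> SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(site_root, fresh_root, skip_prefixes=("wp-content/",)):
    """Compare a live install with an unpacked fresh download.

    Returns (extra, modified): files absent from the fresh copy, and files
    whose contents differ from it. wp-content is skipped by default because
    themes and plugins must be compared against their own fresh copies.
    """
    site, fresh = file_map(site_root), file_map(fresh_root)
    extra, modified = [], []
    for rel, digest in sorted(site.items()):
        if rel in KEEP or rel.startswith(tuple(skip_prefixes)):
            continue
        if rel not in fresh:
            extra.append(rel)
        elif digest != fresh[rel]:
            modified.append(rel)
    return extra, modified

def demo():
    """Build two small constructed trees and audit them (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, site = Path(tmp, "fresh"), Path(tmp, "site")
        core = {"index.php": "<?php // core loader", "wp-includes/version.php": "<?php // v"}
        for root in (fresh, site):
            for rel, body in core.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        (site / "index.php").write_text("hacked by hacker")    # defaced core file
        (site / "rss2.php").write_text("<?php // leftover")    # not in fresh copy
        (site / "wp-config.php").write_text("<?php // creds")  # kept, not flagged
        return audit(site, fresh)

if __name__ == "__main__":
    extra, modified = demo()
    print("not in fresh download:", extra)
    print("differs from fresh download:", modified)
```

Run `audit()` against a local copy of the site pulled down over FTP and a fresh archive of the same WordPress version, otherwise every core file will show as modified.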

  15. ichadwick
    Member
    Posted 1 year ago #

    Another place to look is in your current theme directory. There is a header php file that has likely been hacked as well. That's what happened to me - even after I replaced all the old files with new ones, I still saw the message. Once I replaced the theme header file from a backup, it was restored.

    Hit me on a Hostpapa site, too.

  16. ichadwick
    Member
    Posted 1 year ago #

    As a footnote, for another package and a different attack, one suggestion posted on their forum was to add the following to your php.ini file:

    allow_url_fopen=Off
    allow_url_include=Off
    disable_functions=popen,passthru,escapeshellarg,escapeshellcmd,exec,passthru,proc_close,proc_get_status,proc_nice,proc_open, proc_terminate,shell_exec,system,blob,exec,escapeshellarg,pfsockopen,stream_get_transports,stream_set_blocking

    If you could discover the IP of the attacker, you could use the deny command in .htaccess like this (just IP samples):

    order allow,deny
    deny from 174.143.11.
    deny from 91.123.195.
    deny from 99.251.104
    allow from all

    Check your logs for recent visitors - the log should show what files were accessed and the IP. If it happened a few days ago, unless you archive your logs, you won't see anything more than a day or so old. You can download the logs, then add a .txt extension to open them.
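
For the log check suggested in the post above, the following added example (not from the original thread) reads a downloaded access log and groups requests worth a second look by client IP. It assumes the Apache "combined" log format; the flagging rules are an assumed heuristic, and the sample lines, dates and addresses are constructed (documentation address ranges).

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Assumed heuristic: scripts that ordinary visitors legitimately POST to.
EXPECTED_POST = {"/wp-login.php", "/wp-comments-post.php", "/wp-cron.php",
                 "/xmlrpc.php"}

def is_suspicious(method, path):
    """Flag direct requests to PHP under wp-content, and unexpected POSTs."""
    path = path.split("?", 1)[0]
    if not path.endswith(".php"):
        return False
    if path.startswith("/wp-content/"):
        return True  # theme/plugin PHP is normally loaded by WordPress, not requested
    # Admin traffic is excluded here to keep the output short (assumption).
    return (method == "POST" and path not in EXPECTED_POST
            and not path.startswith("/wp-admin/"))

def review(log_text):
    """Return {ip: [(time, method, path, status), ...]} for flagged requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and is_suspicious(m["method"], m["path"]):
            hits[m["ip"]].append((m["time"], m["method"], m["path"], int(m["status"])))
    return dict(hits)

# Constructed sample lines, not taken from any real log.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2000:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2000:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.45 - - [01/Jan/2000:10:02:30 +0000] "POST /pass.php HTTP/1.1" 200 312 "-" "-"
203.0.113.45 - - [01/Jan/2000:10:02:41 +0000] "GET /wp-content/themes/sixhours/header.php?x=1 HTTP/1.1" 200 48 "-" "-"
192.0.2.10 - - [01/Jan/2000:10:05:00 +0000] "GET /wp-content/themes/sixhours/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, reqs in review(SAMPLE_LOG).items():
        print(ip)
        for when, method, path, status in reqs:
            print(f"  {when}  {method} {path} -> {status}")
```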

  17. travisobvs
    Member
    Posted 1 year ago #

    Hey everyone.

    I needed to replace the header in my theme. That is where the "hacked by hacker" was.

    If anyone has some security ideas on how to prevent this (other than leaving Host Papa) please let me know.

    Cheers.

  18. esmi
    Forum Moderator
    Posted 1 year ago #

    See Hardening_WordPress. And next time, please post your own topic.

Topic Closed

This topic has been closed to new replies.
