
[resolved] Hacked, re-installing won't fix? (24 posts)

  1. richardpeters
    Member
    Posted 1 year ago #

    Hi all, my site was hacked this evening and I'm trying to re-upload all WordPress software. However, as soon as I upload the wp-admin and wp-includes folders, the modified date for all the php files in those folders reverts back to the time they were hacked and not the time I uploaded the files.

    Also, once new files are uploaded, when I go back to my admin login page it takes me there but via a redirect, with the URL having an extension to it that shouldn't be there. I've removed the site again for now but urgently need it back up and running.

    I'm not that good with this stuff, hacks in the past have just required re-installing all files and plugins but this time round there seems to be a bigger problem.

    Any help appreciated asap!

  2. richardpeters
    Member
    Posted 1 year ago #

    I've just re-installed the blog but pretty sure it's not fully cured! Could someone please check it out and see if they can spot the problem?
    Linky to blog

  3. richardpeters
    Member
    Posted 1 year ago #

    Is this the problem, I noticed this code is sometimes appearing in my source code at the bottom?

    <!--stats_footer_test--><script src="http://stats.wordpress.com/e-201037.js" type="text/javascript"></script>
    <script type="text/javascript">
    st_go({blog:'5341917',v:'ext',post:'0'});
    var load_cmc = function(){linktracker_init(5341917,0,2);};
    if ( typeof addLoadEvent != 'undefined' ) addLoadEvent(load_cmc);
    else load_cmc();
    </script>

    Any suggestions still appreciated as I'm not sure what to do!

  4. James
    Happiness Engineer
    Posted 1 year ago #

    Remain calm and carefully follow this guide. When you're done, you may want to implement some (if not all) of the recommended security measures.

    Also, the code that you posted above is the tracking code for the WordPress.com Stats plugin.

  5. richardpeters
    Member
    Posted 1 year ago #

    Thanks for the reply. I've done all that. My site has been hacked 4 times with the most recent being 2 months ago. Usually the guide above works fine after I re-install fresh WordPress and theme files, but on this occasion, as I mentioned, some of my fresh files upload and revert back to the time of the hack as their modified date.

    If that is normal behaviour then I'm ok, but I've not noticed that happen with my last 3 re-installs after hacks which is why I'm still worried.

    Have you popped over to my site to see if anything is still amiss?

    EDIT: Thanks for clearing up the code posted above. One thing less for me to worry about!

  6. James
    Happiness Engineer
    Posted 1 year ago #

    > Usually the guide above works fine but on this occasion, as I mentioned, some of my fresh files upload and revert back to the time of the hack as their modified date.

    You can't overwrite the files. You need to delete them first, then upload new copies.

    > Have you popped over to my site to see if anything is still amiss?

    For obvious reasons, I'd rather not visit a potentially hacked site. Sorry.

  7. richardpeters
    Member
    Posted 1 year ago #

    I have deleted all the files before installing fresh ones, I never overwrite existing files.

  8. richardpeters
    Member
    Posted 1 year ago #

    Would it help if I posted my source code?

    EDIT: Also, when I go to my admin login I get this at the end of my admin login URL, redirect_to=http%3A%2F%2Fwww.richardpeters.co.uk%2Fblog%2Fwp-admin%2F which I've not noticed before (but I've been working on this for hours now and it's 2am, so it might be that I'm just confusing myself and it's always that way on the login URL).

  9. James
    Happiness Engineer
    Posted 1 year ago #

    Sure, you can post it here:

    http://wordpress.pastebin.com/

  10. richardpeters
    Member
    Posted 1 year ago #

    Cool thanks, here's the source code.

  11. James
    Happiness Engineer
    Posted 1 year ago #

    Off hand, I don't see anything terribly wrong. Install and run this plugin just to be sure:

    http://wordpress.org/extend/plugins/exploit-scanner/

  12. webjunk
    Member
    Posted 1 year ago #

    What is the code below:
    <title>B&H Search Banner Small</title>
    looks like Perl, PHP or some server-side code.

    And besides looking at the client-side pages, look at the PHP files on the server. Look for "eval(base64_decode" in them. That would be a problem.

  13. James
    Happiness Engineer
    Posted 1 year ago #

    > What is the code below:
    > <title>B&H Search Banner Small</title>

    It looks like a regular affiliate ad for B&H Photo.

    > And besides looking at the client-side pages, look at the PHP files on the server. Look for "eval(base64_decode" in them.

    I didn't see any in the pasted source, but that doesn't mean such a thing couldn't be hiding in another template file. If it is, the Exploit Scanner plugin will find it.

  14. Roy
    Member
    Posted 1 year ago #

    Just as a thought, you don't keep using the same theme, do you? When your site is hacked, theme files get modified and you replace WP but keep using the hacked theme, I wouldn't find it strange if the hack kept coming back. Also, are you sure the database is clean? Just replacing WP files doesn't do the trick.

    And another sidenote. If you keep getting hacked using the latest version of WP, talk to your host. Maybe there's some crappy website on the shared server, their security stinks, something like that.

  15. Jay Versluis
    Member
    Posted 1 year ago #

    Same thoughts here as Roy said.

    If you're getting hacked on a regular basis, do change your password every 4 weeks or so. Don't use anything you can remember, generate something with http://strongpasswordgenerator.com. Make sure both FTP and your WordPress passwords get changed (preferably to something different).

    I had several sites hacked due to an FTP exploit, and the hack kept coming back. Since I've changed the FTP passwords, the hackage has stopped.

    I just had a look at your site and it looks OK so maybe all is well now.

  16. richardpeters
    Member
    Posted 1 year ago #

    Thanks so much for all the replies everyone. I re-upload wordpress and theme files after every hack.

    This was the first hack since moving to wordpress 3.0.1, I upgraded to that after the last hack.

    Thanks for the tip about looking at PHP code on the server but I'm not entirely sure how to go about doing that, I'll google it and see if I can make some sense out of it (server side stuff all seems a bit complicated and easy to break things...!).

    I'll look in to the password thing as well, thank you.

  17. Roy
    Member
    Posted 1 year ago #

    The Exploit Scanner that James linked to seems to scan the database for you.

  18. richardpeters
    Member
    Posted 1 year ago #

    I've just run that and it came back with a few results, although I understand it can return false positives.

    For Level Severe it came back with 4 warnings:
    wp-content/uploads/js_cache/tinymce_80806e63a3f51b917a6b6ee9d5fd76c1.js:36

    Which contained this huge bit of code.

    Plus this:
    wp-content/plugins/twitter-goodies/jscolor.js:78
    Which contained
    eval('prop='+m[3]);

    wp-content/plugins/featured-content-gallery/scripts/mootools.v1.11.ext.js:3
    and
    wp-content/plugins/featured-content-gallery/scripts/mootools.v1.11.js:3
    which both contained
    eval(function(p,a,c,k,e,d){e=function(c){return(c<

    Then under Level Warning I got 23 returns but the top two were:
    wp-content/uploads/js_cache/tinymce_80806e63a3f51b917a6b6ee9d5fd76c1.js:36
    ){v=a[i];if(v==34||v==38||v==60||v==62)continue;l[String.fromCharCode(a[i])]=a[i+1];v=parseInt(a[i]).toString(16);re

    And this one, which contained another huge bit of code:
    wp-content/uploads/js_cache/tinymce_80806e63a3f51b917a6b6ee9d5fd76c1.js:802
    Link to big bit of code.
    There were more but they were the main ones.

    Does any (or all?!) of that look like something that shouldn't be there?

    Again thank you. Being a bit of a novice makes it hard to know what I'm looking at :(

  19. richardpeters
    Member
    Posted 1 year ago #

    Guys, just one last bit of info. Remember how I said in my first post that many of the fresh files I was re-uploading were reverting back to a modified date of that at the time of the hack?

    Well I've just logged in to my ftp again, and all the fresh files now report the correct modified date i.e. the time that I re-uploaded them!

    So it would appear that I am in fact clean again?

    Still appreciate any thoughts though on the previous post with the code I mentioned, or any other thoughts as to why the modified times changed!

    Thanks again.

  20. webjunk
    Member
    Posted 1 year ago #

    Unfortunately the saying goes "your system is clean until it is not clean." Not sure about the code you posted. If you use the same plugins, themes and other files then it is possible you are placing the same security problem back on.

    What I said earlier was you need to look directly at your PHP files on the server. If you have an FTP client you open the files FROM THE SERVER within that to a text editor, or use a File Manager from within your host's cPanel, Plesk or Control Panel. When you see "eval(base64_decode" usually near the top, that is code that is encrypted. Often it is code that is dangerous. Occasionally (but rarely with WordPress related files) it's used simply to allow an author to hide his code, or I have seen it used to put hidden links in free WP themes.
    Also be sure you are using a High-level password for your database if you are on a shared server. Include !@# or some symbols.
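
The two things webjunk asks for above (open the PHP files that are actually on the server and look for "eval(base64_decode") can be done in one pass with a short script, and the same pass can address the modified-date puzzle from the first post: a file's modification time is just metadata that anyone who can write the file can also set, so a hash manifest taken right after a clean upload is a more reliable way to notice later changes than comparing dates. The example below is added here and is not code from the thread or from WordPress; the site tree, file contents and the two extra obfuscation patterns beside base64_decode are constructed for the demo.

```python
"""Added example (not from the thread): scan a WordPress tree for the
'eval(base64_decode' pattern and keep a sha256 manifest so a clean
re-upload can be re-checked later without trusting modification times."""
import hashlib
import os
import re
import shutil
import tempfile

# Only the first pattern comes from the thread; the other two are common
# companions seen in injected PHP (assumption: generic obfuscation markers).
SUSPICIOUS = [
    re.compile(r"eval\s*\(\s*base64_decode", re.I),
    re.compile(r"eval\s*\(\s*gzinflate\s*\(", re.I),
    re.compile(r"eval\s*\(\s*str_rot13\s*\(", re.I),
]


def _rel(path, root):
    """Relative path with forward slashes, so reports look the same everywhere."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def scan_php_tree(root):
    """Return {relative_path: [line numbers]} for PHP files that match a pattern."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if any(p.search(line) for p in SUSPICIOUS):
                        hits.setdefault(_rel(path, root), []).append(lineno)
    return hits


def build_manifest(root):
    """sha256 of every file under root, keyed by relative path."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[_rel(path, root)] = digest.hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
    }


def demo():
    """Build a constructed site tree, scan it, take a baseline, tamper, re-check."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "wp-config.php": "<?php\ndefine('DB_NAME', 'example');\n",
        "wp-content/themes/paid-theme/footer.php": "<?php wp_footer(); ?>\n",
        # Constructed line of the kind webjunk describes; the payload only echoes 'hi'.
        "wp-content/themes/paid-theme/header.php":
            "<?php\neval(base64_decode('ZWNobyAnaGknOw=='));\n?>\n",
        "wp-includes/version.php": "<?php\n$wp_version = '3.0.1';\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    hits = scan_php_tree(root)            # what the manual grep would find
    baseline = build_manifest(root)       # taken right after the clean upload
    # Simulate a later silent change to a core file (constructed).
    with open(os.path.join(root, "wp-includes/version.php"), "a") as fh:
        fh.write("// constructed tamper\n")
    drift = diff_manifest(baseline, build_manifest(root))
    shutil.rmtree(root, ignore_errors=True)
    return hits, drift


if __name__ == "__main__":
    found, changes = demo()
    print("suspicious:", found)
    print("drift since baseline:", changes)
```

Run `scan_php_tree` and `build_manifest` against the real document root over SSH or from a local copy pulled down by FTP, store the manifest somewhere the web server cannot write, and re-run `diff_manifest` after each upload; a core file listed under "changed" that you did not touch is worth looking at regardless of what its modified date says.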

  21. richardpeters
    Member
    Posted 1 year ago #

    Thanks webjunk, appreciate the reply. As an aside, my theme is a paid theme, not free. Although I doubt that makes any difference?!

    I've replaced all the server side .php files with clean ones and an initial check would suggest they are still clean. Before I re-installed yesterday, the source code had masses of extra code at the top of the page, but that is all gone now. I've also changed all my passwords and the featured content gallery that I have on the blog home page, which stopped working when the hack kicked in, is also working again now.

    So I'm keeping my fingers crossed that I'm clean again, for now!

  22. James
    Happiness Engineer
    Posted 1 year ago #

    Everything looks okay in the quoted warnings except for what was at /wp-content/uploads/js_cache/. Since this is a cache directory, you can safely delete everything in it. The cache files will then be regenerated as necessary.

  23. richardpeters
    Member
    Posted 1 year ago #

    Thank you James, appreciate you replying. I've deleted the content of that folder now.

  24. James
    Happiness Engineer
    Posted 1 year ago #

    You're welcome!

Topic Closed

This topic has been closed to new replies.
