WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Hacked Site (9 posts)

  1. espelled
    Member
    Posted 2 years ago #

    My site's been hacked.
    At first I found that the Index.php was replaced, so I recopied the original and the site became operational again.
    However, I could not access
    wp-admin
    The following error message comes up:
    {"error":["No key","No appid","No secret"]}
    I used filezilla to look at the site and found a hacked file under "themes" with the following code:
    > devilzShell <[php]> author: b374k greets: devilzc0der(s) and all of
    > you who love peace and freedom
    > Jayalah Indonesiaku
    > $shell_name = "devilzShell"; $shell_fake_name = "Server Logging
    > System"; $shell_title = " :: ".$shell_name." ::";
    > $shell_version = "v1"; $shell_password = "pro"; $shell_fav_port =
    > "12345"; $shell_color = "#374374";
    > $shell_code = "
    This was followed by a very long string of numbers and letters.
    I deleted this file, but still can't access wp-admin.
    Any ideas as to how I can re-access my wp-admin?

  2. Peter Butler
    Member
    Posted 2 years ago #

    If you reinstall wordpress via FTP, overwriting the current files (but NOT overwriting the wp-content folder), you'll probably be able to access your site. However - whoever hacked your site has probably left a backdoor in somewhere, and those are tricky to find and remove. If its a possibility at all, I'd hire someone to do it (unless you're technically inclined, have a penchant for learning, and a fair amount of free time).

  3. espelled
    Member
    Posted 2 years ago #

    Hi Peter,
    Thanks for your quick advice!
    I don't remember which WordPress version is running. Will it matter if I overwrite it with a more advance version?
    Thanks
    Shakhar

  4. Peter Butler
    Member
    Posted 2 years ago #

    It should be fine, as long as you're overwriting with a version that's relatively close (like, within 2 versions). You can check though, by looking at yoursite.com/readme.html.

    If you do want to match your old version (although, again - it's probably not a problem to upgrade this way), you can download older versions of wordpress here:

    http://wordpress.org/download/release-archive/

  5. espelled
    Member
    Posted 2 years ago #

    O.K., I've overwritten everything except the content directory, but still no joy.
    Can't access the site and I still get the message:
    {"error":["No key","No appid","No secret"]}

    In the meantime I also found the obvious hacking signs below in my awstats082011.txt file.
    Any ideas?

    # Worm ID - Hits - Bandwidth - Last visit
    # The 5 first Hits must be first (order not required for others)
    BEGIN_WORMS 0
    END_WORMS

    # Search engine referers ID - Pages - Hits
    BEGIN_SEREFERRALS 2
    google 29 34
    search 2 2
    END_SEREFERRALS

    # External page referers - Pages - Hits
    # The 25 first Pages must be first (order not required for others)
    BEGIN_PAGEREFS 28
    [removed spam links]
    END_PAGEREFS

  6. espelled
    Member
    Posted 2 years ago #

    Here's the .htaccess file.
    Can you see anything there?

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

  7. MickeyRoush
    Member
    Posted 2 years ago #

    I don't remember which WordPress version is running.

    The current version that you are using will be coded in your version.php file. It's located in the wp-includes folder. It should be near the top of the php file. Should look something like this:

    * @global string $wp_version
     */
    $wp_version = '3.2.1';
  8. espelled
    Member
    Posted 2 years ago #

    Thanks all. Solved!
    Overwrote with latest version.
    Found all contaminated files by their time-stamp. Deleted!
    Password was extremely weak - changed it.
    All's well that ends well.
    Thanks again
    Shakhar

  9. espelled - When you're posting logs, PLEASE remember to strip out links. Especially when they're to spam sites ;) You tripped the spam filter with those.

Topic Closed

This topic has been closed to new replies.

About this Topic