My site's been hacked.
At first I found that the Index.php was replaced, so I recopied the original and the site became operational again.
However, I could not access
wp-admin
The following error message comes up:
{"error":["No key","No appid","No secret"]}
I used filezilla to look at the site and found a hacked file under "themes" with the following code:
> devilzShell <[php]> author: b374k greets: devilzc0der(s) and all of
> you who love peace and freedom
> Jayalah Indonesiaku
> $shell_name = "devilzShell"; $shell_fake_name = "Server Logging
> System"; $shell_title = " :: ".$shell_name." ::";
> $shell_version = "v1"; $shell_password = "pro"; $shell_fav_port =
> "12345"; $shell_color = "#374374";
> $shell_code = "
This was followed by a very long string of numbers and letters.
I deleted this file, but still can't access wp-admin.
Any ideas as to how I can re-access my wp-admin?
[resolved] Hacked Site (9 posts)
-
espelled
Posted 9 months ago # -
Peter Butler
Posted 9 months ago #If you reinstall wordpress via FTP, overwriting the current files (but NOT overwriting the wp-content folder), you'll probably be able to access your site. However - whoever hacked your site has probably left a backdoor in somewhere, and those are tricky to find and remove. If its a possibility at all, I'd hire someone to do it (unless you're technically inclined, have a penchant for learning, and a fair amount of free time).
-
Posted 9 months ago #Hi Peter,
Thanks for your quick advice!
I don't remember which WordPress version is running. Will it matter if I overwrite it with a more advance version?
Thanks
Shakhar -
Posted 9 months ago #It should be fine, as long as you're overwriting with a version that's relatively close (like, within 2 versions). You can check though, by looking at yoursite.com/readme.html.
If you do want to match your old version (although, again - it's probably not a problem to upgrade this way), you can download older versions of wordpress here:
-
Posted 9 months ago #O.K., I've overwritten everything except the content directory, but still no joy.
Can't access the site and I still get the message:
{"error":["No key","No appid","No secret"]}In the meantime I also found the obvious hacking signs below in my awstats082011.txt file.
Any ideas?# Worm ID - Hits - Bandwidth - Last visit
# The 5 first Hits must be first (order not required for others)
BEGIN_WORMS 0
END_WORMS# Search engine referers ID - Pages - Hits
BEGIN_SEREFERRALS 2
google 29 34
search 2 2
END_SEREFERRALS# External page referers - Pages - Hits
# The 25 first Pages must be first (order not required for others)
BEGIN_PAGEREFS 28
[removed spam links]
END_PAGEREFS -
Posted 9 months ago #Here's the .htaccess file.
Can you see anything there?# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule># END WordPress
-
MickeyRoush
Posted 9 months ago #I don't remember which WordPress version is running.
The current version that you are using will be coded in your version.php file. It's located in the wp-includes folder. It should be near the top of the php file. Should look something like this:
* @global string $wp_version */ $wp_version = '3.2.1'; -
Posted 9 months ago #Thanks all. Solved!
Overwrote with latest version.
Found all contaminated files by their time-stamp. Deleted!
Password was extremely weak - changed it.
All's well that ends well.
Thanks again
Shakhar -
espelled - When you're posting logs, PLEASE remember to strip out links. Especially when they're to spam sites ;) You tripped the spam filter with those.
Reply
You must log in to post.
