WordPress.org

Hacked :( what now? (11 posts)

  1. beetle8
    Member
    Posted 4 years ago #

    Hacked this evening by the "sniper-baghdad"

    I FTP'd a temporary index.html to show up before the hack to alert visitors that the site is being worked on.

    I only had one user_login, it was the default admin, the hack changed this to admin1. I went into phpMyAdmin and altered this to something arbitrary, to prevent further access, but what do I do now?

    I checked my statcounter and the last visitor to the site was from France and came from a search on http://lo.st/ and I was the top hit in the fairly broad search query.

  2. esmi
    Forum Moderator
    Posted 4 years ago #

  3. alism
    Member
    Posted 4 years ago #

    :-(

    Couple of links to get you started:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    You should really try and find out what the point of entry was too. Are you running some insecure scripts perhaps? Were you running an old version of WP or an out of date plugin perhaps? If you've got a good idea of what the attack vector was (whether it be via WordPress or not), you've got a good chance of preventing it re-occurring. This thread kinda degenerates a bit, but it'd be interesting if you've got anything in common with these folks: http://wordpress.org/support/topic/309103?replies=38

    Don't forget to change *all* your passwords, admin, database, FTP etc.

  4. whooami
    Member
    Posted 4 years ago #

    You should really try and find out what the point of entry was too. Are you running some insecure scripts perhaps?

    he sure is -- wordpress 2.8.4

    http://www.londonderryalert.org/

    'nuff said.

  5. beetle8
    Member
    Posted 4 years ago #

    That's not the site that was hacked thanks
    I've actually been trying to upgrade that one you pointed out but the upgrade automatically doesn't work.

  6. beetle8
    Member
    Posted 4 years ago #

    But how do you know that that is one of the ones I work with?

  7. beetle8
    Member
    Posted 4 years ago #

    referring to the 2.8.4

    I had asked for help here and got no response

    http://wordpress.org/support/topic/329997?replies=1

  8. beetle8
    Member
    Posted 4 years ago #

    OK I don't know a lot about code,
    In reading from Donncha's what to do, he says...
    Hidden Code

    The bad guys are using a number of ways to hide their ...... When you upgrade WordPress your theme files won't be overwritten so make sure you double check those files for any strange code that uses the eval() command, or base64_decode()......
    -
    I'm trying to put things back together now, and have not reinstalled the plugin that has caused this error to show up on my page.

    Warning: include(/home2/champir8/public_html//wp-content/plugins/dynamic-content-gallery-plugin/dynamic-gallery.php) [function.include]: failed to open stream: No such file or directory in /home2/champir8/public_html/wp-content/themes/atahualpa/functions.php(478) : eval()'d code on line 1

    Warning: include() [function.include]: Failed opening '/home2/champir8/public_html//wp-content/plugins/dynamic-content-gallery-plugin/dynamic-gallery.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home2/champir8/public_html/wp-content/themes/atahualpa/functions.php(478) : eval()'d code on line 1

    Does the "eval()'d" at the bottom of this mean trouble?

  9. alism
    Member
    Posted 4 years ago #

    Re the londonderryalert site, I'd do a manual upgrade:
    http://wordpress.org/download/
    http://codex.wordpress.org/Upgrading_WordPress

    With regards to the site you're talking about in this thread (championphotollc.com ?), it looks like that was running 2.8 last week (looking at Google's last cache), so that would seem a very likely reason for the hack.

    The eval()'d code on line 1 is going to be malicious/spam code.
    Delete the atahualpa theme folder, then download and upload a fresh copy. If you've previously customised it, restore it from a clean backup.

  10. beetle8
    Member
    Posted 4 years ago #

    I got the site back up and running,
    Then yesterday the same hack took over again.
    What it does is replace the index.php with its own vulgar file.
    So this time I was able to get the site back and functioning by uploading a fresh index.php .
    So the problem now is that I don't have a clean back up, how can I scan my backup to find the back door?

  11. Talk to bluehost; the hack may be coming through shared hosting.

    See How to Completely Clean a Hacked WordPress Install and How to find a backdoor in a hacked WordPress.
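
For the question in post 10 about scanning a backup, here is one way to look for the eval() and base64_decode() calls quoted in post 8. This is an added example, not code from any poster in the thread; the function names, the sample tree, and the extra gzinflate/str_rot13 patterns are assumptions.

```python
import os
import re

# eval/base64_decode are named in the thread; gzinflate/str_rot13 are assumed extras.
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
PHP_EXT = (".php", ".phtml", ".inc")


def scan_file(path):
    """Return (line_number, function_name) for every suspicious call in a file."""
    hits = []
    with open(path, "rb") as fh:
        for lineno, line in enumerate(fh, 1):
            for match in SUSPICIOUS.finditer(line):
                hits.append((lineno, match.group(1).decode().lower()))
    return hits


def scan_tree(root):
    """Walk an unpacked backup; return {relative_path: [hits]} for PHP files."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(PHP_EXT):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits = scan_file(full)
            # Uploads should hold media only: flag any PHP there regardless of content.
            if rel.startswith("wp-content/uploads/"):
                hits.append((0, "php-in-uploads"))
            if hits:
                findings[rel] = hits
    return findings


def write_sample(root):
    """Write a small constructed tree (not real site data) to try the scanner on."""
    sample = {
        "index.php": b"<?php\nrequire('./wp-blog-header.php');\n",
        "wp-content/themes/demo/functions.php":
            b"<?php\n// constructed\neval(base64_decode('Y29uc3RydWN0ZWQ='));\n",
        "wp-content/uploads/2009/cache.php": b"<?php echo 'constructed';\n",
    }
    for rel, data in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
```

Run scan_tree() against an unpacked copy of the backup, not the live site. Each hit is a lead for manual review rather than proof of a back door.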

Topic Closed

This topic has been closed to new replies.
