I had two WP sites hacked over two days. Both on the same hosting server.
When viewing the website, it actually had a webpage with a blank background, starts and corny text saying that I have been hacked blah blah, and "Im proud to be Indian." Also with cheesy music.
I logged into the FTP and found a few files had been added. index.html was added, index.php had been removed, 404.php had been added and this next file:
wysiwgPro_preview_eacf331foffc35d4b482f1d15a887d3b.php with a file type of application/x-httpd-php
Not sure what that is?!
How I knew was that WP sent me an email to say that I had forgotten my password and that it had been reset. I managed to get back in by changing the password in phpmyadmin. The guy had added his email address into my User Profile too.
What I want to know is: how did this guy get into the backend by changing my password, and how did he alter the files in my FTP?
The other worrying thing is that he went and did it all over again to another website on the same server. Same method etc. Has this guy got details to my other sites?? If so, how?
I understand that it may be an impossible question to answer but I would love to find out if any of you guys have an idea?
Thanks in advance.