WordPress.org


Help! My site was hacked... or something...?!?! (9 posts)

  1. garybeck
    Member
    Posted 3 years ago #

    This is the 2nd time in 3 days this has happened. When I go to my website richmondclimateaction.net, I get this error:

    Warning: Cannot modify header information - headers already sent by (output started at /home1/solarbus/public_html/richmondclimateaction/index.php(1) : eval()'d code:37) in /home1/solarbus/public_html/richmondclimateaction/wp-includes/pluggable.php on line 897

    one thing is, the site is fine when i include the WWW in the url, but when I remove the www, I get the error.

    when it happened last time I called the site administrator (at bluehost.com) and they fixed it while I was online with them. they said my site was hacked and I should upgrade WP and any plugins. I am running WP3.1 and only have one simple plugin that a lot of people seem to use (calendar). I'm not so sure how up-to-date my theme is however.

    anyway, since it happened again I think I should figure out what is going on. I'm going to ditch the calendar altogether and just import a google calendar instead and see if that helps.

    in the meantime, does anyone know how this could be happening and what else I can do to prevent it?

    thank you

  2. Generic answer: http://codex.wordpress.org/FAQ_Troubleshooting#How_do_I_solve_the_Headers_already_sent_warning_problem.3F

    But. Since you're saying it was a hack, try re-uploading a fresh copy of the WP files (no, this will not kill your site). If that solves it, change your passwords ASAP and read this:

    http://codex.wordpress.org/FAQ_My_site_was_hacked

  3. garybeck
    Member
    Posted 3 years ago #

    thanks, I will do this immediately.

  4. Maxaud
    Member
    Posted 3 years ago #

    Figure out what this was?

  5. garybeck
    Member
    Posted 3 years ago #

    argh. my websites have had big problems.... not sure what this one was. but my webhost found someone (or something) was editing some of my files without my permission.

    I had the IFRAME virus, that kept reappearing on various html and shtml pages every time I deleted the bad code. and another one too that inserted some weird code into various php pages that were part of wordpress, even though my WP was all updated.

    I think I finally got rid of it. Ultimately it was my webhost who sent me a list of files that had suspicious code on them and I removed it all manually.

    I was unable to find a scan tool on my own that could find the bad code or remove it.

  6. Maxaud
    Member
    Posted 3 years ago #

    Do you have a list of these files? were any of them WordPress core files?

    I'm having the same issue on a friend's site and it's inserting a 64 bit encoded string into index.php so I have to remove that but I want to find out where the source of the attack is coming from within the system.

  7. garybeck
    Member
    Posted 3 years ago #

    ok here ya go. this is an example of the code that kept re-inserting itself on several of my wordpress php pages:

    <?php eval(base64_decode(‘ZXJyb3JfcmVwb3J0aW5yYXkoI...

    It's nasty stuff.... keeps coming back.

    I was not able to determine what exactly was causing it to come back. I only know it finally stopped coming back when my webhost gave me a long list of files that had suspicious code in it, and I removed all of them.... i either removed the entire file if it seemed unused, or I removed the bad code from the file. there were a bunch of them. when I finally got rid of all of them, it stopped coming back. at least for now!

    as a note, the webhost (which is bluehost) gave me a list of bad files several times. it was like the 3rd time I kept going back to them and saying my site is still infected and then they finally gave me a longer list. I asked them what tool they used to find the bad code and they said it is in-house and it's not for public use.

    which leaves us in the dark.

    if there was a good tool I could use on my own to scan my site, I would use it.

    good luck. let me know if you find anything.

    oh and by the way sometimes you can get good help at stopbadware.com

  8. Not a good idea to post the malware string in the forum.

    Clean your site: See "FAQ: My site was hacked « WordPress Codex" and "How to completely clean your hacked wordpress installation" and "How to find a backdoor in a hacked WordPress" and "Hardening WordPress « WordPress Codex" and change all passwords. Scan your own PC.

  9. garybeck
    Member
    Posted 3 years ago #

    thanks. I only posted a tiny bit of the bad code so hopefully that won't screw anything up. i was only trying to help...

    i did change the passwords and scan my pc and it was useless. what tool would you suggest for scanning my PC? I even downloaded my entire website via FTP and scanned all the files with AVG and Malwarebytes and neither of them could find any problems, even though I knew exactly where there was bad code, neither could find it.

    I did try many things. I searched for a tool that could scan my site and none I found were effective.

    note.... i was also getting the IFRAME malware on some html files (not wordpress). in the same way I would remove the bad code and it would reappear. I'm not sure if this is related to the base64 stuff I was getting on my wordpress, but they both went away when bluehost gave me a good list of problem files and I nixed them.

    I will check out your links. thanks. this has been really frustrating and I'm hoping it doesn't start up again soon.
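
The thread closes without a scanner for the two injections described above (`eval(base64_decode(` in PHP files and the reappearing IFRAME in html/shtml pages). The following is an added example, not part of any post and not the host's in-house tool: a Python scanner that flags both patterns and decodes the base64 blob for inspection without running it. The regexes, extension lists and sample files are assumptions constructed here.

```python
import base64, os, pathlib, re, tempfile
# Heuristics for the two injections described in the thread; not a full malware scanner.
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)", re.I)
HIDDEN_IFRAME = re.compile(rb"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden"
                           rb"|(?:width|height)\s*=\s*['\"]?[01]\b)", re.I)
PHP_EXT, HTML_EXT = (".php", ".phtml", ".inc"), (".html", ".htm", ".shtml")

def scan_file(path):
    """Return (line, kind, detail) findings for one file."""
    data = pathlib.Path(path).read_bytes()
    findings, lower = [], path.lower()
    line_of = lambda m: data.count(b"\n", 0, m.start()) + 1
    if lower.endswith(PHP_EXT):
        for m in EVAL_B64.finditer(data):
            blob = m.group(1) + b"=" * (-len(m.group(1)) % 4)  # pad a cut-off blob
            try:  # decoded for triage only; the payload is never executed
                detail = base64.b64decode(blob)[:60].decode("latin-1")
            except ValueError:
                detail = "<undecodable>"
            findings.append((line_of(m), "eval-base64", detail))
    if lower.endswith(PHP_EXT + HTML_EXT):
        for m in HIDDEN_IFRAME.finditer(data):
            findings.append((line_of(m), "hidden-iframe", m.group(0)[:60].decode("latin-1")))
    return findings

def scan_tree(root):
    """Walk root; return {relative_path: findings} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if hits := scan_file(path):
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Scan a constructed sample tree (benign payload, placeholder URL)."""
    b64 = base64.b64encode(b'echo "constructed sample";').decode()
    samples = {
        "index.php": "<?php eval(base64_decode('%s')); ?><?php\nrequire 'wp-blog-header.php';\n" % b64,
        "clean.php": "<?php\necho base64_encode('hello');\n",
        "about.shtml": "<html>\n<p>hi</p>\n<iframe src='http://example.invalid/' width=1 height=1></iframe>\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, text in samples.items():
            pathlib.Path(root, name).write_text(text)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Point `scan_tree()` at a downloaded copy of the site; a hit on line 1 of index.php corresponds to the `index.php(1) : eval()'d code` location in the error at the top of the thread. Obfuscation that does not use these two patterns is not detected.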

Topic Closed

This topic has been closed to new replies.
