WordPress.org

Ready to get started?Download WordPress

Forums

How do I get rid of hacker script? (11 posts)

  1. Miserere
    Member
    Posted 4 years ago #

    Hi,

    I got hacked.

    So I was a good boy and did plenty of Googling. Basically, I followed what it said in all the links given in this post, and also here.

    It's now 5 hours since I discovered I was hacked, and while I've cleaned out almost 500 PHP files (filled with base64_decode stuff) there is still something inserting a <script> into my blog. If you look at the source code of any page on my site you'll see at the very bottom an attempt to redirect the visitor to a bad, bad site.

    Like I said, it's been 5 hours, and I don't know what else to do. If anyone can help me out, I'd appreciate it.

    If you're wondering what I've done so far:

    • "Updated" WP to 2.9.2 (which is what I was already using)
    • Changed my FTP password
    • Changed my SQL database password
    • Changed the WP password for both blog users
    • Deleted all base64_decode(blahblah) from PHP files
    • Deleted unused files and folders on my site
    • Cursed

    Thanks for any help you might provide.

  2. Saildude
    Member
    Posted 4 years ago #

  3. Miserere
    Member
    Posted 4 years ago #

    As I indicated in my post, I've read all those and pretty much gone through what they say. I still can't find where that <script> command is coming from, and I don't know enough WP-Fu to know where to look.

  4. Miserere
    Member
    Posted 4 years ago #

    In case anyone cares, I deactivated all my plugins, and the pages now load without the redirect script. It's hiding in one of the plugins, so I think I'll just reinstall all of them and let God sort them out.

  5. Kargo
    Member
    Posted 4 years ago #

    Man, I was hacked as well with exactly the same things as you listed!(see thread) What plugins were you using? It could be that the hackers got in to our sites through an SQL injection which means adding things to the database. I could be wrong though

  6. Miserere
    Member
    Posted 4 years ago #

    Kargo,

    I suspect I had a file (or more!) with 777 permissions, which is really stupid of me. It doesn't seem like they touched the database.

    I had a bunch of plugins, but none of the ones that you are using.

    Best of luck with your fight, man. You've got it tough :-(

  7. Miserere
    Member
    Posted 4 years ago #

    Great, I've been hacked again. Just woke up and found out; this time instead of redirecting to another site there is a Java script that tries to run. What a fantastic way to start the weekend.

  8. patricklondon
    Member
    Posted 4 years ago #

    Have you checked your computer for virus. malware or rootkit?

  9. Steve D
    Member
    Posted 4 years ago #

    Last hack hit me 00:48 Friday. Online scan reported malware java script. Ran full scan on my local system and found 3 new hi.class trojans and one new uut.class (malware) reported as less then a week old. Obviously came from my own site I am developing on shared hosting. Cleaned everything up checked the site on line no malware reported. Today's local and on line scan clean.

    These are newborns . . hacks-viruses so be aware to update your anti virus definitions.

  10. Miserere
    Member
    Posted 4 years ago #

    Thanks, Steve. I just finished cleaning all the files up and spent 2 hours combing the Database for dodgy code--I didn't find any.

    As soon as I finish activating plugins I'm going to run a scan on my computer.

    Fingers crossed that I can at least enjoy Sunday afternoon.

  11. Steve D
    Member
    Posted 4 years ago #

    These are the latest sneaking past name brand anti virus firewalls.

    twitters.class
    mailvue.class
    skypeqd.class
    ifology.class

Topic Closed

This topic has been closed to new replies.

About this Topic