
my site just been hacked... (18 posts)

  1. san_sa_rocky
    Member
    Posted 4 years ago #

Somehow my website just got hacked.
    I had WordPress installed on it. They were able to hack my front page and changed it like this:
    http://kittyfish.org/2009/07/17/izzy-on-a-jet-plane/

I deleted my FTP files and am now uploading my site again.
    I have created many sites using WP. How can I stop hacking like this?

    it says
    KuwaiTi HacKerz Are Here

Please respond to me soon...

  2. magblogapi
    Member
    Posted 4 years ago #

There are hundreds of ways to avoid having a WP site hacked. Here are some of the obvious ones:

    1) Keep WP up to date. Pay attention to the update notices. Same for themes and plugins.
    2) NEVER hack the core. Only use plugins and themes to mod the site.
    3) Use the MINIMUM number of plugins. Make sure that you ABSOLUTELY NEED EVERY SINGLE PLUGIN. Don't carry "nice to have" plugins.
    4) Use the SIMPLEST theme possible.
    5) Use autogenerated "garbage" passwords (Example: "HG4E*f@s11lo*0f").
    6) Use different passwords for every site.
    7) This goes for your control panel and FTP access, as well; not just the WP login. In fact, these should be even harder.
    8) Don't enable SSH on your ISP account unless you absolutely need it. If you do enable it, filter for IP numbers, and use public-key encryption, if possible (SSH keys).
    9) Use common sense. Never give your passwords to any Web site, unless you are 100% sure who they are.
    10) Keep your machine clean. A lot of hacks, these days, are because of malware on webmasters' machines. Don't browse for pr0n, and don't use warez (at least, not on the machine you use for managing Web sites).

  3. ClaytonJames
    Member
    Posted 4 years ago #

See if you can log into your back end using this; at least you might be able to look around a little:

    //kittyfish.org/wp-admin

    Then follow the steps and advice for cleaning up and securing a hacked blog in these links.

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

  4. san_sa_rocky
    Member
    Posted 4 years ago #

I was thinking about renaming the wp-admin folder and then renaming it in the core PHP files..

  5. san_sa_rocky
    Member
    Posted 4 years ago #

    my site is //sananddesign.com

I already tried the wp-admin
    and I found the hacker had already changed my password..

    I requested a new password and had a response sent to my email.

    But I didn't follow it, as I was thinking he might be able to phish my email too.

    So I deleted everything and am redesigning the site... :D

  6. san_sa_rocky
    Member
    Posted 4 years ago #

I was always up to date. I only edited some style code in stylesheet.css from the editor. I think the hacker decrypted the password from my wp_login.php file. Am I correct?

  7. ClaytonJames
    Member
    Posted 4 years ago #

"I was thinking about renaming the wp-admin folder and then renaming it in the core PHP files.."

    That is definitely not a solution, and it's also an introduction to more problems. You need to identify your weaknesses, fix the hack, and then secure your site and server to the best of your ability. That may include examining file and folder permissions, plugin and theme issues, reviewing your access logs, talking to your host, and even checking the computers you use to log in to your FTP or hosting account for possible password-harvesting malware.

    There are literally hundreds of conversations on this topic in the forums.

    http://wordpress.org/search/hacked?forums=1

    You can modify and refine that search by using keywords that are relevant to your issue.
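Two of the checks listed above, file and folder permissions and signs of the hack, can be given a first pass with a script before the access logs are reviewed. The following is an added example, not code from the thread or from WordPress; the directory layout, the set of directories that should never hold PHP, and the code patterns treated as suspicious are assumptions for this example, and the sample tree it scans is constructed in place:

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Directories in which a stock WordPress install never needs web-reachable PHP
# files (assumption for this example; adjust to the site's layout).
NO_PHP_DIRS = ("wp-content/uploads",)

# Constructs that are rare in legitimate theme or plugin code and common in
# injected files. A hit means "open this file and read it", not "compromised".
SUSPECT_RE = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\("
)


def scan_wordpress_root(root):
    """Walk a document root and return sorted (finding, relative_path) tuples."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel_dir = d.relative_to(root).as_posix()
        # World-writable directories let any local account drop files.
        if d.stat().st_mode & stat.S_IWOTH:
            findings.append(("world_writable_dir", rel_dir))
        for name in filenames:
            p = d / name
            rel = p.relative_to(root).as_posix()
            if p.stat().st_mode & stat.S_IWOTH:
                findings.append(("world_writable_file", rel))
            if name.lower().endswith(".php"):
                if any(rel.startswith(prefix + "/") for prefix in NO_PHP_DIRS):
                    findings.append(("php_in_upload_dir", rel))
                if SUSPECT_RE.search(p.read_bytes()):
                    findings.append(("suspect_code", rel))
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed miniature WordPress tree with three planted problems."""
    base = Path(base)
    (base / "wp-content/themes/default").mkdir(parents=True)
    (base / "wp-content/uploads/2010/05").mkdir(parents=True)
    (base / "wp-content/themes/default/index.php").write_bytes(
        b"<?php get_header(); get_footer(); ?>")
    # 1) a theme file carrying an obfuscated-eval stub (placeholder payload string)
    (base / "wp-content/themes/default/404.php").write_bytes(
        b"<?php eval(base64_decode('PLACEHOLDER')); ?>")
    # 2) a PHP file sitting where only media should be
    (base / "wp-content/uploads/2010/05/image.php").write_bytes(b"<?php ?>")
    # 3) a world-writable config file
    cfg = base / "wp-config.php"
    cfg.write_bytes(b"<?php define('DB_NAME', 'wp'); ?>")
    # Pin modes explicitly so the result does not depend on the process umask.
    for p in base.rglob("*"):
        os.chmod(p, 0o755 if p.is_dir() else 0o644)
    os.chmod(cfg, 0o666)
    return base


def demo():
    """Scan the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_wordpress_root(build_sample_tree(tmp))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:22} {path}")
```

Pointing `scan_wordpress_root()` at a real document root gives a short list to work through by hand; it replaces neither a comparison against a clean copy of the same WordPress version nor the access-log review, since a backdoor with none of these traits will not show up.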

  8. san_sa_rocky
    Member
    Posted 4 years ago #

I got an SFTP server for this site. I think the hacker decrypted the password from my wp_login.php file. Am I correct?

  9. ClaytonJames
    Member
    Posted 4 years ago #

    No.

  10. san_sa_rocky
    Member
    Posted 4 years ago #

Yah! I checked it! It's not there...

  11. Bluetiereign
    Member
    Posted 4 years ago #

    You are not alone. I got an email from a blog today that said:

    Password Lost and Changed for user: admin1

I have new members shut off, but I open up the site, go to administration, and sure enough, admin1 is registered AND AN ADMIN! What is the deal? In all of my years running websites, I have NEVER seen software pwned like this. My passwords are 30 characters long, generated with a program with digits, upper and lower case, and odd symbols.

  12. hpguru
    Member
    Posted 4 years ago #

    You check your settings/options?

  13. ClaytonJames
    Member
    Posted 4 years ago #

    @Bluetiereign

    In all of my years running websites,

You must then also be aware that there is a HUGE list of variables, besides just the platform you are using, that need to be included in your statement but that you don't mention.

    What you describe above, however, sounds a little like a well-known vulnerability that allowed a remote admin password reset in an older version of WordPress (I think it was around version 2.8.3 or so) that was patched quite some time ago. But that might not be the reason in your case. Just a thought.

    Take a look around the forums for recent issues (last 30 - 60 days) involving NetSol, GoDaddy, etc... There's some pretty interesting and lengthy discussions involving this very subject.

  14. Bluetiereign
    Member
    Posted 4 years ago #

I'm not sure what or who you are asking about settings... but of course I checked the settings. I also only had two plugins, both now removed, and one of them should have been an option anyway with WordPress: Members Only.

    I put in the user's email address and came up with this:

    Google Searched

  15. Bluetiereign
    Member
    Posted 4 years ago #

@ClaytonJames

    I'm using 2.9.2. Thanks for the links. I will check.

  16. Bluetiereign
    Member
    Posted 4 years ago #

    I'm not seeing any recent issues with JustHost. This is disturbing, to say the least. I am not losing anything by it being hacked as I don't really have a working blog going on.. but good grief - lol. Anyway, I will keep my eyes peeled to see if this starts being an issue...

  17. Bluetiereign
    Member
    Posted 4 years ago #

Here is the HTTP access log of that particular user... I'm not a coding guru, so this may or may not help. The IP is a proxy out of Korea.

    `119.70.40.102 - - [30/May/2010:10:32:09 -0500] "GET / HTTP/1.0" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"
    [10:32:11 ] "GET /?page_id=29 HTTP/1.0" 200 6460 "-"
    [10:32:13 ] "GET /wp-content/themes/multi-color/style.css HTTP/1.0" 200 15219 "http://www.myblog.com/?page_id=29"
    [10:32:13 ] "GET /wp-content/themes/multi-color/style-black.css HTTP/1.0" 200 1362 "http://www.myblog.com/?page_id=29"
    [10:32:13 ] "GET /wp-includes/js/comment-reply.js?ver=20090102 HTTP/1.0" 200 786 "http://www.myblog.com/?page_id=29"
    [10:32:15 ] "GET /wp-content/themes/multi-color/js/multi-color.js HTTP/1.0" 200 1375 "http://www.myblog.com/?page_id=29"
    [10:32:13 ] "GET /wp-includes/js/jquery/jquery.js?ver=1.3.2 HTTP/1.0" 200 57276 "http://www.myblog.com/?page_id=29"
    [10:32:16 ] "GET /favicon.ico HTTP/1.0" 404 - "-"
    [10:32:16 ] "GET /wp-admin HTTP/1.0" 301 245 "-"
    [10:32:17 ] "GET /wp-admin/ HTTP/1.0" 302 - "-"
    [10:32:17 ] "GET /wp-login.php?redirect_to=http%3A%2F%2Fwww.myblog.com%2Fwp-admin%2F HTTP/1.0" 200 2018 "-"
    [10:32:18 ] "GET /wp-admin/css/login.css?ver=20091010 HTTP/1.0" 200 1851 "http://www.myblog.com/wp-login.php?redirect_to=http%3A%2F%2Fwww.myblog.com%2Fwp-admin%2F"
    [10:32:19 ] "GET /wp-admin/css/colors-fresh.css?ver=20091217 HTTP/1.0" 200 29053 "http://www.myblog.com/wp-login.php?redirect_to=http%3A%2F%2Fwww.myblog.com%2Fwp-admin%2F"
    [10:32:21 ] "GET /wp-admin/images/button-grad.png HTTP/1.0" 200 243 "http://www.myblog.com/wp-admin/css/colors-fresh.css?ver=20091217"
    [10:32:21 ] "GET /wp-admin/images/logo-login.gif HTTP/1.0" 200 4816 "http://www.myblog.com/wp-admin/css/login.css?ver=20091010"
    [10:32:22 ] "GET /favicon.ico HTTP/1.0" 404 - "-"
    [10:33:47 ] "GET /wp-login.php?action=lostpassword HTTP/1.0" 200 1697 "http://www.myblog.com/wp-login.php?redirect_to=http%3A%2F%2Fwww.myblog.com%2Fwp-admin%2F"
    [10:35:27 ] "GET /wp-admin/images/button-grad-active.png HTTP/1.0" 200 284 "http://www.myblog.com/wp-admin/css/colors-fresh.css?ver=20091217"
    [10:35:30 ] "POST /wp-login.php?action=lostpassword HTTP/1.0" 302 - "http://www.myblog.com/wp-login.php?action=lostpassword"
    [10:35:30 ] "GET /wp-login.php?checkemail=confirm HTTP/1.0" 200 1144 "http://www.myblog.com/wp-login.php?action=lostpassword"
    [10:36:08 ] "GET /wp-login.php?action=rp&key=uAzyUQkMNzfF1EizAvUU&login=admin1 HTTP/1.0" 302 - "http://webmail.rock.com/scripts/mail/read.mail?folder=INBOX&order=Newest&mview=a&mstart=1&pbox=0&msg_uid=1275233743&mprev=&mnext=1275233742"
    [10:36:09 ] "GET /wp-login.php?checkemail=newpass HTTP/1.0" 200 1140 "http://webmail.rock.com/scripts/mail/read.mail?folder=INBOX&order=Newest&mview=a&mstart=1&pbox=0&msg_uid=1275233743&mprev=&mnext=1275233742"
    [10:38:11 ] "GET /wp-login.php HTTP/1.0" 200 2008 "http://webmail.rock.com/scripts/mail/read.mail?folder=INBOX&order=Newest&mview=a&mstart=1&pbox=0&msg_uid=1275233845&mprev=&mnext=1275233743"
    [10:38:28 ] "POST /wp-login.php HTTP/1.0" 302 - "http://www.myblog.com/wp-login.php"
    [10:38:29 ] "GET / HTTP/1.0" 200 8134 "http://www.myblog.com/wp-login.php"
    [10:38:31 ] "GET /wp-content/themes/multi-color/images/date_icon.png HTTP/1.0" 200 2992 "http://www.myblog.com/wp-content/themes/multi-color/style.css"
    [10:38:31 ] "GET /wp-content/themes/multi-color/images/searchdiv_left.png HTTP/1.0" 200 3232 "http://www.myblog.com/wp-content/themes/multi-color/style.css"
    [10:38:31 ] "GET /wp-content/themes/multi-color/images/searchdiv_right.png HTTP/1.0" 200 3046 "http://www.myblog.com/wp-content/themes/multi-color/style.css"
    [10:38:31 ] "GET /wp-content/themes/multi-color/images/searchtxt_bg.png HTTP/1.0" 200 3253 "http://www.myblog.com/wp-content/themes/multi-color/style.css"
    [10:38:31 ] "GET /wp-content/themes/multi-color/images/searchbtn_bg.png HTTP/1.0" 200 3452 "http://www.myblog.com/wp-content/themes/multi-color/style.css"
    [10:38:31 ] "GET /wp-content/uploads/2010/05/cropped-earth-3.jpg HTTP/1.0" 200 38845 "http://www.myblog.com/"
    [10:38:32 ] "GET /wp-content/themes/multi-color/images/black/sidebar_heading_bg.png HTTP/1.0" 200 146 "http://www.myblog.com/wp-content/themes/multi-color/style-black.css"
    [10:38:32 ] "GET /wp-content/themes/multi-color/images/gray/footer_bg.png HTTP/1.0" 200 283 "http://www.myblog.com/wp-content/themes/multi-color/style-black.css"
    [10:38:32 ] "GET /wp-content/themes/multi-color/images/black/background.png HTTP/1.0" 200 85 "http://www.myblog.com/wp-content/themes/multi-color/style-black.css"
    [10:38:32 ] "GET /wp-content/themes/multi-color/images/comments_icon.png HTTP/1.0" 200 3069 "http://www.myblog.com/wp-content/themes/multi-color/style.css"
    [10:38:42 ] "GET /wp-admin/ HTTP/1.0" 500 1201 "http://www.myblog.com/"
    [10:38:44 ] "GET /wp-admin/css/install.css HTTP/1.0" 200 2200 "http://www.myblog.com/wp-admin/"
    [10:41:48 ] "GET /wp-admin/ HTTP/1.0" 200 24715 "-"
    [10:41:50 ] "GET /wp-includes/js/thickbox/thickbox.css?ver=20090514 HTTP/1.0" 200 3864 "http://www.myblog.com/wp-admin/"
    [10:41:50 ] "GET /wp-admin/load-styles.php?c=1&dir=ltr&load=dashboard,plugin-install,global,wp-admin&ver=17aa35fdf22036c3f75256fc16b16184 HTTP/1.0" 200 15149 "http://www.myblog.com/wp-admin/"
    [10:41:50 ] "GET /wp-admin/load-scripts.php?c=1&load=jquery,utils,quicktags&ver=b64ae9a301a545332f1fcd4c6c5351b4 HTTP/1.0" 200 25117 "http://www.myblog.com/wp-admin/"
    [10:41:54 ] "GET /wp-admin/load-scripts.php?c=1&load=hoverIntent,common,jquery-color,wp-ajax-response,wp-lists,jquery-ui-core,jquery-ui-resizable,admin-comments,jquery-ui-sortable,postbox,dashboard,plugin-install,thickbox,media-upload&ver=e7dd2696b99d6664702753286996fc2d HTTP/1.0" 200 31436 "http://www.myblog.com/wp-admin/"
    [10:41:56 ] "GET /wp-admin/images/visit-site-button-grad.gif HTTP/1.0" 200 136 "http://www.myblog.com/wp-admin/css/colors-fresh.css?ver=20091217"
    [10:41:56 ] "GET /wp-admin/images/fav-arrow.gif HTTP/1.0" 200 334 "http://www.myblog.com/wp-admin/css/colors-fresh.css?ver=20091217"
    [10:41:56 ] "GET /wp-admin/images/fav.png HTTP/1.0" 200 214 "http://www.myblog.com/wp-admin/css/colors-fresh.css?ver=20091217"
    [10:41:56 ] "GET /wp-admin/images/menu.png HTTP/1.0" 200 11548 "http://www.myblog.com/wp-admin/css/colors-fresh.css?ver=20091217"
    [10:41:56 ] "GET /wp-admin/images/menu-bits.gif HTTP/1.0" 200 1194 "http://www.myblog.com/wp-admin/css/colors-fresh.css?ver=20091217"
    [10:41:57 ] "GET /wp-admin/images/menu-arrows.gif HTTP/1.0" 200 330 "http://www.myblog.com/wp-admin/css/colors-fresh.css?ver=20091217"
    [10:41:57 ] "GET /wp-admin/images/wp-logo.gif HTTP/1.0" 200 1096 "http://www.myblog.com/wp-admin/css/colors-fresh.css?ver=20091217"
    [10:41:57 ] "GET /wp-includes/images/blank.gif HTTP/1.0" 200 43 "http://www.myblog.com/wp-admin/"
    [10:41:57 ] "GET /wp-admin/images/screen-options-left.gif HTTP/1.0" 200 640 "http://www.myblog.com/wp-admin/load-styles.php?c=1&dir=ltr&load=dashboard,plugin-install,global,wp-admin&ver=17aa35fdf22036c3f75256fc16b16184"
    [10:41:57 ] "GET /wp-admin/images/screen-options-right.gif HTTP/1.0" 200 276 "http://www.myblog.com/wp-admin/load-styles.php?c=1&dir=ltr&load=dashboard,plugin-install,global,wp-admin&ver=17aa35fdf22036c3f75256fc16b16184"
    [10:41:58 ] "GET /wp-admin/images/media-button-image.gif HTTP/1.0" 200 69 "http://www.myblog.com/wp-admin/"
    [10:41:58 ] "GET /wp-admin/images/media-button-video.gif HTTP/1.0" 200 68 "http://www.myblog.com/wp-admin/"
    [10:41:58 ] "GET /wp-admin/images/media-button-music.gif HTTP/1.0" 200 188 "http://www.myblog.com/wp-admin/"
    [10:41:58 ] "GET /wp-admin/images/gray-grad.png HTTP/1.0" 200 213 "http://www.myblog.com/wp-admin/css/colors-fresh.css?ver=20091217"
    [10:41:59 ] "GET /wp-admin/images/white-grad.png HTTP/1.0" 200 210 "http://www.myblog.com/wp-admin/css/colors-fresh.css?ver=20091217"
    [10:42:00 ] "GET /wp-includes/js/thickbox/loadingAnimation.gif HTTP/1.0" 200 5886 "http://www.myblog.com/wp-admin/"
    [10:42:01 ] "GET /wp-admin/images/icons32.png HTTP/1.0" 200 12233 "http://www.myblog.com/wp-admin/css/colors-fresh.css?ver=20091217"
    [10:42:00 ] "GET /wp-admin/index-extra.php?jax=dashboard_primary HTTP/1.0" 200 1785 "http://www.myblog.com/wp-admin/"
    [10:42:01 ] "GET /wp-admin/index-extra.php?jax=dashboard_secondary HTTP/1.0" 200 2527 "http://www.myblog.com/wp-admin/"
    [10:42:02 ] "GET /wp-admin/index-extra.php?jax=dashboard_incoming_links HTTP/1.0" 200 253 "http://www.myblog.com/wp-admin/"
    [10:42:02 ] "GET /wp-admin/index-extra.php?jax=dashboard_plugins HTTP/1.0" 200 1394 "http://www.myblog.com/wp-admin/"
    [10:42:03 ] "GET /wp-admin/theme-editor.php HTTP/1.0" 200 18574 "http://www.myblog.com/wp-admin/"
    [10:42:04 ] "GET /wp-admin/load-styles.php?c=1&dir=ltr&load=theme-editor,global,wp-admin&ver=82cd6abb819d7fe96521a25504995eeb HTTP/1.0" 200 13620 "http://www.myblog.com/wp-admin/theme-editor.php"
    [10:42:04 ] "GET /wp-admin/load-scripts.php?c=1&load=jquery,utils&ver=d24248fe4b0cd62086633fd42ef1019b HTTP/1.0" 200 22334 "http://www.myblog.com/wp-admin/theme-editor.php"
    [10:42:07 ] "GET /wp-admin/images/menu-dark.gif HTTP/1.0" 200 245 "http://www.myblog.com/wp-admin/css/colors-fresh.css?ver=20091217"
    [10:42:07 ] "GET /wp-admin/load-scripts.php?c=1&load=hoverIntent,common,jquery-color&ver=975a66473369e28f12fa81a4deb3836d HTTP/1.0" 200 3478 "http://www.myblog.com/wp-admin/theme-editor.php"
    [10:42:13 ] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 27456 "http://www.myblog.com/wp-admin/theme-editor.php"
    [10:42:25 ] "GET /wp-admin/theme-editor.php?file=/themes/default/404.php&theme=WordPress+Default&dir=theme HTTP/1.0" 200 17978 "http://www.myblog.com/wp-admin/theme-editor.php"
    [10:42:39 ] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 - "http://www.myblog.com/wp-admin/theme-editor.php?file=/themes/default/404.php&theme=WordPress+Default&dir=theme"
    [10:43:10 ] "GET /wp-admin/theme-editor.php?file=/home/bluetie1/public_html/wp-content/themes/default/404.php&theme=WordPress+Default&a=te&scrollto=79548 HTTP/1.0" 200 277072 "http://www.myblog.com/wp-admin/theme-editor.php?file=/themes/default/404.php&theme=WordPress+Default&dir=theme"
    [10:43:15 ] "GET /wp-content/themes/default/404.php HTTP/1.0" 200 5475 "-"
    [10:43:17 ] "GET /wp-content/themes/default/404.php?act=img&img=home HTTP/1.0" 200 209 "http://www.myblog.com/wp-content/themes/default/404.php"
    [10:43:18 ] "GET /wp-content/themes/default/404.php?act=img&img=forward HTTP/1.0" 200 119 "http://www.myblog.com/wp-content/themes/default/404.php"
    [10:43:18 ] "GET /wp-content/themes/default/404.php?act=img&img=search HTTP/1.0" 200 250 "http://www.myblog.com/wp-content/themes/default/404.php"
    [10:43:18 ] "GET /wp-content/themes/default/404.php?act=img&img=ext_lnk HTTP/1.0" 200 572 "http://www.myblog.com/wp-content/themes/default/404.php"
    [10:43:18 ] "GET /wp-content/themes/default/404.php?act=img&img=sort_asc HTTP/1.0" 200 85 "http://www.myblog.com/wp-content/themes/default/404.php"
    [10:43:19 ] "GET /wp-content/themes/default/404.php?act=img&img=small_dir HTTP/1.0" 200 164 "http://www.myblog.com/wp-content/themes/default/404.php"
    [10:43:19 ] "GET /wp-content/themes/default/404.php?act=img&img=ext_php HTTP/1.0" 200 71 "http://www.myblog.com/wp-content/themes/default/404.php"
    [10:43:20 ] "GET /wp-content/themes/default/404.php?act=img&img=change HTTP/1.0" 200 290 "http://www.myblog.com/wp-content/themes/default/404.php"
    [10:43:20 ] "GET /wp-content/themes/default/404.php?act=img&img=ext_css HTTP/1.0" 200 134 "http://www.myblog.com/wp-content/themes/default/404.php"
    [10:43:20 ] "GET /wp-content/themes/default/404.php?act=img&img=ext_png HTTP/1.0" 200 175 "http://www.myblog.com/wp-content/themes/default/404.php"
    [10:43:21 ] "GET /wp-content/themes/default/404.php?act=img&img=up HTTP/1.0" 200 199 "http://www.myblog.com/wp-content/themes/default/404.php"
    [10:43:21 ] "GET /wp-content/themes/default/404.php?act=img&img=back HTTP/1.0" 200 119 "http://www.myblog.com/wp-content/themes/default/404.php"
    [10:43:21 ] "GET /wp-content/themes/default/404.php?act=img&img=buffer HTTP/1.0" 200 163 "http://www.myblog.com/wp-content/themes/default/404.php"
    [10:43:22 ] "GET /wp-content/themes/default/404.php?act=shbd HTTP/1.0" 200 3899 "http://www.myblog.com/wp-content/themes/default/404.php"
    [10:43:23 ] "GET /wp-content/themes/default/404.php?act=img&img=back HTTP/1.0" 200 119 "http://www.myblog.com/wp-content/themes/default/404.php?act=shbd"
    [10:43:23 ] "GET /wp-content/themes/default/404.php?act=img&img=buffer HTTP/1.0" 200 163 "http://www.myblog.com/wp-content/themes/default/404.php?act=shbd"
    [10:43:32 ] "POST /wp-content/themes/default/404.php?act=shbd HTTP/1.0" 200 3962 "http://www.myblog.com/wp-content/themes/default/404.php?act=shbd" `
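The log above records a full chain: a password reset requested and completed from the attacker's webmail, a login, a theme file saved through the admin theme editor, and then that theme file requested directly with its own query string. The following is an added example of detection logic for that chain, not code from the thread or from WordPress. It parses standard combined-format lines (the post's abbreviated lines omit the client address and user agent), groups requests by client address, and reports only clients that pass through every stage in order, so a legitimate admin who saves a theme file is not flagged. The sample log is constructed to mirror the thread; its address and reset key are placeholders:

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format; the referer/user-agent pair is optional so
# that "common"-format lines parse as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# The stages seen in the thread's log, in the order they must occur.
STAGES = ["reset_request", "reset_complete", "login", "theme_edit", "direct_theme_php"]

# Constructed sample modelled on the thread's log (placeholder address and key).
SAMPLE_LOG = """\
203.0.113.5 - - [30/May/2010:10:32:09 -0500] "GET / HTTP/1.0" 302 - "-" "Mozilla/5.0"
203.0.113.5 - - [30/May/2010:10:33:47 -0500] "GET /wp-login.php?action=lostpassword HTTP/1.0" 200 1697 "-" "Mozilla/5.0"
203.0.113.5 - - [30/May/2010:10:35:30 -0500] "POST /wp-login.php?action=lostpassword HTTP/1.0" 302 - "-" "Mozilla/5.0"
203.0.113.5 - - [30/May/2010:10:36:08 -0500] "GET /wp-login.php?action=rp&key=KEYPLACEHOLDER&login=admin1 HTTP/1.0" 302 - "-" "Mozilla/5.0"
203.0.113.5 - - [30/May/2010:10:38:28 -0500] "POST /wp-login.php HTTP/1.0" 302 - "-" "Mozilla/5.0"
203.0.113.5 - - [30/May/2010:10:42:39 -0500] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 - "-" "Mozilla/5.0"
203.0.113.5 - - [30/May/2010:10:43:15 -0500] "GET /wp-content/themes/default/404.php HTTP/1.0" 200 5475 "-" "Mozilla/5.0"
203.0.113.5 - - [30/May/2010:10:43:17 -0500] "GET /wp-content/themes/default/404.php?act=img&img=home HTTP/1.0" 200 209 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2010:11:01:00 -0500] "POST /wp-login.php HTTP/1.0" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2010:11:02:30 -0500] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 - "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined/common format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["path"])
    rec["file"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def classify(rec):
    """Map a parsed request to one of STAGES, or None if it is routine traffic."""
    f, q, method, status = rec["file"], rec["query"], rec["method"], rec["status"]
    if f == "/wp-login.php":
        if method == "POST" and q.get("action") == ["lostpassword"]:
            return "reset_request"
        if q.get("action") == ["rp"] and "key" in q:
            return "reset_complete"
        # WordPress answers a successful login POST with a redirect (302);
        # a failed one re-renders the form with 200.
        if method == "POST" and not q and status == 302:
            return "login"
    if f == "/wp-admin/theme-editor.php" and method == "POST":
        return "theme_edit"
    # A theme's PHP file is included by WordPress, never requested on its own
    # with a query string; that pattern is the backdoor being driven.
    if f.startswith("/wp-content/themes/") and f.endswith(".php") and q:
        return "direct_theme_php"
    return None


def find_takeover_chains(lines):
    """Return {ip: [stage, ...]} for every client that walked all STAGES in order."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec)
        if stage is not None:
            per_ip[rec["ip"]].append(stage)
    chains = {}
    for ip, events in per_ip.items():
        want = 0
        for e in events:
            if want < len(STAGES) and e == STAGES[want]:
                want += 1
        if want == len(STAGES):
            chains[ip] = events
    return chains


if __name__ == "__main__":
    for ip, events in find_takeover_chains(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", " > ".join(events))
```

Run it over the full access_log rather than a pre-filtered excerpt, since the chain only shows up when the reset, login and editor requests from the same address are all present. The last two stages are the ones worth alerting on even in isolation on a site where nobody is expected to use the theme editor, and setting the WordPress constant DISALLOW_FILE_EDIT in wp-config.php removes that editing path from the admin interface altogether.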

  18. hpguru
    Member
    Posted 4 years ago #

    Do you have a backup?

Topic Closed

This topic has been closed to new replies.
