Repairing a site after hacker attack (13 posts)

  1. quiq
    Member
    Posted 2 years ago #

    Hello!

    My site was attacked by a hacker yesterday, but I managed to repair almost everything. There is one more problem which I do not know how to solve.
    The main page and articles look good, but when I go to another category, or to the news or calendar, there is a picture of the hacker and it turns (after about 2 seconds) into a blank page (within the theme: there is an empty space in the middle of the screen, but my site is still open and every panel is visible). If you need screenshots or the site address, please ask. I would be grateful if anyone could help me.

    Best regards

  2. Chase Adams
    Member
    Posted 2 years ago #

    Post a link to the page?

  3. quiq
    Member
    Posted 2 years ago #

    Link for the site
    When you are on the site, go to the News menu, the calendar and the categories. That is my current problem.

  4. Chase Adams
    Member
    Posted 2 years ago #

    How different are your category.php & index.php files? Have you tried deleting the category.php file?

    If you have an original copy of your category.php file, delete the one from the server and replace it with the original.

  5. quiq
    Member
    Posted 2 years ago #

    It looks like there is no category.php file on my WP. Is that possible? I cannot find one.

  6. quiq
    Member
    Posted 2 years ago #

    index.php is original, nothing changed - I replaced the hacked one.

  7. Chase Adams
    Member
    Posted 2 years ago #

    It's possible. Do you have a front-page.php? Generally, with a site like yours there's a front-page.php and an index.php.

    If you can delete the index.php on your server and replace it with the index.php stored on your computer, that should resolve your issue.

  8. quiq
    Member
    Posted 2 years ago #

    index.php was replaced with the original WordPress file at once after the attack. I cannot find a front-page.php file.

  9. Chase Adams
    Member
    Posted 2 years ago #

    Generally the way a Category page (such as news) works is that it will use category-slug.php with slug being whatever is being displayed (so news uses category-news.php) if the file exists. If it does not, it defaults to category.php. If that does not exist, it will default to index.php.

    Within your index.php, there is a div with the id of "archivearea". The code that's displaying the "turkish hacker" is:

    <HTML><HEAD><TITLE>iskorpitx</TITLE>
     <META http-equiv=Content-Type content="text/html; charset=windows-1252"><META content="Microsoft FrontPage 6.0" name=GENERATOR></HEAD><BODY text=#999999 bgColor=#000000 leftMargin=0 topMargin=0><STYLE type=text/css>A:link {
    COLOR: #999999; TEXT-DECORATION: none
    }
    A:visited {
    COLOR: #00ff00; TEXT-DECORATION: none
    }
    A:active {
    COLOR: #004500; TEXT-DECORATION: none
    }
    A:hover {
    COLOR: white; TEXT-DECORATION: none
    }
    </STYLE><STYLE fprolloverstyle>A:hover {
    COLOR: #ffffff
    }
    </STYLE><STYLE>BODY {
    SCROLLBAR-ARROW-COLOR: #000000; SCROLLBAR-BASE-COLOR: black
    }
    </STYLE><td width="16%" bgcolor="#000000"></td><P align=center>
    <img src="http://www.mavi1.org/atam.gif"></P>
    <P align=center>
    <P align=center><B><FONT size=7> </FONT><FONT size=6>BY iSKORPiTX</FONT></B></P>
    <P align=center><font size="5"><b>(TURKISH HACKER)</b></font></P>
    <P align=center><b>ALEMiN KRALI</b></P>
    <P align=center> </P>
    <P align=center><FONT size=5>best regards to all world</FONT></P>
    <P align=center> </P></BODY></HTML>

    and it's between your "archivearea" and "sidebar". Can you find any code in your index.php that is between those two divs?

    What version of WordPress are you running and what is the name of the theme?

  10. quiq
    Member
    Posted 2 years ago #

    @realchaseadams unfortunately, I cannot find the code in index.php. The code in the file is:

    <?php
    /**
     * Front to the WordPress application. This file doesn't do anything, but loads
     * wp-blog-header.php which does and tells WordPress to load the theme.
     *
     * @package WordPress
     */

    /**
     * Tells WordPress to load the WordPress theme and output it.
     *
     * @var bool
     */
    define('WP_USE_THEMES', true);

    /** Loads the WordPress Environment and Template */
    require('./wp-blog-header.php');
    ?>

    and that's all. I believe I can manage to repair it without reinstalling WordPress, please help me to do this.

  11. quiq
    Member
    Posted 2 years ago #

    I have just solved the problem, all I had to do was to replace the invalid file.
    Everything works now.

    Thank you for supporting me,

    Best regards

  12. LindaPete
    Member
    Posted 1 year ago #

    I'm running 2010 Weaver. I found the suspect code here:
    Editor>Main Index Template

    All coding was gone except about 4 or 5 lines of Iskorptix stuff. I deleted the suspect code and then copied and pasted the correct code from another WordPress site that happens to be running the same theme.
    All seems ok now. Still waiting to hear from my hosting support outfit.
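
Added example, not part of the thread and not WordPress's own code: it lists the template files WordPress would try for a category in the fallback order described in post 9 (extended here with the category-ID and archive.php steps WordPress also checks), then scans a theme directory for strings from the quoted defacement HTML, as in post 12 where the altered file was the theme's Main Index Template. The function names, the category ID 3 and the sample theme files are constructed for illustration.

```python
from pathlib import Path
import tempfile

# Strings taken from the defacement HTML quoted in post 9 (matched in lowercase).
MARKERS = ("iskorpitx", "mavi1.org/atam.gif", "(turkish hacker)")

def category_candidates(slug, cat_id):
    """Template file names in the order they are tried for a category page."""
    return [f"category-{slug}.php", f"category-{cat_id}.php",
            "category.php", "archive.php", "index.php"]

def resolve_template(theme_dir, slug, cat_id):
    """Return the first candidate that exists in the theme directory, or None."""
    for name in category_candidates(slug, cat_id):
        if (Path(theme_dir) / name).is_file():
            return name
    return None

def find_markers(path):
    """Return the defacement markers present in one file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace").lower()
    return [m for m in MARKERS if m in text]

def scan_theme(theme_dir):
    """Map each .php file under the theme (relative path) to the markers found."""
    hits = {}
    for path in sorted(Path(theme_dir).rglob("*.php")):
        found = find_markers(path)
        if found:
            hits[path.relative_to(theme_dir).as_posix()] = found
    return hits

def build_sample_theme():
    """Constructed sample: a theme whose index.php was overwritten, single.php intact."""
    theme = Path(tempfile.mkdtemp(prefix="theme-"))
    samples = {
        "index.php": '<TITLE>iskorpitx</TITLE><img src="http://www.mavi1.org/atam.gif">',
        "single.php": "<?php get_header(); the_post(); get_footer(); ?>",
    }
    for name, body in samples.items():
        (theme / name).write_text(body, encoding="utf-8")
    return theme

if __name__ == "__main__":
    theme = build_sample_theme()
    print("category 'news' is served by:", resolve_template(theme, "news", 3))
    print("files with defacement markers:", scan_theme(theme))
```

On a real site, point `scan_theme` at the active theme's directory under `wp-content/themes/`, not at the WordPress root, whose `index.php` is only the loader shown in post 10.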

Topic Closed

This topic has been closed to new replies.
