Site Hacked (15 posts)

  1. davejuk
    Member
    Posted 2 years ago #

    Back in December 2011 one of my WordPress blogs was hacked. Stupidly I had not made a backup of the database but it wasn't a big site and I had a copy of all of the post content.

    When I reported this to my host (Mochahost.com) they were adamant that it was not a problem with the server and that my WordPress installation must have been out of date. I was sure it was up to date but I left it at that. I re-entered all of the content manually.

    This weekend (so 4 months later) the same blog was hacked again and was displaying a similar message from the hacker, complete with all the usual cliches (a skull, typoz, greetz, etc.). This time I am 100% sure it was up to date because I had set a reminder in Outlook to check every week, and there had not been a new version since January. All of the plugins were up to date as well.

    Again, my host insists it is caused by WordPress. However I find this hard to believe because I had 14 WordPress installations with various different ISPs and none of the others have ever been hacked.

    Should I be looking at ditching them or are they right to blame WordPress apparently without doing any investigation?

  2. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

  3. davejuk
    Member
    Posted 2 years ago #

    I think so - I deleted everything in the www root and created a new database.

  4. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    In that case, it does look like it's a host problem. Sounds like the server is insecure for one reason or another. Maybe it is time to start looking for another host.

  5. The Hack Repair Guy
    Member
    Posted 2 years ago #

    Hi,
    Is your site still showing as hacked now, or do you feel you've managed to get the situation under control?

  6. davejuk
    Member
    Posted 2 years ago #

    I deleted all of the files and uploaded a clean copy of WordPress 3.3.1. I am using the same database though. All of my content is available again but I still need to set the theme up again and get the plugins working again.

  7. Nihad Nagi
    Member
    Posted 2 years ago #

    Check out the wp-config.php file at the root of your WordPress installation. Navigate to the end of the settings, check the last line and see if there are many white lines afterward. If there are, then go and check the rest till the end; you will find some strange code being appended, and you will have around 4k lines in this file. Check it out and get back to me.

  8. davejuk
    Member
    Posted 2 years ago #

    wp-config is only 3kB, 91 lines. The final line is:

    /** Sets up WordPress vars and included files. */
    require_once(ABSPATH . 'wp-settings.php');

  9. Nihad Nagi
    Member
    Posted 2 years ago #

    No, I meant 4000 lines. Check whether there is empty space (many lines) after it.

  10. davejuk
    Member
    Posted 2 years ago #

    It's definitely only 91 lines. There is one blank line after the final line. I do appreciate your help though!

  11. Nihad Nagi
    Member
    Posted 2 years ago #

    Thanks but don't even mention it.
    OK, check all your WordPress plugin directories for the following files:

    wp-ajax-gadget.php
    zipper-class.php

    Please tell me if you have any of these.

  12. davejuk
    Member
    Posted 2 years ago #

    All I have is the default plugins now - did you see that I deleted everything and uploaded a fresh copy of WordPress?

  13. Nihad Nagi
    Member
    Posted 2 years ago #

    Yeah, I can
    What I am asking about is a hack that stores itself in your database and not your installation files; no wonder re-installing a million times won't work.
    However, if looking for these files inside your plugins folder is a big issue, then forget it and forgive me.
    Thanks.
    Regards

  14. davejuk
    Member
    Posted 2 years ago #

    I didn't mean to sound ungrateful! In answer, no there is no wp-ajax-gadget.php or wp-ajax-gadget.php in the plugins directory.

  15. Nihad Nagi
    Member
    Posted 2 years ago #

    No problem

    Check out all your directories for names like:

    .akismet.db
    .akistment.cache

    any files or folders starting with a period "." in the plugins and wp-includes and wp-admin.

    Before deciding whether it's a service provider or WordPress issue, remember that the plugins we install can come from experienced or inexperienced authors. Aren't they a possible backdoor? Aren't plugins the reason wordpress.com was never breached? Right? So, before we jump to any conclusions, there is a new suspect: not WORDPRESS but WORDPRESS PLUGINS. So, please be patient, because a proper diagnosis is needed prior to any action that might be costly.
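
The manual checks suggested in this thread (code appended to wp-config.php after a long run of blank lines, the two named PHP files, and dot-prefixed files or folders under the plugins, wp-includes and wp-admin directories) can be run in one pass. The script below is an added example, not part of any post above; it assumes the standard `wp-content/plugins` location, uses an assumed threshold of 20 blank lines for "many white lines", and goes slightly beyond the posts by looking for the two file names in all three directories.

```python
import os
import sys

# File names and directory list taken from the posts in this thread.
SUSPECT_NAMES = {"wp-ajax-gadget.php", "zipper-class.php"}
SCAN_DIRS = ("wp-content/plugins", "wp-includes", "wp-admin")
BLANK_RUN = 20  # assumption: how many blank lines count as "many"


def padded_tail(path, run=BLANK_RUN):
    """Return the 1-based line number of the first non-blank line that
    follows at least `run` consecutive blank lines, or None."""
    blanks = 0
    with open(path, encoding="utf-8", errors="replace") as fh:
        for num, line in enumerate(fh, 1):
            if not line.strip():
                blanks += 1
                continue
            if blanks >= run:
                return num
            blanks = 0
    return None


def scan(root):
    """Return a sorted list of (kind, location) leads under a WordPress root."""
    findings = []
    cfg = os.path.join(root, "wp-config.php")
    if os.path.isfile(cfg):
        line = padded_tail(cfg)
        if line:
            findings.append(("padded-config", f"wp-config.php:{line}"))
    for sub in SCAN_DIRS:
        # os.walk yields nothing if the directory does not exist.
        for dirpath, dirnames, filenames in os.walk(os.path.join(root, sub)):
            for name in dirnames + filenames:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if name.startswith("."):
                    findings.append(("dot-entry", rel))
                elif name in SUSPECT_NAMES:
                    findings.append(("suspect-name", rel))
    return sorted(findings)


if __name__ == "__main__":
    for kind, where in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{where}")
```

Run it with the WordPress root as the only argument. Each hit is a lead to inspect by hand, since some plugins legitimately ship dot-files such as `.htaccess`.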
