Site Hacked - trying to clean it up before I upgrade (7 posts)

  1. misterwebmaster
    Member
    Posted 2 years ago #

    Working in 2.0.9 (yes, I know, I need to upgrade)

    I'm trying to salvage and clean up what's running now before I upgrade, so I don't bring in the bad with the good.

    site: toddseavey.com

    To normal browser user agents, it serves the pages as they should be. If the pages are viewed as a search engine - you can see the results for yourself - Viagra spam.

    I don't see the offending material in the database entries for the posts. It's not in the themes, because switching the themes doesn't help. I'm *guessing* some of the underlying php is compromised but have no idea where to look.

    From where and how is the spam content being pulled in, and only so it is served to search engines?

    Anyway, I'd be grateful for advice on excising the spam so the upgrade goes smoothly. I don't want to inadvertently carry on this problem.

  2. Samuel B
    moderator
    Posted 2 years ago #

  3. misterwebmaster
    Member
    Posted 2 years ago #

    Yup, it was stray PHP files in the uploads folder. It's amazing, as the files are pure gobbledygook to my eye. If those Russian hackers used their powers for good, they could cure cancer.

    What I wonder is if those stray PHP files in the image upload folder will be the only problem. Deleting them took away the problem, but is there a stray hook elsewhere?

    Thanks for the help, now to change passwords, cross my fingers, and upgrade, and get a new theme, as I doubt my old one is supported.

  4. Samuel B
    moderator
    Posted 2 years ago #

    If you combed the database...
    Good luck with it.

  5. misterwebmaster
    Member
    Posted 2 years ago #

    I searched the post and post meta tables for "viagra" and "cialis" with nothing showing up, but other than that, I wouldn't be sure what to look for.

    I almost posted the content of the wayward PHP files, but then came to my senses - that would be like releasing a live polio virus onto a school bus.

    The hackers managed to add an additional user "Google" to the user database that was invisible to the web interface. I deleted the "Google" user, but that had no effect.

  6. Samuel B
    moderator
    Posted 2 years ago #

    One more thing you might search for in the db is "eval" and "base64".
    Some plugins legitimately use evals (like All in One SEO), but you can likely tell the difference.
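
The two checks the thread converges on - PHP files sitting in the uploads folder (post 3) and files that carry eval/base64 markers (post 6) - as an added shell example. This is not code from the thread or from WordPress; the wp-content layout, the file names and the base64 payload in the sample tree are constructed here so the script runs offline, and the Googlebot-versus-browser fetch is only defined, not run, because it needs network access.

```shell
#!/bin/sh
# Added example, not from the thread. Scans a WordPress tree the way the
# cleanup above went: list PHP files under uploads (which should hold media
# only), then flag obfuscation markers anywhere under wp-content. The
# directory layout built by build_sample_site is constructed for the demo.

# Every PHP-like file under uploads is suspect regardless of its contents.
find_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) | sort
}

# Markers typical of injected backdoors. As Samuel B notes, legitimate
# plugins can call eval(), so every hit still needs a human look.
find_obfuscation_markers() {
    grep -rIlE 'eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|preg_replace *\(.*/e' "$1" 2>/dev/null | sort
}

# Fetch a URL as a browser and as Googlebot and report whether the bodies
# differ: the cloaking symptom from the first post. Needs network access,
# so the demo below does not call it. The user-agent strings are assumptions.
check_ua_cloaking() {
    url=$1
    browser=$(curl -fsSL -A 'Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6' "$url")
    bot=$(curl -fsSL -A 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' "$url")
    if [ "$browser" = "$bot" ]; then
        echo "same content for browser and Googlebot"
        return 0
    fi
    echo "CLOAKED: Googlebot receives different content"
    return 1
}

# Constructed sample site (not a real install): one image, one stray PHP
# file in uploads, one plugin that legitimately uses eval().
build_sample_site() {
    root=$1
    mkdir -p "$root/wp-content/uploads/2010/03" "$root/wp-content/plugins/all-in-one-seo-pack"
    printf 'GIF89a' > "$root/wp-content/uploads/2010/03/photo.gif"
    # "ZWNobyAnc3BhbSc7" is base64 of the harmless echo 'spam'; (constructed)
    printf '<?php eval(base64_decode("ZWNobyAnc3BhbSc7"));' \
        > "$root/wp-content/uploads/2010/03/wp-cache.php"
    printf '<?php $code = "return 1;"; eval($code);' \
        > "$root/wp-content/plugins/all-in-one-seo-pack/aioseop.php"
}

demo() {
    tmp=$(mktemp -d)
    build_sample_site "$tmp"
    echo "PHP files in uploads:"
    find_php_in_uploads "$tmp/wp-content/uploads"
    echo "Files with obfuscation markers:"
    find_obfuscation_markers "$tmp/wp-content"
    rm -rf "$tmp"
}

demo
```

On a real site, point find_php_in_uploads at the actual uploads directory and find_obfuscation_markers at the whole wp-content tree; expect the plugin hits to be explainable and the uploads hits not to be. Blocking PHP execution under uploads at the web server (for example with a deny rule in that directory) closes the door the stray files used, whatever the upgrade does.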

  7. misterwebmaster
    Member
    Posted 2 years ago #

    Clean of sneaky "eval" and "base64". I got lazy and searched for "eval" as an exact phrase.

    So now to migrate from 2.0.9 to 2.9.2.

    And hope that it isn't my shared server space that's compromised. Changing passwords and all that. And cross fingers.
