Site has been hacked I think?

  • Hi, this site I’m helping this lady with is having some crazy issue.

    http://www.aspenreallife.com/about/

    There is a nutty message at the top,
    kZzzMNshhbCstSxGskkA
    Few days pill – Erection failure cure medicine that fjlhrqpsgg fjlhrqpsgg btyJppjLxWDtEftVVkMp

    Also, I can’t log into the wordpress backend, when I try to, there is the same message

    kZzzMNshhbCstSxGskkA
    Few days pill – Erection failure cure medicine that fjlhrqpsgg fjlhrqpsgg btyJppjLxWDtEftVVkMp

    Does anyone know how this site has been hacked or what I can do to fix this issue???

    PLEASE HELP

Viewing 10 replies - 1 through 10 (of 10 total)
  • Gwythan

    (@kevin-ashbridge)

    Yes, that’s a hack.

    From one other instance I’ve seen, the hackers usually change a WordPress file rather than database content – or perhaps you have been hacked via a trojan horse WP plugin.

    The best solution I know of is:

    (1) Deactivate ALL of your plugins
    (2) Re-install WordPress.

    Re-activate only those plugins you trust.

    That should get rid of it. Then change your FTP password to something stronger and try to use Secure FTP (SFTP) in the future – most hosts support this, but contact your hosting company.

    Thread Starter mixmastermichael

    (@mixmastermichael)

    Thanks for the reply Kevin.

    Yeah, the issue is though that I can’t log in at all to the WordPress backend to deactivate plugins.

    Contacted the lady to get me hosting / FTP info. Would you recommend I modify the SQL file at all to resolve it? I only had to deal with a hacked site once before.

    I’m hoping that once I get FTP info I can remove or mess with the “pluggable.php” file so I can get in there to at least log in. This is the error I get when I try to get to wp-admin:

    Warning: Cannot modify header information – headers already sent by (output started at /mnt/target06/346262/394688/www.aspenreallife.com/web/content/wp-content/themes/GrungeMag/epanel/import_settings.php:38) in /mnt/target06/346262/394688/www.aspenreallife.com/web/content/wp-includes/pluggable.php on line 881

    Gwythan

    (@kevin-ashbridge)

    Once you get into your site via FTP then try first reinstalling WordPress from a fresh download. This should also clean up the ‘pluggable.php’ file.

    If the problem still persists, then yes, your database would be the next place to look. Personally, I’d reinstall the database using a backup from prior to the time you noticed the hack.

    @mixmastermichael: Work your way through the resources below and follow all instructions to completely clean your site or you may be hacked again.

    The error you are seeing now probably has to do with a deleted file; upload a fresh copy of all core WP files and folders.

    @kevin-ashbridge: Simply reinstalling WordPress and changing an FTP password is not a complete fix.

    See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex. Change all passwords. Scan your own PC. Use http://sitecheck.sucuri.net/

    Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting

    Thread Starter mixmastermichael

    (@mixmastermichael)

    I’ve backed up the existing (broken) site, as well as a fresh installation of WordPress. Do you recommend that I re-upload the fresh wp-includes folder first to see if that fixes it?

    I am thinking there’s a few crazy plugins installed that corrupted stuff. It’s hard to pinpoint though, since I can’t even log into WordPress. If anyone has any tips on how I can resolve this I would very much appreciate it.

    What a mess

    It is probably a JavaScript injection like the one our old fav timthumb.php had a while ago. You can log in to FTP/SFTP and rename the plugin folder with a dot before it (.plugins); that will deactivate all the plugins.

    The source code is:

    <body data-twttr-rendered="true">
    kZzzMNshhbCstSxGskkA
    <p>
    Few days pill - Erection failure cure medicine that fjlhrqpsgg
    <a href="hxxp://www.hgecnekevo.com/">fjlhrqpsgg</a>
     btyJppjLxWDtEftVVkMp

    Result is here:

    http://sitecheck.sucuri.net/results/www.aspenreallife.com/

    It is impossible to detect from which file the problem is happening. But it is probably from your theme from Elegant Press (make sure to use a newly downloaded theme from the official site for the fresh installation again). These usually infect the core files of WordPress. They fill them with eval(function(p,a,c,k,e,d) one by one.

    Take a MySQL backup and restore only important tables related to WP functions. On the FTP side, only restore the uploads folders (usually the post images). You will not get MySQL injection; still, if the malware comes back again, open each table and its rows as a text file to check manually.

    Google has already detected malware and it is showing up in the meta description (This site may be compromised.). Search with the full domain name in Google to see it.

    Your first work is to put it under maintenance by using a maintenance plugin. Whoever clicks that website without protection in this condition can get infected.

    If you / that lady is a Windows PC user, please visit the Avast forum and ask them for the probable reason or needed scans. Usually scanning with Malwarebytes Antimalware (the free one) is enough. Another scan is suggested with antivirus software that is well known like Clam, Norton etc.

    Use a better web hosting as said before. You can use HP Cloud server now for temporary shelter as they are giving 3 months free usage (the limitation will cover that website’s usage). Otherwise use Amazon or Rackspace. Amazon also has a free usage tier.
    If you love cPanel-like things, install Free OpenPanel on these servers (Ubuntu and Debian only).

    You can ask Jeff Starr of PerishablePress.com if you need paid help or ask him as comment on that blog.

    Do not ask Google to reconsider from Webmaster Tools before you are 100% sure about being free of malware. Do not distribute clickable links to your website here and there now. Null them by using hxxp instead of http.

    Thread Starter mixmastermichael

    (@mixmastermichael)

    Thanks for the reply. That gives a good guide on what to do.

    Here’s what I’ve done so far and some notes.

    -FTP/SFTP and rename the plugin folder with a dot before (.plugins)
    Renamed that folder but it didn’t really change anything on the site, unfortunately.

    -In doing a search in all files of that site, I found out where that message was included: in this file, /wp-content/themes/GrungeMag/includes/widgets.php, so I removed it. I noticed that all files within this folder were modified within the past couple of days, which I did not do… so I am thinking that the entire theme needs to be reinstalled.

    Nobody can click on that link any more, however, since I removed that weird message.

    -I still can’t log into WordPress; the error message is still this:
    Warning: Cannot modify header information – headers already sent by (output started at /mnt/target06/346262/394688/www.aspenreallife.com/web/content/wp-content/themes/GrungeMag/epanel/import_settings.php:38) in /mnt/target06/346262/394688/www.aspenreallife.com/web/content/wp-includes/pluggable.php on line 881

    -I’m already using Rackspace as the host of that site actually.

    Any other advice? I am trying to track down my phpMyAdmin info so I can get into the SQL database and see if I can clean up unnecessary tables.
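Two indicators come up in this thread: the packed-JS signature eval(function(p,a,c,k,e,d) that the previous reply says gets written into core files, and the observation above that every file in the theme folder was modified within the last couple of days. The script below is an added example (not posted by anyone in the thread) that triages a WordPress docroot for both; the marker string and file paths are taken from the thread, and the sample tree it builds is constructed so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the thread: triage a WordPress docroot for the
# indicators the replies point at - the packed-JS signature
# eval(function(p,a,c,k,e,d) and the injected marker string - plus files
# modified in the last N days. WP_ROOT defaults to a constructed sample
# tree so the script runs stand-alone; point it at the real docroot in use.
WP_ROOT="${WP_ROOT:-$(mktemp -d)}"

# Constructed sample tree: one clean, backdated core file, two infected
# theme files (paths mirror the ones named in the thread).
build_sample_tree() {
  mkdir -p "$WP_ROOT/wp-includes" \
           "$WP_ROOT/wp-content/themes/GrungeMag/includes" \
           "$WP_ROOT/wp-content/themes/GrungeMag/epanel"
  printf '<?php // clean core file\n' > "$WP_ROOT/wp-includes/pluggable.php"
  touch -t 202001010000 "$WP_ROOT/wp-includes/pluggable.php"   # backdate
  printf '<?php echo "kZzzMNshhbCstSxGskkA";\n' \
    > "$WP_ROOT/wp-content/themes/GrungeMag/includes/widgets.php"
  printf '<script>eval(function(p,a,c,k,e,d){return p}("x"))</script>\n' \
    > "$WP_ROOT/wp-content/themes/GrungeMag/epanel/import_settings.php"
}

# Files containing either indicator. -F matches fixed strings, so the
# parentheses in the packer signature are taken literally. One path per line.
grep_indicators() {
  find "$WP_ROOT" -type f -exec grep -lF \
    -e 'eval(function(p,a,c,k,e,d' -e 'kZzzMNshhbCstSxGskkA' {} + | sort
}

# Files changed within the last $1 days; compare the list against the date
# the site was last legitimately edited, as the thread starter did.
recently_modified() {
  find "$WP_ROOT" -type f -mtime "-$1" | sort
}

# Portable line counter (avoids wc's platform-dependent padding).
count_lines() {
  n=0
  while IFS= read -r _; do n=$((n + 1)); done
  printf '%s\n' "$n"
}

if [ "${1:-}" = "demo" ]; then
  build_sample_tree
  echo "== indicator hits =="; grep_indicators
  echo "== modified in last 7 days =="; recently_modified 7
fi
```

Run it with `WP_ROOT=/path/to/docroot sh triage.sh demo` against a real tree; a hit list that is empty while the site still serves the spam points at the database rather than the files, which is the order of investigation the replies above suggest.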

    I’m already using Rackspace as the host of that site actually.

    I understood it’s Rackspace from your Linux path. It appears you are using a Cloud Sites client account (from /346262/394688/).

    Set the error log on from the control panel. It seems it is done through timthumb.php. It is impossible to find the real one; it replicates itself.

    It’s very easy for Rackspace. Take a backup of each table from phpMyAdmin and read my method for limited table transfer in Rackspace Cloud. Create a new WP installation (it does not matter where) and restore your SQL backup on that. You can contact me through my blog directly, as a Rackspace co-user, for any difficulty with that post.

    What you will do is – just download the .htaccess, robots.txt etc. files from SFTP and the uploads folder. Forget others. Keep them as backup, but forget them.
    We can actually do whatever we need on a Cloud Setup with FQDN MySQL.

    You will delete all the files from that account’s root. Then upload a new WordPress. Use that database’s details without installing, in the wp-config.php file of the new install (Edit – You can install it and later change the MySQL details; it will be easier).
    Remove any bash scripts, cron etc. from cgi or other folders. Delete each same-named table and replace it with the backup. One by one. You will see the change. Very interesting actually. Do not restore wp_usermeta and wp_users in your case in the first attempt.

    Forget that theme. Please report it to Rackspace for security and ask if they have any special tips.

    Thread Starter mixmastermichael

    (@mixmastermichael)

    Thanks, once I get the login to the cpanel, I will try these steps.

    Sounds like I might need your help though… I can even pay you for your services if necessary. This is a bit beyond my scope of expertise as I’ve never had to recover a hacked site. It’s a huge site, rebuilding it might be a pain. I’ll try to contact you through that blog of yours if I need to.

    Seriously thanks for the help, good to know there are nice people like you out there thwarting the not so nice hacker butt munches out there.

    You are welcome.
    First try yourself, because you will learn to fight and solve.
