WordPress.org

Ready to get started?Download WordPress

Forums

Website got infected and now i have questions (7 posts)

  1. bstharp
    Member
    Posted 2 years ago #

    PLEASE HELP! My website was compromised with exploitive code a few months back, and i'm only now discovering it with a few errors when people try to visit the site...

    My web server tech found files that were infected, tracing it back to a bad timthumb file. But I don't know what these files do, and therefore how to delete the bad code (where the good ends and the bad begins, that is). So, I went to the 3.3.2 version of wordpress and downloaded it again, I could not find those three files in the current folder of wordpress files. Are they created at the time of installation only? Or are they invalid files and not needed at all?

    ./wp-includes/js/gCountdown.php
    ./wp-includes/newsticker.php
    ./wp-admin/js/jquery-min.php

    These are currently on my site, with bad code. But before I simply remove them in the cleanup process, I need to be sure they will NOT break my website!

  2. michael.mariart
    Member
    Posted 2 years ago #

    Those are all files that were added by the hacking attempt. Delete them all NOW.

    The best thing that you can do for these sort of situations is have a full back up of all the files that you have on your site before it became infected. That way you can safely delete everything and just re-upload it to get the site back and working. It won't do much for fixing the source of the infection but it's a start.

  3. bstharp
    Member
    Posted 2 years ago #

    Thank you Michael - I was comparing them to my archived site - what I hoped was a clean archived site, and didn't see them there so I figured they might be added, but didn't want to further my problem since I'm a neophyte when it comes to debugging stuff like this. I'll delete now and see how it goes...

  4. peter achutha
    Member
    Posted 2 years ago #

  5. esmi
    Forum Moderator
    Posted 2 years ago #

  6. bstharp
    Member
    Posted 2 years ago #

    Thank you Esmi and Peter - all of you in fact, for your help. I was able to find the bad files by reading some of the info shared above, and I believe I've cleaned it all up now and the server scans are coming back 'clean' without any malicious code or attack messages currently. But I will continue to research using the links above so I'm certain that I got it all cleaned up and also how to protect from this happening again.

  7. bstharp
    Member
    Posted 2 years ago #

    Well, I ended up doing a complete re-install of wordpress and my theme and I'm back up and running, with changed database and server passwords, so hopefully this won't happen again. It all began with a timthumb file that was vulnerable and got infected last year, and then things went unnoticed until just recently when another infection attack occurred.

    Thank you all for your help. It's this kind of support that makes a community work!

Topic Closed

This topic has been closed to new replies.

About this Topic