Website hacked (4 posts)

  1. tal1481
    Member
    Posted 7 months ago #

    Hi,

    I recently took over a new website to do some SEO for them.

    The version of WordPress that they were using was 3.4.2 - I hadn't gotten around to doing anything on the site yet and got up this morning and noticed that the website has been hacked. This is what it says:

    Hacked By ./N0V3MB3R
    Dont Panic Admin !!
    FP :
    https://www.facebook.com/AtjehCyberArmy
    My Email :
    ilhamgayyers404@hmamail.com
    =============================
    [+] Thanks To [+]

    [+] Gaim404 [+]
    [+] ./xCAD [+]
    [+] MR XGhoLund [+]
    [+] ./KIKI404 [+]
    [+] Nabilah Dot ID [+]
    =============================
    [+] Special Thanks [+]
    [+] Allah [+]

    [+] Atjeh Cyber Army [+]

    I have downloaded the files and can see that some of the theme files have malicious code injected into them and that it has overwritten the theme template files: index.php and 404.php

    I have contacted their host "fasthosts" and they have no backup, I have contacted the original theme developer and he claims not to have any backups of his design - I was going to load a fresh WordPress install and then copy a fresh theme install and rebuild the pages but that is a dead end.

    When I delete the code from index.php and 404.php - WordPress tells me that the theme is incomplete.

    I have looked at the SQL database and it appears to be ok.

    What can we do now besides a complete site redesign? I have read through all the tutorials but I cannot clean the theme files because the original code in the theme files has been replaced??

    Thanks,

  2. ClaytonJames
    Member
    Posted 7 months ago #

    Some reference materials:

    FAQ My site was hacked

    Hardening WordPress

    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    I have contacted their host "fasthosts" and they have no backup, I have contacted the original theme developer and he claims not to have any backups of his design

    Without backups or copies of original or custom work, you're out of luck. If the former website admin did not take regular backups, it will mean starting over.

    Is the theme a complete original, or based on a theme that is still available?

  3. tal1481
    Member
    Posted 7 months ago #

    It's a complete original looking at the code.

    Do you think this was hacked due to it being an old version of WordPress?

  4. ClaytonJames
    Member
    Posted 7 months ago #

    Do you think this was hacked due to it being an old version of WordPress?

    It should definitely be considered a contributing factor. It might also be a good idea to make sure that the hosting account credentials, as well as the credentials for all FTP user accounts for the domain, are changed a.s.a.p. Make sure that all FTP account users are known to you.

    You should also identify and verify all legitimate administrative users in the WordPress database at some point.

    It's a complete original looking at the code.

    Just to be sure, check in the theme's style.css sheet and see if there is any reference to a theme not related to the current domain. Often you will see something like this:

    /*
    Theme Name: My Theme
    Theme URI: http://myurl.com/mytheme
    Author: ThemeCreator
    Author URI: http://myurl.com
    Description: My Theme: Based on some Original Theme XXX by YYY...etc..
    */

    If there isn't anything there that references a theme that the site may have been based on, then you may truly be out of options for file recovery.

    [edit] It's also important to contact your host's support group as soon as possible, and let them know that you have had a compromise (if you didn't already mention that when you contacted them previously). They will want to know, and may have additional information and instructions that could help prevent it from happening again.
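
The style.css check suggested in the last reply, as an added example that is not part of the original thread: it reads a theme's header comment and lists anything that points to an upstream theme a clean copy could be recovered from. The function names, the site domain `client-site.example` and the sample header (including its `Template:` line, the header WordPress child themes use to name their parent) are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Header fields read from the comment at the top of a theme's style.css.
# "Template" is the field a child theme uses to name its parent theme directory.
FIELD_RE = re.compile(
    r"^[ \t/*#@]*(Theme Name|Theme URI|Author URI|Author|Description|Template)"
    r"[ \t]*:[ \t]*(.+?)[ \t]*$",
    re.I | re.M,
)

# Constructed sample, modelled on the header quoted in the thread.
SAMPLE = """/*
Theme Name: My Theme
Theme URI: http://myurl.com/mytheme
Author: ThemeCreator
Author URI: http://myurl.com
Description: My Theme: Based on some Original Theme XXX by YYY
Template: originaltheme
*/
"""

def parse_header(css_text):
    """Return the header fields (lower-cased names) found in the first 8 KiB."""
    fields = {}
    for name, value in FIELD_RE.findall(css_text[:8192]):
        fields.setdefault(name.lower(), value)  # first occurrence wins
    return fields

def upstream_hints(css_text, site_domain):
    """List references to a theme or author outside site_domain."""
    fields = parse_header(css_text)
    hints = []
    if "template" in fields:
        hints.append(f"parent theme directory: {fields['template']}")
    based = re.search(r"based on\s+(.+)", fields.get("description", ""), re.I)
    if based:
        hints.append(f"description says based on: {based.group(1)}")
    for key in ("theme uri", "author uri"):
        host = urlparse(fields.get(key, "")).hostname
        if host and host != site_domain and not host.endswith("." + site_domain):
            hints.append(f"{key} points off-site: {host}")
    return hints

if __name__ == "__main__":
    # Assumed site domain; replace with the compromised site's own domain.
    for hint in upstream_hints(SAMPLE, "client-site.example"):
        print(hint)
```

An empty result means the header gives no lead to an upstream theme, which matches the "out of options for file recovery" case described above.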
