Forums

WordPress › Support » How-To and Troubleshooting

[resolved] [closed] Website Was Hacked - WordPress not working (15 posts)

  1. yourlowm
    Member
    Posted 9 months ago #

    Hello,
    My website was hacked today by someone called Haxorsistz. When you typed in my URL you just got a message saying the site was hacked, nothing was deleted, but the Index page was changed. I also noticed the .PHP files in my root directory were deleted.

    I thought uploading new .PHP files along with the proper config file would fix the problem, but it didn't. You now get a server error when you type my URL and you get the same server error when you try to access wp-login. I also tried doing a manual update to the latest version of wordpress, but that did nothing. All of my content appears to still be in the proper place, but for some reason it isn't showing up on the internet. Not sure what I can do to get things working. Any help would be appreciated.

    Here is the link to my site

  2. Jan Dembowski
    Volunteer Mod. & Brute Squad
    Posted 9 months ago #

    You may actually want to post the link to your site... ;)

    If your site was hacked then you need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
    http://codex.wordpress.org/Hardening_WordPress
    http://www.studiopress.com/tips/wordpress-site-security.htm

  3. yourlowm
    Member
    Posted 9 months ago #

    Here is the link to my site. For some reason it didn't show up in the original post.

    I will look through the links provided. Thanks

    Brad

  4. The Hack Repair Guy
    Member
    Posted 9 months ago #

    I see this is still ongoing sadly. It's crazy that people do this, though you have some options.

    1. Contact your web host.
    If your web host maintains daily and weekly backups, hopefully they will be able to recover your website from prior to this event.

    Once they do so, you'll want to make sure all of your passwords are
    changed and likewise ensure all scripts on your site are updated.

    2. Web host has no backups.
    Ok, so your web host has no backups. If this is the case, you'll need to log into your website via FTP and start looking around for newly dated files, then work to remove any hacker code you find in them.

    In summary, there's really not much we can do here in the forum.
    Someone will need to log in and remove all the hacked pages and any
    lingering back door scripts. There is no magic bullet or quick and simple way to do this.

  5. yourlowm
    Member
    Posted 9 months ago #

    Thanks for all of the great advice. Unfortunately my hoster does not back up my account. I will dig around in my site and see if I can find files that are not supposed to be there.

    I have one last question, if you don't mind. I have already uploaded the recent version of WordPress including the index file, however, my URL does not seem to point to my site. When you type http://www.YourLowMortgage.ca in a browser the screen just turns white (or gives a server error depending on the browser you use).

    The .htaccess file looks like this:
    Options FollowSymLinks MultiViews Indexes ExecCGI

    AddType application/x-httpd-cgi .izri

    AddHandler cgi-script .pl
    AddHandler cgi-script .pl

    Could that be my problem?
    Thanks

  6. yourlowm
    Member
    Posted 9 months ago #

    Thanks

  7. jifrici
    Member
    Posted 6 months ago #

    I have the same problem with my site right now. I have seen you could fix your own site. Do you remember the way? Which folders have hacked?
    Thanks

  8. esmi
    Theme Diva & Forum Moderator
    Posted 6 months ago #

    As per the Forum Welcome, please post your own topic. Your problem - despite any similarity in symptoms - is likely to be completely different.

  9. yourlowm
    Member
    Posted 6 months ago #

    The hackers said they only changed the index file within the site template, so reinstalling that should fix the issue. However, the site you are now looking at is new and not the original site that was hacked. I was unable to fix it so installed a new template and things seemed to work.

  10. Jan Dembowski
    Volunteer Mod. & Brute Squad
    Posted 6 months ago #

    The hackers said they only changed the index file within the site template, so reinstalling that should fix the issue.

    I'm afraid that reinstalling doesn't fix anything it just treats the symptom. You really need to lock down your installation or someone will be able to modify the files again.

  11. whelanwebdesign
    Member
    Posted 6 months ago #

    Hi Guys.

    Same has happend me with same Hacker Team. Database looks ok and I was running latest WordPress. This is also a Mortgage site like yourlowm above.

    I've spent the past few hours trying to fix this with my painfully slow hosting provider.

    They might have a backup but still awaiting them to get back to me. I am hoping that this will restore my site and that I can make some changes to it for better securiry.

    steps I have taken to try resolve this.

    I was using a modifyed twetyeleven theme for this webite and found the following infected files

    themes/twentyeleven/header.php
    themes/twentyeleven/404.php
    themes/twentyeleven/index.php

    I replaced them with a fresh copy ( No effect )

    I downloaded a fresh copy of wordpress and overwrote all site files ( No effect )

    I cannot login to the dashbard area with my username or passwrods as the seem to have changed. Even the forgot password does not seem to remember my email address.

    If I do get this resolved I will post full details here.

  12. wpfixes
    Member
    Posted 6 months ago #

    For this problem check theme files, sometime header.php is totally replaced.

    And they hide a javascript in database, wp_options table. Find and delete an option_name called widget_text, value beginning with:
    <script>document.documentElement.innerHTML = unescape(''%3c%68%74%6d%6c%3e%0d%0a%3c%74%69%

    If you have doubts about the content, deobfuscate here
    http://www.patzcatz.com/unescape.htm

    And of course do the rest... check you computer for trojans, update wp and plugins, change passwords, change Authentication Unique Keys and Salts in wp-config, backup etc

  13. maidbloke
    Member
    Posted 6 months ago #

    Thank you. I was asked to repair a site infected with Haxorsistz and this thread was instrumental in me being successful.

    The site actually had multiple infections, including 2 instances of infected data in table wp_options as suggested by wpfixes. There were 5 modified/new files: functions.php and 404.php in the theme folder of the theme being used, a new file called gay.php in the wp-admin folder, a new file called selli.php in the root and a modifed index.php file in the root.

    I have changed passwords and done all the other more general suggestions too. Thanks again!

  14. harrischeng
    Member
    Posted 3 months ago #

    Hi All,

    My website got hacked by Haxorsistz as well.. now I got back the control of the site and am working on everything to recover it. Does anybody happen to know how to recover from the garbled code within wp-admin? something like: 銝€�游��迭�◢摮�璇典�

    It looks fine outside but it's a mess within wp-admin. I tried to delete wordpress, reinstalled, but found it's still broken if I connected to previous database. Could anyone advise if is there anything I could do?

  15. Andrew Nevins
    Volunteer Moderator
    Posted 3 months ago #

    If your site was hacked then you need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
    http://codex.wordpress.org/Hardening_WordPress
    http://www.studiopress.com/tips/wordpress-site-security.htm

    As per the Forum Welcome, please post your own topic. Your problem - despite any similarity in symptoms - is likely to be completely different.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags