
WordPress Hacked (27 posts)

  1. aletheides
    Member
    Posted 5 years ago #

    My site freewiccaschool.com/blog/ has been hacked and is now redirecting to sattan.org. I have tried to upgrade my blog but I'm having no luck - the wordpress dashboard doesn't detect any files I upload (upgrades or plugins), although the FTP client tells me they are in fact there: http://wordpress.org/support/topic/218941?replies=2

    I'm pretty stuck as to what I should do?

  2. admin95
    Member
    Posted 5 years ago #

    The wicca site comes up for me. Did you fix it?

  3. ClaytonJames
    Member
    Posted 5 years ago #

    This site (still in beta) is kinda cool to play with. http://www.unmaskparasites.com/

    Thanks to UseShots for the link.

    It shows you have a 302 redirect to the "sattan.org" blackjack site. Good place to start I guess.

    URL: //www.freewiccaschool.com/blog

    Redirects: 301 -> //www.freewiccaschool.com/blog/
    302 -> //sattan.org/feed/search.php?q=blackjack

    [Edit]...plus, you're still using 2.5. Just sayin' ...

  4. Bob Smith
    Member
    Posted 5 years ago #

    go remove the crap that's probably in your wp-blog-header.php

  5. aletheides
    Member
    Posted 5 years ago #

    Damn this is really irritating because I've now found out it's happening across about 10 of my sites and my traffic is really tanking because of it...

  6. aletheides
    Member
    Posted 5 years ago #

    Thanks to that tool you provided Clayton, very helpful.

  7. aletheides
    Member
    Posted 5 years ago #

    I found the solution to these hacks. They have been totally raping my sites for the past 3 weeks and my search traffic dropped like a rock. I've probably lost over $1,000+ from these hacks, so in case this has happened to anyone else I have figured out a fix. I am hoping these fixes eliminate everything and they won't come back.

    Go to phpMyAdmin and navigate to your wp_options table. Within this table go to active_plugins and scroll to the center. From here you will find it pointing to a copy of a plugin but with a weird ending file name. I found fake files ending in .bak and .old. Delete the little piece of code that looks something like this: a:9:{i:0;s:21:"fakefile.old" Deleting this piece of code will deactivate all your plugins, so go reactivate them. Sometimes I also found this "../../../../../../../../../../../../../../../../../../../../../../tmp/tmpYwbXT2/sess_779ceef92a4fdcc17bb5ee3f13348bfd" pointing to a fake plugin in the root.

    Also go to your FTP client and go to where the fake file is pointing and be sure to delete this file.

    Use the tool found at this page: http://www.akamarketing.com/blog/111-use-wordpress-check-the-source-of-your-google-cache-for-hidden-spa-links.html

    To pretend like you're the google bot and find out if all of your spam links are still showing up or not.

    I also took the advice of this post: http://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/

    and deleted anywhere in wp_options that I found wordpress_options or internal_links_cache tables. I found internal_links_cache tables in my wp_options on every site.

    Also delete the "WordPress" user from the wp_users table.

    To prevent further hacking attempts I...

    ...installed the AMAZING AskApache Password Protect plugin. This will lockdown your wp-admin and wp-logins with .htaccess. I highly recommend it.
    ...Placed a blank index.html file in my plugins directory as suggested by Matt Cutts. This prevents hackers from exploiting my plugins.
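
The active_plugins check described in the post above, as an added example that is not part of the original post: it parses the PHP-serialized list, flags entries that cannot be a normal plugin path, and re-serializes the rest so the `a:N` count and `s:LEN` prefixes stay valid (a hand edit that leaves them wrong makes the value fail to unserialize). The function names and the sample value are constructed for illustration.

```python
import re

ELEMENT = re.compile(rb'i:\d+;s:(\d+):"')

def serialize_plugins(entries):
    """Build the PHP-serialized list WordPress keeps in active_plugins."""
    body = "".join('i:%d;s:%d:"%s";' % (i, len(e.encode()), e)
                   for i, e in enumerate(entries))
    return "a:%d:{%s}" % (len(entries), body)

def parse_active_plugins(value):
    """Parse a:N:{i:K;s:LEN:"...";} strictly; LEN counts bytes, as in PHP."""
    data = value.encode()
    head = re.match(rb"a:(\d+):\{", data)
    if not head:
        raise ValueError("not a serialized PHP array")
    pos, entries = head.end(), []
    for _ in range(int(head.group(1))):
        m = ELEMENT.match(data, pos)
        if not m:
            raise ValueError("element count does not match header")
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError("string length does not match its s:LEN prefix")
        entries.append(data[m.end():end].decode(errors="replace"))
        pos = end + 2
    if data[pos:] != b"}":
        raise ValueError("trailing data after last element")
    return entries

def reasons(entry):
    """Why an entry cannot be a normal plugin path like 'dir/file.php'."""
    found = []
    if ".." in entry.split("/"):
        found.append("path traversal")
    if entry.startswith("/"):
        found.append("absolute path")
    if not entry.lower().endswith(".php"):
        found.append("not a .php file")
    return found

def audit(value):
    """Return (flagged entries with reasons, re-serialized clean value)."""
    entries = parse_active_plugins(value)
    flagged = {e: reasons(e) for e in entries if reasons(e)}
    clean = serialize_plugins([e for e in entries if e not in flagged])
    return flagged, clean

# Constructed sample; the fake entries are placeholders, not values from a real site.
SAMPLE = serialize_plugins(["akismet/akismet.php", "hello.php",
                            "example-plugin/example-plugin.php.old",
                            "../../../tmp/tmpEXAMPLE/sess_PLACEHOLDER"])
```

Run `audit()` on a copy of the option value exported from the database, and back up the row before writing the cleaned value.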

  8. whooami
    Member
    Posted 5 years ago #

    everything you mentioned as a fix is already in these forums :)

    in any event, hope your site(s) see better days.

  9. UseShots
    Member
    Posted 5 years ago #

    Hi,

    @aletheides: Did you locate the redirect code? I can still see that your blog redirects search engine traffic to "sattan .org".
    http://www.unmaskparasites.com/security-report/?page=www.freewiccaschool.com/blog

    Did you check the .htaccess file in the /blog/ directory? Alternatively check for Redirect code in .php files.

  10. Bob Smith
    Member
    Posted 5 years ago #

  11. UseShots
    Member
    Posted 5 years ago #

    Most likely it's somewhere in (.php) scripts since it changes the search string on every load:
    'search.php?q=debt consolidation in honduras'
    'search.php?q=brazil casino clickbank gambling religion'
    'search.php?q=california auto insurance'
    ...

  12. dprickett
    Member
    Posted 5 years ago #

  13. aletheides
    Member
    Posted 5 years ago #

    Oh I haven't got around to fixing freewiccaschool yet that's why it's still redirecting. I have about 15 sites I was doing this for, and I was starting with the most important ones first.

    Thanks for the links, checking them out...

  14. aletheides
    Member
    Posted 5 years ago #

    By the way Dprickett, there is more to it than replacing wp-blog-header ... There is code within the database that needs to be removed, as well as fake files in your plugins folder that need to be deleted, as well as the WordPress user that needs to be deleted to make sure the hacker doesn't have permanent authentication to your site.

  15. UseShots
    Member
    Posted 5 years ago #

    15 sites! wow! Could you share the detailed clean up instructions, including fake file names, wordpress username, database tables, etc?

  16. lamar-1111
    Member
    Posted 5 years ago #

    Removed the hacker code from header file and unmaskparasites.com says i am clean, still getting the redirect loop error though...

    Is there another problem?

    Thanks for the info!
    Thanks for useshots direction here!

  17. whooami
    Member
    Posted 5 years ago #

    Is there another problem?

    did you read and follow all the posts in this thread?

  18. lamar-1111
    Member
    Posted 5 years ago #

    I deleted all the users but me and completely removed and replaced the plugins folder- if that is what you are referring to.

  19. lamar-1111
    Member
    Posted 5 years ago #

    found a solution. Something was messed up in the .htaccess file. switched my permalinks back to the default, and all is well. just can't do the permalinks like i want.

    special thanks to unmaskparasites.com for helping me out!

  20. aletheides
    Member
    Posted 5 years ago #

    You're going to have to go into your database and do some removing too. Like whooami said there's a post at the top that details everything I did to fix it, it's really impossible to miss (or so I thought? lol).

  21. aletheides
    Member
    Posted 5 years ago #

    Looks like this hack is back again on many of my blogs that have been updated.

    I've also done some google searching today and found the hack on many popular blogs I was trying to search for info for, so it's definitely hitting many blogs all across the web.

    So irritating, I think the best permanent fix for this hack would be to find whoever is doing it and shoot them in the head.

  22. Samuel B
    moderator
    Posted 5 years ago #

    are you running 2.7 and still getting hacked?
    your ver. says 2.5

  23. aletheides
    Member
    Posted 5 years ago #

    That's odd all my sites are 2.7 now. Which one are you talking about? I will check it out.

  24. UseShots
    Member
    Posted 5 years ago #

    Exploiting WordPress vulnerabilities is not the only way to hack a site.
    Make sure your FTP passwords have not been compromised. Change them ASAP and try not to store them unprotected. Some trojans steal passwords from FTP programs' settings.

    Not sure it's your case, but changing passwords after a hack is always a good idea.

  25. Samuel B
    moderator
    Posted 5 years ago #

    That's odd all my sites are 2.7 now. Which one are you talking about? I will check it out

    no that's ok - I meant here on the forum - in the right nav

  26. billc108
    Member
    Posted 5 years ago #

    I just discovered similar problems on many of my and my client's installs.

    One thing I noticed is that the bogus users all have nothing in the user_url field in wp_users table. I'm pretty sure (but haven't confirmed yet) that any users created through proper channels - the registration page or created by a real Admin account - always have *something* in there. Either the user's URL or at least "http://". I suspect that a spammer/hacker user account, being script generated, skips over that field.

    The other thing to watch for is the nickname in user_meta. If it appears blank or starts with " ...", look more closely. It's likely got some script in there. I've seen a couple real user accounts which appear to have been compromised this way.

  27. m0rdekai
    Blocked
    Posted 5 years ago #

    @aletheides I found a problem with your site. Please contact me @ m0rdekai.co.cc

Topic Closed

This topic has been closed to new replies.
