I’ve read those, but they don’t make sense because I can’t find the code.
I deleted a file they mentioned and it erased my ability to log in!
So I had to reupload the DB and start over.. thank God I had it backed up.
The smackdown link is too confusing… and usually I can find the malicious code… any hint on what file it might be in?
I just fixed about 10 of these a while back.. sigh.
This is what came up for the text in my Google alert:
Doxycycline Horny Goat Weed Where To Get Lipitor RX Price For Lasix Canada Amoxil Testimonials Toprol XL Discount Avapro Cheapest Pills Where To Get Nizoral Effects Female Viagra Buy Nizoral Hartford Phentrimine NoRX Generic Accutane Health Forum Natural Cytotec Italy.
The rest worked fine and I saw none of that in the actual post..
So I’m stumped!
I am not clear on how to use the MyPHP Admin to find where the bogus user has made it so this gets into the posts.
Funny thing is, I just searched on Google and their entry is fine. (I just reposted it)
Maybe I did remove the bogus user and don’t know it?
Even when I click on the bogus Google alert I did not see anything wrong.
In fact if you search on Google now, you will come up with my site with other posts that have that in it! DAMN!
Could be in your theme, plugins, database, core files, might be something dodgy in your htaccess…
10? How come you’re getting hacked so much?
I ran a query (I think) to look for those words and it said this, but WHERE IS LINE 1?????
#1064 – You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘Doxycycline Horny Goat Weed Where To Get Lipitor RX Price For Lasix Canada Amoxi’ at line 1
I think they are doing it through the server, not WP itself.
Anyway, how do I find Line 1?
Those specific words might not necessarily appear in the code on your site, but you may have some malicious code pulling spam in from an external site that’s generating those words.
So how do I find that?
I searched and it has the words in a post with the name of the blog which tells me it’s in a header somewhere….
So how do I fix it?
If you search you’ll see a post come up News and Views.. but no post, that’s the name of the blog… does that give you a hint as to where this is being pulled?
It only leads back to the blog, so I can’t see the purpose for the words.
OK I just made a new post and it’s on Google and say 4 mins ago, and it’s still putting in the words. I can’t for the life of me understand the purpose this hack as it goes NOWHERE.
You’ve not actually mentioned your URL, so I can’t search for it.
*Delete* all the core WordPress files and re-upload them with fresh copies from a new download of 2.9.1 (just follow the manual upgrade instructions).
*Delete* and re-upload all your plugins.
Ideally you’d do the same with your theme (or restore from a known good backup).
Delete your .htaccess and re-save your Permalinks (if you have them) – forcing WordPress to generate a new .htaccess. Be careful not to lose any customisations you might’ve done yourself.
Then read the Smackdown link above regarding your database. You might want to try things like Exploit Scanner too.
Getting hacked sucks I’m afraid. There aren’t really many shortcuts and it may require a lot of elbow grease on your part.
That said, have a look through your theme or plugin files first though. They’re quite popular targets as malicious code will survive even after you delete and re-upload the core WordPress files and well, people don’t change their theme or plugins that often.
Night.
I don’t use plugins, at all.
I”ve looked through every file, don’t see any users.
The only hint is I think the permalinks were reset to numbers and I fixed that.. but there is no code in there.
I can send you the URL by PM, don’t want to post it here…
Check this out also – http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
Plus, found a solution to a friend’s WP site upgraded to 2.9.1 but had a leftover hack. This old youtube video shows the solution – http://www.youtube.com/watch?gl=IT&hl=it&v=Obqa6jDV-WQ
I read that site and he assumes you know how to mess with the MyPhpAdmin which I DON’T . I obliterated my ability to get back into one of mine after deleting a wrong file… sorry.
But I just did upgrade, the extra two users magically showed up in the user panel, I deleted them and saw why I had a red X in the MyPhpAdmin and now see what it ‘s supposed to look like.
Posts are now coming up clean.
I change the PW to my user, my cpanel, but how to change it on the DB without screwing up the works???? If I change it in the config file, isn’t there someplace I have to change it in the MyPhpAdmin?????
