2.5 - maybe hacked (7 posts)

  1. nicollb
    Posted 8 years ago #

    I think I've been hacked, but I'm not sure.

    I have found at least 3 files, added to my site on Apr. 15. ad_wp-password.php, and then in plugins ad_hello.php and inside plugins/akismet there was ad_akismet.php.

    So - I've removed or renamed the files in question. (They all seem to be the same php code with the different names).

    I changed my admin password. Deleted all of my subscribers (they are all questionable anyway); checked the user table with PHPMyAdmin and there is only one user which is the admin. I changed the mysql password as well.

    I've not seen any posts with hidden iframes (guess that's the next thing to look for).

    The thing that made me look for something was the presence of some off the wall incoming links (spammy looking comments from non-existent websites like demoniashoes.yourshoestore.com/2008/04/06/emmaus (the title and the date are appropriate for a post on my site, but host is all wrong - not even in the ballpark)).

    Is there anywhere else I should look? I think this might be something that is indeed left over from being hacked under 2.3.2 or 2.3.3 a couple of months ago. That one just put a whole hidden folder of pages in wp-content.

    I have a copy of the code if anyone should see it in order to figure this out.

  2. mechx1
    Posted 8 years ago #

    Good so far, you should probably check all of the php files in your theme looking for the iframe insertion. Also check your plugins.

    Good luck

  3. nicollb
    Posted 8 years ago #

    Thanks - theme files are next.

    The dates on the plugin files seem ok, other than the ad_*.php files which were added on April 15, but I'll look there as well.

  4. whooami
    Posted 8 years ago #

    You might want to consider setting up some logging.


  5. wingedmonkeys
    Posted 8 years ago #

    Out of curiosity, how exactly does one go about checking for an iframe insertion? What would that look like? Thanks!

  6. mechx1
    Posted 8 years ago #

    You can search on iframe and find quite a few threads. Here's one that will show in general what this hack looks like.

  7. clivesgt
    Posted 8 years ago #

    I also believe I have been hacked. I have been experiencing problems with my site for some time now; perhaps the most noticeable symptom was this:

    WordPress database error: [User '???????' has exceeded the 'max_questions' resource (current value: 50000)]

    There is a discussion on this forum where I also posted my problem. Then occasionally my database would be hacked so that I would have to restore from a backup. This happened a few times over a month or so. I also noticed that I was getting high volumes of spam mail (viagra, watches, shoes and penis enlargement).

    I then checked the files and folders on my site and removed ones that looked suspect, restored my database and changed all user names and passwords. It worked....then all I got was a blank page but I am able to log in so I reselect my theme and view the site. It's back and works perfectly....for a while then a blank screen again. So I select the classic theme and it works....until now when I tried to access my site I get the installation page, enter blog title and email. I am given a user name and password and am told my new blog has installed successfully. Of course the database is gone.

    So I suspect that there must be some hack file within the plugins that I have installed or within the database backup that I keep restoring, as I deleted all the other WordPress files and theme files, loading "clean" files.

    My question now is, how will I be able to screen the backup and plugin files (plugin not so important because I can download from original sites) but the backup contains all my posts, etc!!

    Appreciate any help.
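Added example, not part of any post in this thread and not WordPress code: one way to do the checks discussed above, searching theme, plugin and database-backup files for iframes styled to be invisible and for files named like the `ad_*.php` files from the first post. The attribute heuristics, the function names and the `example.invalid` sample are assumptions constructed for illustration.

```python
import fnmatch
import os
import re
import sys

IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Attributes that hide a frame; quotes may be backslash-escaped in SQL dumps.
HIDDEN = re.compile(
    r"""(?:width|height)\s*[=:]\s*\\?["']?\s*[01](?:px)?\b"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)

# Constructed sample: a visible embed, then a dump row with a zero-size frame.
SAMPLE = r'''<iframe src="https://example.invalid/video" width="560" height="315"></iframe>
INSERT INTO wp_posts VALUES (7,'<iframe src=\"http://example.invalid/x\" width=\"0\" height=\"0\"></iframe>');
'''

def hidden_iframes(text):
    """Return (line_number, tag) for each iframe tag styled to be invisible."""
    hits = []
    for m in IFRAME.finditer(text):
        if HIDDEN.search(m.group(0)):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((line_no, m.group(0)[:120]))
    return hits

def scan_tree(root, name_glob="ad_*.php", exts=(".php", ".html", ".js", ".sql")):
    """Walk root; report suspicious file names (line 0) and hidden iframes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if fnmatch.fnmatch(name, name_glob):
                findings.append((path, 0, "filename matches " + name_glob))
            if name.lower().endswith(exts):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line_no, tag in hidden_iframes(fh.read()):
                        findings.append((path, line_no, tag))
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, line_no, what in scan_tree(root):
        print(f"{path}:{line_no}: {what}")
```

A hit is a lead to review by hand, not proof of compromise, and injected code that is obfuscated or writes the tag from script will not match these patterns.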



Topic Closed

This topic has been closed to new replies.