Support » Fixing WordPress » 2.5 – maybe hacked

  • I think I’ve been hacked, but I’m not sure.

    I have found at least 3 files, added to my site on Apr. 15. ad_wp-password.php, and then in plugins ad_hello.php and inside plugins/akismet there was ad_akismet.php.

    So – I’ve removed or renamed the files in question. (They all seem to be the same php code with the different names).

    I changed my admin password. Deleted all of my subscribers (they are all questionable anyway); checked the user table with PHPMyAdmin and there is only one user which is the admin. I changed the mysql password as well.

    I’ve not seen any posts with hidden iframes (guess that’s the next thing to look for);

    The thing that made me look for something was the presence of some off the wall incoming links (spammy looking comments from non-existent websites like (the title and the date are appropriate for a post on my site, but host is all wrong – not even in the ballpark).

    Is there anywhere else I should look? I think this might be something that is indeed left over from being hacked under 2.3.2 or 2.3.3 a couple of months ago. that one just put a whole hidden folder of pages in wp-content.

    I have a copy of the code if anyone should see it in order to figure this out.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Good so far, you should probably check all of the php files in your theme looking for the iframe insertion. Also check your plugins.

    Good luck

    Thanks – theme files are next.

    The dates on the plugin files seem ok, other than the ad_*.php files which were added on april 15. but I’ll look there as well.

    You might want to consider setting up some logging..

    Out of curiosity, how exactly does one go about checking for an iframe insertion? what would that look like? Thanks!

    You can search on iframe and find quite a few threads. Here’s one that will show in general what this hack looks like.

    i also believe i have been hacked. i have been experiencing problems with my site for some time now, perhaps the most noticible symptom was this:

    WordPress database error: [User ‘???????’ has exceeded the ‘max_questions’ resource (current value: 50000)]

    there is a discussion on this forum where i also posted my problem. then occassionaly my database would be hacked so that i would have to restore from a backup. this happened a few times over a month or so. i also noticed that i was getting high volumes of spam mail (viagra, watches, shoes and penis emlargement)

    i then checked the files and folders on my site and removed ones that looked suspect, restored my database and changed all user names and passwords. it worked….then all i got was a blank page but i am able to log in so i reselect my theme and view the site. its back and works perfectly….for a while then a blank screen again. so i select the classic theme and it works….until now when i tried to access my site i get the installation page, enter blog title and email. i am given a user name and password and am told my new blog has installed successfully. of course the database is gone.

    so i suspect that there must be some hack file within the plugins that i have installed or within the database backup that i keep restoring as i deleted all the other wordpress files and theme files, loading “clean” files.

    my question now is, how will i be able to screen the backup and plugin files (plugin not so important because i can download from original sites) but the backup contains all my posts, etc!!

    appreciate any help.



Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘2.5 – maybe hacked’ is closed to new replies.