• Resolved smmworld

    (@smmworld)


    Hello,

    Last night the web hoster shut down a small site that they say has 13 files with malicious code in them:

    /CWC/wordpress/default.php
    ./app288880928/wp-content/default.php
    ./wsb5258811601/default.php
    ./default.php
    ./wordpress/mp3/default.php
    ./wordpress/_ej_.php
    ./wordpress/default.php
    ./wordpress/h_find.php
    ./wordpress/sys09725444.php
    ./wordpress/wp-admin/css/colors/blue/blues.php
    ./wordpress/wp-includes/default.php
    ./wordpress/wp-includes/class-wp-xmlrpc.php
    ./wordpress/wp-content/default.php

    The web hoster said “These files should be removed and replaced with a clean copy from WordPress or the theme vendor via FTP.”

    I already know the hacker entered through the CWC folder (older version of wordpress) and I will be deleting the whole folder.

    For the rest of the 12 files, could someone please tell me which of the 12 are specific to the wordpress platform and how I can get fresh copies of those files?

    Many thanks!

Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    delete them all.

    then delete the directories wp-admin and wp-includes

    then delete all PHP files in the root except wp-config.php (but check it for odd stuff)

    then upload a clean copy of wordpress onto the site

    THEN look through wp-content/uploads for any .php files and remove them (except for the occasional empty index.php file)

    THEN install WordFence and have it scan everything after checking all the boxes in the options section related to scanning

    THEN dump your database and do a quick scan through the content looking for <script> tags. If you find them, you may have compromised content, too.

    Good luck!

    Thread Starter smmworld

    (@smmworld)

    Thanks so much sterndata.

    Quick question:

    Shouldn’t the WordPress database be in the wordpress root folder? If not, where is it usually stored? Is it just one file? I am trying to locate it to back it up also, before doing the fresh installs.

    Many thanks

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    The WordPress database is not a file; it’s a series of files and processes managed by a MySQL or MariaDB server. If you have phpmyadmin available through your hosting control panel, you can use it to do an export of the DB as a backup.

    Thread Starter smmworld

    (@smmworld)

    Got it, site back up. Thank you again!

    Thread Starter smmworld

    (@smmworld)

    You wrote:

    “THEN dump your database and do a quick scan through the content looking for <script> tags. If you find them, you may have compromised content, too”

    How should this be done specifically?

    Many thanks,

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    I’d load the .sql file into an editor and look through it that way.

    Thread Starter smmworld

    (@smmworld)

    Thank you,
    I found 5 instances of <script>

    and they were all related to adwords from what I see:

    EXAMPLE:
    </ins><script>// <![CDATA[\n(adsbygoogle = window.adsbygoogle || []).push({});\n// ]]></script>\n\n<span style=”text-decoration: underline;”><a href=”

    Is that what you meant?

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    If you didn’t add those to the posts, then edit those posts through the normal WP editor and remove the script. (Do not try to edit the .SQL file.)

    Thread Starter smmworld

    (@smmworld)

    I just found out those adword ads are meant to be in every post. Thanks again Sterndata!

  • The topic ‘site hacked, 13 files – wordpress and/or theme’ is closed to new replies.
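
An added example, not written by any participant in the thread: a Python sketch of the `<script>` search over a database export discussed above, listing every script element with its table and line, and separating snippets the owner expects (such as the AdSense one in the thread) from ones that need review. The sample dump, the `EXPECTED_MARKERS` list and the function names are assumptions constructed for illustration.

```python
import re

# <script ...> ... </script>, case-insensitive; group 1 = attributes, group 2 = body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
# mysqldump writes each batch of rows as one line starting with INSERT INTO `table`.
TABLE_RE = re.compile(r"INSERT INTO `?(\w+)`?", re.I)
# Quotes inside dumped strings are backslash-escaped: src=\"https://...\"
SRC_RE = re.compile(r"""src\s*=\s*\\?["']?([^\\"'\s>]+)""", re.I)

# Assumption: substrings of snippets the site owner placed on purpose.
# A match only sorts the review queue; it does not prove a tag is benign.
EXPECTED_MARKERS = ("adsbygoogle",)

def scan_dump(lines, expected=EXPECTED_MARKERS):
    """Return one finding per <script> element found in a .sql dump."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        table = TABLE_RE.match(line)
        for m in SCRIPT_RE.finditer(line):
            src = SRC_RE.search(m.group(1))
            findings.append({
                "line": lineno,
                "table": table.group(1) if table else "?",
                "src": src.group(1) if src else None,
                "expected": any(k in m.group(0).lower() for k in expected),
                "snippet": m.group(0)[:80],
            })
    return findings

# Constructed sample in mysqldump style (not data from the thread's site).
SAMPLE_DUMP = r"""-- constructed sample dump
INSERT INTO `wp_posts` VALUES (1,'<ins class=\"adsbygoogle\"></ins><script>// <![CDATA[\n(adsbygoogle = window.adsbygoogle || []).push({});\n// ]]></script>'),(2,'Hello <SCRIPT src=\"https://cdn.example.invalid/x.js\"></SCRIPT>');
INSERT INTO `wp_options` VALUES (7,'blogname','My site');
"""

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP.splitlines()):
        status = "expected" if f["expected"] else "REVIEW"
        print(f'{status:8} line {f["line"]} table {f["table"]} src={f["src"]} {f["snippet"]}')
```

For a real export, pass an open file object (opened with `errors="replace"`) instead of the sample lines; anything reported as REVIEW is then removed through the normal WP editor, not by editing the dump.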