• Resolved kiddsock

    (@kiddsock)


    I wonder if my WP was hit by a virus. Not my computer though. Whenever I go to my website OR my admin, my Virus protection blocks a URL coming from both. http://kiddsock.com

    The object blocked is ninoplas.com/in.php Anyone know anything about this??

    Plus my Admin is not loading right at all. Some of the Widgets say they need JavaScript. I have it and it seems to be running fine everywhere else. (I will have to get a screenshot and post it.)

    I have used multiple computers and multiple browsers to check. Chrome, Firefox & IE. Even the WordPress Login page is having the same issue.

    Thank you in Advance.

Viewing 15 replies - 16 through 30 (of 31 total)
  • because it’s not just wordpress being hacked at godaddy

    Indeed, as I also found infected PHP files in a directory entirely different than WordPress’.

    Thread Starter kiddsock

    (@kiddsock)

    Hmm hopefully I got it all. It seems to be ok. I contacted GoDaddy support and I got pretty much a big long automated reply back stating the hazards of viruses and hacks AND that there was nothing they could do. Plus a recommendation to have a good password. Yeah, DUH!!

    Now I just have to get the WordPress Classic_Theme back since I deleted it, but it is not in the Themes listed to Install.

    I did find an AntiVirus Plugin so hope that helps as well.

    Hi Krkhan, I visited your blog about the bash script you made.
    I’ve changed the needle value to the base64 code found on all of my infected php files.
    Can you please tell me how do I execute this script?
    I’m a newbie in bash.
    Where do I input these commands: cd; wget; sh ?

    My blog too is hosted on godaddy. Not only wordpress, my SMF & vB Forums too are infected with same base64 code in 1st line. It decodes to some javascript. Bloody hell, someone please help. My company’s reputation is at risk. Most of my client’s websites are hosted on the same server.

    Now I just have to get the WordPress Classic_Theme back since I deleted it, but it is not in the Themes listed to Install.

    just grab the new wordpress zip and get it from there

    dvwp

    (@dvwordpress)

    our site is at godaddy as well, but a quick check showed other files and directories were untouched. a look at the logs during the days around the time the site got hacked show posts from china and korea. google analytics also shows a visit from germany. this is unusual as our site is just starting, so the logs are pretty easy to go through since we’re not publicly known yet, especially internationally.

    it seems that this particular hack adds the base64 crap at the top of all your php pages. this (i’m guessing) is a coded script to add an encoded script at the end of your page. (this can be viewed by looking at your page source in a browser.)

    another way to check things is to make all plug-ins inactive. when this is done you will probably see the hacked script removed from your pages when checked with your browser.

    sorry not to be more helpful, but this is my first time hunting for hackers! 🙂

    dvwp

    (@dvwordpress)

    ps. it is my theory that all wp blogs with weak passwords hosted at godaddy are probably victims of this hack.

    fyi all in one seo is the only plugin which i share with both of the above lists, if that is informative in any way.

    Thread Starter kiddsock

    (@kiddsock)

    @samboll that is exactly what I did, and then uploaded it.

    Thanks!!

    @jjm0109: I replied to the comment too but anyways you need SSH access for using the script.

    And I don’t believe this had anything to do with passwords being weak. My password was a random string of digits, mixed case characters and symbols (something like: 34faewSWASA_B).

    On my site, _every_ PHP file in existence regardless of its location (inside or outside WP directory) was infected. It seems pretty certain now that GoDaddy’s servers were breached. Too bad they won’t ever accept that.

    I’ll second the godaddy issue…

    My problem that I documented here:
    http://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

    Came back after cleaning. I know quite well that my files were all spotless, my DBs were all spotless, I had accounted for every file on my server, and my passwords were all good. I’d been hacked twice before and learned good and well how to take care of my personal security issues.

    I had removed all non-WP software, as other packages I wasn’t as familiar with, and I didn’t feel they were addressing security well enough.

    So I had everything clean and taken care of…..but then again all my php files were altered. Of course godaddy was no help with the issues.

    The virus is on my site as well, allenews.com since yesterday, I cleaned all php files from the code but the virus code keeps appearing in the bottom of the site? Does anyone have a suggestion of how I can clean the virus? Maybe I missed one of the php files and this is why the code is still there? Please Helpppp…

    have you read all the links on here?
    if you were thorough, you would be clean!

    dvwp

    (@dvwordpress)

    allenews:

    do what i suggest and deactivate all your plugins. still get the virus code? then you missed a php file.

    virus code gone when plug ins deactivated?
    upload new versions of the plug-ins.

    as part of that reading suggested, if you’ve been hacked…

    ALL plugins need to be deleted and reinstalled
    ALL theme files also
    ALL WP core files also (a reinstall will take care of this except for wp-config.php which can be cleaned by hand)
    …..see a pattern? It’s all very clear in the linked reading….if you skip any of it, it will come back.

    Have you looked for php files that don’t belong? That’s often a culprit…. if you clean the code from every single php file, but leave the php file injecting the code, it’ll happen over and over!
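Added example, not part of any post in this thread and not Krkhan's script: a read-only POSIX shell check for the two things the replies above describe, PHP files whose first line carries the injected base64 string and PHP files that do not exist in a fresh WordPress copy. The function names, the directory layout and the marker string are constructed for illustration; substitute the exact string found in your own infected files.

```shell
# Added illustration. Nothing here modifies or deletes files.
# scan_first_line ROOT NEEDLE: print *.php files whose FIRST line contains NEEDLE.
# Only line 1 is checked, so legitimate base64_decode() calls deeper in a file
# are not reported (and a marker moved to line 2 would be missed).
scan_first_line() {
    root=$1
    needle=$2
    find "$root" -type f -name '*.php' -exec sh -c '
        needle=$1; shift
        for f in "$@"; do
            if head -n 1 "$f" | grep -qF -- "$needle"; then
                printf "%s\n" "$f"
            fi
        done
    ' sh "$needle" {} +
}

# list_unexpected SITE CLEAN: print *.php paths present under SITE but absent
# from CLEAN (an unpacked fresh WordPress zip). Plugin and theme files also
# show up here and should be compared against their own fresh downloads.
list_unexpected() {
    site=$1
    clean=$2
    ( cd "$site" && find . -type f -name '*.php' ) | sort | while IFS= read -r rel; do
        [ -f "$clean/$rel" ] || printf '%s\n' "${rel#./}"
    done
}

# Constructed sample tree: one injected file, one clean file, one extra file.
# The base64 payload is the harmless text "CONSTRUCTED".
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/site/wp-admin" "$d/clean/wp-admin"
    printf '%s\n' '<?php // clean' > "$d/clean/index.php"
    printf '%s\n' '<?php // clean' > "$d/clean/wp-admin/admin.php"
    printf '%s\n' '<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?><?php // index' \
        > "$d/site/index.php"
    cp "$d/clean/wp-admin/admin.php" "$d/site/wp-admin/admin.php"
    printf '%s\n' '<?php // not in core' > "$d/site/wp-admin/x.php"
    printf '%s\n' "$d"
}

# Demo run on the constructed tree.
t=$(make_sample)
scan_first_line "$t/site" 'base64_decode("Q09OU1RSVUNURUQ="'
list_unexpected "$t/site" "$t/clean"
rm -rf "$t"
```

On a real host the first argument is the account's web root rather than only the WordPress directory, since posters in this thread found infected PHP files outside it as well.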

    dvwordpress – did what you said, now it’s all clean, hope it won’t come back again. In case it does I guess I’ll have to do whatever RVoodoo says, that won’t be fun :) Thank You!!

    Is “_transient_random_seed” a normal option in the wp_options table in a WP db? The value is a long string of numbers, unlike the other option values in the table.

    After checking that no extra users were added, I’m reviewing the rest of my db files after the ninoplas hit

  • The topic ‘Admin blown up & possible Virus??’ is closed to new replies.