Blog Hacked — How Do I Locate All Malicious Code?
I apologize in advance for the length of this post.
My hosting company verified today that the version of WordPress
(2.5.1) I was using on my http://myonlinehealtharticles.com blog had
been hacked. This was also confirmed when the hacker’s hosting company
took down the content the hacker had stolen from me, which had been
displaying on http://hothhealtharticles.net. (Every change I made to
my blog showed up simultaneously on http://hothhealtharticles.net.)

While waiting for action from the hacker’s hosting company, I
uninstalled WP 2.5.1 and did a manual reinstall of WP 2.6, using a
database back-up from 7/14. Since from what I could tell the hack
occurred on 7/25, I thought I might be safe using a nearly two-week-
old back-up. But even after the reinstall, my content still appeared
on the hacker’s site. Thankfully, this was cured when the host finally
booted him off their server this afternoon. But I don’t know if I’m
out of the woods yet because of some 404 URLs I found today in
Webmaster tools.

Over the weekend I found 4 strange 404 messages on http://myonlinehealtharticles.com
and requested that Google remove them. My hosting company said these
were evidence of the hack. Other than those 4, there were no 404
errors at that time on any of my other blogs. (I have GoDaddy deluxe
hosting, which allows me to have multiple Web sites/blogs under the
same account. http://myonlinehealtharticles.com is in the root of that
account.)

Today I found the following 404 URLs on another one of my blogs:
http://vintageholidaycrafts.com/2008/01/page/2/
http://vintageholidaycrafts.com/2008/06/page/2/
http://vintageholidaycrafts.com/category/
http://vintageholidaycrafts.com/category/4th-of-july-vintage-postcards/
http://vintageholidaycrafts.com/catego…day/page/4th-of-july-vintage…
http://vintageholidaycrafts.com/catego…t/page/4th-of-july-free-colo…
http://vintageholidaycrafts.com/catego…christmas-ornament-free-ship…
http://vintageholidaycrafts.com/catego…christmas-ornament-free-ship…
http://vintageholidaycrafts.com/catego…christmas-ornament-free-ship…
http://vintageholidaycrafts.com/category/valentines-day/page/
http://vintageholidaycrafts.com/catego…n/page/4th-of-july-free-colo…
http://vintageholidaycrafts.com/catego…ian/page/4th-of-july-vintage…
http://vintageholidaycrafts.com/catego…ntage-santa-claus-kids-chris…
http://vintageholidaycrafts.com/tag/parenting/

Here’s the really strange part: The first two URLs look like they
should go to http://vintageholidaycrafts.com (one of my blogs), but
they go to http://myonlinehealtharticles.com instead. On those two
pages, it looks like the URL is being forwarded, which is not
something I set up. This is the same thing I experienced with the
hacker’s Web site; everything forwarded to his domain.

I can obviously remove these in Webmaster tools but my concern is that
there’s still a breach. Does anyone know how to find and remove the
code that allows these pages to be created?

And here’s a separate but related issue:
My boyfriend’s blogs were hacked and numerous pages were created with
someone else’s AdSense code on them. You can see examples at
http://onlinechessstrategy.com/2008/03/01/chess-puzzles-1-4/sitemap.xml
and http://onlinechessstrategy.com/2008/03…to-online-chess-puzzles-1-4/….
Those pages and the ads they contain were created by the hacker. There
were many more pages created but these two should give you the idea.
All of his hacked pages end in sitemap.xml.

My boyfriend was able to find the URLs listed in his database but he
wasn’t sure what to do with them. Is it advisable to just remove them?
And of course, he has the same issue that I do about how to keep this
from happening in the future.

Any advice would be much appreciated.