Clean 2.8.4 Hacked :(

  • I had 2 instances of 2.8.3 running on separate databases, and both were hacked before I got the chance to upgrade. I upgraded, deleted all WordPress, plugin, and theme files, downloaded fresh zips of all, uploaded those, checked my permalinks structure (nothing out of the ordinary there), searched both databases for the “eval” and “base_” crud that supposedly causes it (nothing came up except for the blog post about it by lorelle @ http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/. Should that be in my databases??), and even had my hosting company look through my .htaccess file to ensure that anything that was there was supposed to be. Still getting the icky redirects and spyware warnings.

    Well, one of the installs of WP was just for design purposes and had virtually no content in it, so I went ahead and deleted all of its files AND its database. Started with a fresh clean database and a fresh clean 2.8.4 install of WordPress. Redownloaded and installed fresh versions of the plugins I use (FatFreeCart, Cleaner Gallery, and Lightbox 2), as well as the theme (Fixed Blix). The only files from the old install that I reuploaded were a handful of theme template files, which I meticulously went through with my own eyes beforehand (footer.php was NOT one of them).

    This fresh, clean install of 2.8.4 is STILL REDIRECTING randomly!!!!

    I’ve put in a help desk ticket with my host to make sure that my entire account didn’t get affected somehow, but I’m expecting them to tell me to ask here anyway, since it originated with 3rd party software. Help?

    ETA: Also wanted to mention that I’ve tested the new install by repeatedly hitting “reload” and clicking around on it via a Mac iBook using Opera, so I highly doubt it’s my machine that’s infected. I’ve checked my browser cache, and it’s clear. I’m no expert, though, so I guess it’s possible?

Viewing 15 replies - 1 through 15 (of 24 total)
  • Ugh, I don’t know why I even waste time posting here.

    Moderator Mark Ratledge

    @songdogtech

    Forum Moderator

    What did your web host say? Are you on shared hosting? Are you still getting redirects with all of your plugins disabled?

    Moderator Jan Dembowski

    @jdembowski

    Brute Squad and Volunteer Moderator

    Looks like you’ve done it right already. Can you share the URL? Other people confirming the behavior would at least confirm if it’s your blog or Mac.

    If your files, database, and .htaccess are all good then it’s possible the web server itself was compromised. If that’s the case, your hosting company would need to fix it.

    Moderator Mark Ratledge

    @songdogtech

    Forum Moderator

    She’s not going to get redirects from her local machine.

    Tell your host and find out what they’re doing for shared hosting clients. Sounds like their problem.

    WordPress hacked FAQ

    How to clean your hacked wordpress install.

    Dodgy iframes still in the database?

    Thanks guys! I’m glad I got desperate enough to come check back here!

    URL: http://www.goashleygo.com

    My host said that they looked through everything and my account “seems to be functioning normally.” I’m on shared hosting, I guess? I doubt that my $5/mo account is dedicated.

    Just did a search of my DB for “iframe” and got nothing.

    Today it seems to be happening when I hit the log in link in my footer, as well as randomly when I update an existing post or publish a new one.

    Tried the Exploit Scanner plugin, but most of what it brought up was either marked “could be legitimate” (so how do I know what’s not kosher?) or was in the Exploit Scanner itself (which is to be expected).

    I’ve checked all of my index.php files in WordPress. They all look as they should. I’ve looked through the source of my site home page and the add new post page. Nothing out of the ordinary there, but both have so many js things going on that there could very well be something there that I just don’t know enough to see.

    Is my last resort to use something like Winmerge and compare known clean files to ALL of the WordPress files on my server? Because that would really suck.

    🙁

    ETA: just disabled/reactivated my few plugins one by one, clicking around my site a bit in between each. It’s hard to tell if that did anything though, since the redirection seems to happen at random anyway.

    Did you use the same name and password as before? Did you create a new .htaccess file?

    What’s the URL so we all can at least see what shows up on this site?

    Hope we can help.

    Nope, changed all the passwords (used auto generated ones) and even changed the DB name and user name. Everything was created fresh and a clean 2.8.4 was installed.

    URL in my above post 😉

    Do you get the same problem if you use a different PC/Mac to access the site?

    Yep, happens on my PC desktop as well. I guess I should mention that we have found the koobface worm and some other random trojan on that thing, even though we use AVG and I don’t click on the warning windows (I just do the 3 finger salute to close out the browser). My husband takes care of that sort of thing. I’m a virus magnet, hence having bought myself the ibook.

    For a while I thought it was just that computer doing it, but am still being redirected here on my ibook using Opera as well, so assuming it’s still something to do with my installation of WordPress >.<;;

    Hmmm. I’ve got a funny feeling that Koobface screws with the DNS.

    I’d try it from a different network (ie one that hasn’t got viruses and spyware on it!!).

    so, take my laptop to someone else’s house and use their internet? How do we fix ours?

    Try a different PC/Mac, on a different (hopefully clean) network. You ideally want to narrow it down to your two computers if possible.

    can my husband try from his PC laptop here at our house on our wireless? Our Wii and xbox 360 also use our wireless…can this crap hurt those too?!

    ETA: and so it should be safe to allow others to visit my site then?

    You can try it… but whether it’ll prove anything if you still get redirected is a different matter. Might still be your website after all, but just trying to help eliminate possibilities for you – divide and conquer! I’m sure others will chime in if they’ve got any other genius ideas. There’s plenty of people reading this forum that are way more qualified to talk about this type of thing than me.

    I would suggest you make it a priority to clean up your known bad PC though. Having data stealing software on a PC is never a good thing. I’m sometimes amazed at how blase some people seem to be about that sort of thing (funnily enough, that usually only lasts until their bank account is suddenly empty and there’s a load of items they don’t remember buying on their credit card!)

    G’night!
