Google says we've been hacked, but I'm a newbie and need help (17 posts)

  1. sonaorillasdelrio
    Posted 4 years ago #

    Hi good folks,

    I really need some help. As a noob to website management, I am struggling to figure out how to address our site possibly being hacked. Yesterday I browsed to the site and received a message from google saying that the site had potentially been hacked, that the site was downloading something to computers without permission. Google's Webmaster tools says that the page that is infected is our http://www.lupenet.org home page.

    I have been following the different action steps that I've found through google's webmaster tools and the wordpress support forum FAQ for hacked blogs (located here: http://codex.wordpress.org/FAQ_My_site_was_hacked), but I am not advanced enough to be able to follow all of the steps.

    I redirected the site url to a page that says the site is down for maintenance and I've changed the passwords to the accounts that have access to updating the site via wordpress.

    The things I need help with are:

    *Changing my secret keys - I don't know how to find and then overwrite the values in my wp-config.php file. I don't even know how to find the wp-config.php file.

    *Checking my .htaccess file for hacks - HOw do I find the file? Once I find it, how do I check it for malicious code?

    *Replacing core files with ones from freshly downloaded zip - how do I replace core files?

    I have also been looking at the recommendations for Webmaster tools and they say to look for:
    Malicious scripts
    .htaccess redirects
    Hidden iframes

    How do I look for those things? The google diagnostic page for our site is located here: http://www.google.com/safebrowsing/diagnostic?site=lupenet.org

    I know that this is a lot, so as much help as yall can give me would be very appreciated!! Thanks in advance!

  2. Most of this stuff is done via FTP. If you want to manage any website, I suggest you get acquainted with FTP. That is how you access the wp-config.php file and re-upload the core file.

    You can hire people like the folks at sucuri.net to do this for you (and the are great) but they will also need your FTP info. I would suggest you get that info from your hosting provider asap.

  3. sonaorillasdelrio
    Posted 4 years ago #

    Hi Christine,

    Thanks so much for your response. Do you have any suggestions on where I can start learning about FTP?



  4. Johnb81
    Posted 4 years ago #

    Hi, some good reading to get you started with FTP:


  5. sonaorillasdelrio
    Posted 4 years ago #

    Thanks yall for the help.

    After some digging, I found some code that looks kind of like the badware examples I've been reading about online. I was wondering if yall could tell me if it is in deed malware before I attempt to delete it.

    I was looking in one of my index.php files and found a block of code that looks like this:

    [ Moderated: Mickey's right, please do NOT post malware code here again. ]

    It looks funky but doesn't include the script that google reported as being malware [ script link redacted ]

    Tanks again for yall's help!

  6. MickeyRoush
    Posted 4 years ago #

    Ported your code to Pastebin as a mod will soon delete it per codex:


  7. sonaorillasdelrio
    Posted 4 years ago #

    Thank you moderator and MickeyRoush. Sorry about that. I'll use pastebin.com next time.

    After doing some digging around and figuring out how to view and edit .php files, I found out that each .php file that I view has what looks like the same script starting with <?php /**/ eval(base64_decode(etc.

    I also logged on to our wordpress dashboard and noticed that it is not loading properly in firefox or internet explorer no matter how many times I reload it or load another page (media, posts, etc.). I don't know if this could be related but everything was working fine last time I updated the site and now both problems are happening at the same time.

    Thanks for all yall's help!

  8. cjchamberland
    Posted 4 years ago #

    You need to remove all the "/**/ eval(base64_decode(etc." code from your pages, this is malicous. Just be careful that you don't accidently remove something you shouldn't, simetimes they mix it in with your code just to make it difficult to remove.

    You also need to look for any php files in any image, css, upload, download, etc directories that would not normally have a php file in them. Check the file contents for base64 strings and thing that point to it being a php shell such as “FilesMan”, “c999sh”. If you find files like this, DELETE THEM.

  9. sonaorillasdelrio
    Posted 4 years ago #

    Hi cjchamberland,

    Thanks for your replay. Will the file names be "filesman" or "c999sh" or will those be words in the files?


  10. Johnb81
    Posted 4 years ago #

    They can be filenames. What you can do is download a new version of WordPress, extract it and compare the files of an original wordpress to yours.

  11. sonaorillasdelrio
    Posted 4 years ago #

    Hi yall,

    Another question, when I remove all the /**/ eval(base64_decode(etc. code, can I remove the <?php ;?> that surrounds it too? There is no other code besides the eval(base64_etc within those brackets and question marks. It seems like I can remove it, but I don't want to ruin something.

    Thanks for all the help so far!

  12. sonaorillasdelrio
    Posted 4 years ago #

    Hi again,

    I've been making progress little by little, not in actually getting our site cleaned, but better understanding what's going on. I found out that even if I clean all of the php files with the eval( code, it will just come back if I do not find the reason that it is being posted in the first place.

    I still don't know why that code is being posted to the php files, but I do know that a couple of our site pages have malicious script in them (google webmaster tools says so), and perhaps if I get rid of that script, I can stop the php files from having the eval( code added to them.

    So, can anyone tell me how do I find the code on our pages? I have browsed to the pages, opened "view source" and searched for the malicious script, but cannot find it. This is the code that webmaster tools is finding on our site: http://pastebin.com/vreett9v


  13. MickeyRoush
    Posted 4 years ago #

  14. sonaorillasdelrio
    Posted 4 years ago #

    Thanks MickeyRoush. That is the same thing google webmaster tools is telling me but I don't know where that code is actually written. How do I find that out?

  15. Mark Ratledge
    Forum Moderator
    Posted 4 years ago #

    You can't usually "view source" and find the code you're looking for; some is dynamically generated by php in your theme and/or WordPress files.

    You need to work through all the things needed to completely clean a hacked site. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex. Change all passwords. Scan your own PC.

    Tell your web host you got hacked; and consider changing to a more secure host:
    Recommended WordPress Web Hosting

    Consider looking for someone to fix it correctly on jobs.wordpress.net or freelancing sites such as Elance

  16. MickeyRoush
    Posted 4 years ago #

    @ sonaorillasdelrio

    From the sitecheck (note I broke the link):

    Security warning in the URL:

    If the code is not encoded (which it most likely is) you could download your whole site and grep the contents. If you're a Windows user you could use WinGrep to accomplish this.

    More than likely though, you may want to follow songdogtech's advice.

  17. tedinoz
    Posted 4 years ago #

    Maybe my experiences trying to get rid of the EXACT same hack may (or not) be helpful...

    To cut to the chase: We found today that it was not a php vulnerability (as I first thought) but rather our FTP account was being hacked.

    I've just spent two weeks on this. In the process I upgraded to the latest version of WP, deleted plugins, reviewed my htaccess and so on... I was able to get rid of the hacked code for a few days then it would come back. So, back into my php looking for a vulnerability. I hadn't ruled out an FTP problem but I had been so active that the logs were hard to understand, plus (I realise now) I didn't really know what I was looking for.

    The code came back again today. Fortunately I hadn't worked on the site for a few days so the logs were really easy to review. What I found was that our FTP account had been hacked; some how someone (it was an IP address in France) was using one of our FTP usernames and passwords.

    I had already found that the hacked code was consistently in our header.php, so I did a search on "header". I found where the FTP account was being accessed to download and then upload the header.php file, and not just in one folder/domain but in every folder that was accessible by that FTP account. Needless to say, the header.php that was uploaded included the 'base64_decode' hack.

    I won't bore you with our steps to close this backdoor, nor our steps to figure out how long it has existed, how it happened in the first place, and whether this is a case of industrial sabotage.

Topic Closed

This topic has been closed to new replies.

About this Topic