Support » Fixing WordPress » Google says we've been hacked, but I'm a newbie and need help

  • Hi good folks,

    I really need some help. As a noob to website management, I am struggling to figure out how to address our site possibly being hacked. Yesterday I browsed to the site and received a message from google saying that the site had potentially been hacked, that the site was downloading something to computers without permission. Google’s Webmaster tools says that the page that is infected is our http://www.lupenet.org home page.

    I have been following the different action steps that I’ve found through google’s webmaster tools and the wordpress support forum FAQ for hacked blogs (located here: http://codex.wordpress.org/FAQ_My_site_was_hacked), but I am not advanced enough to be able to follow all of the steps.

    I redirected the site url to a page that says the site is down for maintenance and I’ve changed the passwords to the accounts that have access to updating the site via wordpress.

    The things I need help with are:

    *Changing my secret keys – I don’t know how to find and then overwrite the values in my wp-config.php file. I don’t even know how to find the wp-config.php file.

*Checking my .htaccess file for hacks – How do I find the file? Once I find it, how do I check it for malicious code?

    *Replacing core files with ones from freshly downloaded zip – how do I replace core files?

    I have also been looking at the recommendations for Webmaster tools and they say to look for:
    Malicious scripts
    .htaccess redirects
    Hidden iframes

    How do I look for those things? The google diagnostic page for our site is located here: http://www.google.com/safebrowsing/diagnostic?site=lupenet.org

    I know that this is a lot, so as much help as yall can give me would be very appreciated!! Thanks in advance!

Viewing 15 replies - 1 through 15 (of 16 total)
  • Christine Rondeau

    (@crondeau)

    Volunteer Forum Moderator

    Most of this stuff is done via FTP. If you want to manage any website, I suggest you get acquainted with FTP. That is how you access the wp-config.php file and re-upload the core file.

You can hire people like the folks at sucuri.net to do this for you (and they are great) but they will also need your FTP info. I would suggest you get that info from your hosting provider asap.

    Hi Christine,

    Thanks so much for your response. Do you have any suggestions on where I can start learning about FTP?

    Thanks!

    -jm

    Hi, some good reading to get you started with FTP:

    http://codex.wordpress.org/FTP_Clients
    http://codex.wordpress.org/Using_FileZilla

    Thanks yall for the help.

After some digging, I found some code that looks kind of like the badware examples I’ve been reading about online. I was wondering if yall could tell me if it is indeed malware before I attempt to delete it.

    I was looking in one of my index.php files and found a block of code that looks like this:

    [ Moderated: Mickey’s right, please do NOT post malware code here again. ]

    It looks funky but doesn’t include the script that google reported as being malware [ script link redacted ]

Thanks again for yall’s help!

    Ported your code to Pastebin as a mod will soon delete it per codex:
    http://codex.wordpress.org/Forum_Welcome#Posting_Code

    http://pastebin.com/yqt6UMtp

    Thank you moderator and MickeyRoush. Sorry about that. I’ll use pastebin.com next time.

    After doing some digging around and figuring out how to view and edit .php files, I found out that each .php file that I view has what looks like the same script starting with <?php /**/ eval(base64_decode(etc.

    I also logged on to our wordpress dashboard and noticed that it is not loading properly in firefox or internet explorer no matter how many times I reload it or load another page (media, posts, etc.). I don’t know if this could be related but everything was working fine last time I updated the site and now both problems are happening at the same time.

    Thanks for all yall’s help!

You need to remove all the “/**/ eval(base64_decode(etc.” code from your pages, this is malicious. Just be careful that you don’t accidentally remove something you shouldn’t, sometimes they mix it in with your code just to make it difficult to remove.

You also need to look for any php files in any image, css, upload, download, etc directories that would not normally have a php file in them. Check the file contents for base64 strings and things that point to it being a php shell such as “FilesMan”, “c999sh”. If you find files like this, DELETE THEM.

    Hi cjchamberland,

Thanks for your reply. Will the file names be “filesman” or “c999sh” or will those be words in the files?

    Thanks!

    They can be filenames. What you can do is download a new version of WordPress, extract it and compare the files of an original wordpress to yours.

    Hi yall,

    Another question, when I remove all the /**/ eval(base64_decode(etc. code, can I remove the <?php ;?> that surrounds it too? There is no other code besides the eval(base64_etc within those brackets and question marks. It seems like I can remove it, but I don’t want to ruin something.

    Thanks for all the help so far!

    Hi again,

    I’ve been making progress little by little, not in actually getting our site cleaned, but better understanding what’s going on. I found out that even if I clean all of the php files with the eval( code, it will just come back if I do not find the reason that it is being posted in the first place.

    I still don’t know why that code is being posted to the php files, but I do know that a couple of our site pages have malicious script in them (google webmaster tools says so), and perhaps if I get rid of that script, I can stop the php files from having the eval( code added to them.

    So, can anyone tell me how do I find the code on our pages? I have browsed to the pages, opened “view source” and searched for the malicious script, but cannot find it. This is the code that webmaster tools is finding on our site: http://pastebin.com/vreett9v

    Thanks!

    Thanks MickeyRoush. That is the same thing google webmaster tools is telling me but I don’t know where that code is actually written. How do I find that out?

    Moderator Mark Ratledge

    (@songdogtech)

    Forum Moderator

    You can’t usually “view source” and find the code you’re looking for; some is dynamically generated by php in your theme and/or WordPress files.

    You need to work through all the things needed to completely clean a hacked site. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex. Change all passwords. Scan your own PC.

    Tell your web host you got hacked; and consider changing to a more secure host:
    Recommended WordPress Web Hosting

    Consider looking for someone to fix it correctly on jobs.wordpress.net or freelancing sites such as Elance

    @ sonaorillasdelrio

    From the sitecheck (note I broke the link):

    Security warning in the URL:
    hxxp://lupenet.org/wp-content/uploads/2012/07/index-temp.html/404-avascript.js

    If the code is not encoded (which it most likely is) you could download your whole site and grep the contents. If you’re a Windows user you could use WinGrep to accomplish this.

    More than likely though, you may want to follow songdogtech’s advice.
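The three checks suggested across this thread (look for the injected `eval(base64_decode(` code and shell markers such as “FilesMan” and “c999sh”, look for .php files sitting in upload/image/css directories, and compare your files against a freshly downloaded WordPress) can be done in one pass once you have downloaded the whole site over FTP, which is the "download and grep" approach mentioned just above. The script below is an added example written for this page, not code from any of the posters or from WordPress. It assumes you have the downloaded site in one directory and a clean, freshly unpacked WordPress of the same version in another; the indicator strings and directory names are the ones named in the thread, and `build_demo` creates a small constructed sample tree so the scan can be run offline without touching a real site.

```python
"""Scan a downloaded WordPress tree for the indicators discussed in the thread.

Added example (not from the forum posters or WordPress itself). Assumes:
  - site_root  : directory holding the site downloaded over FTP
  - clean_root : a freshly unpacked WordPress zip of the same version
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators named in the thread: obfuscated eval payloads and strings that
# commonly appear in PHP shells. Matched against raw bytes so encoding does
# not matter.
INDICATORS = [
    ("eval(base64_decode", re.compile(rb"eval\s*\(\s*base64_decode", re.IGNORECASE)),
    ("FilesMan", re.compile(rb"FilesMan")),
    ("c999sh", re.compile(rb"c999sh")),
]

# Directories that normally hold media or assets, never PHP.
NO_PHP_DIRS = {"uploads", "images", "img", "css", "download", "downloads"}


def find_suspicious_files(site_root):
    """Return sorted (relative_path, reason) tuples for files worth a manual look."""
    site_root = Path(site_root)
    findings = []
    for path in site_root.rglob("*"):
        if not path.is_file():
            continue
        rel_path = path.relative_to(site_root)
        rel = rel_path.as_posix()
        # A .php file under an asset directory is suspicious by location alone.
        if path.suffix.lower() == ".php" and NO_PHP_DIRS & set(rel_path.parts[:-1]):
            findings.append((rel, "php file in asset directory"))
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        for name, pattern in INDICATORS:
            if pattern.search(data):
                findings.append((rel, f"contains {name}"))
    return sorted(findings)


def compare_with_clean_copy(site_root, clean_root):
    """Diff the site's .php files against a fresh WordPress unpack.

    Returns (modified, extra): core files whose contents differ, and .php files
    outside wp-content/ that a clean install does not ship (wp-config.php is
    expected to be site-specific and is ignored).
    """
    site_root, clean_root = Path(site_root), Path(clean_root)

    def sha256(p):
        return hashlib.sha256(p.read_bytes()).hexdigest()

    clean = {p.relative_to(clean_root).as_posix(): sha256(p)
             for p in clean_root.rglob("*") if p.is_file()}
    modified, extra = [], []
    for p in site_root.rglob("*.php"):
        rel = p.relative_to(site_root).as_posix()
        if rel == "wp-config.php":
            continue
        if rel in clean:
            if sha256(p) != clean[rel]:
                modified.append(rel)
        elif not rel.startswith("wp-content/"):
            # Themes/plugins live under wp-content and are not in the zip;
            # anything else that is not in the zip should not be there.
            extra.append(rel)
    return sorted(modified), sorted(extra)


def build_demo():
    """Create a constructed sample site and clean copy in a temp dir (sample data, not a real site)."""
    base = Path(tempfile.mkdtemp())
    clean, site = base / "clean", base / "site"
    (clean / "wp-includes").mkdir(parents=True)
    (clean / "index.php").write_text("<?php\nrequire 'wp-blog-header.php';\n")
    (clean / "wp-includes" / "version.php").write_text("<?php\n$wp_version = 'demo';\n")

    (site / "wp-includes").mkdir(parents=True)
    (site / "wp-content" / "uploads" / "demo").mkdir(parents=True)
    # Injected line prepended to index.php, as described in the thread (inert text).
    (site / "index.php").write_text("<?php /**/ eval(base64_decode('QUJD')); ?>\n"
                                    "<?php\nrequire 'wp-blog-header.php';\n")
    (site / "wp-includes" / "version.php").write_text("<?php\n$wp_version = 'demo';\n")
    (site / "wp-includes" / "wp-cache-helper.php").write_text("<?php\n")  # not in clean zip
    (site / "wp-content" / "uploads" / "demo" / "shell.php").write_text("<?php // FilesMan\n")
    (site / "wp-content" / "uploads" / "demo" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    return site, clean


if __name__ == "__main__":
    site, clean = build_demo()
    for rel, reason in find_suspicious_files(site):
        print(f"{reason:30} {rel}")
    modified, extra = compare_with_clean_copy(site, clean)
    print("modified core files:", modified)
    print("extra php files:", extra)
```

Run it against the real download by replacing the `build_demo()` call with the two directory paths. Review every hit by hand before deleting anything: the indicator list catches the specific strings mentioned in this thread, not every possible injection, and a legitimate plugin can occasionally contain a base64 string, so the "modified" list from the clean-copy comparison is the more reliable signal for core files.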

  • The topic ‘Google says we've been hacked, but I'm a newbie and need help’ is closed to new replies.