Title: Hack affecting WordPress login
Last modified: August 20, 2016

---

# Hack affecting WordPress login

 *  [aimutch](https://wordpress.org/support/users/aimutch/)
 * (@aimutch)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/hack-affecting-wordpress-login/)
 * For the past week, I’ve been fighting some kind of hack of a WP site. The symptoms
   include:
   – Site appears to run normally for visitors.
   – A file named “whois.dat” is in the root directory where WP is installed. This
   file consists of JS and HTML that includes a lot of links to e-commerce sites for
   medical-related products.
   – Any administrative page past the login page comes up blank. When trying to
   view-source of the blank page, there’s zero HTML or PHP code displayed.
   – I’ve been unable to find any evidence that any of the files in the WP site have
   been compromised.
 * To restore the site, I’ve been forced to completely remove all the files and
   reinstall WP from scratch. Once I’ve done that, I can get to the admin page and
   reinstall plugins, theme, etc. But after doing that the first time, it was only
   a couple of days before I found the site compromised again with the same symptoms.
 * Any suggestions on what might be going on here and how to better lock down the
   site to keep this from happening again?

Viewing 9 replies - 1 through 9 (of 9 total)

 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/hack-affecting-wordpress-login/#post-2292237)
 * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
 *  [Phil](https://wordpress.org/support/users/owendevelopment/)
 * (@owendevelopment)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/hack-affecting-wordpress-login/#post-2292241)
 * Sounds like whoever hacked you added in a backdoor, so it’s like biting the head
   off a worm – the body remains and keeps going.
 * It may need a good look through your db for anything that shouldn’t be there,
   and definitely check your .htaccess file as this is a common way to enter your
   site.
 *  [ilrosewood](https://wordpress.org/support/users/ilrosewood/)
 * (@ilrosewood)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/hack-affecting-wordpress-login/#post-2292405)
 * I too have experienced this exact same hack on multiple sites. I did a SQL dump
   and went through it line by line and couldn’t find anything malicious or out
   of place. I’ve gone back through my theme and none of the theme files have been
   modified since the previous backup in May. I’ve rm -rf’d everything and started
   the site back from scratch. I’ve looked for modified files and the only file
   I can find is the whois.dat file in the root directory. No files make a reference
   to whois.dat nor do any of the SQL records. I had previously followed the hardening
   guide in the codex and I did it again when I reinstalled — so I set the file
   permissions for files and directories per that guide. After the hack I changed
   the mysql password and updated the wp-config file. I’ve also updated all passwords
   for users.
 * When the site is compromised I never see the compromised site. Everything always
   looks fine to me other than the /wp-admin not working as aimutch described.
 * aimutch — if you’ve been able to figure this one out, please let me know. I’ve
   been fighting this since about 8/30 and it is driving me batty.
 *  [ilrosewood](https://wordpress.org/support/users/ilrosewood/)
 * (@ilrosewood)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/hack-affecting-wordpress-login/#post-2292406)
 * I don’t know why diff -qr didn’t find this, nor a find, but…
 * I downloaded the latest WordPress to my local machine and then I downloaded the
   entire site so that I could go file by file. If it took all night, I didn’t care.
 * But I ran the latest WordPress download against the site download through Beyond
   Compare and I finally found an out of place file, /wp-includes/feed-comments.php,
   which had a clear as day base64 decode.
 * So I’ve nuked that file and the whois.dat that it was serving.
 * The backup I had from May was of the site files only and not the WordPress files.
   I checked the backup from the original hack on 8-31 and the modified files were
   there. I compared the other site that was hit with the same hack and it had the
   same modifications.
 * It created a global called _abc_ so I searched all files for “abc” to see if 
   anything was calling that global and I checked the db for that call as well.
 * Hopefully this finally gets rid of this stupid thing. Is there a clearing house
   that takes these hacks to break them down / trace them?
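The file-by-file comparison ilrosewood describes (a fresh WordPress download beside the full site download) can be done with hashes so that added files and modified files come out as two separate lists. `diff -qr` does report a file present in only one tree as an "Only in …" line, but those lines are easy to lose among the legitimately site-specific wp-content files, which is one reason a classified report helps. The script below is an added example written for this page, not code from the thread or from WordPress. It assumes both trees are already downloaded locally and that the reference tree is the same WordPress version the site runs; the sample trees it builds are constructed to mirror the thread's symptoms (an extra wp-includes/feed-comments.php, a whois.dat in the root, an altered root index.php), and their contents are placeholders, not the real malicious code.

```python
"""Hash every file in a pristine WordPress download and in the site download,
then classify what the site has that the release does not.

Added example for this thread; not code from the thread or from WordPress.
Assumes both trees are already downloaded locally and the reference tree is
the same WordPress version the site runs.
"""
import hashlib
import tempfile
from pathlib import Path

# The core download never contains these, a site always does.  They still
# need a manual read (aimutch found injected code in the root index.php and
# Phil pointed at .htaccess), so they are reported under "review", not ignored.
SITE_OWNED_ROOT_FILES = {"wp-config.php", ".htaccess"}
# Themes, plugins and uploads live here and cannot be compared against core.
SITE_OWNED_DIRS = {"wp-content"}


def hash_tree(root):
    """Return {relative posix path: sha256 hex digest} for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(reference, site):
    """Classify every file in the site download against the reference release.

    added:    on the site, absent from the release, outside wp-content
              (the feed-comments.php / whois.dat pattern from the thread)
    modified: in both trees but with different content (e.g. index.php)
    missing:  shipped with the release but gone from the site
    review:   legitimately site-owned files that still need a manual read
    """
    ref = hash_tree(reference)
    live = hash_tree(site)
    report = {"added": [], "modified": [], "missing": [], "review": []}
    for rel, digest in sorted(live.items()):
        top = rel.split("/", 1)[0]
        if rel in ref:
            if ref[rel] != digest:
                report["modified"].append(rel)
        elif rel in SITE_OWNED_ROOT_FILES:
            report["review"].append(rel)
        elif top not in SITE_OWNED_DIRS:
            report["added"].append(rel)
    report["missing"] = sorted(set(ref) - set(live))
    return report


def _write(root, rel, text):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Build a constructed pair of trees shaped like the thread's symptoms and compare them.
    All file contents are placeholders, not the real code from the thread."""
    tmp = Path(tempfile.mkdtemp())
    ref, site = tmp / "wordpress", tmp / "site"
    for root in (ref, site):
        _write(root, "index.php", "<?php require './wp-blog-header.php';\n")
        _write(root, "wp-includes/version.php", "<?php // core file, unchanged\n")
    # Site-only differences (constructed):
    _write(site, "index.php", "<?php /* injected */ require './wp-blog-header.php';\n")
    _write(site, "wp-includes/feed-comments.php", "<?php /* not a core file */\n")
    _write(site, "whois.dat", "<html><!-- spam links --></html>\n")
    _write(site, "wp-config.php", "<?php define('DB_NAME', 'wp');\n")
    _write(site, "wp-content/plugins/example-plugin/example-plugin.php", "<?php // plugin\n")
    return compare_trees(ref, site)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}:")
        for f in files:
            print(f"  {f}")
```

Run it against real trees with `compare_trees("/path/to/wordpress", "/path/to/site")`. Anything under "added" outside wp-content is, by construction, a file the release did not ship; "modified" is where the injected-index.php case lands; wp-content still has to be compared against fresh copies of each plugin and theme, which this script does not do.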
 *  Thread Starter [aimutch](https://wordpress.org/support/users/aimutch/)
 * (@aimutch)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/hack-affecting-wordpress-login/#post-2292407)
 * Nice find! I followed the same approach going through all the files looking for
   any changes. Nothing. I suspected that the hack was related to the feeds because
   I had stumbled across a reference to them in the DB that I think referenced
   whois.dat (it’s kind of a blur now but I know I was going down that route myself).
   I did a complete re-install with a fresh download of WP and re-installed all
   the WP plugins. I also changed my passwords. Things appear to have been working
   fine and I haven’t been getting the blank login screen. But looking at my root
   directory, the whois.dat file is there again. I’m not seeing the
   feed-comments.php file in my wp-includes directory. What was the specific code
   you’re seeing? I may have it elsewhere in my files.
 *  Thread Starter [aimutch](https://wordpress.org/support/users/aimutch/)
 * (@aimutch)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/hack-affecting-wordpress-login/#post-2292408)
 * Also, you should report this to the WP folks. It seems like something is taking
   advantage of some of the core code to accomplish this hack.
 *  [ilrosewood](https://wordpress.org/support/users/ilrosewood/)
 * (@ilrosewood)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/hack-affecting-wordpress-login/#post-2292411)
 * aimutch – download a full copy of your site to your computer. Then use a program
   like notepad++ that can do a recursive search of the contents of all the files
   that you downloaded.
 * Search for base64_decode — almost all backdoors are obfuscated by encoding their
   wares in base64. There are some times where base64_decode is called that is legit.
 * [http://pastebin.com/yKuaSN5x](http://pastebin.com/yKuaSN5x) is what my malicious
   code looked like.
 * If you see a line like that, remove it, re-upload, and if your site still works,
   great.
 * [http://sitecheck.sucuri.net/scanner/#](http://sitecheck.sucuri.net/scanner/#)—
   when I’d run that scan whilst infected it would show up there as infected. Once
   I removed the offending code and the whois.dat file the site showed clean.
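The recursive search for base64_decode that ilrosewood recommends, written out as an added example for this page (not code from the thread or from the pastebin links): it walks a downloaded tree, looks for a handful of obfuscation markers, and scores each line so that a lone base64_decode() call of the legitimate kind the post mentions ranks below a line that combines eval(), a decoder and a long encoded blob. It also flags `auto_prepend_file` in .htaccess, a known way of loading a PHP file on every request and relevant to Phil's advice to check that file. The marker list, the weights, the scanned extensions and the sample files are all this example's own assumptions; anything not in the list is not found.

```python
"""Score a site download for PHP obfuscation markers, worst lines first.

Added example for this thread; not code from the thread.  Markers, weights
and the constructed sample tree are assumptions chosen for illustration.
"""
import re
import tempfile
from pathlib import Path

# (compiled regex, weight, label).  Weights are heuristic: base64_decode() on
# its own is common in legitimate code, so it scores low alone and high when
# it shares a line with eval() or a long encoded blob.
MARKERS = [
    (re.compile(r"\beval\s*\("), 3, "eval()"),
    (re.compile(r"\bbase64_decode\s*\("), 2, "base64_decode()"),
    (re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("), 2, "decoder call"),
    (re.compile(r"\bcreate_function\s*\("), 2, "create_function()"),
    # preg_replace with the /e modifier executes the replacement as PHP.
    (re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*?[/#~|%][imsxu]*e[imsxu]*['\"]"), 3, "preg_replace /e"),
    (re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"), 2, "long base64-looking blob"),
    # Variables of the form $_name_ (the thread's _abc_ global).
    (re.compile(r"\$_[A-Za-z0-9]+_\b"), 1, "_name_ style global"),
    # .htaccess directive that loads a PHP file before every script.
    (re.compile(r"\bauto_(?:prepend|append)_file\b"), 3, "auto_prepend/append_file"),
]
SCAN_NAMES = {".htaccess"}
SCAN_SUFFIXES = {".php", ".phtml", ".inc", ".js", ".html", ".htm", ".dat"}


def scan_file(path, rel):
    """Return one finding per line that matches at least one marker."""
    findings = []
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        hits = [(w, label) for rx, w, label in MARKERS if rx.search(line)]
        if hits:
            findings.append({"file": rel, "line": lineno,
                             "score": sum(w for w, _ in hits),
                             "markers": [label for _, label in hits]})
    return findings


def scan_tree(root, min_score=3):
    """Walk the tree and return findings at or above min_score, highest score first."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name not in SCAN_NAMES and path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        findings.extend(scan_file(path, path.relative_to(root).as_posix()))
    findings = [f for f in findings if f["score"] >= min_score]
    return sorted(findings, key=lambda f: (-f["score"], f["file"], f["line"]))


def demo():
    """Constructed sample tree: the 'malicious' lines are placeholders shaped like
    the thread's description, not the real code from the pastebin links."""
    root = Path(tempfile.mkdtemp())
    blob = "QUJD" * 35  # 140 characters of base64-looking text, constructed
    samples = {
        "index.php": "<?php\n"
                     f"eval(base64_decode('{blob}'));\n"
                     "require('./wp-blog-header.php');\n",
        ".htaccess": "php_value auto_prepend_file /tmp/.x.php\n",
        "wp-content/plugins/legit/image.php": "<?php\n"
                     "echo base64_decode($encoded_png); // a single legitimate call\n",
        "wp-includes/version.php": "<?php\n$wp_version = 'x.y.z';\n",
    }
    for rel, text in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['score']:2d} {f['file']}:{f['line']}  {', '.join(f['markers'])}")
```

With the constructed tree, the eval/base64_decode line in index.php scores 7 and the .htaccess prepend scores 3, while the lone base64_decode() in the plugin scores 2 and falls under the default threshold. Lower `min_score` to 1 to see everything, including that legitimate call, and read each hit in context before deleting anything.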
 *  Thread Starter [aimutch](https://wordpress.org/support/users/aimutch/)
 * (@aimutch)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/hack-affecting-wordpress-login/#post-2292412)
 * Thanks! I’ll be reviewing my files today to see if I can find the offending code.
   I also appreciate the link to Sucuri. I hadn’t seen that site before and sure
   enough, it was reporting a couple of problems.
 *  Thread Starter [aimutch](https://wordpress.org/support/users/aimutch/)
 * (@aimutch)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/hack-affecting-wordpress-login/#post-2292413)
 * I discovered some code in my root index.php file. I’m sure this is connected 
   to it.
 * [http://pastebin.com/a3BAMHDx](http://pastebin.com/a3BAMHDx)


The topic ‘Hack affecting WordPress login’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 9 replies
 * 4 participants
 * Last reply from: [aimutch](https://wordpress.org/support/users/aimutch/)
 * Last activity: [14 years, 8 months ago](https://wordpress.org/support/topic/hack-affecting-wordpress-login/#post-2292413)
 * Status: not resolved
