Title: Hack Warning
Last modified: August 19, 2016

---

# Hack Warning

 *  [smoothyazz](https://wordpress.org/support/users/smoothyazz/)
 * (@smoothyazz)
 * [16 years, 7 months ago](https://wordpress.org/support/topic/hack-warning/)
 * We’ve been getting a LOT of reports of people who’ve suddenly noticed their sites
   have some weird stuff in the URLs. Notably “eval” and “base64_decode”.
 * [http://wordpress.org/support/topic/307652](http://wordpress.org/support/topic/307652)
   [http://wordpress.org/support/topic/297639](http://wordpress.org/support/topic/297639)
   [http://wordpress.org/support/topic/307518](http://wordpress.org/support/topic/307518)
 * So far, all of these reports (that I can find) have been on people running older
   versions of WordPress.
 * The hack attack also works on the newest version. The reason for these attacks
   are infected themes (with a link to casino sites). I am not a programmer. But
   be aware these malicious codes work with a html-virus which is a trojan. They
   can spy out your passwords and occupy your wordpress-blog and your website. They
   can even infect further websites as I was informed by my provider by downloading
   a virus. I downloaded the infected themes here:
 * [http://www.wordpressthemebase.com](http://www.wordpressthemebase.com)
 * Infected are Header and Footer of these themes. I was warned by the Antivir-software
   AVIRA. After I deleted these themes, they hacked my site. So await everything
   evil. They are very active!

Viewing 9 replies - 1 through 9 (of 9 total)

 *  [Rev. Voodoo](https://wordpress.org/support/users/rvoodoo/)
 * (@rvoodoo)
 * [16 years, 7 months ago](https://wordpress.org/support/topic/hack-warning/#post-1229202)
 * Yeah, there are a lot of posts on here about that, including a thread I started
   yesterday.
 * [http://wordpress.org/support/topic/316011?replies=9](http://wordpress.org/support/topic/316011?replies=9)
 * Mine didn’t come from a dirty theme, as I make all my own themes. But yeah, every
   single php file I had, on all my sites got infected….I’m still waiting to see
   what permanent damage was done after the cleanup
 * It’s truly nasty
 *  [Mobster](https://wordpress.org/support/users/mobster/)
 * (@mobster)
 * [16 years, 7 months ago](https://wordpress.org/support/topic/hack-warning/#post-1229207)
 * Why can’t eval scripts be blocked altogether on a server? Wouldn’t that solve
   this problem?
 * Sure it would force a few javascript plugins to rethink.
 *  Thread Starter [smoothyazz](https://wordpress.org/support/users/smoothyazz/)
 * (@smoothyazz)
 * [16 years, 7 months ago](https://wordpress.org/support/topic/hack-warning/#post-1229222)
 * Looks like the problem is more serious, as I estimated. My website is closed 
   by the provider. He’ll try to restore the files from a backup and fix the exploited
   files. Looks like the exploit is downloading a virus to the client PCs and infected
   some other websites. Anyway take good care before downloading themes from outside
   wordpress.org.
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [16 years, 7 months ago](https://wordpress.org/support/topic/hack-warning/#post-1229225)
 * >  … every single php file I had, on all my sites got infected.
 * and THAT’S a sure sign of malware on a machine that you are using.
 *  [Rev. Voodoo](https://wordpress.org/support/users/rvoodoo/)
 * (@rvoodoo)
 * [16 years, 7 months ago](https://wordpress.org/support/topic/hack-warning/#post-1229347)
 * Actually, I’m pretty sure it’s not the machine I’m using. I use a laptop that’s
   freshly formatted and very secure….and I rechecked it last night multiple ways….
   it’s clean. The only other computer I use is at work, and that’s very secure,
   also clean.
 * One thing to check out….I believe I may have tracked the issue down on the simplemachines.org
   forum, if you are using an install of that software. Anything other than
   the latest version (1.x or 2.x) of the simplemachines forum was vulnerable to
   a hack that came in with a certain user. If you use simplemachines, and have
   a user called krisbarteo, then most likely you got hacked. You can check it out
   over there, but it results in the same base64_decode problem. Basically a lot
   of the people over on that forum noticed spammy links hidden on their forum
   (I never got that), but on further investigation, all their php files on their
   server for any site had the base64 business on it.
 * So I can’t even tell where my hack came in at. I noticed it first on my wordpress,
   but it very well may have come in through my forum.
 *  [pembo210](https://wordpress.org/support/users/pembo210/)
 * (@pembo210)
 * [16 years, 6 months ago](https://wordpress.org/support/topic/hack-warning/#post-1229457)
 * My site has been hacked three times in the last 2 weeks. I have all the security
   plugins and have changed multiple settings including chmods, auth keys, .htaccess,
   and admin user names. I have all the newest versions and multiple forms of protection
   on my local machine.
    Go Figure…
 *  [Rev. Voodoo](https://wordpress.org/support/users/rvoodoo/)
 * (@rvoodoo)
 * [16 years, 6 months ago](https://wordpress.org/support/topic/hack-warning/#post-1229458)
 * You’ve gone through every folder on your host? It’s a pain…
 * I think I’ve finally got everything clean. I had a test.php file hidden 3 levels
   deep in my shop in a different directory.
 * I just found 2 more whatever.php files in a 2008 uploads folder of a different
   WP install
 * Those allowed people to change my main WP install….the only way I found them 
   was by noting the timestamp of an altered file, then checking my server logs 
   for that exact time to see what happened.
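
Added example, not written by any participant in this thread: a Python sketch of the two checks the post above describes, flagging PHP files that contain `eval(base64_decode(` or sit under an `uploads` folder, and pulling the access-log lines stamped near an altered file's modification time. The function names, the 60-second window, the sample log lines and the combined log format are assumptions made for illustration.

```python
import os, re, tempfile
from datetime import datetime, timezone

INJECTED = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)  # strings named in the thread
LOG_TIME = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
# Constructed access-log lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Oct/2009:03:14:02 +0000] "GET /blog/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Oct/2009:04:27:31 +0000] "POST /wp-content/uploads/2008/whatever.php HTTP/1.1" 200 17',
    '198.51.100.7 - - [12/Oct/2009:09:00:00 +0000] "GET /feed/ HTTP/1.1" 200 900',
]

def scan_tree(root):
    """Map each suspicious .php file under root to the reasons it was flagged."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".php")):
            path, reasons = os.path.join(dirpath, name), []
            with open(path, "rb") as fh:
                if INJECTED.search(fh.read()):
                    reasons.append("eval(base64_decode")
            if "uploads" in os.path.relpath(path, root).split(os.sep):
                reasons.append("php-in-uploads")  # uploads should hold media, not code
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def requests_near(log_lines, path, window_s=60):
    """Return log lines stamped within window_s seconds of path's mtime."""
    when = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    hits = []
    for line in log_lines:
        m = LOG_TIME.search(line)
        if m and abs((datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
                      - when).total_seconds()) <= window_s:
            hits.append(line)
    return hits

def demo():
    """Build a constructed web root and run both checks against it."""
    with tempfile.TemporaryDirectory() as root:
        up = os.path.join(root, "wp-content", "uploads", "2008")
        os.makedirs(up)
        with open(os.path.join(up, "whatever.php"), "wb") as fh:
            fh.write(b"<?php /* constructed stand-in */ ?>")
        index = os.path.join(root, "index.php")
        with open(index, "wb") as fh:
            fh.write(b"<?php eval(base64_decode('PLACEHOLDER')); ?>")
        stamp = datetime(2009, 10, 12, 4, 27, 33, tzinfo=timezone.utc).timestamp()
        os.utime(index, (stamp, stamp))
        return scan_tree(root), requests_near(SAMPLE_LOG, index)
```

A file's modification time can be reset by whoever altered it, so an empty result from `requests_near` does not clear the file; the content scan and the log search are meant to be read together.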
 *  [melissaaggie](https://wordpress.org/support/users/melissaaggie/)
 * (@melissaaggie)
 * [15 years, 10 months ago](https://wordpress.org/support/topic/hack-warning/#post-1229506)
 * What can I do if I suspect that I’ve been hacked? I’m desperately trying to find
   someone who can help me and who specializes in WordPress Blog viruses. I’ve scanned
   my blog with all of the online tools and they say that I’m clean, yet I’ve had
   three people tell me that they couldn’t go to my blog because of a trojan virus
   warning and all of a sudden, mysterious links and plugins show up on my blog.
   Please help!
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [15 years, 10 months ago](https://wordpress.org/support/topic/hack-warning/#post-1229507)
 * What to do if you think you’ve been hacked:
    [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/](http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/)


The topic ‘Hack Warning’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 9 replies
 * 7 participants
 * Last reply from: [esmi](https://wordpress.org/support/users/esmi/)
 * Last activity: [15 years, 10 months ago](https://wordpress.org/support/topic/hack-warning/#post-1229507)
 * Status: not resolved

