Hacked admin. Please help (9 posts)

  1. jeangodecoster
    Posted 3 years ago #

    Hi all,
    I've taken over the administration of a wordpress web site, which was both using an old version of wordpress, and very vulnerable to attacks.

    I quickly upgraded the wordpress version, but apparently the bad had been done because the site was already subject to several backdoor attacks, and there were some devious things in the .htaccess as well.

    I installed a malware (Anti-Malware by Eli) and sure enough, it found a bunch of corrupted files (as it turned out, non-chrome users were redirected to a porn website when coming from google searches) and corrected everything.

    Now I'm back with a whole new problem, however because whenever I go on the website while I'm logged in as an admin (any page, and also from the dashboard) I get an authentication request for some luedolph.de server which has nothing to do with my host. This only happens if I'm logged in, though. So a random user would not experience this issue.

    I'm trying to locate this, but the anti-malware doesn't find anything, and I don't find anything spooky in the wp_config table in my DB (but perhaps I'm not looking in the right place). I also tried a text-based search for luedolph.de in my files, but to no avail.

    Any idea where I could start looking? I've made my best to shut down the vulnerabilities with my limited knowledge of wordpress security issues. I changed the key salt in wp_config.php, protected .htaccess, and wp_content. But other than that I'm nothing like a security wiz.

    Thanks in advance

  2. esmi
    Forum Moderator
    Posted 3 years ago #

  3. Andrew Nevins
    Forum moderator
    Posted 3 years ago #

    Anything less will probably result in the hacker walking straight back into your site again.

    Wow, what are the chances of two people typing the exact same sentence!

  4. esmi
    Forum Moderator
    Posted 3 years ago #

    Damn! Jan beat me! ;-)

  5. <off topic>

    I KNOW! I raced to do it too! Yes, I copied the verbiage. It's good stuff. :D

    </off topic>

    [Moderator note: In future please wrap your code in backticks. Your code may now be corrupted from this forum's parser]

    @jeangodecoster it is a lot to take in but you can get a handle on your situation. Just take it one step at a time and review that set of links. The material is good and when you've successfully deloused your installation you'll be good to go.

  6. jeangodecoster
    Posted 3 years ago #

    Thanks a lot for the replies, i'll look into this quickly

    And glad I could get you guys entertained unwittingly :-)

  7. esmi
    Forum Moderator
    Posted 3 years ago #

    Well, at least it shows that we do have some official policies here. :-)

    The first list of links we posted above give pretty comprehensive advice on cleaning up a hacked site. Pay special attention to the last linked article. It's by a WP ninja and should help you root out any remaining hacker files. Chances are that the install is riddled with them.

    Don't rush anything either. The more time you spend going through everything with a fine toothcomb now, the less likely that you will miss something.

  8. jeangodecoster
    Posted 3 years ago #

    Ok thank you for your input.

    I have a backup of wp-content dated back from may 14th so I guess I could just restore from there.

    However I made a diff to compare my current wp-content with that of my backup and I don't see any difference that looks like a hack of some sort. It could be one of two things: either i was already hacked on the 14th, or the hack didn't play around with my wp-content.

    It appears that all of the hacked things are in my wp-include. Perhaps just re-installing a fresh wordpress could rid me of all the attacks. Then all that's left to do is to re-change all my passwords.

Topic Closed

This topic has been closed to new replies.

About this Topic