Support » Fixing WordPress » Hacked again wp-content

  • Resolved becs


    URGH. I have been hacked again. I upgraded to the new wordpress only a couple of days ago. A friend was searching for something on my site and on came across and the page was a black page with I think skulls or something on it with words to effect of “hacked by…” and it had all pharmacy links on it.

    I found what I thought was a fake index page in my wp-content folder – it was index.html and as far as i know, the only index that should be in there is index.php. So I deleted it.

    Now no pages are coming up on my blog. Dashboard is still there but no content is displaying.

    I have not messed with the file associations of the wordpress files and have left them at whatever the wordpress default is. I did notice that wp-content was set at 777 – is this the problem?

    If this is the problem, how are they managing to change it to 777? Also can anyone advise how I can get my content back please?

    I really have no idea where to start, I try to keep up to date with all the security fixes but I am beginning to think after a year of successful blogging that it is not worth the effort. Throw a little sunshine my way please ๐Ÿ™

Viewing 15 replies - 1 through 15 (of 15 total)
  • the risks assocated with having any directory chmod 777 have been discussed here before — its a dead horse, in fact.

    It was even discussed, somewhat, in a thread you participated in some time ago.

    And just like all the other threads that you’ve participated in that share a similar topic, without server logs, there’s little anyone can suggest beyond the standard:

    1. keep your software current, whether its gallery, wordpress, wordpress plugins, or anything else.

    2. DONT use insecure file or directory permissions.

    3. Make sure your host isnt using insecure software — is current on Apache, PHP, etc..

    4. so on and so forth.

    might also want to look over this:

    and I highly recommend using mod_security, if you have it available.

    Thread Starter becs


    I know the risk of 777 and I never put it to 777, but somebody did. I am concerned as to how they are getting in.

    My concern at the moment though is getting my blog back. I have tried to upload the wordpress software back again but there are just no pages. The content is still there, but nothing is home.

    I go into the dashboard and presentation and there are no themes listed, even though there are themes there and I get the following error

    Warning: array_keys(): The first argument should be an array in /home/********/public_html/wp-includes/theme.php on line 298

    Spoono Host’s client websites (several different domains) were hacked for 3 consecutive days and used for Bank of America/Skype phishing last week. Actually, their client websites were hacked several times in the past 11 days or so. The phishing splee started in January 3. When I gave a kind notification to Spoono Host, they answered “We have it under control. Thanks.” Then another website was hacked and used for BOA phishing. Apparently, the hacker had total control on website’s control panel. How did they do it? I don’t know. I’m just a reporter at —-.NET. It’s just that I suppose some web hosting companies’ control panels have some vulnerability issues. I would avoid small web hosting companies. I don’t know how big is yours, COMPILA-UK or whatever. If I remember correctly, Spoono Host’s control panel is H-Sphere. I don’t mean to imply in any way that this control panel should be avoided.

    you want help, Ill help, in fact, Ill fix it, but I do charge. Im not soliciting, just suggesting.

    Thread Starter becs


    Thanks for the information Macsoft3, I shall get onto my host in the morning to double check (they are currently closed).

    Whooami, thankyou for the offer, as much as I am desperate to get my blog fixed and I am sure you would be able to help, but I am absolutely flat broke at the moment and would have no means to pay for support.

    BTW aswell as my theme page throwing up vomit, my plugins page is empty aswell. Its like the bowling ball effect. One by one everything is falling apart ๐Ÿ™

    Thread Starter becs


    OKay I found an old post relating to theme problems and have found something interesting.

    If I change the wp-content file permissions back to 777 then I have no problems and everything is back to normal.

    But this is a worry, if 777 is so risky, why am I forced to use it for that folder to keep my blog going? I don’t want to end up with being hacked again, but if 777 is so important how can I stop this from happening again?

    I am sorry but I am really confused, on the one hand things are dangerous and on the other hand something is vital.

    Ahh, one more thing… I have to admit that our website was hacked several times last year. We tracked their entry to phpFormGenerator. But I suppose every software has vulnerability issues to some extent.

    Thread Starter becs


    Hi Macsoft, I cannot find phpformgenerator in my control, its probably there but evading me.
    Even if I could find it I do not have the technical know how to analyse web logs. There nearest I get to logs is checking my webstats. lol

    But this is a worry, if 777 is so risky, why am I forced to use it for that folder to keep my blog going? I don’t want to end up with being hacked again, but if 777 is so important how can I stop this from happening again?

    youre not. and you are assuming because you are having trouble, that that is the case. thats mistake number 1.

    if you are going to do this yourself, you are going to need to slow down, and take deep breaths, and read. I provided a link to a doc in the codex that state emphatically what the NECESSARY permissions for WP are. Thats not to say that certain plugins do not requite looser perms, just that WP, itself, does not.

    Secondly, I dont think macsoft was suggesting that that particular webapp was your culprit; I believe he was making a point about how other applications beyond WP also present their own security issues.

    On the surface, you are not taking care of something, or your host is not. I would suggest that since is the third go-around for you, that you be very deliberate in what you do, and the decisions that you make regarding your site.

    Then again, some people never do drink the water.

    Thread Starter becs


    HI whooami,

    Thanks for your help. I do feel like at the moment I am forced to use 777 because if I try the others then my blog fails to display any content but a blank page. I am not worried about any plugins, I can disable any I like, but when it breaks to a point of not even being able to load my page because the all themes break then I feel there is an issue – but I do not know how to fix that issue.

    I cannot find a CHMOD that is acceptable to wordpress to displaying my themes other than 777. I don’t even know if this is a wordpress issue or a problem with my host. I have of course emailed my host support for help on 777 and I await their reply tomorrow.

    I have checked some older threads and they suggest to use 755 for wp-content, but the result is that the themes break.

    I didn’t think macsoft was suggesting that program was a problem, I just thought I would check it anyway. No harm in just looking ๐Ÿ™‚

    Thread Starter becs


    I have my site back. I deleted the rogue index.html, I have managed finally to chmod the wp-content folder back to 755 and the files to 644.

    I don’t know what was going on. Its obviously an issue with my provider somewhere but I cannot speak with them until they open in the morning.

    I earlier checked out the “hardening wordpress” link you gave and there is a plugin for wp-admin apache password but both the download links are dead. Do you know of a similar (and reliable) program that I could use to password protect my wordpress?

    Thanks for your help, oh and BTW I did drink that water, it just tasted a little funny at the time as I didn’t understand what I was drinking, I was not being deliberately ignorant :-))

    I have managed finally to chmod the wp-content folder back to 755 and the files to 644.

    excellent! youre on the road to recovery ๐Ÿ™‚

    Thread Starter becs


    Do I take the blue pill or the red pill to go with my drink?

    >I dont think macsoft was suggesting that that particular webapp

    You are absolutely right, whooami. I already mentioned that every software…

    As somebody already suggested, you should use secure file transfer protocol like SFTP and TLS. It is very important that you have a secure password to the control panel with special characters + lower case + upper case letters + Greek letters if possible.

    I don’t meant to scare you, but an exploiter always goes back to the same website to host phishing websites and affiliate pages. For example, an exploiter hacked the website of (Spoono Host’s client) in two consecutive days.

Viewing 15 replies - 1 through 15 (of 15 total)
  • The topic ‘Hacked again wp-content’ is closed to new replies.