Hacked by Hmei7 (50 posts)

  1. Gabba2000
    Posted 4 years ago #

    I have just been hacked by Hmei7, and my site is inoperable at the moment. I can access the cpanel. But I am unsure what to do, to get my site back. Any suggestions?

  2. ericktedeschi
    Posted 4 years ago #

    I think you can update the users table and leave the user_pass field blank for all users except your admin.
    So, update the password of your admin:

    update wp_users set user_pass = md5('new password') where ID = XXX;

    Search for backdoors/malicious code mainly in plugins and themes.

    Unfortunately, if the hacker used a vulnerability in some plugin or theme, the "door" may be open!

  3. missmagica
    Posted 4 years ago #

    Hi, I was also hacked by Hmei7. I did end up resetting my passwords and was able to log in to my WP account. Only thing is, it's a mess in there :( I had a friend's friend set WP up for me, who he is no longer in contact with :( He has sent me the 'wordpress theme' files for my website.
    Can anyone point me in the right direction or give any suggestions of what I'll need to do to get rid of Hmei7's doings?


  4. LolDig
    Posted 4 years ago #

    Hi, some of my sites have been hacked too.
    I searched whole FTP trying to find the source...nothing. But then I did this.


    1) Reset your CPanel/FTP password. It should come to the e-mail u registered with your hosting provider. Give them a call if u forgot.
    2) Log in to CPanel and open PHPMyAdmin.
    3) Open your WordPress database (wrdp1 or whatever u named it) and have a look at the wp_posts table.
    4) Delete all instances of <script>...; it hides in the post_title column on my site.
    5) Change your wp-admin pass in wp_users, user_pass field.

    I suggest changing your database password to a very strong one, and backing up your SQL database as well, so next time all u have to do is import it back.
    Lana :)

  5. LolDig
    Posted 4 years ago #

    After you've done all above, 2 things need attention.
    My admin pass still didn't change.
    So I changed user_email in wp_users table to my e-mail. And in mysite.com/wp-admin click Lost Your Password and input the e-mail.
    Another thing, after the hacker's <script>... is removed from the database post_title, you will have to put ALL Page titles in Pages, Menu labels, Post titles etc. Easy way to do that is Quick Edit --> and have a look at your slug.

  6. missmagica
    Posted 4 years ago #

    Thanks so much for your fast reply! :)

    This is what i found hidden in the post_title column..

    <script>alert('hacked by Hmei7')</script><h1>hacked by Hmei7
    </h1><div style=background-color:black;>
    <h1><font color=cyan>hacked by Hmei7</font></h1>

    should i delete the whole lot?

  7. LolDig
    Posted 4 years ago #

    Hi, yes it's the same thing I had - delete the whole thing.
    But be careful - this means you are deleting a Post/Page title.

    If you see the column next to it says post_name, say for example it's hello-world. You can delete the hacker code and put "Hello World" instead in post_title. :) Or login to your wp-admin and do it from wordpress pages/posts.

  8. missmagica
    Posted 4 years ago #

    Excellent!! i see it :) Thanks so much Lana! you have made my day much easier!! I was meant to go to the beach 2day..but instead i've been trying to fix my site ;/ Thanks a mill :)

  9. missmagica
    Posted 4 years ago #

    Another question... How do i prevent this from happening in the future?

    I was told i could clone my theme?

  10. LolDig
    Posted 4 years ago #

    Haha, no problem :)
    Yes, you can backup your theme folder, just copy it from your FTP program.
    Then login to /wp-admin, go to Tools--> Export --> All content.

    I would also advise you to backup your database. Go to PHPMyAdmin (click home icon) and click Export --> SQL. So in the future, you can import it. Try to back it up after major changes or once every few weeks.

    Also, it would be good to change your database password. In CPanel --> MySQL Databases create a new user. Generate a very strong password. Click Add User To Database. Tick all privileges.
    Now you can remove the old user from database.

    Important! Download the wp-config.php file from server and change the DB_USER & DB_PASSWORD fields to new ones, or you'll get an error.

  11. missmagica
    Posted 4 years ago #

    Sorry for my ignorance :( ..I just want to make sure I'm doing it your way..
    FTP program is within the host, right? There is a section that has "FTP Accounts", "FTP Session Control", "Backups" etc. When I click on Backups this is what it says..

    Backups allow you to download (to your computer) a zipped copy of either you entire site (your home directory, databases, email forwarders configuration, email filters configuration) or one of the previously mentioned parts of your site. These are not automatically scheduled backups. Automatically scheduled backups need to be enabled by the server owner / administrator.

    Full Backup
    Full backups can only be used for moving your account to another server or keeping a local copy of your account.

    Is this the backup I am meant to be doing?

    Thanks again :)

  12. missmagica
    Posted 4 years ago #

    This is also what i found about the wp-config.php & DB_USER & DB_PASSWORD..it says i can not download it but create a new one?

  13. dbdrags
    Posted 4 years ago #

    I swear this was so gay :(

    they hacked into our forum to access our website which we don't even use.
    I went in the backend, index.php deleted what they put in there, as they took over our whole website.

    I have fixed it all. just matter of backing up I guess.

    I then went to cpanel and reinstalled fantastico wordpress coz i thought stuff it might as well see what happens if I try and my website came back up. then had major issues with my login and did what Loldig suggested.

    it worked and you saved the day for me. appreciate it heaps.

    i deleted the forum..unsure if there is anywhere else I need to go to prevent these things happening again.

    let me know what else i need to do other than backup of website.


  14. LolDig
    Posted 4 years ago #

    Regarding the wp-config.php, they are simply saying that in the beginning it was named wp-config-sample.php but depending on manual or auto wordpress installation at the start, it is renamed to wp-config.php. You can download one from your server via FTP/ Cpanel file manager and replace DB_USER & DB_PASSWORD (if you created a new user of course, see my prev post).

    Backups - yes, if you have a CPanel simply click Backups icon in Files tab. Full Backup would be best option if you have WordPress. I chose 'Home Directory' - local server backup. It will generate a .rar archive in your home (/) directory.

    After that, either go back to Cpanel --> Backups --> Full Backup. You'll see Backups Available for Download. Download the file. Or if the site's too big, connect to your server via an FTP program (like Filezilla). You will see a .rar archive called backup-[date]-tar.gz. Download a copy to your PC.

    Warning: if you have a shared hosting, you cannot restore a full backup. You have to ring up your hosting company and ask to do that. If you do own a server, you can restore backup from your WHM panel (link).

    Hope this helped. :)

  15. quantaweb
    Posted 4 years ago #

    I had a site hacked by this guy, too. After a bit of poking around I found that he had replaced the header.php file (that's where all the code for his ugly flashing black "you've been hacked" stuff was).

    I uploaded a copy of the original header.php for the theme via FTP, and voila! - the site was back up.

  16. quantaweb
    Posted 4 years ago #

    Meant to mention - I also (after changing all passwords) installed the BulletProof Security plugin, which I think should protect against this type of thing in the future.

  17. socreative
    Posted 4 years ago #

    My blog has just been hacked by Hmei7 too. It doesn't create "alert" popups; instead it redirects the page somehow and displays white snowflakes on a black background. I checked the database and couldn't find anything wrong. The htaccess file seems to be intact also.

    Anyone has the same problem?

  18. quantaweb
    Posted 4 years ago #


    Yes, check your header.php file. That is where he put his code on my site. It wasn't in the database, and I didn't have any popups or anything either.

    To fix this, just FTP into your site, open up the header.php file (in your theme folder) and if it doesn't look right, replace it with the correct header.php file.

    (It was very obvious when looking at my header.php file's code that it had been changed. Hmei7's email address was at the top of it! And all his flashing, obnoxious code was right under that.)
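
Restoring the original header.php, as described in the posts above, repairs the one file that was noticed. As an added example (not part of the original posts), this shell function compares a whole installed theme folder against a clean copy of the same theme and lists every modified, added or missing file; the name `theme_drift` and the demo directories are constructed for illustration.

```shell
#!/bin/sh
# Compare an installed theme directory against a clean copy of the same theme
# version (for example a fresh download) and report every difference:
#   MODIFIED  present in both trees, contents differ
#   ADDED     present only in the installed tree
#   MISSING   present only in the clean tree
# Usage: theme_drift CLEAN_DIR INSTALLED_DIR   (hypothetical helper name)
theme_drift() {
    clean=$1 installed=$2
    # Walk the installed tree; the cd happens in a subshell only, so
    # relative CLEAN_DIR / INSTALLED_DIR arguments keep working below.
    (cd "$installed" && find . -type f | sort) | while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "ADDED ${f#./}"
        elif ! cmp -s "$clean/$f" "$installed/$f"; then
            echo "MODIFIED ${f#./}"
        fi
    done
    # Walk the clean tree to catch files that were deleted from the site.
    (cd "$clean" && find . -type f | sort) | while IFS= read -r f; do
        if [ ! -f "$installed/$f" ]; then echo "MISSING ${f#./}"; fi
    done
}

# Constructed demo: a clean theme and an installed copy with one replaced
# file and one file that does not belong to the theme.
demo=$(mktemp -d)
mkdir -p "$demo/clean" "$demo/installed"
echo '<?php /* original header */' > "$demo/clean/header.php"
echo '<?php /* original footer */' > "$demo/clean/footer.php"
cp "$demo/clean/footer.php" "$demo/installed/footer.php"
echo '<h1>defaced</h1>' > "$demo/installed/header.php"
echo '<?php /* unexpected file */' > "$demo/installed/home.php"
theme_drift "$demo/clean" "$demo/installed"
rm -rf "$demo"
```

Every ADDED or MODIFIED file needs to be reviewed or replaced from the clean copy, not just the one that shows on the front page.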

  19. socreative
    Posted 4 years ago #

    Yeah i found it right after i posted here, was looking for recently modified files. How the hell did someone get access to the template's header.php?

  20. borelandn
    Posted 4 years ago #

    Does anyone know how they managed to replace the template header.php file? Mine's just been hacked exactly the same way - I just replaced it with a proper version, upgraded to latest WordPress and installed the bulletproof plugin - fingers crossed!!!

  21. esmi
    Forum Moderator
    Posted 4 years ago #

  22. jane_1
    Posted 4 years ago #

    Can anyone please help me? I've also been hacked. For three days now, I've been reading and trying everything I can to fix my blog myself; my host hasn't responded to my plea for help.

    I ended up deleting the blog, then reinstalled it and imported a backup I had. The only problem is some things are missing: I am now the only user (I had lots of users/members),
    also my links pages and categories are missing. I can cope with that but really want to restore my users.

    I've downloaded some programs and extracted 2 different backups I have. It did uncompress them but I can't see a file with my users in the folder. Can anyone help? I'd really appreciate it.
    Thanks, Jane

  23. esmi
    Forum Moderator
    Posted 4 years ago #

    @jane_1: It is impolite to interrupt another poster's thread with a question of your own. Please post your own topic.

  24. jane_1
    Posted 4 years ago #

    Really? I'm sorry, thought I was on topic; I was hacked by Hmei7 too, which has resulted in my problem. I'll try posting a new help request then. Regards, Jane

  25. mattoman
    Posted 4 years ago #


    This guy hacked the shit out of my website. Luckily it had only just gone live so I was able to restore quite easily by moving it all to a new database... I discovered the reason he was able to hack me was because the passwords in use were extremely easy to crack.

    Lesson Learned: Make sure you set extremely difficult MySQL database passwords and the same goes for WordPress.

    I actually would thank Hmei7 as he alerted me to some pretty weak security in my website.

    All the best.

  26. simulateguy
    Posted 4 years ago #

    I had my WordPress site up for less than 1 week when this low-life hacked it. This time, instead of injecting a script into the database, he modified the theme.

    As I was new to WordPress, I had just accepted the default theme of twentyeleven. He replaced the header.php file with a simple 'hacked by Hmei7' message. As soon as I deactivated that theme, the problem went away.

    I've changed the passwords using cPanel and all seems okay. (they were 'medium' now they are 'strong') But I've started backing up everything and am grep'ing through stuff looking for any other hack/backdoor/code that doesn't belong.

    Some kids should have been disciplined more by their parents.

  27. kmessinger
    Forum Moderator
    Posted 4 years ago #

    Follow the suggestions here to help secure the site.

  28. lotashow
    Posted 4 years ago #

    Hi all,
    first of all thanks for all the hints solving this problem.
    My hijack notice showed up only on my Home page, not on any of the blog pages. This led me to search for the "home" page for WP.
    I found in: WP-content
    the "home.php" file, which I opened in my C-panel with the Code editor and found the culprit. I deleted the file, and my usual homepage showed up again.
    This allowed me again to log into the WP Dashboard.
    Hope I could be of help.

  29. easterjv
    Posted 4 years ago #

    Hey everyone

    Thank you for all your informative posts.

    I've been able to restore my client's site from a host that had their server attacked yesterday.

    Only the "header.php" file had been touched (I hope!!), as what seems to be the case for most other people; which suggests that this isn't malicious intent, but just enough to show off to the world what they can do.

    I've taken all your good advice and ...
    - changed hosting to a more secure server
    - updated the admin and all user account passwords under wp_users
    - looked for other files in all folders that have had Modified Dates the same time as the header.php mod file date
    - taken a full backup of the site using Robert Plank's "Backup Creator" and kept that for safe future keeping
    - and in a state of paranoia I updated all WP files, just to be sure
    - and taking this one step further, changing passwords to all my other blogs and online access that use my email account in case they can work out the UN + PW combo for that hacked site and take my life to WordPress Hell...

    And I'm taking steps to install plugins for extra security on my WP site like:
    - Bullet Proof Security
    - WordPress Firewall ( http://www.seoegghead.com/software/downloads/wordpress-firewall.seo )

    Now this has got me thinking ... WHY aren't there some of these basic plugins included in a standard installation of WordPress to ensure that sites aren't hacked ?

    Now we can't do too much for the hosting accounts that have vulnerabilities, but if we can make the system itself more secure, wouldn't that save a bunch of time and complaints ?

    Thanks for being such a great support community :)
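
The modified-date check from the list above, as an added example that is not part of the original post: the shell function below lists every file under the site root whose modification time falls within a window around the tampered file's. The name `modified_near`, the sample tree and its timestamps are constructed for illustration, and GNU or BusyBox `stat` is assumed.

```shell
#!/bin/sh
# List files whose modification time lies within WINDOW seconds of a file
# already known to be tampered with, oldest first.
# Assumes GNU or BusyBox stat (the -c option); BSD stat uses -f instead.
# Usage: modified_near REFERENCE_FILE ROOT_DIR [WINDOW_SECONDS]
modified_near() {
    ref=$1 root=$2 window=${3:-600}
    ref_ts=$(stat -c %Y "$ref") || return 1
    # Emit "epoch path" for every file, sort by time, keep the close ones.
    find "$root" -type f -exec stat -c '%Y %n' {} + | sort -n |
    while read -r ts path; do
        delta=$((ts - ref_ts))
        if [ "$delta" -lt 0 ]; then delta=$((0 - delta)); fi
        if [ "$delta" -le "$window" ]; then echo "$path"; fi
    done
}

# Constructed sample tree (file contents and timestamps are invented).
make_sample_site() {
    site=$(mktemp -d) || return 1
    theme=$site/wp-content/themes/twentyeleven
    mkdir -p "$theme"
    echo 'replaced' > "$theme/header.php"
    echo 'untouched' > "$theme/footer.php"
    echo 'dropped' > "$site/wp-content/home.php"
    touch -t 201203011000.00 "$theme/footer.php"
    touch -t 201205010310.00 "$theme/header.php"
    touch -t 201205010312.30 "$site/wp-content/home.php"
    echo "$site"
}

# Demo: everything changed within 10 minutes of the replaced header.php.
site=$(make_sample_site)
modified_near "$site/wp-content/themes/twentyeleven/header.php" "$site" 600
rm -rf "$site"
```

Modification times can be reset by whoever wrote the files, so an empty result does not prove nothing else was changed.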

  30. George Bikas
    Posted 3 years ago #

    I got one of my sites hacked yesterday. The problem was not in the database but in some files. I tried to restore the database from one month back but the problem still existed. So I did a restore of the files from 3 days back and everything was OK.

    i also found http://hmei7.blogspot.gr/

Topic Closed

This topic has been closed to new replies.
