Hacked by walangkaji (9 posts)

  1. Barneyntd
    Posted 2 years ago #

    My WordPress site got hacked, almost certainly over Christmas. As far as I can tell, no files were changed, and no users were added, but the sql database had the blog name changed to:

    (4, 'blogname', 'Hacked by walangkaji - The Crows Crew', 'yes'),

    A search for 'Hacked by walangkaji' shows quite a lot of sites with this same hacked title; I can't tell how many of them are running WP. There is also a hackers' message board where walangkaji boasts about his exploits.

    I have taken backups of everything and taken the site down completely, but I want to get it up again within a day or two. How do I find out how this was done and prevent repeats?


  2. Otilia
    Posted 2 years ago #

    I've also had 3 sites hacked the very same way - earlier today. The only changes I was able to see were:

    - change of site title (Settings -> General)
    - change of encoding to UTF-7, resulting in some scrambled text.

    This is, fortunately, not a big deal to fix. However, a quick search shows this threat is spreading out very very fast! In fact, a second site of mine was hacked just as I was fixing the first one.

    It is surely worth having a look and start collecting data?

    [later edit] - The intention I've had with this reply was to add more information to what the original poster mentioned and to confirm it was not a singular occurrence. I had not asked for any help or input whatsoever and have not diverted attention from the initial issue reported here.

  3. @Bristena, It is impolite to interrupt another poster's ongoing thread with a question of your own and it causes significant problems for the forum's volunteers. Please post your own topic.

  4. Barneyntd
    Posted 2 years ago #

    Well, I think I've got everything working again, now with latest versions of WordPress & theme.

    Does anyone know whether this is a WP problem or a server problem? I'm on kNet Hosting.

    @Bristena I thought your post was valuable! It's good to know I'm not the only one.

  5. @Barneyntd: more than likely a shared host problem. Might want to find a new host: Recommended WordPress Web Hosting

  6. aidanl
    Posted 2 years ago #

    Thought it was worth posting... I have posted this on another thread too but I found the problem resided in a specific theme of mine within a 'text' sidebar widget they had added. I deleted the widget they'd added and it has brought my site back up rather than just their 'Hacked by walangkaji - The Crows Crew' on a white background. Hopefully this will help others and hopefully we can find a way to prevent this happening again.

    Barneyntd - I am also on kNet hosting... That seems quite coincidental.

  7. jpryce
    Posted 2 years ago #

    Any clues?
    I've been through Jan's resource links, I've backed up my original database, reinstalled WP on the server and re-imported the old database to the new one and this guy is still all over my site like a rash.
    I can't even make back end changes as it asks me if I 'really want to do this and to try again' which seems new to this thread.
    Am I really going to have to rebuild? Am I missing something?

    Thanks guys


  8. Barneyntd
    Posted 2 years ago #

    @jpryce: I wiped everything, installed the latest WP, plugins & theme, and imported the database from a month ago, which I was certain was clean (it's not a high traffic site). Then I changed all the admin passwords, which are in the database. The few posts this lost I imported one by one, checking all the data. I've not had any repeats so far.

    I haven't found any hacks to the files at all (though I might have missed something subtle); all the hacks were in the database. So far I have found three changes, all in wp_options:

    (4, 'blogname', 'Hacked by walangkaji - The Crows Crew', 'yes'),
    (36, 'blog_charset', 'UTF-7', 'yes'),
    (89, 'widget_text', 'a:2:{i:2;a:3:{s:5:"title";s:0:"";s:4:"text";s:178:"<script>document.documentElement.innerHTML = unescape(''%48%61%63%6b%65%64%20%62%79%20%77%61%6c%61%6e%67%6b%61%6a%69%20%2d%20%54%68%65%20%43%72%6f%77%73%20%43%72%65%77'');</script>";s:6:"filter";b:0;}s:12:"_multiwidget";i:1;}', 'yes'),

    I think it's the 'widget_text' which causes the blank screens and other problems: half my sidebar was missing, which is probably everything from this point down.

    Still no clue how he did it.
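
A check for the three `wp_options` changes listed in the post above, as an added example that is not part of the original thread. It assumes an SQL export in the tuple form quoted there (single quotes doubled inside strings); the sample rows are constructed and the name `audit_options` is hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample rows in the export format quoted in the thread,
# plus one clean row for contrast.
SAMPLE_DUMP = r"""
(1, 'siteurl', 'http://example.test', 'yes'),
(4, 'blogname', 'Hacked by walangkaji - The Crows Crew', 'yes'),
(36, 'blog_charset', 'UTF-7', 'yes'),
(89, 'widget_text', 'a:2:{i:2;a:3:{s:5:"title";s:0:"";s:4:"text";s:65:"<script>document.title = unescape(''%48%61%63%6b%65%64'');</script>";s:6:"filter";b:0;}s:12:"_multiwidget";i:1;}', 'yes'),
"""

# (option_id, 'option_name', 'option_value', 'autoload'); '' is an escaped quote.
ROW = re.compile(r"\((\d+), '([^']+)', '((?:[^']|'')*)', '(?:yes|no)'\)")
# Runs of percent-encoded bytes, as passed to unescape() in the injected widget.
PCT_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}){4,}")


def audit_options(dump, marker="Hacked by"):
    """Return (option_id, option_name, reason) for each suspicious row."""
    findings = []
    for opt_id, name, raw in ROW.findall(dump):
        value = raw.replace("''", "'")  # undo SQL quote doubling
        # WordPress ships with blog_charset set to UTF-8.
        if name == "blog_charset" and value.upper() != "UTF-8":
            findings.append((int(opt_id), name, f"charset changed to {value}"))
        if marker.lower() in value.lower():
            findings.append((int(opt_id), name, "defacement marker in value"))
        # Script tags stored in an option (here a text widget) render on every page.
        if re.search(r"<script\b", value, re.I):
            decoded = [unquote(run) for run in PCT_RUN.findall(value)]
            findings.append((int(opt_id), name,
                             f"script tag in option, encoded text decodes to {decoded}"))
    return findings


if __name__ == "__main__":
    for finding in audit_options(SAMPLE_DUMP):
        print(finding)
```

Running it over a known-clean backup as well as the current export shows which flagged rows are new.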


Topic Closed

This topic has been closed to new replies.
