Hacked / Dashboard not working / base64_decode / AAAHHHH!!!! (7 posts)

  1. ornmnt
    Posted 4 years ago #

    Okay, so I logged into my WP admin tonight and noticed the formatting was all weird—like it wasn't reading the css file at all. I thought maybe something was just going on with WP, they were doing maintenance, or something, so I just gave it some time. Then I checked back after a while and it was still messed up. So I started searching and realized others had this problem, but for various different reasons (NB: this happens in all browsers.)

    Then I started looking at a few of the .php files on my server and noticed some crazy code at the beginning. It always begins with:

    <?php /**/ eval(base64_decode(" etc. etc.

    Here is one full example: http://pastebin.com/C87PD14F

    I am not so good with this stuff, but it seems clear that I have been hacked. I guess my question is, what should I do from here? I think I have the latest version of WP installed. Should I re-download it and manually upload the fresh new files onto my server? Dumb question, but this won't get rid of all the content I have added, will it?

    All the work I have done has been in the child theme folder. If I were to replace all the other files in my site with the default ones, could I spare these and just delete the offending code manually?

    Sorry if my questions are kind of vague, and if they have been answered in various forms already, but I'm sort of at a loss here and just want to get this sorted out.

    Oh, and finally—how do I prevent this from happening again?? I will change my password, obviously, but how did this happen??

    Many thanks for any help you can offer...

  2. ornmnt
    Posted 4 years ago #

    One more thing: I managed to make my way through the unstyled dashboard to see this:

    You have the latest version of WordPress.

    You have the latest version of WordPress. You do not need to update. However, if you want to re-install version 3.3.1, you can do so automatically or download the package and re-install manually:

    Reinstall now / Download 3.3.1

    Would it be a good idea to click "Reinstall now"? Would I lose all the data I added to WordPress?

  3. keesiemeijer
    Posted 4 years ago #

  4. ornmnt
    Posted 4 years ago #

    Thank you so much for this. I should have mentioned that I am on Dreamhost, as in that last link so it's likely the same. I'm embarrassed to admit this, but I don't even know how to do this:

    Log into your sever and run the following:

    last -i | grep youruser

    Do I need a specific program for that? I have Dreamhost and Transmit, but I'm not sure what it means by "running" something on my server...

  5. keesiemeijer
    Posted 4 years ago #

    Try the advice in the first four links to get rid of this hack.

    Do I need a specific program for that

    Yes, with mac it's the Terminal and in windows it's the DOS Command Prompt (I think). If you never used it before it's best to leave it alone. Try the first four links.

    Just to let you know, your content (posts,pages, etc..) lives in the database, replacing/deleting files will not not change the content in database.

  6. Kunda04
    Posted 3 years ago #

    Something similar has happened to me. All the links in the dashboard go to a third party viagra site. This comes and goes and sometimes it doesnt happen. It started yesterday. I identified the possible cause as my Google Analytics plugin but I cannot delete this as each time I try it goes to the viagra site so its impossible to delete this plugin. Other plugins are deleteable ONLY when the links work correctly.

  7. esmi
    Forum Moderator
    Posted 3 years ago #

    Please post your own topic. Your problem - despite any similarity in symptoms - is likely to be completely different.

Topic Closed

This topic has been closed to new replies.

About this Topic