WordPress.org

Support

Support » How-To and Troubleshooting » [Resolved] Hacked Site

[Resolved] Hacked Site

  • My site’s been hacked.
    At first I found that the Index.php was replaced, so I recopied the original and the site became operational again.
    However, I could not access
    wp-admin
    The following error message comes up:
    {“error”:[“No key”,”No appid”,”No secret”]}
    I used filezilla to look at the site and found a hacked file under “themes” with the following code:
    > devilzShell <[php]> author: b374k greets: devilzc0der(s) and all of
    > you who love peace and freedom
    > Jayalah Indonesiaku
    > $shell_name = “devilzShell”; $shell_fake_name = “Server Logging
    > System”; $shell_title = ” :: “.$shell_name.” ::”;
    > $shell_version = “v1”; $shell_password = “pro”; $shell_fav_port =
    > “12345”; $shell_color = “#374374”;
    > $shell_code = “
    This was followed by a very long string of numbers and letters.
    I deleted this file, but still can’t access wp-admin.
    Any ideas as to how I can re-access my wp-admin?

Viewing 8 replies - 1 through 8 (of 8 total)
  • If you reinstall wordpress via FTP, overwriting the current files (but NOT overwriting the wp-content folder), you’ll probably be able to access your site. However – whoever hacked your site has probably left a backdoor in somewhere, and those are tricky to find and remove. If its a possibility at all, I’d hire someone to do it (unless you’re technically inclined, have a penchant for learning, and a fair amount of free time).

    Hi Peter,
    Thanks for your quick advice!
    I don’t remember which WordPress version is running. Will it matter if I overwrite it with a more advance version?
    Thanks
    Shakhar

    It should be fine, as long as you’re overwriting with a version that’s relatively close (like, within 2 versions). You can check though, by looking at yoursite.com/readme.html.

    If you do want to match your old version (although, again – it’s probably not a problem to upgrade this way), you can download older versions of wordpress here:

    http://wordpress.org/download/release-archive/

    O.K., I’ve overwritten everything except the content directory, but still no joy.
    Can’t access the site and I still get the message:
    {“error”:[“No key”,”No appid”,”No secret”]}

    In the meantime I also found the obvious hacking signs below in my awstats082011.txt file.
    Any ideas?

    # Worm ID – Hits – Bandwidth – Last visit
    # The 5 first Hits must be first (order not required for others)
    BEGIN_WORMS 0
    END_WORMS

    # Search engine referers ID – Pages – Hits
    BEGIN_SEREFERRALS 2
    google 29 34
    search 2 2
    END_SEREFERRALS

    # External page referers – Pages – Hits
    # The 25 first Pages must be first (order not required for others)
    BEGIN_PAGEREFS 28
    [removed spam links]
    END_PAGEREFS

    Here’s the .htaccess file.
    Can you see anything there?

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    I don’t remember which WordPress version is running.

    The current version that you are using will be coded in your version.php file. It’s located in the wp-includes folder. It should be near the top of the php file. Should look something like this:

    * @global string $wp_version
     */
    $wp_version = '3.2.1';

    Thanks all. Solved!
    Overwrote with latest version.
    Found all contaminated files by their time-stamp. Deleted!
    Password was extremely weak – changed it.
    All’s well that ends well.
    Thanks again
    Shakhar

    espelled – When you’re posting logs, PLEASE remember to strip out links. Especially when they’re to spam sites 😉 You tripped the spam filter with those.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘[Resolved] Hacked Site’ is closed to new replies.