
Hacked :( what now?

  • beetle8


    Hacked this evening by the “sniper-baghdad”

    I FTP’d a temporary index.html to show up before the hack to alert visitors that the site is being worked on.

    I only had one user_login, it was the default admin, the hack changed this to admin1. I went into phpMyAdmin and altered this to something arbitrary, to prevent further access, but what do I do now?

    I checked my statcounter and the last visitor to the site was from France and came from a search on http://lo.st/ and I was the top hit in the fairly broad search query.

Viewing 10 replies - 1 through 10 (of 10 total)
  • esmi


    Forum Moderator


    Couple of links to get you started:

    You should really try and find out what the point of entry was too. Are you running some insecure scripts perhaps? Were you running an old version of WP or an out of date plugin perhaps? If you’ve got a good idea of what the attack vector was (whether it be via WordPress or not), you’ve got a good chance of preventing it recurring. This thread kinda degenerates a bit, but it’d be interesting if you’ve got anything in common with these folks: http://wordpress.org/support/topic/309103?replies=38

    Don’t forget to change *all* your passwords, admin, database, FTP etc.




    You should really try and find out what the point of entry was too. Are you running some insecure scripts perhaps?

    he sure is — WordPress 2.8.4


    ’nuff said.



    That’s not the site that was hacked thanks
    I’ve actually been trying to upgrade that one you pointed out but the upgrade automatically doesn’t work.



    But how do you know that that is one of the ones I work with?



    referring to the 2.8.4

    I had asked for help here and got no response




    OK I don’t know a lot about code,
    In reading from Donncha’s what to do, he says…
    Hidden Code

    The bad guys are using a number of ways to hide their …… When you upgrade WordPress your theme files won’t be overwritten so make sure you double check those files for any strange code that uses the eval() command, or base64_decode()……

    I’m trying to put things back together now, and have not reinstalled the plugin that has caused this error to show up on my page.

    Warning: include(/home2/champir8/public_html//wp-content/plugins/dynamic-content-gallery-plugin/dynamic-gallery.php) [function.include]: failed to open stream: No such file or directory in /home2/champir8/public_html/wp-content/themes/atahualpa/functions.php(478) : eval()’d code on line 1

    Warning: include() [function.include]: Failed opening ‘/home2/champir8/public_html//wp-content/plugins/dynamic-content-gallery-plugin/dynamic-gallery.php’ for inclusion (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in /home2/champir8/public_html/wp-content/themes/atahualpa/functions.php(478) : eval()’d code on line 1

    Does the “eval()’d” at the bottom of this mean trouble?

    Re the londonderryalert site, I’d do a manual upgrade:

    With regards to the site you’re talking about in this thread (championphotollc.com ?), it looks like that was running 2.8 last week (looking at Google’s last cache), so that would seem a very likely reason for the hack.

    The eval()’d code on line 1 is going to be malicious/spam code.
    Delete the atahualpa theme folder, then download and upload a fresh copy. If you’ve previously customised it, restore it from a clean backup.



    I got the site back up and running,
    Then yesterday the same hack took over again.
    What it does is replace the index.php with its own vulgar file.
    So this time I was able to get the site back and functioning by uploading a fresh index.php.
    So the problem now is that I don’t have a clean backup, how can I scan my backup to find the back door?

    Moderator Mark Ratledge


    Forum Moderator

    Talk to bluehost; the hack may be coming through shared hosting.

    See How to Completely Clean a Hacked WordPress Install and How to find a backdoor in a hacked WordPress.
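
Added example, not part of the thread or any poster's code: one way to scan an unpacked backup for the `eval()` and `base64_decode()` calls mentioned in the advice quoted above. The extension list, the sample files and all function names are assumptions made for this sketch; a match is a lead for manual review, since legitimate themes and plugins can use both calls.

```python
import re
import tempfile
from pathlib import Path

# The two calls named in the advice quoted in this thread. A match is a lead
# for manual review, not proof of a backdoor: legitimate code uses both.
PATTERNS = {
    "eval": re.compile(rb"\beval\s*\(", re.I),
    "base64_decode": re.compile(rb"\bbase64_decode\s*\(", re.I),
}
PHP_EXT = (".php", ".phtml", ".inc")  # assumption: extensions worth inspecting

def scan_file(path):
    """Return [(line_no, matched_names, snippet)] for one file."""
    hits = []
    with open(path, "rb") as fh:  # bytes: injected code is often not valid UTF-8
        for no, line in enumerate(fh, 1):
            names = sorted(n for n, rx in PATTERNS.items() if rx.search(line))
            if names:
                hits.append((no, names, line.strip()[:80].decode("latin-1")))
    return hits

def scan_tree(root):
    """Scan an unpacked backup; return {relative_path: hits}, strongest leads first."""
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in PHP_EXT:
            hits = scan_file(p)
            if hits:
                report[p.relative_to(root).as_posix()] = hits
    # A line with both calls, e.g. eval(base64_decode(...)), sorts its file first.
    return dict(sorted(report.items(),
                       key=lambda kv: (-max(len(h[1]) for h in kv[1]), kv[0])))

def demo():
    samples = {  # constructed files, not real site content
        "themes/demo/functions.php": "<?php\neval(base64_decode('ZWNobyAxOw=='));\n",
        "themes/demo/header.php": "<?php echo 'clean'; ?>\n",
        "index.php": "<?php $x = base64_decode($y);\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

To use it on a real backup, call `scan_tree()` with the directory the backup was unpacked into and compare each flagged file against a fresh copy of the same WordPress, theme or plugin version.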

  • The topic ‘Hacked :( what now?’ is closed to new replies.