Support » Fixing WordPress » Have I Been Hacked?

  • I’m seeing the following 4 symptoms which concern me but I’m not sure if I should be worried:

    1. There is a hidden div appearing on all of my pages with a number of words making nonsense sentences that seem to be some sort of SEO

    2. There are Javascript evals of base 64 encoded strings in my templates (including ones I have designed myself!). I didn’t put them there.

    3. When I try and remove the eval statements from my template a page comes up that asks me for my userid and password foir the site. The page is not styled at all and has no other text. When I type my userid and password (password since changed BTW) the template is not modified.

    4. When I try an XML export of my posts I get a 0 character file.

    What I did recently:
    a) Upgraded from 2.2 (I think) to WordPress 2.8 by following the extended instructions
    b) Installed the Arclite theme
    c) Added the Google analytics plugin

    Am I screwed? What can I do?

Viewing 12 replies - 1 through 12 (of 12 total)
  • That doesn’t sound good. Do you have another way to edit the templates outside WordPress? e.g. using Cpanel or a similar control panel?

    I was hacked and there was no way I would have cleaned things up without backend admin access.

    If you were hacked in the fashion it sounds like you have, you are going to need to access your mysql dbase. Do you have phpadmin access? You will probably want to check for odd users in your user table.

    Yeah I have CPanel access as well as FTP so I can clean things up if I need to, the only issue will be getting all of the old post data out without XML export working. I have a database backup but I’m suspecting that there may also be hacked code resident there too.

    See if your CPanel gives you database access (PHPmyAdmin), you can export your data from there, as well as check recently-registered users.

    Depending on the version of CPanel, you might have to go through the “MySQL® Databases” button, then at the very bottom, choose PHPmyAdmin.

    I think what I’d try is:

    1. if you can, change your theme to the ‘default’ one provided by wordpress (it is likely your theme is infected).
    2. back up your custom theme
    3. upload fresh copies via ftp of all wordpress files.
    4. login and see if you can do the export from within using the fresh install files.
    5. Assuming you were successful, edit your them OFFline until you are satisfied the infected code has been removed.
    6. upload the newly cleaned up theme.

    are you getting an autenticate page when trying to update files in the editor by any chance?

    Every wordpress site I have now redirect me to an authenticate page, which never works, and then returns me to the editor screen. The code never gets updated??? It is happening across all the versions.

    Do you think I have been hacked?

    Yes, that sounds very suspicious.

    It has just started since yesterday.

    The funny thing is that it is now happening across all my sites.

    when I update a file here:
    and then click
    update file
    it brings me to another page with the same url …/theme-editor.php which has two input boxes and a authenticate button (source code)
    <form action=’/wp-admin/theme-editor.php’ method=’POST’><input type=’text’ name=’login’>
    <input name=’pass’ type=’password’>
    <input type=’submit’ value=’authenticate’></form>

    after clicking the authenticate it brings me back to the editor and no changes take place. I can not modify any files now?

    I would advise you:

    1. attempt to export your database
    2. delete all your wordpress installation files, backup your wp-content wp-config.php and .htaccess files.
    3. upload fresh wordpress files
    4. restore your database

    Once you have done that, see if you can login and edit normally. This will not mean you are ‘clean’ but it will mean you have started the process.

    I would advise you to change your admin password right after you have followed these steps as it sounds like this hacker has set things up so he is collecting your login and password.




    not sure this will help, but I’ve also had a problem with the Google Analytics code related to its changing of link syntaxes in my theme; it makes certain elements of my page display weird that I am still trying to sort out; possibly that is causing some of the display weirdness?

    Also, I too had a theme where there was base 64 code in the footer which displayed the owners ads. A quick google search on base 64 decoding changed it back to clear HTML and I could edit the code there. that also might help you at least figure out what that code is doing. if its making calls to something totally out there like a .cn extension or something, you know your problem.

    good luck.

    I have managed to resurrect my site and it looks like the hacks have been removed. Here is what I did (YMMV):

    1. Backed up the site files
    2. Backed up the database
    3. Created an environment for testing on my local machine using WAMP
    4. Restored my database to the local environment
    5. Unzipped a new copy of WordPress 2.8 to my local environment
    6. Modified my config files to point to the local database.
    7. Reinstalled my plugins and themes. At this point everything looked OK with no hacks in place.
    8. Deleted completely my old installation on my web host
    9. Uploaded my new installation
    10. Changed the config file over to contain the server DB connect parameters
    11. Deleted the active plugins value from the config table to remove references to the hacked plugin files
    12. Reenabled my plugins
    13. Switched the URL options to a different scheme and then back again to repopulate the page caches.

    2 Important things to note: I lost all of my uploaded files and images. I didn’t want to take the risk of having a corrupted image file hanging around. Also this would not have worked if the data in my database had been altered to contain hacked pages.

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘Have I Been Hacked?’ is closed to new replies.