• Hi, I hope this is the correct place to post this. I am an experienced web developer, but I have zero experience with WordPress. I am trying to help a friend of mine who is a veterinarian. They have a website, http://www.corvalliscatcare.com which is run on WordPress. Yesterday she told me that the mobile version of their site had been hacked to show pornography. My first thought was just that they maybe hadn’t updated their site and had been auto-hacked by some bot, but then she mentioned something else: The pornography was oddly specific to them – it showed something related to people having sex with cats (the veterinarian is a cat-specific practice). Also, it was apparently only happening on the “mobile” version of the site, which comes up when you search for the site on Google on a phone.

    By the time I got there to take a look, the porn had changed to something else which looked like a generic spam page. Something about UK dating, followed by a bunch of stuff in another language (looks Nordic).

    She initially couldn’t get into the admin interface, which made me worry that the passwords had been changed, but then she tried on a different computer and it worked. No idea what was going on there.

    When I got there it was the middle of the night. I went in because she was kind of frantic that their website was down. Even though I know nothing about WordPress, I decided to take a look in the hope that my general experience with computers might allow me to poke around and figure out how to get their site back.

    What I discovered was that the main site (http://www.corvalliscatcare.com/) is still ok, but the one which you get when you search on Google on a phone has been replaced (http://www.corvalliscatcare.com/home/). So I went looking around the WordPress interface and found a page called ‘home’, which seemed to have some content that looked innocent and nothing like what was actually being shown. I tried making it private, but that didn’t seem to affect anything. I even tried moving home to trash, but still no change. Very mysterious.

    Then I looked more at the /home/ page as it appears in the browser, and noticed that it seemed to talk about a theme called Amadeus. When I looked in the Themes via WordPress admin, I couldn’t find Amadeus anywhere. It wasn’t installed. So I tried installing it, and then de-installing it, but it made no difference.

    Basically /home/ is somehow being redirected somewhere, though the URL in the browser address bar doesn’t change. I have no idea how to poke around inside WordPress to figure out how it was done. My friend doesn’t know what ftp is, and the same credentials used to get into WordPress didn’t seem to work via ftp.

    I saw some fairly unique looking words on the /home/ page as it was being displayed, and tried installing a String Search plugin, so I could maybe find if this is in a file somewhere in their system. I chose one of the long Nordic words, and searched and sure enough it came up somewhere under a location like /home2/wp-content/… a lot of other stuff there that I can’t remember now, sorry. I was suspicious about this /home2/ location, though, because it sort of implies to me that there is some alternate place in WordPress that is being used, which would explain why nothing I did to the ‘home’ page in the main site made any difference.

    I just don’t know enough about WordPress to be able to know where to look. I know this is sparse information, but I wonder if anyone could maybe give me a clue as to what happened here.

    My intuition is that this might be a retaliation attempt from a former IT guy who my friend apparently let go back in January. The very specific nature of the porn is what makes me think it’s personal, but I don’t know for sure. The guy was only working on their network, apparently, not doing any WordPress development. Anyway, that’s the only clue I have.

    Any ideas? I would appreciate possible directions, places to look in the WordPress interface, etc. to help my friend get back control over their site. The host is not being helpful, they want to charge hundreds of dollars for some kind of “security” package which makes it sound like they just want to squeeze her for money. They didn’t seem to want to address the hack itself, just sell her on a generic package, so I want to try to save her some money if I can. If it turns out to be deeper and harder to clean up than is possible for a WordPress newbie like myself then fair enough, but I just thought I’d try.

    Thanks,

    Neil

Viewing 8 replies - 1 through 8 (of 8 total)
  • Looks like there’s a completely separate installation of WordPress located at http://www.corvalliscatcare.com/home/; it even has a login page at http://corvalliscatclinic.com/home/wp-login.php
    For something like that to happen, a hacker would need access to the cPanel of the website hosting company. Most likely your friend’s computer is compromised if she uses it for logging in to cPanel. You’d need to use FTP and navigate to (most likely) /public_html/home/ (or home2/) and delete it, including the database related to that installation. You should first figure out the folder where the original website is installed so you don’t delete that one. 🙂

    Needless to say backup EVERYTHING prior to doing that.

    Just to add, login page for the original website is http://www.corvalliscatcare.com/cc/wp-login.php

    • This reply was modified 9 years, 1 month ago by sinip.

    The folder that needs to be deleted will have wp-content/themes/amadeus/ or something similar in it. Piece of cake. 🙂
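
Added example, not part of the original thread: one way to confirm the "separate installation" diagnosis above is to inventory every WordPress core tree under the web root and list the themes each one carries, so the unexpected copy stands out before anything is deleted. It assumes shell access to the document root (or a downloaded copy of it); the function names, the sample version string and the `clinic-theme` directory are constructed for illustration, while `cc`, `home` and `amadeus` come from the thread.

```shell
#!/bin/sh
# Added example: inventory WordPress installs under a web root.

# Print "<dir><TAB><version><TAB><themes>" for each WordPress core tree found.
# wp-includes/version.php ships with every WordPress core, so it marks an install.
find_wp_installs() {
    root=$1
    find "$root" -type f -path '*/wp-includes/version.php' 2>/dev/null | sort |
    while IFS= read -r vfile; do
        dir=${vfile%/wp-includes/version.php}
        # version.php contains a line of the form: $wp_version = 'x.y.z';
        ver=$(awk -F"'" '/^\$wp_version/ { print $2; exit }' "$vfile")
        themes=$(find "$dir/wp-content/themes" -mindepth 1 -maxdepth 1 -type d \
                     -exec basename {} \; 2>/dev/null | sort | paste -sd, -)
        printf '%s\t%s\t%s\n' "$dir" "${ver:-unknown}" "${themes:-none}"
    done
}

# Print only the installs that are NOT the known-good directory.
unexpected_wp_installs() {
    root=$1 expected=$2
    find_wp_installs "$root" | awk -F'\t' -v ok="$expected" '$1 != ok'
}

# Constructed sample tree mirroring the thread: the real site in cc/,
# a parallel install in home/ carrying the amadeus theme.
make_sample_tree() {
    t=$(mktemp -d)
    for site in cc home; do
        mkdir -p "$t/public_html/$site/wp-includes" \
                 "$t/public_html/$site/wp-content/themes"
        printf "<?php\n\$wp_version = '0.0.0-sample';\n" \
            > "$t/public_html/$site/wp-includes/version.php"
    done
    mkdir "$t/public_html/cc/wp-content/themes/clinic-theme"   # constructed name
    mkdir "$t/public_html/home/wp-content/themes/amadeus"
    printf '%s\n' "$t/public_html"
}

# Usage: sh this-script.sh WEB_ROOT KNOWN_GOOD_INSTALL_DIR
if [ "$#" -ge 2 ]; then
    unexpected_wp_installs "$1" "$2"
fi
```

Each line of output is a directory to back up and inspect; the matching database name is in that directory's own wp-config.php.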

    Thread Starter neilgunton

    (@neilgunton)

    Thanks very much! That sounds like a lead.

    Also, I don’t think it’s coincidence that I just got an email to my dns-admin address (usually spam) from a company that does WordPress repair services. Maybe a bot that trawls this forum, or maybe a person who saw my post? I don’t know, but does anyone know if these guys are legit?

    https://askwptechs.com/hack/

    If they are, then I might just direct my friend to them, since it’s not a lot of money ($100) and they would probably be able to do a better and more complete job than me. I am actually a Linux guy, and my friend is running all Windows, so I am really behind on that front. Last time I worked with Windows was back in the 1990’s.

    Thanks again,

    Neil

    • This reply was modified 9 years, 1 month ago by neilgunton.
    Thread Starter neilgunton

    (@neilgunton)

    It just occurred to me that posting that last link might make me look like a spammer… I have absolutely no connection to them, honest, I literally just got an email from them and I just assume it has to be related to this post on the forum, that’s all. Would like to know if they are a known and trusted company.

    That’s a bit too much of a coincidence for me (I mean an e-mail from them). 🙂
    BTW have no idea about them and thus can’t say whether they’re legit or not. I could joke now and say that I could do it for $50. 🙂 Anyway it is not that complicated to at least get rid of that site, all you need is an FTP program and credentials for your friend’s website FTP access.

    Thread Starter neilgunton

    (@neilgunton)

    Yeah I’d be happy to ftp in there, but they don’t seem to know anything. Even the password she had written down on a post-it didn’t seem to work for login, and it’s not clear to me how exactly she eventually got in. I assume it was just the browser remembering the form inputs or passwords or something like that. To be honest it was 2am and I was happy to just be able to get into the admin interface. If they can get it together to give me the ftp credentials, and/or the cpanel login info, then I’m sure we’d be able to do more. Right now I just don’t have the tools I need, which is frustrating. However your hints about the duplicate WordPress installation have been invaluable, thanks again. If they get back to me and I get another chance to have a go at it, then that will be useful, no doubt. I think today she was trying to get in touch with the original site developer, but apparently she’s currently off on Spring break. They are apparently also trying to get in touch with a couple of other local people, but I am not in that loop. It’s quite frustrating to be hamstrung like this, but you do what you can. Thanks again.

    Neil

    No probs, glad to be of help. And if everything fails, she could ask her hosting company to help her out with cPanel credentials (provided that she pays for hosting).

    Thread Starter neilgunton

    (@neilgunton)

    Just a quick update, it seems like the guys at askwptechs.com fixed the problem. I know this makes me sound like a shill, but honestly, this is what happened: I posted this thread, then I got an email from those guys, and it was so specific that I decided to respond on the off chance it was for real, and it seems that it was. They were able to fix the hack on my friend’s server, and now it’s back to normal again. Even though I am experienced with software development in general, I have zero experience with WordPress, and I don’t think I would have been able to easily figure it out (it was apparently another install of WordPress in parallel with the real one… some jiggery pokery which I don’t understand because I’ve never dug into how WordPress works under the covers). Anyway all fixed now, so I just wanted to give some closure fwiw. The askwptechs.com guys seem to be for real, if anyone was wondering.

    Once again I have no connection to askwptechs.com at all, they contacted me out of the blue as a result of this thread, and I took a chance, and much to my relief it seems to have worked out.

    Thanks,

    Neil

    • This reply was modified 9 years, 1 month ago by neilgunton.

The topic ‘Help needed with hacked WordPress site’ is closed to new replies.