[resolved] I was hacked (42 posts)

  1. Bob Smith
    Posted 8 years ago #

    yeah tijja i tried who you suggested and it seems to work on some blogs or but does not work on other for some reason ...?

    just to make sure just copy over everything but the wp admin, content and includes folders right?

  2. patrickdappollonio
    Posted 8 years ago #

    EverMaster in what file(s) I can find this code?

    Any help would be appreciated, and If you can contact me, send me a message from the contact form located here: http://www.larvainternet.com/contacto.htm and then I send you an e-mail with another ways.

    But for me, doing all the steps taht I say a few post up, the hack was resolved, but everyday a few users say me that WordPress 2.5.1 is unsecure and they're hacked using that version.

    And the WordPress Support Staff? I send them an e-mail but I don't have answers from they. :S

    Ah! And thanks piratazzurro for making the video :D Really nice!

  3. piratazzurro
    Posted 8 years ago #

    hola Patrick!! gracias ;) pero creo que hay otros hackeos :(

    I discovered the hack that Patrik describe, in 3 blogs that I have. But only one blog drammatically decreased its visitors!! I fixed it in every blog but the problem persists...

    I think that "bad-plugin-image" is just one possibility.. there's another hack we have to find. Maybe TJJA is right: copy over the files in main wp folder?

  4. jdroth
    Posted 8 years ago #

    Thanks to this thread and some other blog entries, I was able to track down and fix (at least partly) the problem. You can find my method here:


    The bad plugin image is part of the problem, but the WP database has seen tweaking, too, including the user and usermeta tables. Also, wp-blog-header.php has extra code pasted at the front.

  5. piratazzurro
    Posted 8 years ago #

    I hope it works fine now... unfortunatly I can't check it.

    I never had this problem. My friends told me...

  6. piratazzurro
    Posted 8 years ago #

    It's so strage: I had 3 blogs hacked in the same way.

    Why one blog lost visitors... and the others none?
    I'm "happy" for this.. but it's strange.

    Maybe we don't know all the truth yet? :(

  7. Donncha O Caoimh
    Posted 8 years ago #

    FYI - I've blogged about this and the various ways the current problems are created here: http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

  8. ljmacphee
    Posted 8 years ago #

    If you are on a Linux or Mac you can open a command window

    Go to the top directory of the copy of your website

    grep -Rn fwrite *

    and hit enter. It should give you a list of files and the line number where the problem is.

  9. ljmacphee
    Posted 8 years ago #

    Sorry fwrite is too common

    grep -Rn [bad-word]

  10. mrfrazzlebottom
    Posted 8 years ago #

    I have four WP sites running v2.3, v2.3.1, v2.3.3 and v2.5. All but the v2.5 have had access as explained in this hack; but none of them have been compromised as far as I can tell.

    But strangely, all my databases' tables WP_OPTIONS do not have ACTIVE_PLUGINS as some have mentioned. All they have are:


    Am I not understanding something perhaps?

    Also, someone mentioned 'rss_f541b3abd05e7962fcab37737f40fad8' as a place to look for a hack indication. Well, what is it used for beside, I assume, a place for useless information that is better off placed into a README file of some kind? It is utter waste in the database. And since it is filled with such utter nonsense it is ripe for hacking!

  11. Jingan Eugen
    Posted 8 years ago #

    Check this: http://www.bloggerguide.net/blog-platform/wordpress/wordpress-exploit-giving-backlinks-redirects-and-headaches-but-no-visitors/

    There is written what to do in case of this kind of attack.
    Searching for more and will post when will find something.

  12. Sebbi
    Posted 7 years ago #

    I know this thread is old like in really old, but my 2.7. install of WordPress got hacked in a simliar way (active_plugins option referencing a encrypted php-file in my plugin-folder). I then checked if other blogs on my server got hacked and well, they all had the same problem.

Topic Closed

This topic has been closed to new replies.

About this Topic