Title: Index.php hacked
Last modified: August 22, 2016

---

# Index.php hacked

 *  [azda](https://wordpress.org/support/users/azda/)
 * (@azda)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/indexphp-hacked-3/)
 * Im assisting a friend resolve an issue . Basically when you search for his blog
   on google, the url appears as a url for a porn site.
 * The url on google appears as follows
 * <site name>/**?l217-gloryhole-mensroom-sex-video**
 * However when you do click on it, it does not take you to a porn site but to the
   correct page.
 * Since no redirection happens, I suspect this is just a malicuous attempt to get
   the site banned by google.
 * This issue only occurs when searches are done on on google, not other search 
   engines.
 * None of the other pages on the blog have hacking issues.
 * Any thoughts on how to resolve this.

Viewing 10 replies - 1 through 10 (of 10 total)

 *  [WPyogi](https://wordpress.org/support/users/wpyogi/)
 * (@wpyogi)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/indexphp-hacked-3/#post-5819585)
 * Sounds like a hacked site – see these:
 * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Additional Resources:
    [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 * [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)
 *  [wslade](https://wordpress.org/support/users/wslade/)
 * (@wslade)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/indexphp-hacked-3/#post-5819591)
 * You can prove if this is a hack. Copy the actual URL from Google, not the title
   and paste it here: [http://tools.seobook.com/server-header-checker/](http://tools.seobook.com/server-header-checker/)
   Then push Check Headers.
 * If the checker returns a 200 OK then that link is really on your friends site.
   You will see an image of the site as additional proof the link exists.
 *  Thread Starter [azda](https://wordpress.org/support/users/azda/)
 * (@azda)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/indexphp-hacked-3/#post-5819608)
 * [@wslade](https://wordpress.org/support/users/wslade/)
    It returned a 200 OK
 * However I have checked the file structure and the file does not exist in the 
   file structure.
 * I had already read through the links posted by WPyogi and tried the ideas there.
 * Does anyone have any thoughts how to find the infected file ?
 *  [wslade](https://wordpress.org/support/users/wslade/)
 * (@wslade)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/indexphp-hacked-3/#post-5819683)
 * You said that you read through and tried the links. Did you do anything?
 * Have you replaced all the the files in the WordPress core, except wp-contents
   and wp-config.php? Have you replaced the theme and all the plugins? Have you 
   checked the database to determine if it is free of malware?
 * Also, I’m curious as to why you used index.php hacked as the title for this post.
   Did you find malware in the index?
 *  Thread Starter [azda](https://wordpress.org/support/users/azda/)
 * (@azda)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/indexphp-hacked-3/#post-5819694)
 * @ wslade
    Thanks for your ideas, I will start by looking at how I can replace
   wordpress core except those two.
 * I appreciate any other ideas.
    Assume I know nothing about wordpress.
 * Is there any potential for corruption of the database?
 *  [wslade](https://wordpress.org/support/users/wslade/)
 * (@wslade)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/indexphp-hacked-3/#post-5819698)
 * Yes, there is the possibility that the database is involved, There are articles
   in WPyogi’s post about the cleaning a database. I suggest you repair the files
   first before going to the database.
 * The hack likely added files that were not previously there and modified files
   there were there. The bad files can be anywhere in the WordPress core, theme 
   or plugins. I would start with downloading everything in the public_html directory
   to your PC for safekeeping.
 * Then delete everything but the files I mentioned earlier and replace them with
   new ones. It sounds like a lot but the whole process doesn’t take long. Following
   the steps in one of the posts above and using FTP is the only skill needed.
 * You didn’t answer my question about why you chose to title the post index.php
   hack?
 *  Thread Starter [azda](https://wordpress.org/support/users/azda/)
 * (@azda)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/indexphp-hacked-3/#post-5819915)
 * Hi Wslade
 * I chose the title because only the main page (index page) manifests this porn
   url when searched on google.
    When you do a google search for the other pages,
   the url of those pages is not affected Also, this problem is only specific to
   google. The other search engines do not manifest the porn url
 * I am working through this slowly as I have a fulltime job and part time student.
   Here is what we have done so far
 * 1. changed admin password
    2. Deleted all plugins and re-installed 3. Changed
   theme 4. Deleted wp-includes folder and replaced with latest folder from wordpress
   4.1.1 5. Deleted wp-admin folder and replaced 6. Replaced the files in the root
   folder with the ones from the latest wordpress install. (did not replace wp-config)
 * I have a question on step 6 above. There are some files that existent in our 
   current folder but do not exist in the wordpress install. There are
    a. .htaccess
   b. wp-register.php c. wp-pass.php d. wp-config.php.dnb.wss
 * Items a,b,c,d above do not have an equivalent in the latest wordpress istall.
   I am not sure if I should delete them.
 * Does anyone know why these would exist in our wordpress install but not in wordpress
   4.1.1?
 * I looked at wordpress backups from one year ago and all these files exist. Yet
   the hack only appeared 2 months ago.
 *  [wslade](https://wordpress.org/support/users/wslade/)
 * (@wslade)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/indexphp-hacked-3/#post-5819917)
 * Download the four files to a folder on your PC marked malware. Then delete them
   from your server. .htaccess, wp-register.php, wp-pass.php are all probably OK.
   The wp-config.php.dnb.wss is probably malware.
 * Your WordPress should regenerate a new .htaccass. If it doesn’t get recreated
   or if your site has issues, look at the file for malware.
 *  Thread Starter [azda](https://wordpress.org/support/users/azda/)
 * (@azda)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/indexphp-hacked-3/#post-5819936)
 * This has proven a really tough nut to crack. I deleted all those files above 
   including .htaccess which I replaced with an older version from a year ago.
 * I have gone through the various issues proposed in the sites above including 
   trying to use site scanners like sucuri.
 * The only possibility now is the database or the wp-contents folder.
    Any thoughts
   on what else I can do?
 *  [wslade](https://wordpress.org/support/users/wslade/)
 * (@wslade)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/indexphp-hacked-3/#post-5819937)
 * Only server side scanners will find the hard to find files and backdoors. If 
   you are not using the paid version of sucuri, you are not using a server side
   scanner.
 * I suggest you use Wordfence. Before you run a scan go to Wordfence > Options 
   > Scans to include > select ALL the boxes in this section – these setting are
   important and then scan.
 * If that doesn’t find anything then load WP Antivirus Site Protection (by SiteGuarding.
   com) and or Anti-Malware from GOTMLS.NET. The free versions both will do fine
   for you. One will nag for a donation and the other about upgrading to pro but
   both will still work. There is nothing to loose from loading both of these scanners.
 * Some of these will give you a little help with checking the database. All three
   will check wp-contents.
 * There is also the possibility you missed a file like those you removed. It can
   happen to anyone. I delete and reload new again if I still have issues. It’s 
   a lot faster to delete and reload than to look through all the files for one 
   or two bad ones.
 * Good luck.

Viewing 10 replies - 1 through 10 (of 10 total)

The topic ‘Index.php hacked’ is closed to new replies.

 * 10 replies
 * 3 participants
 * Last reply from: [wslade](https://wordpress.org/support/users/wslade/)
 * Last activity: [11 years, 1 month ago](https://wordpress.org/support/topic/indexphp-hacked-3/#post-5819937)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics