Support » Fixing WordPress » I've been hijacked

  • Second time over the past year it has happened. It’s to use email for spam, deleted the email account and it went into loop mode and then my account was suspended for cpu usage. here are the files that caused the issue.

    Dear Bill,

    It has come to our attention that your account contains malicious content:

    4337 me 99.4 /home/me/public_html/rhmpanoorg/wp-includes/cek.php

    906 me 99.1 /home/me/public_html/rhmpanoorg/wp-includes/checker.php

    23316 me 99.1 /home/me/public_html/rhmpanoorg/wp-includes/cek.php

    The first number is the process number then it shows your user name and then the second number is the % of how much of the CPU your are using. The last is the 3 processes and the files that are using that much resources.

Viewing 6 replies - 1 through 6 (of 6 total)
  • I don’t believe either of those files would be native to the wordpress package.

    they are not, I posted this so anyone who cared to could check their folder for the same files.

    I see. Thank you!

    You should find out how those files got there. If you don’t close the security hole, you site will get reinfected again and again

    I would like to know, any suggestions on how I would do that?

    You might start by reviewing your access logs. Sometimes examining time stamps on corrupted files can give you an indicator as to the time frame you need to focus on. It sounds as if you already removed or altered the corrupted files, so that might no longer be as easy.

    Examine the workstations you use to log into your ftp account and your wordpress dashboard. Make sure they are malware and virus free. Credential stealing trojans are not unheard of. Either way, you might consider it time for some password changes.

    Examine your file and directory permissions for inappropriate settings. If you are on a shared server, do a little research into your hosting providers history in these matters, and consult their FAQ and support sections for proper permissions in a shared environment.

    Exploits can also take up residence in your database. If you suffered from a hack in the past, just removing corrupted files and upgrading platforms may not be enough.

    Examine your themes and plugins. Make sure they are up to date, are from trusted sources, and don’t utilize any obfuscation methods in their coding (at least none that you would not expect). Research any items that might be suspect for past known vulnerabilities, updates and security issues.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘I've been hijacked’ is closed to new replies.