Malware on my website
I have been told my website is affected by Malware and in fact when I Google my site, a notice is below my URL saying that the site could be dangerous. What do I do?
This is my site: http://theaffordablewardrobe.com/Suzanne
However, you probably shouldn’t go into it if it’s so dangerous. How could it have got infected?
I checked for Malware and none was found but I have been blacklisted. How do I sort that?
Seems like you were hit with the TimThumb vulnerability. Sorry, but you’re going to have some work to do to resolve it.
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
http://codex.wordpress.org/Hardening_WordPress
How do you know that is the case?
I’ve just updated my WordPress version and also my theme but I guess it will need more work than that. I’m off to bed now – it’s after 11pm here in New Zealand but tomorrow I will look at those links and see what I have to do. Thanks for your help.
Yeah, you may have to replace a few standard WordPress files. And delete a few others.
If you have any of these files they can be safely removed as they are not standard WordPress files.
The latest hack could also create the following files:
/wp-admin/common.php
/wp-admin/upd.php
/wp-admin/js/config.php
/wp-content/2b64c2f19d868305aa8bbc2d72902cc5.php (or similar)
/wp-content/themes/[theme’s name]/temp/eab9c5e9815adc4c40a6557495eed6d3.php (or similar)
/wp-content/upd.php
Possibly also (there should be no php files in your uploads folder(s)):
/wp-content/uploads/feed-file.php
/wp-content/uploads/feed-files.php
/wp-content/themes/[theme’s name]/wp.php
/wp-content/themes/[theme’s name]/sm3.php
/wp-content/themes/[theme’s name]/r1.php
/wp-content/themes/[theme’s name]/2.php
You’ll need to inspect your root .htaccess file.
It may have a bunch of white space then at the end of the file there could be some redirects.
The sucuri scanner is not revealing anything about your site.
These four standard WordPress files need to be inspected:
**NOTE** wp-config.php has vital information for the operation of your site, backup all pertinent information.
/wp-config.php
/wp-settings.php
/wp-includes/js/l10n.js
/wp-includes/js/jquery/jquery.js
Wow, that will take a bit of inspection and I will do it tomorrow. I really am off to bed now. I will post tomorrow night after work how I get on after I’ve looked for those files.
DO NOT give total strangers your information! Posts by dev222 have been removed. UNLESS you have hired someone, NEVER give out password/ID info. That’s just so insecure it’s not funny.
Suzanneper – If you’ve been impacted by the TimThumb hack, you need to do something hard core and you won’t like it.
1) Backup all your files and your database offline
2) Delete ALL the WordPress files off your server except for wp-config.php, .htaccess and the folder /wp-content/uploads
3) Review wp-config.php and .htaccess for ANYTHING that looks out of the ordinary. Any redirects to external sites, etc.
4) Change ALL your passwords. FTP/SSH, email and SQL. Especially the one you used in wp-config.php
5) Get fresh copies of WordPress core, all your themes and plugins, and upload them back to your server.
6) Change your WORDPRESS password.
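A read-only check for the leftover files and the .htaccess pattern described in the replies above, as an added example that is not part of the original thread. The function names, output tags, the 32-hex-character reading of "or similar", the 20-blank-line threshold and the sample tree are assumptions made for this illustration:

```shell
#!/usr/bin/env bash
# Read-only audit of a WordPress tree for the leftovers named in this thread.
# Prints one finding per line and changes nothing on disk.

# Paths and theme file names copied from the thread's list.
KNOWN_PATHS="wp-admin/common.php wp-admin/upd.php wp-admin/js/config.php wp-content/upd.php"
THEME_NAMES="wp.php sm3.php r1.php 2.php"

# Prefix each path read on stdin with a tag ($1), relative to the root ($2).
tag() { while IFS= read -r f; do echo "$1 ${f#"$2"/}"; done; }

wp_audit() {
    local root="${1%/}" p n f
    for p in $KNOWN_PATHS; do
        if [ -f "$root/$p" ]; then echo "KNOWN $p"; fi
    done
    for n in $THEME_NAMES; do
        for f in "$root"/wp-content/themes/*/"$n"; do
            if [ -f "$f" ]; then echo "KNOWN ${f#"$root"/}"; fi
        done
    done
    # Assumption: "or similar" means a 32-hex-character name ending in .php.
    find "$root/wp-content" -type f -name '*.php' 2>/dev/null |
        grep -E '/[0-9a-f]{32}\.php$' | tag HASHNAME "$root"
    # No PHP file belongs anywhere under uploads.
    find "$root/wp-content/uploads" -type f -iname '*.php' 2>/dev/null |
        tag UPLOADS_PHP "$root"
    # Rewrite/redirect directives that follow a long run of blank lines
    # (the threshold of 20 lines is an assumed value; tune as needed).
    if [ -f "$root/.htaccess" ]; then
        awk '/^[ \t\r]*$/ { if (++blank >= 20) gap = 1; next }
             { blank = 0 }
             gap && tolower($0) ~ /rewrite|redirect/ { print "HTACCESS_TAIL line " NR ": " $0 }
            ' "$root/.htaccess"
    fi
    return 0
}

# Constructed sample tree so the audit can be tried offline: demo_tree DIR
demo_tree() {
    mkdir -p "$1/wp-admin" "$1/wp-content/uploads/2011" "$1/wp-content/themes/mytheme/temp"
    touch "$1/wp-admin/index.php" "$1/wp-admin/upd.php" "$1/wp-content/themes/mytheme/sm3.php"
    touch "$1/wp-content/themes/mytheme/temp/0123456789abcdef0123456789abcdef.php"
    touch "$1/wp-content/uploads/2011/feed-file.php" "$1/wp-content/uploads/2011/photo.jpg"
    { echo '# BEGIN WordPress'; echo 'RewriteEngine On'; printf '\n%.0s' $(seq 25)
      echo 'RewriteRule ^(.*)$ http://example.invalid/ [R=301,L]'; } > "$1/.htaccess"
}
```

Run it as `wp_audit /path/to/wordpress` against a copy of the site or the backup from step 1; a clean result only means these particular leftovers are absent, so the fresh reinstall in steps 2 to 5 still applies.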
I didn’t give dev222 any information.
What you have told me is double dutch so it will take a bit of figuring out. Before I try to do all that, how do I make sure I have been impacted by the Tim Thumb hack?
Check your site on http://sitecheck.sucuri.net/scanner/
It says Google’s black listing you with the following info: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=theaffordablewardrobe.com
That counter-wordpress link? IS one of the URLS used by the timthumb hackers. So yes, you’ve been hit.
(and I suspect you had not given dev222 any info, but best to be safer than sorry-er)
Thanks so much for your help. I was thinking of abandoning the blog as it is only about 4 or 5 months old and I could start a new one. That would solve the problem, wouldn’t it? I know I would lose all my followers etc. but I have probably lost them anyway with this issue. What do you think?
I have discovered this code on my site. It looks kind of out of place:
/* Son of Suckerfish – what makes it tick */
#nav, #nav ul {
padding: 0;
margin: 0;
list-style: none;
z-index: 100;
}
Can anyone tell me if that should be there? It’s the only strange thing I can see.
The topic ‘Malware on my website’ is closed to new replies.