Recently Hacked? Quick fix here. (4 posts)

  1. icedearth213
    Posted 3 years ago #

    It seems this is a huge problem, possibly with old / outdated WP sites (automated hack?). I don't want to give the group more publicity, but their name includes the word 'Crows'.

    I am not sure of the vulnerability, but I've developed a 'routine' by fixing so many that I thought I would share.

    With what little expertise I have, it seems to be an old WordPress + character encoding vulnerability that adds encoded JavaScript to a custom text widget (and removes all your sidebars). Luckily this doesn't seem to be a very destructive hack. For that I'm thankful, lol.

    Fix it:

    1) Log in to your admin panel (you should be able to).
    2) Go to Settings -> Reading and change the character encoding to UTF-8 from UTF-7.
    3) Go to Settings and change your page title back to normal.
    4) Go to Appearance -> Widgets and delete their text widget.

    Get your old text widgets back:

    It seems all old sidebar widgets are deleted in place of their own custom text widget. If your site has some custom text widgets with HTML that you really don't feel like redoing, do this.

    1) Go to Google and type in your site's URL.
    2) Hover the > arrow next to the search result and click on the 'cached version'.
    3) View page source and copy the HTML that goes in your custom text widget, and recreate the custom text widget with the copied HTML.

    From here you should have your website in the same condition it was before you got hacked.

    Back up and update your site:

    After this, I would back up your database (cPanel, phpMyAdmin), and zip your entire site, should an update break anything in your current site/theme/plugin files.

    I'm not sure if being up-to-date will prevent you from being hacked again, but it's the best prevention you can do.

    Hopefully this can help someone else!

  2. The Hack Repair Guy
    Posted 3 years ago #

    These are reasonable tips.
    Though about 90% of the sites I've seen with a similar hack have likewise included back door scripts hiding in the background.

    So while the above may be helpful, it's imperative someone review "every file" hosted within the account for malware, base64 coding, etc.

    If the back door script remains after fixing the "symptoms" you describe, then no amount of scrubbing off the scum will prevent the hacker from returning and doing what they do.

  3. bikermanirl
    Posted 3 years ago #

    I had a load of my WordPress sites, including unused standard installations, hacked on my dedicated server.

    The hack was exactly like that one.

    No files were altered and everything was done at the database level.

    I can't find anything wrong and am worried it will happen again.

    Does anyone have any info on what causes (either in the server config or WordPress config) this attack and how to prevent it?

  4. WPyogi
    Forum Moderator
    Posted 3 years ago #

Topic Closed

This topic has been closed to new replies.
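
The symptoms reported in this thread (character encoding switched to UTF-7, a changed title, an injected text widget replacing the sidebar widgets, changes made only at the database level) can be checked against four rows of the `wp_options` table. The following is an added example, not code from any poster: it assumes those rows have been exported into a dict, the function name and sample values are constructed, and the "only text widgets remain" check is a heuristic.

```python
import re

# Rows to export first (default "wp_" table prefix assumed):
#   SELECT option_name, option_value FROM wp_options WHERE option_name IN
#   ('blog_charset', 'blogname', 'widget_text', 'sidebars_widgets');

# "<script" either literally or with "<" written in UTF-7 ("+ADw-").
SCRIPT_MARKER = re.compile(r"(?:<|\+ADw-)\s*script", re.IGNORECASE)
# Widget ids inside the PHP-serialized sidebars_widgets value, e.g. "text-2".
WIDGET_ID = re.compile(r'i:\d+;s:\d+:"([a-z0-9_-]+)-\d+"')


def triage_options(options, expected_title=None):
    """Return [(option_name, reason)] for values matching the thread's symptoms."""
    findings = []
    charset = options.get("blog_charset", "")
    if charset.strip().upper() != "UTF-8":
        findings.append(("blog_charset", f"site charset is {charset!r}"))
    title = options.get("blogname", "")
    if expected_title is not None and title != expected_title:
        findings.append(("blogname", f"title is {title!r}"))
    if SCRIPT_MARKER.search(options.get("widget_text", "")):
        findings.append(("widget_text", "script tag stored in a text widget"))
    ids = WIDGET_ID.findall(options.get("sidebars_widgets", ""))
    if ids and all(name == "text" for name in ids):
        findings.append(("sidebars_widgets", "only text widgets remain"))
    return findings


# Constructed sample rows (serialized length prefixes are not validated).
SAMPLE_SUSPECT = {
    "blog_charset": "UTF-7",
    "blogname": "constructed defaced title",
    "sidebars_widgets": 'a:2:{s:9:"sidebar-1";a:1:{i:0;s:6:"text-2";}s:13:"array_version";i:3;}',
    "widget_text": 'a:1:{i:2;a:2:{s:5:"title";s:0:"";s:4:"text";s:45:"+ADw-script+AD4-/* placeholder */+ADw-/script+AD4-";}}',
}
SAMPLE_CLEAN = {
    "blog_charset": "UTF-8",
    "blogname": "My Site",
    "sidebars_widgets": 'a:2:{s:9:"sidebar-1";a:2:{i:0;s:8:"search-2";i:1;s:6:"text-3";}s:13:"array_version";i:3;}',
    "widget_text": 'a:1:{i:3;a:2:{s:5:"title";s:5:"About";s:4:"text";s:19:"<p>Hello there.</p>";}}',
}

if __name__ == "__main__":
    for name, reason in triage_options(SAMPLE_SUSPECT, expected_title="My Site"):
        print(f"{name}: {reason}")
```

A text widget that legitimately embeds a script will also be reported, so treat each finding as a prompt for manual review rather than proof of compromise.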
