Support » Fixing WordPress » Several of my blogs have been hacked

  • Just about all my blogs have been hacked. Can anyone help me so this doesn’t happen again? I have the virus code in a .txt if anyone one is interested. Any help is appreciated…

Viewing 11 replies - 1 through 11 (of 11 total)
  • this one of many WordPress sites that I found with the beginning code of <?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = and of course it continues. I fixed the majority of them and installed BulletProof Security. Anyone experienced this and can offer any help?

    the same thing happened to me. Here’s what happened and what I did to (hopefully) resolve:

    my site was hanging, it would show the header and then hourglass for a while, then after a long while (45 seconds or so) show the rest of the site. I eventually found that many of my theme’s php pages (header.php, footer.php, index.php) had weird text blocks appended to them, beginning with

    [Code moderated as per the Forum Rules. Please use the pastebin]

    and being hundreds of lines long. I started deleting that text and found the problem did not go away. I ftp’ed into my site and found that it was everywhere, not just in my wordpress directory but out in folders all over my site: in every theme folder (I had about 8), and in random php files from old versions of my site. I tried deleting the lines manually but realized there were way too many to do in a reasonable amount of time. Googling found different accounts of this same thing, and some had their .htaccess files hacked as well but mine was normal.

    Luckily my host has a 30 day backup/restore and I restored back to a previous version that was problem free, and therefore didnt have to go in and manually clean up my site. This was of both the static pages in my site and also the databases.

    FTP logs showed repeated failed ftp access attempts during the night before I found my site slow, so it appears they ftp’ed in. Since they were in directories that were not part of worddpress, I am guessing it was not a wordpress attack but an ftp password attack. I don’t know that for sure though.

    Before I found the malicious text it was very hard to figure out what was going on because everything was hanging, even my backup site in a different directory. That made me think it was a server, software, or networking issue with my host and I wasted a lot of time trying to prove that out.

    At the time of the hack, my wordpress was fully up to date but I did have some out of date plugins. I won’t list them since I dont think they were the culprits. My passwords were slightly complex, but words only with no numbers or symbols. After restoring I changed all of my passwords (the sitehost admin panel, wordpress, ftp) to crazy long complicated ones. I have been ok since then and if something else happens I will update.

    one more thing, I am still not sure what exactly that code was up to, I googled around but never found a definitive answer. It wasn’t installing malware when I was clicking around my site. I am curious about what it was doing.

    Just this week the weird code thing happened to my theme template files and rendered 4 of my sites unable to display. I went on my server and narrowed it down to tdo mini forms, had to rename it to get my sites back. IThen I simply reinstalled all 4 themes and any customizations from backup

    tdo mini forms is, or was untill recently, a faily popular plugin, and was recently dropped from the wp repoitory because the author could no longer support it. (I was devistated, love that plug) I’ve since found a recent article where the author of tdo mini forms says that the plugin is now exploitable if made publicly availabale on your site, and doesn’t reccomend using it. I was stunned, it couldn’t have been more than 6 months ago that I was on the tdo mini forms forum, had no idea it was no longer updated. Anyway, since many people were using the plugin I thought I’d mention this.

    was the code in directories other than the mini forms? Or outside of your wordpress directory?

    @ toastmasterflash. You mentioned that it seems as though they may have ftp’d in. Are you by chance with DreamHost?

    no. Site 5.

    @ toastmasterflash. Cool. DreamHost announced it was recently compromised this way.

    oops, the code sample was removed, so here it is in pastebin:

    I had the rough code in all themes that were using tdo mini forms, 4 wp sites. However, I did have one site wp site with the issue as well, but tdo wasn’t installed. Did the ussual plugin deactivate-reactivate, and when I renamed another old plugin called “PHP Widget” I got the site back. When I reactivated it again, no site. So I’m pretty sure it was ths culprit. not sure what the realationship is, if any. The rouge code was identical in both cases.

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘Several of my blogs have been hacked’ is closed to new replies.