WordPress.org

Support

Site Hacked

  • Back in December 2011 one of my WordPress blogs was hacked. Stupidly I had not made a backup of the database but it wasn’t a big site and I had a copy of all of the post content.

    When I reported this to my host (Mochahost.com) they were adament that it was not a problem with the server and that my WordPress installation must have been out of date. I was sure it was up to date but I left it at that. I re-entered all of the content manually.

    This week end (so 4 months later) the same blog was hacked again and was displaying a similar message from the hacker, complete with all the usual cliches (a skull, typoz, greetz, etc.) This time I am 100% sure it was up to date because I had set a reminder in Outlook to check every week, and there had not been a new version since January. All of the plugins were up to date as well.

    Again, my host insists it is caused by WordPress. However I find this hard to believe because I had 14 WordPress installations with various different ISPs and none of the others have ever been hacked.

    Should I be looking at ditching them or are they right to blame WordPress apparently without doing any investigation?

Viewing 14 replies - 1 through 14 (of 14 total)
  • esmi

    @esmi

    Forum Moderator

    I think so – I deleted everything in the www root and created a new database.

    esmi

    @esmi

    Forum Moderator

    In that case, it does look like it’s a host problem. Sounds like the server is insecure for one reason or another. Maybe it is time to start looking for another host.

    Hi,
    Is your site still showing as hacked now, or do you feel you’ve managed to get the situation under control?

    I deleted all of the files and uploaded a clean copy of WordPress 3.3.1. I am using the same database though. All of my content is available again but I still need to set the theme up again and get the plugins working again.

    Check out the wp-config.php file at the root installation of your wordpress, navigate to the end of the settings, check out the last line and see if there are many white lines afterward, if you did, then go and check the rest till the end, you will find some strange code being appended, and you will have around 4k lines in this file, check it out and get back to me.

    wp-config is only 3kB, 91 lines. The final line is:

    /** Sets up WordPress vars and included files. */
    require_once(ABSPATH . ‘wp-settings.php’);

    no i meant 4000 lines, check out if there is empty space (many lines)after it.

    It’s definitely only 91 lines. There is one blank line after the final line. I do appreciate your help though!

    Thanks but don’t even mention it.
    Ok, check all your word-press plugins directories for the following files:

    wp-ajax-gadget.php
    zipper-class.php

    Please tell me, if you have any of these.

    All I have is the default plugins now – did you see that I deleted everything and uploaded a fresh copy of WordPress?

    Yeah, I can
    What I am asking about is a hack that stores itself in your database and not your installation files, no wonder, re-installing for million times won’t work.
    However, if looking for these files inside your plugins folder, is a big issue, then forget it and forgive me.
    Thanks.
    Regards

    I didn’t mean to sound ungrateful! In answer, no there is no wp-ajax-gadget.php or wp-ajax-gadget.php in the plugins directory.

    No problem

    Check out all your directories for names like:

    .akismet.db
    .akistment.cache

    any files or folders starting with a period “.” in the plugins and wp-includes and wp-admin.

    Before, deciding whether it’s a service provider or WordPress issue. Remember that all the plugins we install can be from experienced or inexperienced, aren’t they a possible backdoor?. Isn’t plugins the reason, wordpress.com was never breached? Right?. So, before we jump to any conclusions, there is a new suspect: not WORDPRESS but WORDPRESS PLUGINS. So, please be patiient, because a proper diagnosis is needed prior to any action that might be costly.

Viewing 14 replies - 1 through 14 (of 14 total)
  • The topic ‘Site Hacked’ is closed to new replies.