Site hacked… help!

  • So my site was hacked, at hawkeanddove.com.

    For fun, someone put up an Italian postage or banking site.

    I’m trying to log in, and even after I’ve changed my admin name and password via the php database, whenever I try to log in I never see the dashboard, only the following, on a white background:

    moderated

    The address bar never changes either, but still shows “http://www.hawkeanddove.com/wp-login.”
    I’ve tried upgrading to the latest version of WP via my hosting control panel, but it still doesn’t make a difference. What can I do to get back in to my blog and delete the offending site? Any help? Anything I can do via phpmyadmin?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Nice site and you can still see it via

    http://hawkeanddove.com/index.php

    Your login page is http://hawkeanddove.com/wp-login.php see if that still works.

    Edit: Scratch that, you are not seeing the dashboard correctly. Skip to the hacked part of my response.

    You’ve a lot of reading ahead of you. Start with seeing if you can get your install working.

    Back up all of your files (if you had a good backup you would be able to rename your WordPress directory and just restore the whole works…)

    http://codex.wordpress.org/WordPress_Backups

    http://codex.wordpress.org/Backing_Up_Your_Database
    http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Change your passwords; someone put a file or files on your installation. That could have happened via a password compromise or WordPress/plugin hack since your site is not maintained and out of date.

    Once you have your files and database backed up and safe, look in your directory for index.html. Delete any index.html files and you should be good for now.

    If it comes back then read all of this:

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    This is a good explanation of cleaning your database.

    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    Once you’re good, read up on upgrading your version of WordPress. You are running version 2.1 and that’s not a safe thing to do. You’ll leave yourself vulnerable to more hacking.

    http://codex.wordpress.org/Upgrading_WordPress_Extended

    Good luck.

    Moderated above blockquote based on http://wordpress.org/support/topic/337562

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Was wondering where that thread went.

    Moderating a cutting and pasting of goofy hacked output is probably a good idea…

    It looks like they have just added an index.html into the site, so you can still see that WordPress is installed here: http://hawkeanddove.com/index.php

    Log into your control panel and delete index.html. Look for any other suspicious files too — if they can add an index.html they could have added anything else too.

    Thread Starter mjfaulkner

    (@mjfaulkner)

    Wow. I’m overwhelmed by the help, advice and support in this community.

    I’ve backed up the database using phpmyadmin (at least I think I did… I got an “.sql” file to download, though I had requested a .zip). I then backed up the site files. Then I went in and changed passwords for all admin users and deleted a suspicious user named “Google.” As far as I’m aware, despite all of their webcrawling, Google has not yet made it a practice to go around and register as a user on blogs. =-)

    I’m still getting the goofy hacked output when I try to log in, so I can NOT access my dashboard, nor can my other users with admin accounts. So the hacker obviously modified some code somewhere.

    Please advise on my next step. Is it:
    A) Upgrade of WP Install via my host’s back-end?
    B) CLEAN install of WP (assuming my database backup is complete)?
    C) Searching the database for odd code?

    Thanks.

    Thread Starter mjfaulkner

    (@mjfaulkner)

    Oh, and if Option C is the next step, any ideas from the super-coders on here on where to find the code that is interfering with log-in?

    Peace.

    Thread Starter mjfaulkner

    (@mjfaulkner)

    There’s a file I don’t recognize in my directory called “codice.php” and a .tgz companion. Is that supposed to be there? Am I safe deleting it?

    Thread Starter mjfaulkner

    (@mjfaulkner)

    In fact, here’s a list of all the odd files in my directory:

    1. Directory named simply, “r”
    2. Aforementioned “codice.php” and “codice.tgz”
    3. “m.php”
    4. “php.ini”

    And that appears to be it for the main directory.

    I’m not liable to infect my computer by viewing .php files locally, am I?
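
As an added example (not part of the original thread or any poster's code): one way to find planted or altered files like those listed above is to hash the live install against a freshly unpacked copy of the same WordPress version. The skip list, the function names and the sample trees are constructed assumptions for illustration.

```python
import hashlib
import os
import tempfile

# Paths that legitimately differ from a pristine download (assumption).
SKIP_PREFIXES = ("wp-content/uploads/",)
SKIP_FILES = {"wp-config.php", ".htaccess"}

def file_hashes(root):
    """Map each relative file path under root to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_install(live_root, clean_root):
    """Return (extra, modified) relative paths in live_root vs. clean_root."""
    live, clean = file_hashes(live_root), file_hashes(clean_root)
    extra, modified = [], []
    for rel, digest in sorted(live.items()):
        if rel in SKIP_FILES or rel.startswith(SKIP_PREFIXES):
            continue
        if rel not in clean:
            extra.append(rel)       # planted file, e.g. index.html
        elif clean[rel] != digest:
            modified.append(rel)    # core file changed in place
    return extra, modified

def build_demo():
    """Constructed sample trees: a clean copy and a tampered live copy."""
    base = tempfile.mkdtemp()
    core = {"index.php": "<?php // front", "wp-login.php": "<?php // login"}
    live_only = {"index.html": "<html>defaced</html>", "codice.php": "<?php",
                 "m.php": "<?php", "php.ini": "", "r/x.txt": "",
                 "wp-config.php": "<?php // site settings"}
    for tree, files in (("clean", core), ("live", {**core, **live_only})):
        for rel, body in files.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    # Simulate a core file altered in place on the live copy (constructed).
    with open(os.path.join(base, "live", "wp-login.php"), "a") as fh:
        fh.write("\n// injected")
    return os.path.join(base, "live"), os.path.join(base, "clean")

if __name__ == "__main__":
    extra, modified = compare_install(*build_demo())
    print("Not in clean copy:", extra)
    print("Differs from clean copy:", modified)
```

Pointed at a downloaded backup of the site files and an unpacked archive of the matching WordPress release, both lists are candidates for manual review, not an automatic delete list.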
