Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Nice site and you can still see it via
http://hawkeanddove.com/index.php
Your login page is http://hawkeanddove.com/wp-login.php; see if that still works.
Edit: Scratch that, you are not seeing the dashboard correctly. Skip to the hacked part of my response.
You’ve a lot of reading ahead of you. Start with seeing if you can get your install working.
Back up all of your files (if you had a good backup you would be able to rename your WordPress directory and just restore the whole works…)
http://codex.wordpress.org/WordPress_Backups
http://codex.wordpress.org/Backing_Up_Your_Database
http://codex.wordpress.org/Restoring_Your_Database_From_Backup
Change your passwords; someone put a file or files on your installation. That could have happened via a password compromise or WordPress/plugin hack since your site is not maintained and out of date.
Once you have your files and database backed up and safe, look in your directory for index.html. Delete any index.html files and you should be good for now.
If it comes back then read all of this:
http://codex.wordpress.org/FAQ_My_site_was_hacked
This is a good explanation of cleaning your database.
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
Once you’re good, read up on upgrading your version of WordPress. You are running version 2.1 and that’s not a safe thing to do. You’ll leave yourself vulnerable to more hacking.
http://codex.wordpress.org/Upgrading_WordPress_Extended
Good luck.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Was wondering where that thread went.
Moderating a cutting and pasting of goofy hacked output is probably a good idea…
It looks like they have just added an index.html into the site, so you can still see that WordPress is installed here: http://hawkeanddove.com/index.php
Log into your control panel and delete index.html. Look for any other suspicious files too — if they can add an index.html they could have added anything else too.
Wow. I’m overwhelmed by the help, advice and support in this community.
I’ve backed up the database using phpmyadmin (at least I think I did… I got an “.sql” file to download, though I had requested a .zip). I then backed up the site files. Then I went in and changed passwords for all admin users and deleted a suspicious user named “Google.” As far as I’m aware, despite all of their webcrawling, Google has not yet made it a practice to go around and register as a user on blogs. =-)
I’m still getting the goofy hacked output when I try to log in, so I can NOT access my dashboard, nor can my other users with admin accounts. So the hacker obviously modified some code somewhere.
Please advise on my next step. Is it:
A) Upgrade of WP Install via my host’s back-end?
B) CLEAN install of WP (assuming my database backup is complete)?
C) Searching the database for odd code?
Thanks.
Oh, and if Option C is the next step, any ideas from the super-coders on here on where to find the code that is interfering with log-in?
Peace.
There’s a file I don’t recognize in my directory called “codice.php” and a .tgz companion. Is that supposed to be there? Am I safe deleting it?
In fact, here’s a list of all the odd files in my directory:
1. Directory named simply, “r”
2. Aforementioned “codice.php” and “codice.tgz”
3. “m.php”
4. “php.ini”
And that appears to be it for the main directory.
I’m not liable to infect my computer by viewing .php files locally, am I?
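The "look for any other suspicious files" check suggested earlier in the thread can be done by comparing the live directory against a freshly unpacked copy of the same WordPress release. This is an added example, not part of any post in the thread; the function names and both directory paths are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: compare a live WordPress directory with a clean, freshly
# unpacked copy of the SAME release. Function names are hypothetical and
# both directories are passed in by the caller.

# list_tree DIR -> sorted relative paths of every regular file under DIR
list_tree() {
    (cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort)
}

# unexpected_files LIVE CLEAN -> files in LIVE that the clean release lacks.
# wp-config.php and wp-content/ are site-specific, so they are filtered out
# here and still need a manual review.
unexpected_files() {
    live_list=$(mktemp)
    clean_list=$(mktemp)
    list_tree "$1" | sed -e '/^wp-config\.php$/d' -e '/^wp-content\//d' > "$live_list"
    list_tree "$2" > "$clean_list"
    # comm -23 prints lines that appear only in the first (live) list
    LC_ALL=C comm -23 "$live_list" "$clean_list"
    rm -f "$live_list" "$clean_list"
}

# modified_files LIVE CLEAN -> core files present in both trees whose
# contents differ from the clean release
modified_files() {
    list_tree "$2" | while IFS= read -r f; do
        [ -f "$1/$f" ] || continue
        cmp -s "$1/$f" "$2/$f" || printf '%s\n' "$f"
    done
}

# Usage, once the functions are loaded into the shell (paths are placeholders):
#   unexpected_files /path/to/live/site /path/to/clean/wordpress
#   modified_files   /path/to/live/site /path/to/clean/wordpress
```

Run it against the backup copy of the site files rather than the live site, and review anything it lists before deleting.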