Site hacked multiple times

  • I have a multisite installed on HostGator.

    Twice in the past month the site has been hacked. Below is the info from HostGator on the latest hack this week.

    One thing I note is the last line. It shows an install of an old version of WordPress in the public_html folder that I did not create. That’s where all the hacks are.

    I read that the www folder is just a shortcut to the public_html folder. If so, how can the www folder have the current version of WordPress and the public_html folder have an OLDER version?

    Help?

    Also, in case it’s helpful, I have been removing a bunch of files added to the root directory of my site that forward to porn or meds sites. I’m also finding a number of files that have only this in them:

    Linux10+cfcd208495d565ef66e7dff9f98764da

    What are these files and should they also be deleted?

    Thanks.

    Hello,

    We have received complaints of malware on your site as referenced below, and upon inspection we found that malware had indeed been injected into your account. The vast majority of injections are done by malicious users who have found exploits in scripts previously (and legitimately) installed on the account. We have taken the below actions to prevent further malicious activities. Please make sure to update your password, and to update all the scripts/plugins on your account to the latest version.

    The following files were removed from your account:
    removed `/home/popcred/public_html/T5login.php’
    removed `/home/popcred/public_html/seo2b5.php’
    removed `/home/popcred/public_html/functoins.php’
    removed `/home/popcred/public_html/welcome.php’
    removed `/home/popcred/public_html/tracking.php’
    removed `/home/popcred/public_html/g0config.php’
    removed `/home/popcred/public_html/xmlrpcbYX.php’
    removed `/home/popcred/public_html/wp-content/plugins/forums/css/style/r.php’
    removed `/home/popcred/public_html/Dxmlrpc.php’
    removed `/home/popcred/public_html/dlogoff.php’
    removed `/home/popcred/public_html/xmlrpcGGm.php’
    removed `/home/popcred/public_html/xmlrpcoMWT.php’
    removed `/home/popcred/public_html/6Klogoff.php’
    removed `/home/popcred/public_html/hthemes.php’
    removed `/home/popcred/public_html/NRbanner.php’
    removed `/home/popcred/public_html/kmain.php’
    removed `/home/popcred/public_html/banneri5TE.php’
    removed `/home/popcred/public_html/wp-xml.php’
    removed `/home/popcred/public_html/popupP6ZV.php’
    removed `/home/popcred/public_html/4info.php’
    removed `/home/popcred/public_html/cookieVqq.php’
    removed `/home/popcred/public_html/Qklogin.php’

    The files were able to be uploaded to the account via an exploit in one of your scripts:
    /usr/local/apache/domlogs/_wildcard_.popcred.net: 78.85.18.135 - - [24/Oct/2012:14:19:33 -0500] "POST /wp-content/themes/deep-blue/megaframe/megapanel/inc/upload.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

    Please update the following software as newer versions contain fixes to many security and performance flaws:
    Vulnerable Applications:
    ========================================
    Wordpress :: 2.5.1 :: /home/popcred/public_html/data
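
Added example, not part of the original post or of the host's report: a log check that looks for the pattern in the access-log entry quoted above, a successful POST to a PHP script inside `wp-content`, and notes when the request claims a search-crawler User-Agent. The function names, the crawler list and the second and third sample lines are assumptions made for illustration.

```python
import re

# Apache "combined" format; search() tolerates the "<logfile>: " prefix seen in the report.
LINE_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# PHP scripts inside theme/plugin/upload directories are not normal POST targets.
CONTENT_PHP = re.compile(r'^/wp-content/(?:themes|plugins|uploads)/.+\.php(?:\?|$)', re.I)
CRAWLER_UA = re.compile(r'googlebot|bingbot', re.I)  # assumed list, extend as needed

def normalise(line):
    """Undo the typographic quotes and dashes that forum or mail software adds to pasted logs."""
    return line.replace('\u201c', '"').replace('\u201d', '"').replace('\u2013', '-')

def suspicious_posts(lines):
    """Return one finding per successful (2xx) POST to a PHP file under wp-content."""
    findings = []
    for raw in lines:
        m = LINE_RE.search(normalise(raw))
        if not m or m['method'] != 'POST':
            continue
        if not m['status'].startswith('2') or not CONTENT_PHP.match(m['path']):
            continue
        findings.append({
            'ip': m['ip'], 'time': m['ts'], 'path': m['path'],
            # Heuristic only: a crawler User-Agent on a POST to such a script is likely spoofed.
            'crawler_ua_on_post': bool(CRAWLER_UA.search(m['ua'])),
        })
    return findings

# First line is the entry from the host's e-mail; the other two are constructed.
SAMPLE = [
    '/usr/local/apache/domlogs/_wildcard_.popcred.net: 78.85.18.135 - - [24/Oct/2012:14:19:33 -0500] "POST /wp-content/themes/deep-blue/megaframe/megapanel/inc/upload.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [24/Oct/2012:14:20:01 -0500] "GET /wp-content/themes/deep-blue/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Oct/2012:14:21:10 -0500] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for finding in suspicious_posts(SAMPLE):
        print(finding)
```

Run over the full domlog rather than a single line, the findings give the request times to compare with the modification times of the files being cleaned up.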

  • The topic ‘Site hacked multiple times’ is closed to new replies.