Site hacked, need help!

  • I noticed traffic dry up on my website and my site no longer ranking for any of the things it used to be #1 for on Google. I logged into Google webmaster tools and noticed that “what googlebot sees” was all spam words like Viagra and Levitra. I looked at the Google cached versions of my page and noticed a hidden div at the bottom of the cached page.

    It appears my website was hacked similar to what this article describes
    http://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/

    But I can’t understand anything on that page, half is in broken English and the other half is in geek! What do I need to do to fix this?? And how do these guys even get files onto my web server?? Someone please help!

Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    There really should be a form letter response for this topic…

    Read this

    Did your WordPress site get hacked?

    And then read it again.

    Read this too

    http://codex.wordpress.org/Hardening_WordPress

    Upgrade to the latest version if you have not already. You need to see if there are any users added to WordPress that you don’t know about/don’t belong there.

    You need to go through your files and find where the spammy links are being added. If it’s in wp-config.php or some other file, you’ll need to make sure that is cleaned up before you can consider yourself good file wise. Look everywhere and use fresh copies of your WordPress installation, plugins, and themes.

    Look at your posts and comments and see if there are any spammy links there. You can export your whole blog to WXR and then examine the whole thing in your favorite text editor.

    Once you have cleaned up your hacked blog, harden it so this does not happen again.

    Good luck.

    > There really should be a form letter response for this topic…

    Agreed.

    Hi, thanks for the response. I had already read that first page and reread it. Also had already upgraded to the latest version but that didn’t really help. I don’t have any suspicious users in my user list either.

    I did find where the spammy stuff is, in following the advice from your first link I noticed in my database there were two entries in the active plugins that I did not add, they looked like the following:
    ;i:1;s:37:"podpress/players/xspf_player_slim.old";i:2;s:14:"wp-flv.php.bak";i:3;s:29:"

    I found those files in my plugins directory and renamed the podpress folder and that made the spam links not output anymore on my site.

    I don’t have any problems with comment spam at the moment. I’m not really sure how to proceed in cleaning up the files on my site since I’m not 100% sure what all the files do. Can I just delete things from my plugins directory that I didn’t put there myself?? I tried opening the wp-flv.php.bak file and just deleting the contents of what was inside and that took down my site, also renaming that file takes down my site so apparently somewhere that file is being called and needs to be there…
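Added example, not part of the original posts: a check of the `active_plugins` value for entries like the two quoted above. The function names are hypothetical, the sample value is constructed around the two entries from the post, and the rule that a legitimate entry is a plugin main file ending in `.php` is an assumption of this example.

```python
import re

# Constructed sample of the "active_plugins" option: a PHP-serialized array.
# Entries 1 and 2 are the two quoted in the post; 0 and 3 are made-up normal ones.
SAMPLE = (
    'a:4:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:37:"podpress/players/xspf_player_slim.old";'
    'i:2;s:14:"wp-flv.php.bak";'
    'i:3;s:21:"podpress/podpress.php";}'
)

ENTRY = re.compile(rb'i:\d+;s:(\d+):"')

def parse_active_plugins(serialized):
    """Return the plugin paths stored in a serialized active_plugins value."""
    data = serialized.encode("utf-8")          # PHP string lengths count bytes
    head = re.match(rb'a:(\d+):\{', data)
    if not head:
        raise ValueError("not a serialized array")
    pos, entries = head.end(), []
    for _ in range(int(head.group(1))):
        m = ENTRY.match(data, pos)
        if not m:
            raise ValueError("malformed entry at byte %d" % pos)
        start = m.end()
        end = start + int(m.group(1))
        if data[end:end + 2] != b'";':         # declared length must match the content
            raise ValueError("length mismatch at byte %d" % start)
        entries.append(data[start:end].decode("utf-8"))
        pos = end + 2
    if data[pos:pos + 1] != b"}":
        raise ValueError("array not closed")
    return entries

def suspicious_entries(entries):
    """Flag entries that do not look like a plugin's main PHP file (assumed rule)."""
    flagged = []
    for path in entries:
        reasons = []
        if not path.endswith(".php"):
            reasons.append("not a .php plugin file")
        if path.startswith("/") or ".." in path.split("/"):
            reasons.append("path leaves the plugins directory")
        if reasons:
            flagged.append((path, reasons))
    return flagged

if __name__ == "__main__":
    for path, reasons in suspicious_entries(parse_active_plugins(SAMPLE)):
        print(path, "->", "; ".join(reasons))
```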

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    You are on 2.7? Try this. Make a list of all your active plugins. If it’s not active then don’t worry about it for now.

    Make a backup of all your files and then delete everything except wp-content/ and wp-config.php.

    Go into your wp-content/ and delete the plugins directory (no kidding, make a backup of your files first).

    Upload a fresh copy of WordPress 2.7 and overwrite anything that comes up.

    Log into your admin and go into the plugins page. It will complain about all your missing plugins and will mark them as de-activated. Just reload the page and that will go away.

    Now from the Plugins -> Add New download each of your active plugins and re-activate them one at a time. Downloading them this way will get fresh good copies.

    This will not fix anything in your database, in your themes, or any goofy PHP files uploaded in wp-content outside of the plugins directory. But if you are lucky this will eliminate the spammy links.

    Check the HTML your blog generates and your RSS feeds for spammy links.

    Hi,
    Well the hackers hit me again so that didn’t help. Not sure what else I can do, I’m running the latest version of WordPress, my server passwords are all new, random, and complex… My only plan now is to download a fresh install of WP and run a script to tell me which files on my server are different than the fresh install to see if there’s any other files that are compromised.

    Other than that I’m out of ideas.

    > My only plan now is to download a fresh install of WP and run a script to tell me which files on my server are different than the fresh install to see if there’s any other files that are compromised

    and that’s the wrong plan. why are you spending time ‘picking’ through files that can be deleted straight away and uploaded fresh? shitcan the core wordpress files.

    you’re running 2.7? awesome. now look long and hard at your plugins.

    I’ve seen 20-30 hits directed at my own site today, all going after vulnerable plugins. none of which i use.

    I already deleted all the files and replaced them with fresh 2.7 files and still got hacked again. Which is why my only recourse is to wait like a sitting duck for my site to get hacked again and pick through the files to see what it is that is vulnerable that they are exploiting. I don’t even use any plugins on my site, that’s the crazy thing. I delete every file in the plugin folder, then a few weeks later I’ve got Akismet and super cache and weird .bak files in my plugin folder again (with the spammy links on the site).

    wapdesign, do you have your server logs available? if you don’t and still might like a hand getting to the bottom of this..

    email me — whoo AT mydomain, where mydomain == village-idiot.org

    Warp, I know this is an open door, but you never mentioned that you changed your WP username and password, but I’m sure you did. Same for FTP, control panel, database, etc.?

  • The topic ‘Site hacked, need help!’ is closed to new replies.