• My site has been subject to an SQL content injection attack, and I’ve managed to find the file causing the problems on the site. The wp-blog-header.php file is including content from ‘ms-postgres.php’ found in /wp-includes/. Removing the content from the file fixes the content injection on the pages, but removing the file itself gives me the white screen of death. I’ve put an empty file called ‘ms-postgres.php’ back on my site and it is working ok again. Is this ok or does it mean there are other malicious files on my site which need to be sorted?

    Thanks.

Viewing 2 replies - 1 through 2 (of 2 total)
  • It won’t help just putting a blank file there – you need to find the vulnerability and prevent it from happening again. I suggest installing Wordfence and running a scan – it will check your website against the WordPress repository and tell you which files have been hacked.

    Also install something that will stop brute-force attacks – there are a few plugins that do that – I use Jetpack’s security module – it’s great.

    You can normally see which files have been added or edited by checking the date they have been modified. If you have the log files for that date, you can search in the log files where it says ‘POST’ and that will tell you where attempts have been made from the outside. That should give an idea of what file they used to inject that code in the first place. Check those files that are mentioned in Google for the correct solutions and ways to fix and prevent them in the future – if they have done it to you, chances are you are one of many.

    Before you do anything though be sure to back your site up – if you can determine when the hack happened and install a previous version even better.

    Once you have cleaned the site make sure to change your database user and password as well as your normal WordPress login details. Good luck!
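The log search suggested in the reply above, as an added example that is not part of the original thread: it pulls every POST request from a web server access log for one day and groups them by target path. The log lines, the date, the IP addresses and the plugin path are constructed; the combined log format and the heuristic for flagging paths are assumptions.

```python
import re
from collections import Counter
from datetime import date, datetime

# Constructed sample lines in Apache/nginx "combined" format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:03:20:41 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:03:21:02 +0000] "POST /wp-includes/ms-postgres.php HTTP/1.1" 200 5 "-" "curl/8.0"
192.0.2.50 - - [12/Mar/2024:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.50 - - [13/Mar/2024:10:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
"""
INCIDENT_DAY = date(2024, 3, 12)  # constructed: the day the files were modified

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def post_requests(log_text, day):
    """Return (ip, path, status) for every POST logged on `day`."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, stamp, method, target, status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and when.date() == day:
            hits.append((ip, target.split("?", 1)[0], int(status)))
    return hits

def summarize(hits):
    """Count POSTs per path and mark the paths to review first."""
    counts = Counter(path for _, path, _ in hits)
    report = []
    for path, n in counts.most_common():
        # Heuristic (assumption): PHP files under wp-includes/ or wp-content/
        # are not normal form targets, so POSTs to them get reviewed first.
        flagged = path.endswith(".php") and path.startswith(("/wp-includes/", "/wp-content/"))
        report.append((path, n, flagged))
    return report

if __name__ == "__main__":
    for row in summarize(post_requests(SAMPLE_LOG, INCIDENT_DAY)):
        print(row)
```

Repeated POSTs to wp-login.php from one address are the brute-force pattern the reply mentions; the flagged paths are candidates for the entry point and should be compared against file modification dates.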

    Thread Starter peaseypls

    (@peaseypls)

    Hi Martin,

    Thanks for the detailed response. It was Wordfence which found that wp-blog-header.php had been edited and it was from the contents of that that I managed to find the culprit file.

    I will follow the rest of your steps.

    Thanks.

  • The topic ‘SQL Injection Hack – Found the file but it kills my website if I delete it’ is closed to new replies.