Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
I have that also. Restoring from a backup.
Found this on a server I manage, here is some detail on the code.
http://pastebin.com/v42Rv9DF
I just found it on a site too. Any idea what it is or what it does? Sucuri doesn’t detect anything wrong with the site, nor has Google flagged it like it has so many sites infected by the most recent WP attack: http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html
Never mind. I found a vulnerable version of Revslider on the site. I thought we’d updated it on all sites, but somehow this one didn’t get updated. I think it’s clean now. Doing some checking to be sure. Also checking other sites on the same server. Fortunately I think my host has things so locked down and separated between “apps” that there’s not much chance this site was used to infect others. Going to check anyway, to be sure.
I got hacked as well.
Luckily, the hacker couldn’t edit their source files (that leads to the infection), and have read most of their code.
Check all the files that were edited on December 31, 2013 (at 4:17 PM).
All the damaged files have been edited at that time, based on the following code:
touch("wp-includes/xmlrpc.php", mktime(12, 17, 11, 12, 31, 2013));
(they hacked .htaccess files, too)
Check also for files such as:
wp-options.php, as frommshead creates this then is meant to delete itself
frommshead.php
wpinstall-Copy.php
Check and delete all error logs also.
I would suggest comparing all core WordPress files and deleting/replacing them, along with theme files also.
Make sure all server backups are removed also, or it could revisit.
Mine got these new files too:
admin-ajax.php
class-wp-index.php
jquery.php
wp-class-headers.php
ms-head.php
frommshead.php
Modified:
index.php
Same issue with a site I manage as well.
We saw that Google had marked the site as containing malicious files, and so I took a look at the FTP to find the same files and issues as mentioned in this forum.
I’ve gone in and removed every change I could find by looking at the timestamps. Every file that had an issue all had a matching timestamp, so this was the clue to finding all of the issues.
Now that I’ve removed every issue I could find, as well as using the suggestions mentioned above by Jan Dembowski, I submitted a request to Google in Webmaster Tools for them to check the site again and release the “This site contains malicious …” warning.
The wait may be up to 24 hours for them to review it, but hopefully, we’ll be in the clear.
I’ll report back here if there are any other hoops I have to jump through.
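Added example, not part of the original thread or any poster's code: a Python sketch of the timestamp check described in the posts above. It lists the file names reported in this thread and groups PHP and .htaccess files whose modification time was set back with touch(). It assumes a Unix filesystem, where st_ctime is the inode change time that touch() cannot forge; the function name scan and its thresholds are hypothetical.

```python
import os
from collections import defaultdict

# File names reported in this thread as dropped on infected sites.
REPORTED_NAMES = {
    "frommshead.php", "wp-options.php", "wpinstall-Copy.php",
    "class-wp-index.php", "jquery.php", "wp-class-headers.php",
    "ms-head.php", "admin-ajax.php",
}

def scan(root, min_gap=86400, min_cluster=2):
    """Return (reported_names, backdated_clusters) for the tree under root.

    reported_names: relative paths whose file name appears in the thread.
    backdated_clusters: {mtime: [paths]} for PHP/.htaccess files that share
    one mtime and whose ctime is at least min_gap seconds later than it.
    """
    reported, by_mtime = [], defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # WordPress core ships wp-admin/admin-ajax.php; only other
            # locations of that name are worth a look.
            if name in REPORTED_NAMES and rel != "wp-admin/admin-ajax.php":
                reported.append(rel)
            if not (name.endswith(".php") or name == ".htaccess"):
                continue
            st = os.lstat(path)
            # touch() rewrites mtime, but the kernel stamps ctime with the
            # real time of the change, so a large gap means a backdated file.
            if st.st_ctime - st.st_mtime >= min_gap:
                by_mtime[int(st.st_mtime)].append(rel)
    clusters = {t: sorted(p) for t, p in by_mtime.items()
                if len(p) >= min_cluster}
    return sorted(reported), clusters

if __name__ == "__main__":
    import sys, time
    names, clusters = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel in names:
        print("reported name:", rel)
    for mtime, paths in sorted(clusters.items()):
        print("shared mtime", time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)))
        for rel in paths:
            print("   ", rel)
```

Files restored from an archive or deployed with preserved timestamps show the same mtime/ctime gap, so treat each cluster as a list to review against a clean WordPress copy, not as proof of infection.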
Do any of your pages say 503 Unavailable?
I believe my website was hacked as well because I got emails saying there were failed attempts to my login and I was on a “Lock Down” from WordPress. So I was able to go onto WordPress yesterday for a few minutes and got kicked off again.
I let it be today and it still says 503 Unavailable. What should I do? Does anyone know what I could do to get my website up again and figure out what’s wrong?
@lovetrenna – please do not post the same question in more than one place – that’s not how these forums work – I just answered your thread here:
https://wordpress.org/support/topic/503-unavailable-cant-log-onto-my-own-site?replies=3