Website hacked

  • abwatson

    (@abwatson)


    Hi there, well my website has been hacked and it always seems to be in the same place. But I can’t seem to figure out where this hack code is in my WordPress files. It seems to always be just after my image link. Example below:

    <img src="http://abwatson.com/wp-content/uploads/2011/02/5146515283_cce1a94b75_b.jpeg" <a href="http://basicpills.com/">buy prescription drugs online without prescription</a>  alt="" title="5146515283_cce1a94b75_b" width="533" height="800" class="aligncenter size-full wp-image-680" /><br />
    <img src="http://abwatson.com/wp-content/uploads/2011/02/Picture-1-556x370.png" alt="" title="Picture 1" width="556" height="370" class="aligncenter size-large wp-image-681" /><br />

    This hack has come up time and time again. I have updated WordPress, but still it came back. I reinstalled WordPress from scratch, reinstalled plugins and reinstalled my database. Yet this hack still comes back. You can check out my website and see where it has been affected at abwatson.com. Can anyone help me out? Thanks

Viewing 15 replies - 1 through 15 (of 54 total)
  • abwatson

    (@abwatson)

    I have just gone through my old theme files and there have been no changes to these files. So I’m completely lost where I should start looking.

    Does anyone know where the image placement function file is located?

    Roy

    (@gangleri)

    Start with this and make sure to follow all the links in that FAQ too:
    http://codex.wordpress.org/FAQ_My_site_was_hacked

    When you’ve got a clean site again, read this:
    http://codex.wordpress.org/Hardening_WordPress

    Make sure you don’t use any plugins with security issues or a flawed theme.

    Also be aware that your own website can only be as safe as the least secure site on your shared server, the problem could be your host too.

    Those are added directly to the database, so you have to go post by post and remove them. Very annoying.

    Are you hosting on dreamhost?

    thanks,

    esmi

    (@esmi)

    Forum Moderator

    This kind of hack is a bit different and these instructions won’t help much 🙂

    What we saw is that the shared server itself was compromised, allowing the attackers to inject links directly in the DB.

    I have the same problem. I have cleaned all the links from pages; it was more than 200 links.
    Do you have any solution for this?

    They must have hacked a lot of shared servers…

    If you search “wordpress basicpills.com” in google you get a large list of compromised wordpress blogs.

    computereducationworld.com, copyrightfreecontent.com and ibotapps.com for example…

    Seems to me that the website basicpills.com has some serious answering to do for this BS. How dare they and who do they think they are? Anyone have any thought on how to retaliate?

    They somehow completely replaced all the hrefs, including links and anchor text, in my posts with links back to their own site.

    They have clearly done this to a lot of other sites.

    My blog is experiencing a similar hack with basicpills.com links all over. I have manually deleted the links from the first 2 pages but this is not the solution. Can anyone help? Much appreciated!

    Blog link: http://www.spinorbinmusic.com

    Seems not a problem of template… since we had more than 25 blogs hacked with this damn site!
    We have different versions of WP on those sites so I don’t think it is a WP problem but a plugin problem..
    For some we have backups but for others not :(((
    Does anyone have some SQL to execute to clean this damn dirt?

    pubblivori: We have some SQL code to clean it out, basically it infects all posts in the database.

    This is what we noticed on the infected sites that we analyzed:

    1-The DB user/pass was stolen (somehow). Generally bad permissions of the wp-config.php.
    2-All were on shared servers.
    3-A new admin user name was created.

    So, the first step is to change the DB user/pass, check for malicious users and fix permissions.

    Then worry about cleaning up the spam, otherwise they will just add those again.

    thanks,

    I have just changed the passwords. How do I clean up the spam? Thanks much

    I did a quick post explaining it… We are seeing A LOT of infected sites:

    http://blog.sucuri.net/2011/03/link-injection-basicpills-com-and-blackhat-seo-spam.html

    Still trying to track how they got access to the database. Can anyone affected tell us:

    -Where they are hosting
    -WP version
    -List of used plugins

    ?

    I’m currently using WordPress 3.1 but the blog was infected before the upgrade (i.e. 3.0)

    Plugins used:
    1. Advanced Excerpt
    2. Advanced Permalinks
    3. Akismet
    4. IFRAME Embed For YouTube
    5. Image Widget
    6. ShareThis
    7. WP to Twitter

    Hope it helps! Let me know if you need more information. Thanks!

    Further info:

    Looks like changing the password doesn’t help at all. The latest blog entries got infected as well.
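
Added example, not part of the thread and not code from any poster: a dry-run cleaner for the pattern shown in the first post, where an `<a>` element is wedged inside an `<img>` tag before that tag closes. It assumes post bodies have been exported from `wp_posts.post_content` as `(ID, content)` pairs; the function names and the sample rows are this example's own, and the URLs are constructed placeholders.

```python
import re

# An <a>...</a> element that begins before the enclosing <img ...> tag has
# closed. [^<>]* guarantees no '>' has been seen since "<img", so a normal
# linked image (<a href=...><img ... /></a>) never matches.
INJECTED = re.compile(
    r"""(<img\b[^<>]*?)\s*<a\b[^>]*?\bhref\s*=\s*["']([^"']*)["'][^>]*>.*?</a>\s*""",
    re.IGNORECASE | re.DOTALL,
)


def strip_injected_links(post_content):
    """Return (cleaned_content, [href, ...]) for anchors found inside <img> tags."""
    found = []

    def _drop(match):
        found.append(match.group(2))
        return match.group(1) + " "  # keep one space before the next attribute

    cleaned = post_content
    while True:  # repeat in case several anchors were wedged into one tag
        cleaned, count = INJECTED.subn(_drop, cleaned)
        if count == 0:
            return cleaned, found


def scan_posts(rows):
    """Dry run over (post_id, content) pairs: {post_id: (cleaned, hrefs)} for hits only."""
    report = {}
    for post_id, content in rows:
        cleaned, hrefs = strip_injected_links(content)
        if hrefs:
            report[post_id] = (cleaned, hrefs)
    return report


# Constructed sample rows mirroring the markup in the first post.
SAMPLE_ROWS = [
    (680, '<img src="http://example.org/wp-content/uploads/a.jpeg" '
          '<a href="http://spam.example/">buy pills</a> alt="" title="a" '
          'width="533" height="800" /><br />'),
    (681, '<a href="http://example.org/full.png">'
          '<img src="http://example.org/thumb.png" alt="" /></a>'),
]

if __name__ == "__main__":
    for post_id, (cleaned, hrefs) in scan_posts(SAMPLE_ROWS).items():
        print(post_id, hrefs)
        print(cleaned)
```

Review the report before writing anything back, and only after the database credentials and user list have been dealt with as described earlier in the thread, since otherwise the links can simply be added again.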

  • The topic ‘Website hacked’ is closed to new replies.