Website Hacked – How to find code

  • contact.taavi

    (@contacttaavi)


    9 years, 1 month ago

    Hey everyone,

    I know this isn’t necessarily a WordPress problem, but I’m not sure where to go for help.

    I recently received an email from Google suggesting that my website had been hacked. Sure enough, I found new users listed as administrators under my wordpress admin panel. I deleted them, changed all my passwords, but in the email, Google mentioned a specific line of code.

    This line of code (javascript) shows up when I “view source” of my website as HTML, but I’m lost as to how to find it in my FTP client or wordpress to get rid of it.

    I should mention that under my current webhost, I have 4 different websites, all using WordPress, but only my root domain was affected.

    The malicious line of code includes assofleurdelotus[dot]fr/js/test[dot]php I don’t want anyone to click on that accidentally in case it is something bad.

    My website that’s affected is http://www.taavimusic.com … The code was found on my main page, on my about page and on my contact page.

    Hopefully someone can help? Thanks in advance!

    Dave

    Note: I asked GoDaddy for help and they just told me to buy their webdefender subscription for $24/month … despite the fact that I’m paying for an SSL subscription that’s supposed to come with web protection.

Viewing 3 replies - 1 through 3 (of 3 total)
  • wslade

    (@wslade)

    9 years, 1 month ago

    I am sorry your site has been hacked. Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    bishop81

    (@bishop81)

    9 years, 1 month ago

    You’ll find this text in your index.php file:

    <?php eval(base64_decode(ZXZhbCh......)); ?>

    There’s a bunch more text in that base64_decode line, by the way. I’ve removed it because somebody moderated my post to remove the whole thing. I think it’s important to actually know what to look for and remove, however.

    Delete it and upload the clean file to your server.

    Sorry for causing somebody to edit my post, the actual “hack code” doesn’t do anything if it isn’t in your file. Also, it’s designed for one simple purpose, but I haven’t figured out exactly how it’s supposed to serve that purpose. Somehow it’s trying to get traffic to some affiliate page or something. Now, I won’t post that link, but it’s listed in the OP.

    Thread Starter contact.taavi

    (@contacttaavi)

    9 years, 1 month ago

    Thanks Bishop! I’m going to remove that.
    I also did some research and found out that the code was inserted through SQL injection. I found some lines of code in my SQL database containing the string in question – my only problem is I don’t know how to delete the specific table or string, every time I edit it, it says I have to have some text (I can’t just erase it all), and if I write something else, it says I have the wrong syntax. Any idea how to get around this? (I have no experience dealing with SQL).

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Website Hacked – How to find code’ is closed to new replies.