WordPress Hacked

  • Resolved shadiadi


    I just spent the last few days troubleshooting a client's WordPress installation; his host, Network Solutions, said he had been hacked.

    So I followed their advice, removed all the PHP files from my client's server, and reinstalled WordPress; then today, another message: my server has been suspended again.

    I checked and yes, more malware files had been created all throughout WordPress.

    I just finished solving it: the initial virus files were in the awstats folder, which is a Network Solutions tracking program folder. All PHP files, all with strange names. If you come across this issue, start in the awstats or other folders in public_html outside of WordPress and look for folders that have recently been updated. If you see any PHP files, open them and check them; if they have any eval( code in them, they will probably be the cause of your problem. The main file will be the oldest of the updated files, the largest, and the easiest to read.

    It creates obfuscated base64-coded files in WordPress that you are probably being told is where you have been hacked.

    The initial file has a base64_decode function at the top.

    Hope this helps someone.
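
The check described in the post above, as an added example (not code from the original poster or from WordPress): a Python sweep that lists `.php` files containing `eval(` or `base64_decode(` calls, oldest modification first. The function name and the `skip_dirs` and `max_age_days` parameters are assumptions made for this example.

```python
import os
import re
import sys
import time
from pathlib import Path

# Markers named in the post: eval( and base64_decode( calls in PHP source.
# \b keeps lookalikes such as doubleval( from matching.
MARKERS = re.compile(rb"\b(eval|base64_decode)\s*\(")


def find_suspect_php(root, skip_dirs=(), max_age_days=None, now=None):
    """Return (path, mtime, size, markers) for suspect .php files, oldest first.

    skip_dirs    -- directories relative to root to leave out (hypothetical
                    parameter, e.g. a WordPress install checked separately)
    max_age_days -- if set, only report files modified within that many days
    """
    now = time.time() if now is None else now
    skip = {Path(root, d).resolve() for d in skip_dirs}
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk does not descend.
        dirnames[:] = [d for d in dirnames
                       if Path(dirpath, d).resolve() not in skip]
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = Path(dirpath, name)
            try:
                st = path.stat()
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            if max_age_days is not None and now - st.st_mtime > max_age_days * 86400:
                continue
            found = sorted({m.group(1).decode() for m in MARKERS.finditer(data)})
            if found:
                hits.append((str(path), st.st_mtime, st.st_size, found))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for path, mtime, size, found in find_suspect_php(sys.argv[1] if len(sys.argv) > 1 else "."):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        print(stamp, size, ",".join(found), path)
```

A match is a lead for manual review, not a verdict: legitimate code also calls `base64_decode`, and file timestamps can be altered.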

Viewing 3 replies - 1 through 3 (of 3 total)
  • I just finished solving it…..

    Sorry, but unless you closed the back doors and found the original vulnerability, you didn’t solve it. And, Network Solutions is well known as an insecure host, and they may not be able to provide logs to determine the security hole.

    You need to carefully follow FAQ – My Site Was Hacked.

    Then take a look at the recommended security measures in Hardening WordPress and Brute Force Attacks.

    Change all passwords. Scan your own PC. Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting

    The initial file appeared on the server in May 2015, but it said the folder was last updated earlier in June 2015, and all the other files in the folder are files from 2013, so it was not added via FTP or any normal means.

    It seems to attack mailing scripts.

    I know Network Solutions are super insecure; they use Unix. I have been trying to tell my client this since day 1.

    I uploaded a clone of the site to one of my domains on a Linux server with cPHulk and have not had an issue yet.

    I just wanted to let other people know that it may not be that they have been directly hacked, but if they have an insecure setup, they should check the other server folders first.

    I just spent the last 5 days being told WordPress or CMS had been hacked. Remove it and start again.

    This is not the case they were hacked, the initial files were installed outside of WordPress in server stats folders and worked their way into it.

  • The topic ‘WordPress Hacked’ is closed to new replies.