Support » Fixing WordPress » WordPress Hacked

  • aletheides

    (@aletheides)


    My site freewiccaschool.com/blog/ has been hacked and is now redirecting to sattan.org. I have tried to upgrade my blog but I’m having no luck – the wordpress dashboard doesn’t detect any files I upload (upgrades or plugins), although the FTP client tells me they are in fact there: http://wordpress.org/support/topic/218941?replies=2

    I’m pretty stuck as to what I should do ?

Viewing 15 replies - 1 through 15 (of 26 total)
  • admin95

    (@admin95)

    The wicca site comes up for me. Did you fix it?

    Clayton James

    (@claytonjames)

    This site (still in beta) is kinda cool to play with. http://www.unmaskparasites.com/

    Thanks to UseShots for the link.

    It shows you have a 302 redirect to the “sattan.org” blackjack site. Good place to start I guess.

    URL: //www.freewiccaschool.com/blog

    Redirects: 301 -> //www.freewiccaschool.com/blog/
    302 -> //sattan.org/feed/search.php?q=blackjack

    [Edit]…plus, your still using 2.5. Just sayin’ …

    Bob Smith

    (@bob-smith)

    go remove the crap that’s probably in your wp-blog-header.php

    aletheides

    (@aletheides)

    Damn this is really irritating because I’ve now found out its happening across about 10 of my sites and my traffic is really tanking because of it…

    aletheides

    (@aletheides)

    Thanks to that tool you provided Clayton, very helpful.

    aletheides

    (@aletheides)

    I found the solution to these hacks. They have been totally raping my sites for the past 3 weeks and my search traffic dropped like a rock. I’ve probably lost over $1,000+ from these hacks, so in case this has happend to anyone else I have figured out a fix. I am hoping these fixes eliminates everything and they won’t come back.

    Go to PhPmyadmin and navigate to your wp_options table. Within this table go to active_plugins and scroll to the center. From here you will find it pointing to a copy of a plugin but with a weird ending file name. I found fake files ending in .bak and .old. Delete the little piece of code that looks something like this: a:9:{i:0;s:21:”fakefile.old” Deleting this piece of code will deactivate all your plugins, so go reactivate them. Sometimes I also found this “../../../../../../../../../../../../../../../../../../../../../../tmp/tmpYwbXT2/sess_779ceef92a4fdcc17bb5ee3f13348bfd” pointing to a fake plugin in the root.

    Also go to your FTP client and go to where the fake file is pointing and be sure to delete this file.

    Use the tool found at this page: http://www.akamarketing.com/blog/111-use-wordpress-check-the-source-of-your-google-cache-for-hidden-spa-links.html

    To pretend like you’re the google bot and find out if all of your spam links are still showing up or not.

    I also took the advice of this post: http://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/

    and deleted anywhere in wp_options that I found wordpress_options or internal_links_cache tables. I found internal_links_cache tables in my wp_options on every site.

    Also delete the “WordPress” user from the wp_users table.

    To prevent further hacking attempts I…

    …installed the AMAZING AskApache Password Protect plugin. This will lockdown your wp-admin and wp-logins with .htaccess. I highly recommend it.
    …Placed a blank index.html file in my plugins directory as suggested by Matt Cutts. This prevents hackers from exploiting my plugins.

    whooami

    (@whooami)

    Member

    everything you mentioned as a fix is already in these forums 🙂

    in any event, hope your your sites(s) see better days.

    UseShots

    (@useshots)

    Hi,

    @aletheides: Did you locate the redirect code? I can still see that your blog redirects search engine traffic to “sattan .org”.
    http://www.unmaskparasites.com/security-report/?page=www.freewiccaschool.com/blog

    Did you check the .htaccess file in the /blog/ directory? Alternatively check for Redirect code in .php files.

    Bob Smith

    (@bob-smith)

    yeah still redirecting man.

    do everything in these links:

    http://www.getrichslowly.org/blog/20…sultsnet-hack/

    http://ocaoimh.ie/2008/06/08/did-you…te-get-hacked/

    and follow the steps in this thread too:

    http://wordpress.org/support/topic/168964?replies=45

    UseShots

    (@useshots)

    Most likely it’s somewhere in (.php) scripts since it changes the search string on every load:
    ‘search.php?q=debt consolidation in honduras’
    ‘search.php?q=brazil casino clickbank gambling religion’
    ‘search.php?q=california auto insurance’

    dprickett

    (@dprickett)

    aletheides

    (@aletheides)

    Oh I haven’t got around to fixing freewiccaschool yet that’s why it’s still redirecting. I have about 15 sites I was doing this for, and I was starting with the most important ones first.

    Thanks for the links, checking them out…

    aletheides

    (@aletheides)

    By the way Dprickett, there is more to it than replacing wp-blog-header … There is code within the database that needs to be removed, as well as fake files in your plugins folder that need to be deleted, as well as the WordPress user that needs to be deleted to make sure the hacker doesn’t have permanent authentication to your site.

    UseShots

    (@useshots)

    15 sites! wow! Could you share the datailed clean up instructions, including fake file names, wordpress username, database tables, etc?

    lamar-1111

    (@lamar-1111)

    Removed the hacker code from header file and unmaskparasites.com says i am clean, still getting the redirect loop error though…

    Is there another problem?

    Thanks for the info!
    Thanks for useshots direction here!

Viewing 15 replies - 1 through 15 (of 26 total)
  • The topic ‘WordPress Hacked’ is closed to new replies.