Is there another problem?
did you read and follow all the posts in this thread?
I deleted all the users but me and completely removed and replaced the plugins folder- if that is what you are referring to.
found a solution. Something was messed up in the htacces file. switched my permalinks back to the default, and all is well. just can’t do the permalinks like i want.
special thanks to unmaskparasites.com for helping me out!
You’re going to have to go into your database and do some removing too. Like whooami said theres a post at the top that details everything I did to fix it, its really impossible to miss (or so I thought? lol).
Looks like this hack is back again on many of my blogs that have been updated.
I’ve also done some google searching today and found the hack on many popular blogs I was trying to search for info for, so its definitely hitting many blogs all across the web.
So irritating, I think the best permanent fix for this hack would be to find whoever is doing it and shoot them in the head.
are you running 2.7 and still getting hacked?
your ver. says 2.5
That’s odd all my sites are 2.7 now. Which one are you talking about? I will check it out.
Exploiting WordPress vulnerabilities is not the only way to hack a site.
Make sure your FTP passwords have not been compromised. Change them ASAP and try not to store them unprotected. Some trojans steal passwords from FTP programs’ settings.
Not sure it’s your case, but changing passwords after a hack is always a good idea.
That’s odd all my sites are 2.7 now. Which one are you talking about? I will check it out
no that’s ok – I meant here on the forum – in the right nav
I just discovered similar problems on many of my and my client’s installs.
One thing I noticed is that the bogus users all have nothing in the user_url field in wp_users table. I’m pretty sure (but haven’t confirmed yet) that any users created through proper channels – the registration page or created by a real Admin account – always have *something* in there. Either the user’s URL or at least “http://”. I suspect that a spammer/hacker user account, being script generated, skips over that field.
The other thing to watch for is the nickname in user_meta. If it appears blank or starts with ” …”, look more closely. It’s likely got some script in there. I’ve seen a couple real user accounts which appear to have been compromised this way.
@aletheides I found a problem with your site. Please contact me @ m0rdekai.co.cc
