WordPress Hacked Help: wp-xmlrpc.pho/wp-blog-header.php

techmuse
(@techmuse)

14 years, 10 months ago

Hey, Everyone!

Need some help to say the least…

My WP site has been hacked and keeps inserting hidden links after the body tag in the wp-blog-header.php. Google is threatening to take the site out of their index due to breaking their Webmaster rules.

Here is what the host provides for me to look at, but they are not offering any help with what I should do about it.

public_html/wp-content/cache.php: HG-MYSQL.rst.void.ru.MySQL.shell.Fragment.AA.UNOFFICIAL FOUND
/home/bizem09/public_html/wp-xmlrpc.php: HG-MYSQL.rst.void.ru.MySQL.shell.Fragment.AA.UNOFFICIAL FOUND

There is no cache.php in the wp-content folder and there is no wp-xmlrpc.php /anywhere/ on the server let alone where they claim past backups point to as noted above.

I keep modifying the wp-blog-header.php and the junk links keep coming back. My passwords have been changed on a regular basis, my permissions are correct (644) and I am at a loss as to where to look or what to do to remedy this.

Has anyone run into this — can you point me in the right direction? The gods at Google are giving me time to resolve this and the site in question has #1 rankings that I would really like to avoid not loosing.

TIA for any support or advise you can offer!

Viewing 8 replies - 1 through 8 (of 8 total)

unitcircle
(@unitcircle)

14 years, 10 months ago

I’m having EXACTLY the same problem. The first time, someone had been able to create bogus user accounts. I deleted the accounts and changed my admin password, but since then someone has inserted hundreds of invisible links in my header.php and footer.php

iridiax
(@iridiax)

14 years, 10 months ago

Have you checked your database?

http://diggingintowordpress.com/2009/06/spam-link-injection-hacked/

Thread Starter techmuse
(@techmuse)

14 years, 10 months ago

Thanks for the link — I’ve bookmarked that one!

Turns out it was a PHP shell named wp-xmlrpc.php that had to be deleted and the shell script added back to the account. That’s how the host explained it. They also confirmed it had nothing to do with the database.

Let’s see how long it takes Google to get the site back in the index after having to grovel….

talgalili
(@talgalili)

14 years, 6 months ago

techmuse, I believe you just saved me !

I have been having this damn hole in my server for I don’t know for how long, without being able to find it.

I just found this “wp-xmlrpc.php” in my home directory and removed it.

Thank you very very much !

Tal

llworldtour
(@llworldtour)

14 years, 6 months ago

I am having the exact same problem. I have hidden spam links (viagra, etc) inserted into my header.php. I delete them and then they return. I also deleted all these fake users from my servers list and changed my name/password. Now what? Help!
Techmuse–how do you insert this new wp-xmlrpc.php file/script into the acct??

talgalili
(@talgalili)

14 years, 5 months ago

llworldtour
You don’t insert it, you need to find the file and delete it. Some hacker injected it into your host…

controlzed
(@controlzed)

14 years, 5 months ago

I’m having the same issue, but can’t see a file called wp-xmlrpc on my site anywhere, or any files that look out of place. I did a search, made sure hidden files were turned on, all that stuff.

I tried to wipe WP and do a fresh install on a new database, but even on the configuration screen before installing wordpress there were some dodgy links in the header!

this is driving me nuts, it took me ages to figure out this is waht was causing my site to crash, if anyone can help i would be REALLY happy!

talgalili
(@talgalili)

14 years, 5 months ago

The problem with reinstalling wordpress in the usual way is that it will not erase newly formed files.

Consider trying backing up all the files.
Then erasing ALL of them from the server.

Then uploading a fresh installation. (with the correct wp-config)

And see if that resolves it.

Please let us know how it went.

Tal