WordPress install hacked

Uprootednut
(@uprootednut)

11 years, 10 months ago

My WordPress install was hacked, after a couple of days of trying to find the source and searching the internet I found out it was this http://blog.sucuri.net/2014/05/website-infections-malicious-redirect-to-porn-website-target-wordpress-and-joomla-users.html

I then check all my index.php files and they all showed normlly, however the index.php in the wp-content folder when I copied and pasted the content revealed somthing else.

It was origionally

<?php// Silence is golden.?>

When I copied and pasted the content from notepad++ to google as I wanted the check the silence is golden is normal I noticed it changed into somthing else entierly :

[ Massive amount of obfuscated hacked code deleted, you don’t have to share that part ]

Firstly no other files behaved this way when I copied and pasted them, I am far from an expert but if some one could let me know a couple of thing:

1. Why couldn’t I see that when I was looking at in via ftp using notepad++, why did I have to copy and paste it to see it.

2. Is that the likely cause of my the websites redirecting when viewing on mobile?

Thanks for your help in advance.

Viewing 4 replies - 1 through 4 (of 4 total)

Moderator Jan Dembowski
(@jdembowski)

Forum Moderator and Brute Squad

11 years, 10 months ago

It means that the hack is live on your site and it’s appending itself to files when it finds them. You edit the file, the hack sees the unhacked file and BANG! instant compromise.

The hack will do things such as on redirect some or all clients to other websites (and other bad things as well).

I’m sorry but you need to start working your way through these resources:
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:
Hardening WordPress
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

Until you successfully delouse your installation this will continue to happen.

perezbox
(@perezbox)

11 years, 10 months ago

Hi

It’s impossible to say why you couldn’t see. It could be a variety reasons, but anything would just be speculation.

As for it being the contributing factor, without seeing the payload it is also hard to say. But it’s very likely contributing to the redirect.

If you still have the payload you could try decoding it here: http://ddecode.com/phpdecoder/

Sorry it’s not more helpful.

Thanks

Moderator Jan Dembowski
(@jdembowski)

Forum Moderator and Brute Squad

11 years, 10 months ago

If you still have the payload you could try decoding it here: http://ddecode.com/phpdecoder/

That can be interesting (and that’s educational too) but the problem to focus on is closing the door that the attacker got in via and delousing the WordPress installation.

It’s a lot of work but it is doable.

perezbox
(@perezbox)

11 years, 10 months ago

Hi @jan

Thought it was to help, and I thought I was by responding to his question:

2. Is that the likely cause of my the websites redirecting when viewing on mobile?

Impossible to answer the question if it was the source if we don’t know what was in the obfuscation, hence my recommendation.

If he follows the various links provided above he should get a pretty could handle and clearing out the install. On that note though.. be sure to replace core install, and I don’t mean dragging and dropping or running the update via wp-admin. Log in via FTP / SFTP and physically remove, then readd the core wp-admin and wp-includes directories, followed by the root files (with exception to wp-config).

Thanks

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘WordPress install hacked’ is closed to new replies.

WordPress install hacked

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics