perezbox
Forum Replies Created
Hi Tarifa
Very big question, missing a lot of information. Very hard to help here, but I’d recommend starting here: http://codex.wordpress.org/FAQ_My_site_was_hacked
Once you’ve gone through that, come back and re-ask the question with a breakdown of what you have and haven’t done.
Cheers
Forum: Fixing WordPress
In reply to: Now I have a image background in the Admin
Hi
Not much information to work with here unfortunately. What have you done since? What other symptoms are you experiencing?
Thanks
Forum: Hacks
In reply to: Hacked, cannot enter site
Hi
Really hard to provide guidance without a little more info. The first question I have is, is this your site: http://turning-point-balletschool.be/home/kalendar/ ? It seems to be, odd that the attacker would deface you with a link to your own site. But if it’s not, here are a few things I’d recommend:
1 – Try looking at the root of your site and check your .htaccess and index.php files. See if there are any anomalies there.
2 – Try replacing wp-admin and wp-includes – do fresh installs – meaning do it via FTP / SFTP. Don’t drag and drop over existing directories. Rename the old ones and push new ones. Don’t forget the root files from core as well, with the exception of wp-config, you’ll need that.
3 – I noticed that your wp-admin is still working: http://turning-point-balletschool.be/home/wp-login.php?redirect_to=http%3A%2F%2Fturning-point-balletschool.be%2Fhome%2Fwp-admin%2F&reauth=1
Try logging in and disabling the plugins (all of them). Also see about replacing your existing theme, even if only temporarily.
If you can’t get in via wp-admin, then disable wp-content via FTP by renaming the directory. These are just some basic troubleshooting tips.
Here is a little Tips and Tricks guide that might help: http://blog.sucuri.net/2012/11/website-malware-removal-ftp-tips-tricks.html
4 – Look at the root and see if you see any .html files, they could be loading when WP loads causing this page to render.
If this doesn’t help then you might want to seek professional help.
Cheers
Forum: Fixing WordPress
In reply to: WordPress install hacked
Hi
It’s impossible to say why you couldn’t see. It could be a variety of reasons, but anything would just be speculation.
As for it being the contributing factor, without seeing the payload it is also hard to say. But it’s very likely contributing to the redirect.
If you still have the payload you could try decoding it here: http://ddecode.com/phpdecoder/
Sorry it’s not more helpful.
Thanks
Forum: Fixing WordPress
In reply to: Being Hacked
I’d encourage you to go through and purge all your user accounts, specifically their passwords.
Also look to add Two Factor authentication, look at the Google Authenticator plugin.
If they have a backdoor though they’ll be able to bypass those.
Forum: Fixing WordPress
In reply to: Avast reports html:script-inf
Like magic. That’s great news!
Thanks
Forum: Fixing WordPress
In reply to: Avast reports html:script-inf
Hi Michel
This is curious. Although it’s hard to tell whether AVAST is flagging the desktop or the site, its message implies something wrong with the site. That being said, one option you have is to engage the Sucuri Labs group – labs@sucuri.net. They are always looking for interesting cases, and they’ll be able to run a number of tests, above and beyond the SiteCheck scanner, to see if something is showing that might be triggering Avast.
The thing with AVAST is that it’s concerned with end-point security, meaning it’s looking for things that are triggering on the local environment (which could or could not be coming from the specific site).
Hope this helps.
Forum: Fixing WordPress
In reply to: Website Disappeared
It might be a hack, or it just might be a conflict with a plugin or theme, etc. Hard to say without investigating.
As for a backup, yup, you can do it yourself. You can also check with your host, they might have a 24 hour backup service.
The easiest way is to do a backup locally, grab and pull all the files down. Nice and easy. You won’t be able to take advantage of most of the plugins out there, right now, being your website is down.
Here are a few tips to get you going again:
1 – Try disabling /wp-plugins (you can do this by renaming)
2 – Try disabling /wp-themes (same as above)
3 – Manually replace core (yes, download it locally and replace wp-admin and wp-includes)
Now mind you, you might be suffering from the recent outbreak: http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html
If so, the process might be a bit more exhausting being that all your PHP files are likely messed up.
Thanks
Forum: Fixing WordPress
In reply to: Website Disappeared
Hi
A blank page doesn’t mean it’s gone, it could mean it’s just a White Screen of death. What happens when you log into the server via FTP or SSH? Are the files literally gone?
The next obvious question is, do you have backups? If you don’t have backups, do you have a development team you employed?
Tony
Forum: Plugins
In reply to: Account Has Been Hacked & Hacker Changed The Settings.
Hi
If you have access to your environment, i.e. the server directly, I’d recommend you follow these steps to reset your username: http://codex.wordpress.org/Resetting_Your_Password
This won’t address your security issue, but it will temporarily get you access to your environment. You’ll then want to go about identifying what happened, and getting it cleared out.
Here are some tips to help the process: http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html
Tony
Forum: Fixing WordPress
In reply to: Spam in my tagline – can't remove
Hi
It’s called SEP or search engine poisoning. What’s the website in question? You should be able to use Google Fetch to replicate, often a pretty good source. I’d start by looking in your plugins, then move into your theme, then your database. Or in any order you feel most comfortable.
Forum: Fixing WordPress
In reply to: Not working after being hacked
Hi
The issue with what you’re describing is in this statement:
it had a malicious file being used to generate and send out spam (I also deleted a few other php files with the same modification date which were deemed suspicious).
I’d encourage you to read this post as it explains how SiteCheck works:
http://blog.sucuri.net/2012/10/ask-sucuri-how-does-sitecheck-work.html
What you’re describing is an infection, but not something SiteCheck would detect remotely, ever. It’s a server script in your directories performing a nefarious act. It’s why we’re able to clean it up, yet it shows clean on SiteCheck.
In order for SiteCheck to see something it has to see something dirty on the browser.
I hope this provides some clarity on the subject.
Tony
Forum: Fixing WordPress
In reply to: site hacked and suspended, how to clean the php:s?
There is no clean way to do this. You’re going to want to ask for help or try to do it yourself using Command Line Interface (CLI) which is probably going to be the fastest way. If you’re on a NIX-based system you can try using SED: http://quickleft.com/blog/command-line-tutorials-sed-awk
I won’t lie though, if you don’t know what you’re doing you’re going to likely blow something up.
If some of the files are WP core files, I’d recommend just replacing them from scratch. I’d do the same for plugins and themes if possible, doing that will likely address a very large subset of the infected PHP files.
Cheers.
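
Added example (not part of the original replies): the replies above recommend replacing WordPress core from a fresh download rather than editing infected files. This shell function compares an install against a fresh core copy and lists altered or missing core files, plus files core does not ship. The function names, labels and demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example; names, labels and demo files are constructed for illustration.
# audit_core SITE_DIR FRESH_DIR prints one finding per line:
#   MODIFIED = core file differs from the fresh copy, MISSING = core file absent,
#   EXTRA    = file in wp-admin/, wp-includes/ or the root that core does not ship.
audit_core() {
    site=$1; fresh=$2
    # Pass 1: every file in the fresh copy should exist unchanged in the site.
    (cd "$fresh" && find . -type f) | sed 's|^\./||' | LC_ALL=C sort |
    while IFS= read -r f; do
        if [ ! -f "$site/$f" ]; then echo "MISSING $f"
        elif ! cmp -s "$fresh/$f" "$site/$f"; then echo "MODIFIED $f"
        fi
    done
    # Pass 2: files core does not ship, in the core directories and the site root
    # (.htaccess, .php and .html). wp-config.php is site-specific and is skipped.
    (cd "$site" && { find wp-admin wp-includes -type f 2>/dev/null
        find . -maxdepth 1 -type f \( -name '*.php' -o -name '*.html' \
            -o -name '.htaccess' \) | sed 's|^\./||'; }) | LC_ALL=C sort |
    while IFS= read -r f; do
        [ "$f" = "wp-config.php" ] && continue
        [ -f "$fresh/$f" ] || echo "EXTRA $f"
    done
}

# Constructed demo tree: a "fresh" core copy and a "site" that diverges from it.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/fresh/wp-admin" "$d/fresh/wp-includes" "$d/site"
    echo '<?php // index' > "$d/fresh/index.php"
    echo '<?php // admin' > "$d/fresh/wp-admin/admin.php"
    echo '<?php // load'  > "$d/fresh/wp-includes/load.php"
    cp -R "$d/fresh/." "$d/site/"
    echo '<?php // altered' > "$d/site/index.php"         # changed core file
    rm "$d/site/wp-admin/admin.php"                       # core file removed
    echo '<?php // extra' > "$d/site/wp-includes/x.php"   # not shipped by core
    echo '<html></html>'  > "$d/site/home.html"           # root .html file
    echo '# rules'        > "$d/site/.htaccess"           # review by hand
    echo '<?php // conf'  > "$d/site/wp-config.php"       # kept, never flagged
    echo "$d"
}

demo=$(make_demo)
audit_core "$demo/site" "$demo/fresh"
rm -rf "$demo"
```

Run it against a copy of the site pulled down locally, with the fresh directory unpacked from the same WordPress version the site runs; a version mismatch shows up as many MODIFIED lines.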
Hi
Being on a list is a very open ended question and hard for anyone to answer. Is it possible? Yes. But like others have stated, most of these bots just run on auto-pilot. Deleting the site and starting over is not going to stop the attacks from coming. Lists, when they are created, are often associated with IPs or Domain names. Unless you change both, you’ll likely still have the issue, and if you do start over it’ll only be a matter of time before your site gets hit again.
If your concern is stopping it outright then you’ll want to look at Website Firewalls like those provided by CloudFlare, Sucuri or Incapsula. All edge level services that will make the noise go away.
Thanks
Forum: Everything else WordPress
In reply to: I think my website has been hacked
Hi @craig_scott
Yes, there is a huge outbreak right now and its characteristics are exactly what you described. The attacker seems to be exploiting a vector and automatically injecting every PHP file. You’re going to need to reinstall all core, plugins and theme files to recover.
Thanks