My Wordpress site has been HACKED-should I start from scratch?

[Steve36]

My clickbank page is also sending commisions to another clickbank affiliate.

Should I just clear everything and start again?

[rosetrees]

It might be the quickest way. Start by exporting the database - so you have the content. Uninstall WP - use your ftp software to ensure there is nothing left. Reinstall and import your database. See if that fixes it.

[steve39]

Yes, it might be the quickest way. Just make sure you restore a backup you made before your trouble started if possible - or if the blog is new, maybe cut and save your posts and reinstall a fresh copy.

[rosetrees]

lol Steve 39 - we must be psychic!!

[steve39]

Beat me by a few seconds

[Steve36]

Thanks for your time.

"restore a backup you made"

As far as I'm aware, I don't have a back up.

I think the only way to do it is to delete everything and start again. (I have the articles but that's it.)

Should I delete EVERYTHING using my ftp program? (just checking)

Well it took me ages to get this far...but I think I can get it back within a couple of days.


Oh..unless my host (httpme-advised by coach) can restore my site?

I have cpanel if that would help the situation in any way?

Thank you

Steve

[steve39]

I usually delete and restore something like this completely on my reseller account (delete the entire domain and reinstall) just to make sure. If you don't have a reseller account, maybe your host can do this for you. Alternatively, you might be able to get them to restore the site back to before things went bad - depending on how long ago that was and how long your host keeps their backups.

[Abledragon]

Sorry to hear that - that's a real bummer.

Certainly deleting and re-installing will fix the problem and if you have all your posts on your PC you can re-publish those. Sometimes hackers get into the database so if you don't know when it was hacked re-publishing your posts would be safer.

Remember to ask Google to re-crawl and re-index your site once you're all set up. Depending on their crawl schedule they may have crawled your hacked site and scrubbed it from their indexes. You can do that through Google Webmaster's Tools.

Also, once you're up and running again this article may help to prevent a repetition:

http://www.wealthydragon.com/blog/20...ten-left-open/

Cheers,

Martin.

[Steve36]

Quote:

Originally Posted by steve39

I usually delete and restore something like this completely on my reseller account (delete the entire domain and reinstall) just to make sure. If you don't have a reseller account, maybe your host can do this for you. Alternatively, you might be able to get them to restore the site back to before things went bad - depending on how long ago that was and how long your host keeps their backups.

Httpme are currently looking into it.

I told clickbank 36 hours ago and still haven't heard anything...I emaild httpme and got a reply withing 10 min. Their customer service rocks!

Fingers crossed! I don't know how long my site has been hacked for. And I don't know what caused it either...

Thanks for your help

Steve

[TheRichJerksNet]

Do as the above suggest and once you done get your blog secured... 100,000's of blogs are hacked each and every year because people do not take the time to secure them. Wordpress is not going to secure it for you, you must secure your own future and business...

James

[Steve36]

My host restored my site from the 23 October, all was fine and my affiliate ID was on the clcikbank order page. I went to sleep, woke up and checked. Mysite has been hacked again!!!

I added a picture last night, is it possible that someone used the picture somehow?

I changed my wordpress dashboard password but didn't have time to make any other changes to secure the site.

It seems strange that it was fine last night (restored from Oct 23) yet this morning it has been hacked again.

Can someone please enlighten me?

Thank you

Steve

[Mattkau]

send me the ftp details and i will fix it for you it doesnt have much to do with the wodpress password. i would actually change the ftp password, and restore the site, i can do this manually for you (free as i have been doing a few of these lately at work. but yeh definately, change password, correct 'hacked' files (it is usually a one liner ... something like base64_encode, change password again ... also some viruses can actually store themselves within the database, and execute that way ... so they are hard to clean ...

[ShaneRQR]

I had something similar with one of my blogs. Something was injecting "eval(lotsofgobbledygookhere)" into my .php files.

Turns out, it was an exploit known as the "gifimg" exploit.
I hired a guy on elance to clear everything up for 50 bucks.

Once you have everything back up and running, make sure you use the BackupDB plugin and WP backup to regularly backup all your relevant files.

[Steve36]

Thank you! I am in a desperate situation. PM sent.

Thanks again,

Steve

Quote:

Originally Posted by Mattkau

send me the ftp details and i will fix it for you it doesnt have much to do with the wodpress password. i would actually change the ftp password, and restore the site, i can do this manually for you (free as i have been doing a few of these lately at work. but yeh definately, change password, correct 'hacked' files (it is usually a one liner ... something like base64_encode, change password again ... also some viruses can actually store themselves within the database, and execute that way ... so they are hard to clean ...

[Steve36]

Quote:

Originally Posted by Mattkau

send me the ftp details and i will fix it for you it doesnt have much to do with the wodpress password. i would actually change the ftp password, and restore the site, i can do this manually for you (free as i have been doing a few of these lately at work. but yeh definately, change password, correct 'hacked' files (it is usually a one liner ... something like base64_encode, change password again ... also some viruses can actually store themselves within the database, and execute that way ... so they are hard to clean ...

Awaiting reply...

[ramone_johnny]

Before you do ANYTHING you need to diagnose the problem. When you say hacked, what exactly are the symptoms/error messages???

[mavensophie]

if you just move your database: the hacking is in the database... so it is worthless. My blogs were hacked too on hostgator, and I spent some time removing the hack.

one way to find all the places where there is a hack is in the database by searching... if the actual files were hacked, (one type of iframe hack) then I would find the files that are newer than the last update (wordpress files don't change when you change stuff on your blog) and fix them. If you pm me, I'll take a look for you through teamviewer a free software. that is what I use to help my students. I am a half techie half marketer gal...

[mavensophie]

oh, and I have two posts on my blog sophieslist [dot] com on my experiences, if you want to read

[VanessaA]

Its really very bad...but thanks for sharing this information it might happen to anyone.

[ramone_johnny]

Again, unless you correctly diagnose the problem youre only guessing -- in which case youre wasting your time.

Correctly diagnose the problem THEN fix it.

[SurviveUnemployment]

You'd better clean up your local machine. If there is a sniffer, anything you do will be pointless because ftp isn't encrypted. They'll get your password as soon as you change it.

I'm curious about the Clickbank problem. How did you find out? Was there a different affiliate ID on the order form?

[Steve36]

Thanks to everyone offering their time.

I have no idea how to isolate the problem.

I have tried clamxav (free) to check for computer (mac) viruses but found nothing (I can't afford to buy one)
I have had my host restore my site from a restore point on the 23 October. But it's infected again.

I noticed the problem when I cleared my cookies and clicked on 'buy now' on my affiliate sales page...at the bottom I saw another affiliate id. It's still there despite 3 emails to clickbank.

I have used exploit (for wordpress) which located the 'hacking code.'

I have accepted mattkau offer for help, (above post) but haven't heard anything from him since his post. I hav given him my ftp details.


Since I restored my account, the only thing I have done is added a .jpg picture to my site. (just saying incase it matters)


Heres is where I first found the problem Why is SOMEONE ELSE'S affiliate id on my clickbank page?!!!

I don't know what to do...

[ramone_johnny]

As already pointed out, infact its been covered numerous times in various threads, if you are FTP'ing to the host, then its highly likely that your local machine is infected. But again you need to be more specific as to what error messages or symptoms you are experiencing.

Exactly what do you mean by "hacking code" ???

If its an IFRAME injection you need to read this...

Have Your Websites Been iframe Hacked Also?

[Steve36]

Thanks for your time ramone,

The only obvious error is the clickbank sales page that has someon esle's affiliate name at the bottom.

I have used exploit for wordpress to scan for a virus ect.
These were the code it pointed out as possibly malicious.
These are exerts of code it found.
(I have removed a letter from each piece of code-would not let me post)


<div id="extra_fields" style="display: none"></div>1

eval

String.fromCharCode

base64_decod

visibility:hidde

uname -

shell_exe

YW55cmVzdWx0cy5uZXQ


Thank you for your help, I will read it as soon as I possibly can.

Steve

Quote:

Originally Posted by ramone_johnny

As already pointed out, infact its been covered numerous times in various threads, if you are FTP'ing to the host, then its highly likely that your local machine is infected. But again you need to be more specific as to what error messages or symptoms you are experiencing.

Exactly what do you mean by "hacking code" ???

If its an IFRAME injection you need to read this...

Have Your Websites Been iframe Hacked Also?

[steve39]

Steve, Sent you a PM

[ramone_johnny]

Without spending too much time investigating this I would firstly check your index files and over write those - thats if you are infact FTP'ing to the site. I dont think you've answered yet regarding this? Are you?

Secondly, again without knowing more about your actual problem and based on what you have provided here, Id consider the *possible* chance of your local machine being infected, BUT...

before you do anything, maybe have a read of this. The code you have provided above appears to be similiar.

WordPress › Support I think my wordpress blog has been hacked-What can I do?

As a side note - ALWAYS be sure to be running the latest copy of WP - ALWAYS!! Your site will be a sitting duck otherwise. Upgrading WP is a piece of cake.

Lastly, post your issue and ask for assistance over at the WP support forum. Youll be much more likely to get a better answer over there.

I wouldnt suggest blowing anything away until you correctly diagnose the issue. Blowing your site away could result in you losing SERP positioning and god know what else - inbound links to specific pages, bookmarks etc etc ....

Blowing the site away should only be considered as an absolute LAST option.

[Steve36]

Sorry, I am using an ftp program.
I have always used the updated version of wordpress. I am having trouble isolating the problem and am debating wheteher or not to reinstall my OS. As painful as it would be to loose all my info/favourites ect. (I don't know where the infection is) it may be my best option.

Thank you

Quote:

Originally Posted by ramone_johnny

Without spending too much time investigating this I would firstly check your index files and over write those - thats if you are infact FTP'ing to the site. I dont think you've answered yet regarding this? Are you?

Secondly, again without knowing more about your actual problem and based on what you have provided here, Id consider the *possible* chance of your local machine being infected, BUT...

before you do anything, maybe have a read of this. The code you have provided above appears to be similiar.

WordPress › Support I think my wordpress blog has been hacked-What can I do?

As a side note - ALWAYS be sure to be running the latest copy of WP - ALWAYS!! Your site will be a sitting duck otherwise. Upgrading WP is a piece of cake.

Lastly, post your issue and ask for assistance over at the WP support forum. Youll be much more likely to get a better answer over there.

I wouldnt suggest blowing anything away until you correctly diagnose the issue. Blowing your site away could result in you losing SERP positioning and god know what else - inbound links to specific pages, bookmarks etc etc ....

Blowing the site away should only be considered as an absolute LAST option.

[ramone_johnny]

Quote:

Originally Posted by Steve36

Sorry, I am using an ftp program.

Well my guess is, especially if your site is hacked immediately after restoring it -- is that your local machine is infected.

I had this issue myself - and it turned out to be a nightmare!

[n7 Studios]

I'll start with the obvious question:
What version of Wordpress are you using? (i.e. the version number - not 'the latest version')

There will be one, or a combination of the following, causing your issues:
- an insecure script (either Wordpress or a third party script or plugin),
- a file / directory permission security issue on your web hosting,

This exploited script / file permission / whatever that's sat on your web host is allowing somebody to exploit your web site, and write / amend files on there (i.e. parts of your Wordpress web site) over and over again. They don't need your FTP / cPanel passwords etc (although it's good security practice to change these); an insecure script will allow a hacker the potential to exploit your web site through issuing a specific URL command, or running a script on their own web server.

This issue isn't because of your Mac:
- you've virus scanned your Mac, and nothing's been found.
- your host has restored the site to a previous backup, yet the problem still occurs (you mention having this done, going to bed and the next day finding the problem on your web site again - no mention of you uploading via FTP meantime).

To fix this problem, you'll need to:
- take a backup of your database and Wordpress assets (images etc you've uploaded in posts, pages and so on),
- ensure your Wordpress version is up to date - I appreciate you say you use the updated version, but what version is that?
- ensure any other scripts are up to date
- ensure the folders on your web site have the correct permissions (commonly known as CHMOD).

If you don't know how to do the above, get somebody to do it over at the Warriors for Hire forum.

And c'mon guys - a thread with 27 replies, and nobody's thought of the above, or asked about the OP's Wordpress version. I think we can do a bit better than that...!

[ramone_johnny]

Quote:

Originally Posted by n7 Studios

I'll start with the obvious question:
What version of Wordpress are you using? (i.e. the version number - not 'the latest version')

There will be one, or a combination of the following, causing your issues:
- an insecure script (either Wordpress or a third party script or plugin),
- a file / directory permission security issue on your web hosting,

This exploited script / file permission / whatever that's sat on your web host is allowing somebody to exploit your web site, and write / amend files on there (i.e. parts of your Wordpress web site) over and over again. They don't need your FTP / cPanel passwords etc (although it's good security practice to change these); an insecure script will allow a hacker the potential to exploit your web site through issuing a specific URL command, or running a script on their own web server.

This issue isn't because of your Mac:
- you've virus scanned your Mac, and nothing's been found.
- your host has restored the site to a previous backup, yet the problem still occurs (you mention having this done, going to bed and the next day finding the problem on your web site again - no mention of you uploading via FTP meantime).

To fix this problem, you'll need to:
- take a backup of your database and Wordpress assets (images etc you've uploaded in posts, pages and so on),
- ensure your Wordpress version is up to date - I appreciate you say you use the updated version, but what version is that?
- ensure any other scripts are up to date
- ensure the folders on your web site have the correct permissions (commonly known as CHMOD).

If you don't know how to do the above, get somebody to do it over at the Warriors for Hire forum.

And c'mon guys - a thread with 27 replies, and nobody's thought of the above, or asked about the OP's Wordpress version. I think we can do a bit better than that...!

Theres a reason why I never went into such detail and thats because the OP probably has NO IDEA what half of your post means.

".....you've virus scanned your Mac, and nothing's been found."

So?

Dude I spent a good three days on this attempting to rectify the issue which NO AV scanner, spyware or malware app could detect. Everything came back clean. Infact the only way I could overcome the issue and prevent further infection was to blow my machine away and reinstall the OS.

Every site listed within my FTP application resulted in all my index files being infected. IFRAME injection attacks - which stemmed from an Adobe vulnerability.

It had nothing to do with usernames or passwords, it was an infection on my local workstation. I could've changed passwords all day long - day in day out.

Im not here to argue with you - you've raised valid points, but when you question the assistance given and the way in which it was provided - thats lousy.

Anyway, Im outta here. GL.

[n7 Studios]

Apologies for this post - I have since spoken with John and we've put our differences aside.

Sorry for going off topic.