19 {{ upvoteCount | shortNum }}
19 {{ upvoteCount | shortNum }}

Is this a "hack?" on my site??!!! (please help :)

by mllnsgrl
16 replies
Hey Warriors..

I was working on one of my wordpress sites today, changed the theme, checked the footer, added some adsense, etc. Nothing out of the ordinary.

Everything was working fine, looking great..

Then..

I click on my site, and also wp-admin and get a parse syntax error message for WP-Config.php line 76.

I compare that file with another wp-config.php on a different site and the only difference is ... there's a weird <i-frame> tacked at the bottom (which when opened in browser goes to google home page)

the iframe starts with:

1ytr4(dot)com/index.php?tp=fe9676f8675d022e" width="1" height="1" frameborder="0"></iframe> (I took out the http to post here)

so I take the iframe out and upload a new copy - then notice.. ALL THE FILES HAVE BEEN CHANGED with this iframe added at the bottom.

Is this a popular Hack?? Is there an easy fix for this? Or, do I have to manually go in and edit each one..

Liz
#hack #site
  • Profile picture of the author Brian Alaway
    You've probably been hacked.
    Check your site here: Sucuri - Monitor & Scanner dashboard
    Also scan your computer with a good anti-virus/anti-malware scanner:
    Malwarebytes' Anti-Malware: Malwarebytes and/or SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
    Change your passwords, including ftp.
    Instead of ftp use sftp/ssh
    Use ssl to login to your sites - even if you're on Host Gator shared hosting, they offer a free shared SSL.
    And here's a good plugin WordPress › BulletProof Security « WordPress Plugins
    As for cleanup, you could replace your WordPress files (Updating WordPress « WordPress Codex), clean up manually or there are paid solutions (e.g. Sucuri).
    And of course make sure you're backing up your site regularly: WordPress › Search for backup « WordPress Plugins
    Signature
    How to Configure Secure FTP
    {{ DiscussionBoard.errors[3589138].message }}
  • Profile picture of the author BlondieWrites
    You've been hacked. Once you get it fixed, always be sure to be running the latest Wordpress release. I believe there is a security plugin that you can use that should help prevent this type of thing from happening.



    Cindy
    Signature
    Content Niches

    Content Niches - Niche Content, PLR Content, One Owner Content, PLR Articles, PLR Ebooks, Ebook Content, Printables, and More.
    {{ DiscussionBoard.errors[3589166].message }}
    • Profile picture of the author spudnick
      This is most definetly a sign you have been hacked. The hacker is using an invisible iframe to redirect visitors to your site to a drive-by-download site.

      What this essentially means is that your site is directing unsuspecting victims to a malicious site that is attempting to exploit one or more vulnerabilities in their operating system or applications. If successful, the attacker will now 'own' the unsuspecting victims machine and can start using it as part of a bot-net or to steal their banking passwords e.t.c.

      You need to take this site down ASAP, especially before Google gets a hold of it and gives you a massive slap for serving up malicious content.

      There is actually quite a lot to know about hardening a stock install of Wordpress.

      Timing has it that I just realed a WSO called 'Wordpress Lockdown' which provides a step-by-step tutorial on how to secure your wordpress install from common attack vectors.

      You can find out more about this guide by following the first link in my sig.

      cheers,

      Spudnick
      Signature
      Wordpress Lockdown - FULL PLR RIGHTS!
      Apple Ipad Killer...> 8 x 700 Word PLR Articles
      Dog Training PLR - Biggest Dog Niche PLR WSO Ever! Starting at only $12!
      Ultimate PANIC AWAY Anxiety Promotion
      {{ DiscussionBoard.errors[3589212].message }}
  • Profile picture of the author Rich Struck
    You said that you changed the theme... Sometimes stuff like this finds its way into free themes, you might want to check the original files and see if it is there.
    Signature

    {{ DiscussionBoard.errors[3589244].message }}
    • Profile picture of the author Prodigal
      Originally Posted by Rich Struck View Post

      You said that you changed the theme... Sometimes stuff like this finds its way into free themes, you might want to check the original files and see if it is there.
      I second that :rolleyes:

      Now, you need to ask yourself the following to get an answer:

      1: Was the theme came from a trusted source? (or its just another free/nulled W.P theme)

      2: Is the computer infected? (run an antivirus scan along with malware, trojan finder scans)

      3: Are you running any firewall (firewall makes sure that no data is coming in/going out of your system without your permission)

      4: from how long you have been using the same password? (if its long enough, change it asap)

      Hope this helps
      Signature
      Affordable Website Design - $149 for custom website design. Contact Us Here
      {{ DiscussionBoard.errors[3590201].message }}
      • Profile picture of the author mllnsgrl
        Originally Posted by Prodigal View Post

        I second that :rolleyes:

        Now, you need to ask yourself the following to get an answer:

        1: Was the theme came from a trusted source? (or its just another free/nulled W.P theme)

        2: Is the computer infected? (run an antivirus scan along with malware, trojan finder scans)

        3: Are you running any firewall (firewall makes sure that no data is coming in/going out of your system without your permission)

        4: from how long you have been using the same password? (if its long enough, change it asap)

        Hope this helps
        Thanks for your questions Prodigal..

        The theme that I used today was a free wp theme that I found while browsing via my site's dashboard. I can't remember the name of it now.

        I'll check the firewall, like you said. I'm changing my wp passwords tomorrow.

        But the GREAT news is - I just restored both my sites (2 were hacked with the same problem) via Go Daddy. You can pick the restore date which is cool.. We'll see how it goes tomorrow with all the data being there.

        Will follow up on posts tomorrow.


        Liz
        Signature



        {{ DiscussionBoard.errors[3590332].message }}
        • Profile picture of the author LindseyRainwater
          Sorry to hear you were hacked, but thank you for posting about it!

          My husband has been slowly building up a few Wordpress blogs in his spare time (what little he has) but everything is a learning process. If something like this had happened to him I would have assumed he just loaded it wrong.

          I don't think I would have thought of hacking as a probable cause! So thank you for sharing, and I hope everything turns out ok with your site.
          Signature
          Limited Time: Grab the "Pay Your Way" option, and get a complete website with content created - without having to pay the full amount up-front! Pay what you can today, and make payments from there! Click HERE for more info!
          {{ DiscussionBoard.errors[3590495].message }}
        • Profile picture of the author paulie888
          Originally Posted by mllnsgrl View Post

          Thanks for your questions Prodigal..

          The theme that I used today was a free wp theme that I found while browsing via my site's dashboard. I can't remember the name of it now.

          I'll check the firewall, like you said. I'm changing my wp passwords tomorrow.

          But the GREAT news is - I just restored both my sites (2 were hacked with the same problem) via Go Daddy. You can pick the restore date which is cool.. We'll see how it goes tomorrow with all the data being there.

          Will follow up on posts tomorrow.


          Liz
          This is one of the risks you take with free themes that may contain some malicious code. (It only happens very rarely, but I've read reports about this happening before.)

          You should probably use a different theme this time around just to be safe, until you can figure out what exactly happened to your site.

          Paul
          Signature
          >>> Features Jason Fladlien, John S. Rhodes, Justin Brooke, Sean I. Mitchell, Reed Floren and Brad Gosse! <<<
          {{ DiscussionBoard.errors[3590567].message }}
        • Profile picture of the author Prodigal
          Originally Posted by mllnsgrl View Post

          Thanks for your questions Prodigal..

          The theme that I used today was a free wp theme that I found while browsing via my site's dashboard. I can't remember the name of it now.

          I'll check the firewall, like you said. I'm changing my wp passwords tomorrow.

          But the GREAT news is - I just restored both my sites (2 were hacked with the same problem) via Go Daddy. You can pick the restore date which is cool.. We'll see how it goes tomorrow with all the data being there.

          Will follow up on posts tomorrow.


          Liz
          * I see, as i was expecting it seems like another free wordpress theme injected with malicious code...

          * that would be great if you change your passwords asap

          * Yup, that sounds good! Godaddy always comes up with useful stuff like this every now and then
          Signature
          Affordable Website Design - $149 for custom website design. Contact Us Here
          {{ DiscussionBoard.errors[3590739].message }}
  • Profile picture of the author xtrapunch
    One of the many dangers of downloading themes from untrusted websites. Always use themes released by reliable sources.
    Signature
    >> Web Design, Wordpress & SEO - XtraPunch.com <<
    Web Design & SEO Agency | Serving World Wide from New Delhi, India

    {{ DiscussionBoard.errors[3589997].message }}
  • Profile picture of the author Carol_A
    Sorry this happened to you.

    I had a scare yesterday......all of my email was showing up as spam....I am referring to previous good, safesenders........listed as spam.

    Turns out my IP address was listed on spamhaus.org but not for anything bad. My IP was cleared immediately and everything is fine.

    The weird thing, is that four email addresses I had created on my hosting account were GONE, poof......

    Am getting the plugin for good measure.

    Thanks for the info.

    Signature
    Carol Amato
    {{ DiscussionBoard.errors[3590044].message }}
  • Profile picture of the author yukiyenster
    sorry to hear about your site being hacked, this is the reason why I stay FAR away from free themes. It's just not worth the risk.

    If you want the best cheapest themes around, check out elegantthemes.com. I'm a member there and they've got excellent stuff for a very low price. $19.90 for a year's access to all their themes if I'm not mistaken.
    Signature

    {{ DiscussionBoard.errors[3590663].message }}
  • Profile picture of the author DrFresh
    ahhhh man. I wouldn't really know how to handle this one right off the bat.. but one time someone hacked one of my WP installs and when you went to the home page all it said was... "hacked >>>>>> ghost of iraq"... lol

    He just edited one of the main basic WP files so i replaced it n it was good to go

    Good luck!
    {{ DiscussionBoard.errors[3590699].message }}
  • Profile picture of the author goodmast3r
    i have the similar thing today on several servers. Are hackers on action today??

    Most important thing is upgrade your Wordpress.
    Signature
    cheap custom wordpress only $399 for now
    http://odihost.com/convert-html-to-wordpress/, start from $399
    {{ DiscussionBoard.errors[3591584].message }}

Trending Topics