Help: Hijacked wordpress site?

by Big Al
19 replies
Hi Guys,

Recently one of my new blogs has taken a dive, traffic wise and I couldn't work out why I'd gone from say 50 visits per day and growing to 1 or 2.

I checked my rankings... all ok and getting better.

Then today (after about 2 weeks of scratching my head) I search in Google and... my page doesn't open.

Instead it tries to redirect to this page
sweepstakesandcontestsinfo DOT com /nl-in.php?nnn=555

which you shouldn't visit just in case it's a dangerous site
which then fails. Which is a good thing.

So my site has been hacked somehow and I was wondering if anyone knows the source of the problem or where it might be hiding in my site. I do back it up but would rather remove the offending script if possible.

Thanks.
#hijacked #site #wordpress
  • Profile picture of the author CyberAlien
    Something in your .htaccess could be redirecting anyone referred via Google to their own website. I would suggest checking the .htaccess and try disabling all plugins to see if that fixes it. If not, just shoot an email to your hosting company to see the last time any of your files were edited.
    {{ DiscussionBoard.errors[5152731].message }}
  • Profile picture of the author Vincent Abrugar
    Yes. Its inside your .htaccess also if you're using wordpress check your theme files for suspicious php and js files.

    Check your files time-stamp of so you can easily find which file was modified.
    {{ DiscussionBoard.errors[5152956].message }}
  • Profile picture of the author TheKing
    If you still unable to fix your site then I can do it for you in free ..
    let me know
    {{ DiscussionBoard.errors[5153193].message }}
  • Profile picture of the author CyberAlien
    Also, if you posted a link to your website then it may help a bit more
    {{ DiscussionBoard.errors[5153249].message }}
  • Profile picture of the author Lucian Lada
    Hey,

    It might be because you downloaded cracked themes ? Just saying..
    I've heard that on these so called Free Premium Themes there are scripts that give them access to all sorts of things.

    Good luck
    {{ DiscussionBoard.errors[5153263].message }}
  • {{ DiscussionBoard.errors[5153273].message }}
  • Profile picture of the author Big Al
    As much as I'd love to share the sites... it's 11 out of 13 with this hosting company. I think only 11. I've logged a support ticket to see what they have to say. My suspicion is that it was through my FTP account.

    I've changed my passwords (and now the rage, frustration and anger that I didn't tighten up on my security sooner has died a bit) I'm getting ready to 'start again'.

    One of those mistakes you only make once!
    {{ DiscussionBoard.errors[5154378].message }}
  • Profile picture of the author Istvan Horvath
    Besides the suggested .htaccess check - look into the root index.php file, too!

    It is a very short file and it should have only this:

    Code:
    <?php
    /**
     * Front to the WordPress application. This file doesn't do anything, but loads
     * wp-blog-header.php which does and tells WordPress to load the theme.
     *
     * @package WordPress
     */
    
    /**
     * Tells WordPress to load the WordPress theme and output it.
     *
     * @var bool
     */
    define('WP_USE_THEMES', true);
    
    /** Loads the WordPress Environment and Template */
    require('./wp-blog-header.php');
    ?>
    If there is anything else in it...
    Signature

    {{ DiscussionBoard.errors[5154405].message }}
  • Profile picture of the author trankgv
    it should be errors of .htaccess
    {{ DiscussionBoard.errors[5155112].message }}
  • Profile picture of the author bhola badshah
    do you have backup of your website, restore it or ask your web host to restore your website with old backup.
    {{ DiscussionBoard.errors[5159882].message }}
  • Profile picture of the author zardon
    Check your themes for any occurance of the word base64_encode. It always rings alarm bells when I see this. Other times, the bad code will be in a php file, like in a theme functions. Its always good practice to review every theme you download for things of this kind.
    {{ DiscussionBoard.errors[5160061].message }}
  • Profile picture of the author Big Al
    Istvan... thanks. I think I need to buy your course (no joke).

    The files my host identified as affected are (x 11):

    /home/username/www.mydomain.com/wp-activate.php
    /home/username/www.mydomain.com/wp-links-opml.php
    /home/username/www.mydomain.com/wp-pass.php
    /home/username/www.mydomain.com/wp-blog-header.php
    /home/username/www.mydomain.com/wp-rss.php
    /home/username/www.mydomain.com/wp-cron.php
    /home/username/www.mydomain.com/wp-comments-post.php
    /home/username/www.mydomain.com/xmlrpc.php
    /home/username/www.mydomain.com/wp-commentsrss2.php
    /home/username/www.mydomain.com/wp-load.php
    /home/username/www.mydomain.com/wp-config-sample.php
    /home/username/www.mydomain.com/wp-trackback.php
    /home/username/www.mydomain.com/wp-settings.php
    /home/username/www.mydomain.com/wp-rss2.php
    /home/username/www.mydomain.com/index.php
    /home/username/www.mydomain.com/wp-feed.php
    /home/username/www.mydomain.com/wp-rdf.php
    /home/username/www.mydomain.com/wp-app.php
    /home/username/www.mydomain.com/wp-register.php
    /home/username/www.mydomain.com/wp-login.php
    /home/username/www.mydomain.com/wp-signup.php
    /home/username/www.mydomain.com/wp-atom.php
    /home/username/www.mydomain.com/wp-mail.php
    /home/username/www.mydomain.com/wp-config.php
    Being non-technical I'm worried about trying to remove or update files but not getting rid of ALL the offending code. It's also the problem I have with restoring old sites because (I'm guessing) you have to make sure the ones your restore are ok. Which means I need to identify exactly when the incidence took place which I believe it was early November from looking at my site stats. My hosting company only offers to restore back-ups from the past 5 days which doesn't help much.

    [There's a lot of which, if and but going on here ]

    I've already started to tear down the very small sites and start again. Incidentally I might use this as an opportunity to try out a different hosting company who's perhaps more accustomed to dealing with these types of problems.
    {{ DiscussionBoard.errors[5160647].message }}
  • Profile picture of the author Juvv2096
    Your hosting company usually wouldnt help too much with this sort of issue.

    Did you check your .htaccess file? Errors coming up with pages can be caused by redirections in htaccess files. Trust me I just fixed one of my sites up yesterday with an issue much like yours.
    Signature
    Web 2.0 Explosion - Hand Made Web 2.0's
    Ranks Drop After Blog Network Crash? Get Them Back!
    {{ DiscussionBoard.errors[5161221].message }}
  • Profile picture of the author Big Al
    So far I've removed the offending code from these files:

    /home/username/www.mydomain.com/wp-activate.php
    /home/username/www.mydomain.com/wp-links-opml.php
    /home/username/www.mydomain.com/wp-pass.php
    /home/username/www.mydomain.com/wp-blog-header.php
    /home/username/www.mydomain.com/wp-rss.php
    /home/username/www.mydomain.com/wp-cron.php
    /home/username/www.mydomain.com/wp-comments-post.php
    /home/username/www.mydomain.com/xmlrpc.php
    /home/username/www.mydomain.com/wp-commentsrss2.php
    /home/username/www.mydomain.com/wp-load.php
    /home/username/www.mydomain.com/wp-config-sample.php
    /home/username/www.mydomain.com/wp-trackback.php
    /home/username/www.mydomain.com/wp-settings.php
    /home/username/www.mydomain.com/wp-rss2.php
    /home/username/www.mydomain.com/index.php
    /home/username/www.mydomain.com/wp-feed.php
    /home/username/www.mydomain.com/wp-rdf.php
    /home/username/www.mydomain.com/wp-app.php
    /home/username/www.mydomain.com/wp-register.php
    /home/username/www.mydomain.com/wp-login.php
    /home/username/www.mydomain.com/wp-signup.php
    /home/username/www.mydomain.com/wp-atom.php
    /home/username/www.mydomain.com/wp-mail.php
    /home/username/www.mydomain.com/wp-config.php
    But I've no idea where to find the .htaccess files

    I've been Googling my butt off and don't know if I'm looking for a file titled .htaccess or (er..) what?

    Big thanks to everyone so far!

    Essentially I think it's this that I'm up against:

    This attack uses the .htaccess file to redirect users to a site serving malware (or spam). In some cases, the index.php is also modified to do the redirection as well.
    And this was a useful tool: Sucuri SiteCheck - Free Website Malware Scans so thanks Chase for recommending it.

    For the record there was nothing hacked or ripped on these sites... all 100% legit templates, pluggins etc.
    {{ DiscussionBoard.errors[5173718].message }}
  • Profile picture of the author jdkesler
    you are looking for a file titled .htacess. It is in your file management system of wherever your files are on the hosting services.

    in WordPress it's in the WordPress folder

    The code should look something like this:

    SetEnv PHP_VERSION 5
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    My guess is that your file index.php has been reset to point to the malware sites target.
    Signature

    Do you know who got rich during the gold rush? GoldMiner Marketing Jesse Kesler

    {{ DiscussionBoard.errors[5173762].message }}
  • Profile picture of the author WiFi
    Unfortunately this has happened to me. Here are 7 steps I recommend you take:
    1. Change your FTP password to a Stronger one. Those of you using an FTP program to upload files to your server make sure the password is strong. Mine was apparently so weak It was like I gave a personal invite to the hackers. If you don’t even know what FTP is then you’ll be fine!

    2. Change your Hosting account passwords to a stronger one. (In my case GoDaddy). I cant even remember my customer numbers or passwords and being such a big company I doubt the hackers got to me this way.

    3. Change your Google accounts to a stronger one. This includes your analytics accounts, adwords, gmail etc..

    4. Back up your sites content & database. I personally am not sure on how to do this. I thought there was a plugin for this. If anyway can answer this question please do so in the comments below.

    5. Upgrade WordPress to the latest version. Version 3.0 due around May so upgrade then.

    6. Remove your unused Plugins. No point keeping them there if your not using them.

    7. Update your used Plugins to the latest versions. It’ll usually tell you in the ‘Plugins’ section that a new version is available. Update it. Make sure its reputable. Don’t download crappy plugins with poor feedback.
    Signature
    WiFi
    {{ DiscussionBoard.errors[5174199].message }}
    • Profile picture of the author bt
      If I were you I would backup my WP database and then delete your public_html folder, then create a new public_html folder and re install WordPress and then Import your backed up WP database.

      This way you are starting from scratch. The hackers have found a backdoor into your files, so your better off to start from scratch.
      {{ DiscussionBoard.errors[5174348].message }}
  • Profile picture of the author Chris Thompson
    Don't listen to any of the SPECIFIC recommendations about how it's "probably" your .htaccess, etc.

    It could be ANYTHING.

    The first thing to do is check your FTP logs for activity around the time that the hack took place. That might lead you to learn what file was changed. That is assuming it was an FTP-executed hack, which is very common.

    If FTP logs don't reveal it, you need to manually go through your FTP connection to check the date of when files were modified in every single directory.

    If files were modified that you did not modify, that's a big clue.
    {{ DiscussionBoard.errors[5174477].message }}
  • Profile picture of the author Chris Thompson
    Here is a post talking about how to find how you were hacked:
    http://blog.outsourcefactor.com/here...mission-thief/

    Different hack, but same approach to find the problem.
    {{ DiscussionBoard.errors[5174485].message }}

Trending Topics