13 {{ upvoteCount | shortNum }}
13 {{ upvoteCount | shortNum }}

URGENT HELP please... Client's website hacked and I've got No Clue - (now fixed - thx all)

by Paul Barrs
11 replies
Hi Folks,

I'm hoping someone out there in Warrior World can help me with this one....

One of my Client's websites has been hacked by some by Turkey*****Pirates - which puts their crap on the main page and I can't figure out how to delete it. (I've added the ***** because I don't want this post coming up on their radar).

It's a Wordpress site for which they added their own username and the page stuff, while also locking out my client's administrator access (and no, he WASN'T using "admin" as his login.)

I can still log in with my own personal access but cannot see the new page OR post that now appears to show up - in looking at the source code I can see that it's a HTML page, not a Wordpress page.

I've logged in via FTP and cannot see that page / file anywhere on the server.

The URL is : Australian Academy of Tai Chi

And don't worry, no viruses etc show up.

All suggestions of help are greatly appreciated.

Paul Barrs

Update - Now fixed; thank you all !
#client #clue #hacked #urgent #website
  • Profile picture of the author alistair
    Wouldn't it just be index.html. Probably not as it would probably be too easy but I'm not too clued up on that kind of stuff.

    Hope you get it sorted.
    {{ DiscussionBoard.errors[5653984].message }}
  • Profile picture of the author WillR
    Paul,

    That sucks. I'm not sure how to get rid of that since I've never had it happen before. Once you do fix it though I can recommend to you a couple of Wordpress plugins you should install at the very least:

    WordPress › Limit Login Attempts « WordPress Plugins

    and

    WordPress › Bad Behavior « WordPress Plugins

    If/when you do figure things out be sure to post it here so others (including me) know what to do if it should ever happen or anyone else ever asks the same question.

    Damn cyber pirates. Man the world would be a nice place without a-holes.
    Signature

    .


    .

    {{ DiscussionBoard.errors[5654008].message }}
  • Profile picture of the author the_icon
    Re read, my bad.

    Re the FTP there would have to be something there for the hackers to be displaying that page, no?

    I understand you say you have been through it.
    {{ DiscussionBoard.errors[5654017].message }}
  • Profile picture of the author rosetrees
    Usually these hackers just replace the index.php file(s). I say file(s) because if you use ftp software to connect to the site you will often find more than one, at different levels of the site.

    Is Wordpress up to date? If not, you might get lucky and be able to cure the problem by updating Wordpress from within Fantastico.

    If Wordpress is already up to date, this is what I do. Make a fresh install of Wordpress on a sub-domain of one of my own sites. Ftp the index.php file(s) to my computer. Use your ftp software to connect to the damaged site and replace the index.php file(s) with the new ones.

    That usually cures the problem.

    Good luck.
    {{ DiscussionBoard.errors[5654028].message }}
    • Profile picture of the author Paul Barrs
      Originally Posted by alistair View Post

      Wouldn't it just be index.html. Probably not as it would probably be too easy but I'm not too clued up on that kind of stuff.
      This was my first thought - no, no such file.

      Originally Posted by WillR View Post

      Thanks Will, already have this one; will look at the other.

      Originally Posted by rosetrees View Post

      Usually these hackers just replace the index.php file(s). I say file(s) because if you use ftp software to connect to the site you will often find more than one, at different levels of the site.

      UP to date, yes, didn't think of the index.php - will check.

      Thx

      Update - all fixed, yes, it was the index.php... didn't see it because i was looking for 'extra' files.

      Carol... xx
      Signature
      **********
      It's Simple... I don't "sell" IM anymore, but still do lots of YouTube Videos
      **********
      {{ DiscussionBoard.errors[5654049].message }}
      • Profile picture of the author Paul Barrs
        Originally Posted by Paul Barrs View Post

        Update - all fixed, yes, it was the index.php... didn't see it because i was looking for 'extra' files.
        And I'm now in the process of changing ALL passwords for the site, Wordpress, Cpanel, Email etc....
        Signature
        **********
        It's Simple... I don't "sell" IM anymore, but still do lots of YouTube Videos
        **********
        {{ DiscussionBoard.errors[5654078].message }}
  • Profile picture of the author the_icon
    Maybe try this?

    stopthehacker.com | nl.ai p,a,c,k,e,d Malware
    {{ DiscussionBoard.errors[5654038].message }}
  • Profile picture of the author barbling
    That truly does suck.

    1.) You can post for help over at Google:

    http://www.google.com/support/forum/...8e37c08e&hl=en

    2.) Use Cpanel and see if an index.html or home.html or default.html or index.htm has been put in the root directory. That will show up first before Wordpress index.php .

    Delete the file if found and see if that fixes the problem.

    3.) Contact your host provider     and ask what the bleep happened and what can be done!

    Good luck!
    Signature
    {{ DiscussionBoard.errors[5654053].message }}
  • Profile picture of the author the_icon
    How did you fix it bud, just in case it happens to anyone else?
    {{ DiscussionBoard.errors[5654061].message }}
  • Profile picture of the author sax.sunny
    That's not enough Paul, the way I see it.

    I am an IT Graduate and back in my younger days, I have played a lot with Gray and White Hat stuff.

    Here is my advise - Get a knowledgeable programmer fix your code.

    It might usually be with the WP Theme. I can still see some error on the bottom of your homepage.

    The attack that your site had is usually called - Defacing a Page. It's very easy for an attacker to attack it again and deface your client's site again, if you don't fix your code.

    I hope that helps. Wish you all the best.
    {{ DiscussionBoard.errors[5654978].message }}
    • Profile picture of the author Paul Barrs
      Originally Posted by sax.sunny View Post

      That's not enough Paul, the way I see it.

      I am an IT Graduate and back in my younger days, I have played a lot with Gray and White Hat stuff.

      Here is my advise - Get a knowledgeable programmer fix your code.

      It might usually be with the WP Theme. I can still see some error on the bottom of your homepage.

      The attack that your site had is usually called - Defacing a Page. It's very easy for an attacker to attack it again and deface your client's site again, if you don't fix your code.

      I hope that helps. Wish you all the best.
      Thank you Sax,

      I'll get straight on it.

      Paul
      Signature
      **********
      It's Simple... I don't "sell" IM anymore, but still do lots of YouTube Videos
      **********
      {{ DiscussionBoard.errors[5657389].message }}

Trending Topics