
WordPress Troubleshooting and Support


WordPress support from our community

Help for a hacked site


  • #1218
    Ed Altman
    Participant

    Hi all –

    My site has been (and is still being) hacked. I am getting ads showing on the site in posts and links (so far) for drugs for impotence. (I won’t repeat here – I don’t want this post to be rejected.)

    I’m trying to understand exactly how these posts get in there and, more importantly, how to eradicate the problem. Possibly useful information below:

    – I immediately changed the password on my admin account to no avail.
    – I do not allow subscribers – I set up all the user accounts.
    – I want to change the password on my database but I can’t remember what it was (yes, that’s embarrassing to write, but it’s the truth).
    – No sign of unusual users in my list of 60 of them (so it’s easy to check).

    Is it possible these attacks occurred starting with a subscriber who had a less than stellar browser (e.g. IE6)?

    Is there really any way to clean this up without reinstalling a new, clean copy of my installation? I’m afraid that bringing anything along will bring the problem along as well.

    Any help would be great!

    Thanks in advance,
    ed

    #1983
    Steve
    Keymaster

    Ed– have you contacted your host? They may be able to help.

    #1984
    Ed Altman
    Participant

    Hi Steve –

    I have not contacted them yet. Are you talking about contacting them about 1) my (embarrassingly) missing database password, 2) questions about the hacking, or 3) something completely different ??

    Thanks,
    ed

    #1985
    Dr Ron Suarez
    Participant

    This worked for me in 2009 – How To Completely Clean Your Hacked WordPress Installation | Smackdown! http://bit.ly/qG5wsf

    #1986
    Ed Altman
    Participant

    Dr. Ron – Thanks for this link. It’s a good post. This sounds like it’s going to be done this weekend – not during the week.

    A couple of comments and questions if you have any answers.

    To make sure I understand… this article suggests the hacking is coming from within the WordPress source files (php, etc.) and that I’d need to clean them all out and reinstall. (I have shell access to delete and will use my ISP to reinstall a fresh instance.)

    So I can restore the database because at this point, even though the database may have crap left (although I have searched it) there’s no executable code in the database?

    FYI – My hack is visible, as opposed to this writeup and many others where the hack is manifested invisibly (to hurt the SEO ratings).

    Are there any other gotchas that I need to worry about, especially with respect to plugins, or if I reinstall the same plugins I should have the same settings?

    Thanks,
    ed

    #1987
    Joly MacFie
    Participant

    There is a plugin called ‘exploit scanner’ which will pick up anything suspicious in your core files, but not if it’s in your sql.

    After hearing Steve mention it I have installed WordPress Firewall and I do periodically see it blocking what appear to be SQL injection attacks.

    This is why it’s a good idea to run an auto backup plugin like ‘DBC Backup’.

    j

    #1988
    Ed Altman
    Participant

    Thanks Joly

    I found Exploit Scanner yesterday and installed it but it gave me a lot of results that I didn’t have time to go through at work. After the refresh, I will install and run it – and then I’ll get a baseline for future runs.

    I have just installed WordPress Firewall – although it feels like closing the barn door after the horse is gone? 🙂

    How does this sort of attack vector happen? Is it through older browsers used by our users? We are a very small group – but for a subset of the group, technologically deficient, in some cases, users probably are still running IE6. I did get a note saying someone’s email had been hacked – so I wonder if there’s any connection.

    Thanks for your help.
    ed
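
The "baseline for future runs" idea from the post above, together with the core-file scanning mentioned earlier in the thread, as an added example that is not part of the original thread or of the Exploit Scanner plugin: it records a SHA-256 hash of every file right after a clean reinstall and later reports what was added, changed or removed. The function names, the JSON manifest format and the PHP-in-uploads heuristic are assumptions made for this example.

```python
import hashlib
import json
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Report files added, changed or removed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    # Heuristic (assumption of this example): the uploads folder should hold
    # media only, so any PHP file found there deserves a manual look.
    php_in_uploads = sorted(p for p in current
                            if p.startswith("wp-content/uploads/")
                            and p.lower().endswith(".php"))
    return {"added": added, "changed": changed, "removed": removed,
            "php_in_uploads": php_in_uploads}


def save_manifest(manifest, out_file):
    Path(out_file).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_file):
    return json.loads(Path(in_file).read_text())


if __name__ == "__main__":
    import sys
    # Usage: python wp_baseline.py <wordpress_root> <manifest.json>
    root, manifest_file = sys.argv[1], sys.argv[2]
    current = build_manifest(root)
    if Path(manifest_file).exists():
        print(json.dumps(diff_manifests(load_manifest(manifest_file), current), indent=2))
    else:
        save_manifest(current, manifest_file)
        print(f"Baseline of {len(current)} files written to {manifest_file}")
```

Keep the manifest file outside the web root so it cannot be altered along with the site, and rebuild it after every legitimate core, theme or plugin update.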

    #1989
    Dr Ron Suarez
    Participant

    One of the reasons we see upgrades to WordPress is because hackers discover vulnerabilities in the code and patches get created to fix the vulnerability. If you don’t upgrade your WordPress installation fast enough then you become a victim.

    #1990
    D.K. Smith
    Participant

    I can either fix this or lead you down the correct path. Drop me a note @wpsecurity with your URL, etc.

    #1991
    James P
    Participant

    I found the steps in here: http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php to be effective. It’s a little less work than the previously linked solution.

    Also, please note Google will have to re-crawl your site after you’ve removed the exploit for the ads to go away in the search results.
