
All MY WORDPRESS SITES GOT HACKED !!!!

Discussion in 'Blogging' started by hpscool, Jan 24, 2011.

  1. hpscool

    hpscool Junior Member

    Hi,
    I am in a terrible situation now. I am using two shared hosting providers to host about 5 WP blogs. Suddenly all of my sites in one account became non-responsive and get redirected to something like gbimd.com
    I can't log in to any of the blogs. So I transferred one of my sites in this hosting account to another hosting provider I use, where I host 4-5 WP blogs.
    Now, as soon as I uploaded the site to the new host, every site already on the host got affected and is redirected to the same domain (the domain gbimd.com seems to be non-responsive). So were my sites hacked? If yes, then what is the next step?

    (Pardon me for poor English)

    So I think I am all f**ked up. PLEASE HELP ME OUT HERE :confused:
    Any suggestions are much appreciated
     
  2. MonoPuff

    MonoPuff Junior Member

    This is most likely affecting all the sites on your shared host's server. Contact their tech support ASAP, but hopefully they're already on it.


    I had a similar problem with all my blogs on a particular server. One of the users hacked it and set up phishing pages on all my (and everyone else's on the server) sites. I found out when I got notices from Google saying their bots detected malware on my site.
     
  3. richcamp

    richcamp Regular Member

    Check your theme; there might be some malicious code there. Try putting the default theme on for a while, or a theme that you know for sure is not infected.
     
  4. hpscool

    hpscool Junior Member

    I cannot even log in to the admin page. Any way to try it using FTP access?

    I submitted a ticket to the hosting company and hope they are on to it. But
    what will I do now to get the sites back to work? Is there any way to get all the contents back with a fresh install? What if I import the comments and posts tables back to the fresh install?
     
  5. philionaire

    philionaire Regular Member

    You can check your theme with

    Theme Authenticity Checker plugin:

    Code:
    http://wordpress.org/extend/plugins/tac/
    And scan your theme with AntiVirus Plugin:

    Code:
    http://wordpress.org/extend/plugins/antivirus/
    These will look for any malicious code and might point you in the right direction.

    Edit: Just seen your last response. If you can't log in then I am unsure. I'll leave the links for the plugins as they're free and might help you and others in the future.
     
  6. Erik

    Erik Regular Member

    Base64 exploit. Look at the header of any PHP file for some string of code that says base64. Once you find it, copy it to a text doc, find a base64 decoder and paste it there. Once it's decoded, it will show you the location of the payload. Delete the payload. You will be able to log in then. Now update. Google "base64 wordpress" if you're confused. Good luck.
     
  7. hpscool

    hpscool Junior Member

    Those were helpful links, but I guess I can't use them without logging in...
     
  8. madoctopus

    madoctopus Supreme Member

    It sounds like an FTP client exploit. If you used FileZilla or some other FTP client and you saved your passwords, the exploit stole them and injected its code into the site files, making that redirect. What you have to do is:

    1. Do a system-wide virus check
    2. Install Malwarebytes Anti-Malware and do a system-wide check - this should find the culprit
    3. Change all your passwords for all hosting that you ever used with an FTP client
    4. Download the files of a blog and look in the code for the injected code. It is probably obfuscated JavaScript code or encoded PHP code. If you are not familiar with HTML, PHP, JavaScript, hire somebody to do that. If you don't want to do that, you can just use a clean backup if you have one. You don't have a backup? Too bad, you always should have a backup and do backups of your sites.
    5. If you found the injected code, you can take the PHP script that I posted here (you may want to read all posts in that thread) and adapt it to your needs to remove the injected code from the files. You need at least to create some plain text files in which you put the injected code pattern. As it is, the script supports 2 files for 2 different injection footprints. You can adapt it easily to work with more footprints if you know PHP, or run it multiple times, once for each footprint.
    6. Even if you used my script, you may still have the sites affected but not be able to see it. The thing is, since the cracker compromised your files he could have put anything there. That is why it is good to have backups.
    7. What I recommend is that you reinstall the sites from scratch and repost all content, if you want to be 100% sure they are clean.
     
  9. hpscool

    hpscool Junior Member

    Searching all PHP files may take ages. Is there any way to make this searching fast? Thanks a lot for the reply, I am waiting for an answer...
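
The search Erik and madoctopus describe, and the speed-up asked for in the post above, as an added example that is not from any poster in this thread: a Python script that walks a downloaded copy of the site, flags PHP files containing an `eval(base64_decode('...'))` wrapper and decodes the literal for reading without executing it. The regex, the file extensions and the sample tree (including `redirect.example`) are assumptions constructed for illustration; injected code in any other shape will not match.

```python
import base64, binascii, os, re, tempfile

# Matches eval(base64_decode('...')) and captures the literal (assumed wrapper shape).
INJECTED = re.compile(
    rb"""(?:eval|assert)\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]""", re.I)

def scan_file(path):
    """Return the decoded text of every wrapped literal in one file (never executed)."""
    with open(path, "rb") as fh:
        data = fh.read()
    found = []
    for match in INJECTED.finditer(data):
        try:
            decoded = base64.b64decode(match.group(1))
        except (binascii.Error, ValueError):
            decoded = b"<undecodable base64>"
        found.append(decoded.decode("utf-8", "replace"))
    return found

def scan_tree(root):
    """Walk root and map each flagged PHP file (relative path) to its decoded payloads."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            payloads = scan_file(path)
            if payloads:
                hits[os.path.relpath(path, root)] = payloads
    return hits

def build_sample(root):
    """Constructed sample tree: index.php with an injected header, one clean theme file."""
    blob = base64.b64encode(b'header("Location: http://redirect.example/");').decode()
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    samples = {
        os.path.join(root, "index.php"): "<?php eval(base64_decode('%s')); ?>\n<?php // original file\n" % blob,
        os.path.join(theme, "functions.php"): "<?php\nfunction demo_setup() { return true; }\n",
    }
    for path, text in samples.items():
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_tree(tmp))
```

Point `scan_tree` at the local copy of the blog files rather than the live server; a file that is reported should be compared against a clean copy of the same WordPress, theme or plugin version before anything is deleted.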
     
  10. hpscool

    hpscool Junior Member

    That was a very promising reply. I will try it now and post back the results. Thanks... :knuddel:
     
  11. Don Carlito

    Don Carlito Regular Member

    Change your permissions to 644 on .htaccess and wp-config
     
  12. hpscool

    hpscool Junior Member

    Well, I informed my hosting company of this and luckily they fixed the problem for now. Now the sites are working fine. Thanks for the reply...
     
  13. charlieboy747

    charlieboy747 Newbie

    I always use the login lockdown plugin, just to be safe.:cool:
     
  14. mrfent2

    mrfent2 Newbie

    Keep us updated