
Any server experts here? Site hacked - needs fixing - important!

Discussion in 'Hire a Freelancer' started by meathead1234, Jan 29, 2013.

  1. meathead1234

    meathead1234 Moderator Staff Member Moderator Premium Member

    Joined:
    Sep 24, 2008
    Messages:
    3,817
    Likes Received:
    14,000
    Hi,

    One of our Wordpress sites was hacked today and my team haven't been able to fix it. Even when deleting rogue files, they seem to keep coming back.

    The site is currently being redirected via .htaccess and whatever we do it continues. Google is flagging it as Malware which is a big issue.

    This is one of our main money sites so every minute it's down costs us money.

    I Googled the hacker and found this thread: http://forums.iis.net/t/1153544.aspx/1

    I am not technical enough to be able to fix it.

    Can anyone help? If you've dealt with similar issues before, please drop me a PM, let me know if you are available now and a rough price estimate.

    Thanks
    Thomas
     
  2. gatra

    gatra Regular Member

    Joined:
    Aug 17, 2011
    Messages:
    248
    Likes Received:
    92
    Would not risk it and just reinstall the server, install WP freshly and play in a backup of your site.

    Also for the future:
    - keep WP updated!
    - keep Linux (or Windows) updated!
    - hire someone who can, at least initially, secure your server.

    Other than that, I'm afraid I am not tech savvy enough to help you directly.
     
  3. JesusBack

    JesusBack Executive VIP Premium Member

    Joined:
    Sep 15, 2010
    Messages:
    1,159
    Likes Received:
    1,285
    Occupation:
    Almost done :D
    Location:
    {calm|cool|collected}
    It's probably your theme they used to exploit your site (or plugins). If you want you can try to look for the backdoor. Personally I would empty the server like the above guy said and then copy paste any text that you need. Then go ahead and use one of the default/popular themes instead.
     
  4. meathead1234

    meathead1234 Moderator Staff Member Moderator Premium Member

    We would do that but the site is large (lots of content) with a members area etc. with Wishlist member. It would probably take a week to get back up manually like that - and we would get nailed by refunds and piss off a lot of affiliates. We were thinking of finding a backup that is a few weeks old, installing on a new server and removing any plugins we no longer use. Would that work?
     
  5. gatra

    gatra Regular Member

    I would first even try to play back a MySQL backup you made JUST NOW. Be sure to change your password in WP after that. But chances are big that only your server was compromised and not your MySQL database. Look through the database to see if you have any tables that should not be there, but that's worth a try.

    Would suggest setting up everything new and playing in a very recent MySQL backup.

    Also, after that, make DAILY backups.
     
  6. bentleygt20

    bentleygt20 Newbie

    Joined:
    Jan 6, 2013
    Messages:
    13
    Likes Received:
    1
    Location:
    UK
    Personally, I would install a fresh WP install and try and restore from an old DB and theme files. We had problems with a hacked Wordpress site before so I would also install Better WP Security and set it to monitor changed files...possibly do this straight after a fresh install rather than after loading in the other files. Also set it to drop file permissions on everything unnecessary...even the .htaccess

    This might not help but it's certainly something that I'd do.
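
The file-change monitoring suggested in the post above, and the symptom from the first post of rogue files that keep coming back, can be checked by hand with a checksum baseline. The sketch below is an added example, not part of the thread and not how Better WP Security works internally; the function names and the constructed demo files are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and demo files are hypothetical.

# Print "sha256  ./relative/path" for every regular file under $1, sorted by path.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Compare an old and a new manifest (two different files);
# print one "STATUS path" line per difference.
compare_manifests() {
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }  # 64 hex chars + 2 separators
        FILENAME == ARGV[1] { old[path] = hash; next }
        { seen[path] = 1
          if (!(path in old))          print "ADDED " path
          else if (old[path] != hash)  print "CHANGED " path }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed demo: a tiny fake web root that is tampered with after the baseline.
demo() {
    _work=$(mktemp -d) || return 1
    _root="$_work/public_html"
    mkdir -p "$_root/wp-content/themes/demo"
    echo '# BEGIN WordPress' > "$_root/.htaccess"
    echo '<?php // constructed index' > "$_root/index.php"
    echo '<?php // constructed theme file' > "$_root/wp-content/themes/demo/functions.php"
    make_manifest "$_root" > "$_work/baseline.txt"   # baseline lives outside the web root

    echo '# constructed tampering' >> "$_root/.htaccess"     # existing file modified
    echo '<?php // constructed rogue file' > "$_root/p.php"  # file that "comes back"
    rm "$_root/index.php"                                    # legitimate file removed

    make_manifest "$_root" > "$_work/current.txt"
    compare_manifests "$_work/baseline.txt" "$_work/current.txt"
    rm -rf "$_work"
}

demo
```

Keep the baseline off the server or in a location the web server user cannot write to, since anyone who can rewrite the baseline can hide their changes from the comparison.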
     
  7. bigbong

    bigbong Regular Member

    Joined:
    Dec 1, 2011
    Messages:
    247
    Likes Received:
    251
    If it is really just WP that has been hacked, use root to modify the .htaccess file. Then save and set chmod to write access only for root. If they are able to change your .htaccess file after this, they basically have root access to your server and it's time to do some serious cleanup...
     
  8. JesusBack

    JesusBack Executive VIP Premium Member

    Getting the backup and setting up with new passes would be a pretty good idea, but it doesn't really solve the problem assuming it is indeed a software issue and not one with the server (very small chance in comparison).

    Is your theme custom made?
     
  9. HostStage

    HostStage Jr. VIP Jr. VIP Premium Member UnGagged Attendee

    Joined:
    May 20, 2010
    Messages:
    1,806
    Likes Received:
    1,745
    Occupation:
    BHW - CEO of Webhosting Company
    Location:
    BWH from France
    If you are using a cPanel web hosting service, make sure that in the folders prior to public_html, you don't have any p.php or similar files.

    Those are backdoors which behave a bit like a trojan on a computer.

    You can ask your provider to run an antivirus such as ClamAV, as it would detect such corrupted files.

    Make sure you don't use any nulled theme or plugin.

    Finally, another source of problems is FileZilla, which in some cases isn't secured enough, and the logins can be hijacked from an infected PC.

    Hope you'll sort it out as such problems are a real hassle to get rid of.
     
  10. H3ktor

    H3ktor Jr. VIP Jr. VIP

    Joined:
    Oct 20, 2009
    Messages:
    795
    Likes Received:
    978
    Gender:
    Male
    Occupation:
    Entrepreneur
    Location:
    Paris
    Recently a jQuery exploit rolled in. It was basically a frame using cURL. Pretty hard to find the bad code. Many of my sites were affected. I fixed the problem from the theme. Usually it is either the theme or the plugin. Can you send me more detail of your problem, a screenshot or some error detail? I may help you :)
     
  11. meathead1234

    meathead1234 Moderator Staff Member Moderator Premium Member

    Thanks for the help, guys. I have someone helping my team now so will update on progress!
     
  12. sukataetumba

    sukataetumba Senior Member

    Joined:
    May 25, 2010
    Messages:
    1,109
    Likes Received:
    213
    Based on experience, these hacks are usually database based.

    Have your team create a new blank database to test if the issue persists.
     
  13. unknownn

    unknownn BANNED BANNED

    Joined:
    Dec 7, 2008
    Messages:
    826
    Likes Received:
    605
    It's mostly plugin based. They scan what kind of plugins you use, and some plugins are easy to hack.
     
  14. _swes_

    _swes_ BANNED BANNED

    Joined:
    Nov 4, 2012
    Messages:
    59
    Likes Received:
    17
    If you still need help, just PM me.
     
  15. argh11

    argh11 Regular Member

    Joined:
    Jul 14, 2011
    Messages:
    307
    Likes Received:
    116
    Location:
    USA
    Thomas,
    Most everyone is correct in the fact that you should isolate where the hack is.
    - server hack
    - database hack
    - wp hack
    - theme hack
    - plugin hack
    - curl hack

    Any of these could do what you said but the website you provided points towards software like wp, theme or plugins.
    You can isolate these mostly and figure it out but hopefully your helper is already doing that.

    Let me know if you need any help and good luck on getting your site back under your control!

    -argh11