
Been hacked, need some help!

Discussion in 'Black Hat SEO' started by mrmidjam, Jul 30, 2011.

  1. mrmidjam

    mrmidjam Regular Member

    Hi Guys,

    In the last 2 days I have received 'delivery status' failed email messages from one of my WordPress blogs.

    Today I received an email from my host saying that my site has been sending spam emails and if I don't fix it my account will be deleted.

    This was in the email my host sent me:

    Feedback-Type: abuse
    User-Agent: AOL SComp
    Version: 0.1
    Received-Date: Fri, 29 Jul 2011 18:23:40 -0400 (EDT)
    Source-IP: xx.xx.xx.xx
    Reported-Domain: xx.awardspace.com
    Redacted-Address: redacted
    Redacted-Address: redacted@

    I took the IP address and scanned the access logs, and found entries with the same IP range. They were accessing the wp-cron.php file; as I have no known plugins that use it, I have deleted it.

    I have changed the WP/email/FTP/database passwords and installed:

    Secure WordPress
    Firewall
    Login Lockdown

    I was also getting failed email messages from the Gmail account that had a redirect set up to the email address above. Have changed the password on that account and removed the redirect.

    I'm worried that my other sites on the account might be compromised, so I'm changing all the details for them too.

    Could really use some advice!
     
  2. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Make sure all your sites are up to date. Also make sure all permissions are tight.

    Unlikely all sites would be affected - unless there's a real vulnerability that exists on all of them.

    Most likely cause is a PHP script installed somewhere.

    I would look through the file structure for anything that looks out of place.

    If you are still having problems I'd be happy to look at it for you.
     
  3. salsabot

    salsabot Junior Member

    Change every password and you will be fine :)
     
  4. mrmidjam

    mrmidjam Regular Member

    Thanks guys, how do you think they were sending emails? Do you think they had my email account details? How would they have got these details?
     
  5. mrmidjam

    mrmidjam Regular Member

    Here is the last entry in the access log:
    xxxxxxx.com xx.xxx.xxx.xx - - [30/Jul/2011:09:59:55 +0100] "POST /wp-cron.php?doing_wp_cron HTTP/1.0" 403 4068 "-" "WordPress/3.2.1; http://www.xxxxxxx.com"

    Does this mean that there is some dodgy code in my index.php file as it's coming from the main site URL?
     
  6. overRun

    overRun Newbie

    Hack them back haha.

    Just make sure it doesn't happen again.
     
  7. taniya

    taniya Regular Member

    Yeah, it's risky
     
  8. purewealthinc

    purewealthinc Regular Member

    Simple solutions:

    To protect your WordPress blog from hackers, do not use any WordPress themes that have been offered or shared anywhere :) Always use paid themes

    Good luck
     
  9. Drink More Tea

    Drink More Tea Regular Member

    Unless I'm mistaken, that returned a 403, which, as far as I know, means that the request was rejected by the server.
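
Added example, not part of any post in this thread: a small Python triage pass over an access log in the vhost-prefixed format quoted in post 5. It separates WordPress's own wp-cron self-requests (the `WordPress/<version>; <site URL>` User-Agent seen in that log line) from requests worth a closer look. Hostnames and IPs are constructed documentation values, and the "successful POST to PHP under uploads/cache" rule is an assumed heuristic, not something stated in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in the vhost-prefixed combined format quoted in the thread.
SAMPLE_LOG = """\
blog.example 203.0.113.7 - - [30/Jul/2011:09:59:55 +0100] "POST /wp-cron.php?doing_wp_cron HTTP/1.0" 403 4068 "-" "WordPress/3.2.1; http://blog.example"
blog.example 198.51.100.23 - - [30/Jul/2011:10:01:12 +0100] "POST /wp-content/uploads/2011/07/cache.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
blog.example 198.51.100.23 - - [30/Jul/2011:10:01:13 +0100] "POST /wp-content/uploads/2011/07/cache.php HTTP/1.1" 200 298 "-" "Mozilla/5.0"
blog.example 192.0.2.44 - - [30/Jul/2011:10:02:40 +0100] "POST /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
blog.example 192.0.2.44 - - [30/Jul/2011:10:03:02 +0100] "GET /index.php HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
this line is not a log entry
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# User-Agent WordPress core sends on its own loopback requests (e.g. spawning wp-cron).
WP_SELF_UA = re.compile(r'^WordPress/[\d.]+; https?://')
# Assumed heuristic: PHP executed from directories that normally hold media or cache files.
SUSPECT_PHP = re.compile(r'^/wp-content/(uploads|cache)/.*\.php(\?|$)', re.I)

def parse(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def classify(entry):
    path = entry["path"].split("?", 1)[0]
    if path == "/wp-cron.php" and WP_SELF_UA.match(entry["agent"]):
        return "wp-self-cron"   # the site calling its own scheduler
    if (entry["method"] == "POST" and SUSPECT_PHP.match(entry["path"])
            and entry["status"].startswith("2")):
        return "review"         # successful POST to PHP in a data directory
    return "other"

def summarize(text):
    """Count requests per (label, client IP, path without query, status)."""
    counts = Counter()
    for e in parse(text):
        counts[(classify(e), e["ip"], e["path"].split("?", 1)[0], e["status"])] += 1
    return counts

if __name__ == "__main__":
    for (label, ip, path, status), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label:13} {ip:15} {status} x{n}  {path}")
```

Any `review` row names a file to inspect on disk; a `wp-self-cron` row with status 403 only shows that the server rejected the site's own scheduler call.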
     
  10. softwareprogram

    softwareprogram Junior Member

    Even paid themes from reputable sites get hacked :)

    I tell you why users get hacked .. because of the plugins!!!

    I have been using WordPress for the last 5 years and I know the easy black hole is in WordPress plugins .. they are easy to target as most of the plugins are developed by regular users like me and you and cracking and getting inside the loop is quite easy .. always try to upgrade all plugins you have ..

    For complete cleaning PM me :)
     
  11. purewealthinc

    purewealthinc Regular Member

    Yeah.. you're right buddy! And for the plugins, do not use outdated WordPress plugins and keep your WordPress version updated.
     