Both of my websites were hacked

Discussion in 'Blogging' started by Elenka21, Oct 30, 2015.

  1. Elenka21

    Elenka21 Newbie

    Joined:
    Aug 18, 2015
    Messages:
    23
    Likes Received:
    1
    Location:
    London
    This morning when I tried to enter my website I got an error like: Parse error : syntax error, unexpected end of file, expecting'(' in /home/my name/public_html/wp-includes/formatting.php on line 3908

    I got this error on both of my websites. One day before, I got a Wordfence alert that a user with username "backup" who has administrator access signed in to your WordPress site.
    User IP: 92.62.129.97
    User hostname: 92.62.129.97
    User location: Republic of Lithuania
    I changed my password, deleted him, and blocked his IP. But it did not work, as you see...

    I was talking with HostGator support and they can't say how they did it, and gave me advice to keep it updated, and that it was probably from one of my plugins. But the problem is that my second website had just one plugin, and it was WORDFENCE.
    Also, I kept it updated all the time! So I just want to know, is it possible to find how they did it? If I make a backup, how could I be sure that he won't do it again?

    Many thanks for any help.
     
    Last edited: Oct 30, 2015
  2. SEO INC

    SEO INC Regular Member

    Joined:
    Oct 24, 2015
    Messages:
    307
    Likes Received:
    70
    Location:
    Search Metrico
    Is there any chance that you didn't change the password for the backup user and someone just walked in knowing the default password for it? It's just a theory, I don't really know for sure but that's what I can think of.
     
    • Thanks x 2
  3. arpitagarwal82

    arpitagarwal82 Power Member

    Joined:
    Feb 20, 2008
    Messages:
    727
    Likes Received:
    469
    Location:
    Localhost
    First of all take a backup now and keep it on your computer.

    Then you can delete everything from your WordPress install directory except wp-content and config.php.
    Upload all the deleted files from fresh wordpress download.

    This would hopefully get your site online.

    Then go through all the folders in wp-content and delete anything that you feel is suspicious.

    Also block the IP after 2 or 3 unsuccessful logins (I guess Wordfence has that feature).

    Update this thread if you have any issues and I will try to help you.
     
    • Thanks x 1
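Before replacing the core files as the post above describes, it helps to know which ones actually differ from a fresh WordPress download. This is an added example, not part of the original post: it hashes everything outside `wp-content` and `wp-config.php` (WordPress's name for its config file) in both trees and lists modified, missing and extra files. The file names and contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths the cleanup procedure keeps, so they are excluded from the comparison.
SKIP_TOP = {"wp-content", "wp-config.php"}

def tree_hashes(root):
    """Map each file's relative path to its SHA-256, skipping SKIP_TOP."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root)
        if p.is_file() and rel.parts[0] not in SKIP_TOP:
            out[rel.as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out

def compare_core(site_root, clean_root):
    """Return (modified, missing, extra) relative paths of site vs clean copy."""
    site, clean = tree_hashes(site_root), tree_hashes(clean_root)
    modified = sorted(f for f in clean if f in site and site[f] != clean[f])
    missing = sorted(f for f in clean if f not in site)
    extra = sorted(f for f in site if f not in clean)
    return modified, missing, extra

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        files = {"index.php": "<?php // front controller\n",
                 "wp-includes/formatting.php": "<?php function wptexturize() {}\n",
                 "wp-includes/version.php": "<?php $wp_version = 'x';\n"}
        for root in (clean, site):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Constructed damage: truncated core file, deleted file, dropped file.
        (site / "wp-includes/formatting.php").write_text("<?php function wptexturize(")
        (site / "wp-includes/version.php").unlink()
        (site / "wp-includes/dropped-example.php").write_text("<?php // not in core\n")
        (site / "wp-content/themes").mkdir(parents=True)
        (site / "wp-content/themes/style.css").write_text("/* kept */\n")
        (site / "wp-config.php").write_text("<?php // kept\n")
        return compare_core(site, clean)

if __name__ == "__main__":
    for label, paths in zip(("MODIFIED", "MISSING", "EXTRA"), demo()):
        for path in paths:
            print(label, path)
```

Run `compare_core()` on a downloaded copy of the site, with the clean tree unpacked from the same WordPress version the site was running, so that version differences do not show up as modifications.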
  4. Elenka21

    Elenka21 Newbie

    Joined:
    Aug 18, 2015
    Messages:
    23
    Likes Received:
    1
    Location:
    London
    I paid $15 to HostGator to get my site online with my old backup. They told me that most of my files were changed, so I'm not sure that with my knowledge I will find those changed files. I found a lot of people who were hacked by this person, with the same IP and admin name; all of them have Wordfence, so could it be a problem with this plugin? And how did he get admin access when my admin URL was changed? Also, I got this notification only on 1 of my websites (this website was like 2 days old). On the second website I found that I have 2 admins by manual check. I just want to understand what I did wrong, to avoid this problem again.
    Could it be a problem with a theme that I have downloaded from BHW?

    Thanks
     
  5. arpitagarwal82

    arpitagarwal82 Power Member

    Joined:
    Feb 20, 2008
    Messages:
    727
    Likes Received:
    469
    Location:
    Localhost
    If you are using a cracked theme, then this can be an issue.
     
  6. archixet

    archixet Jr. VIP

    Joined:
    Aug 23, 2013
    Messages:
    2,344
    Likes Received:
    422
    Gender:
    Male
    Occupation:
    Im a webcam model and a part-time bottle washer!!!
    Better if you hire a security researcher from fl, Upwork or the BHW marketplace!
     
  7. Elenka21

    Elenka21 Newbie

    Joined:
    Aug 18, 2015
    Messages:
    23
    Likes Received:
    1
    Location:
    London
    Do I have to delete the old theme and re-upload a new one? Or can I buy a key and update it?
     
  8. Elenka21

    Elenka21 Newbie

    Joined:
    Aug 18, 2015
    Messages:
    23
    Likes Received:
    1
    Location:
    London
    Could you suggest someone from BHW? Thanks
     
  9. Penumbra

    Penumbra Power Member

    Joined:
    Apr 23, 2014
    Messages:
    738
    Likes Received:
    225
    Location:
    Antarctica
    Maybe your theme has a vulnerability.
     
  10. umarchf

    umarchf BANNED

    Joined:
    Jun 22, 2013
    Messages:
    67
    Likes Received:
    4
    You can fix this error by just opening the formatting.php file and checking the syntax; it will not take more than 5 minutes if you are familiar with the PHP language.
     
  11. Elenka21

    Elenka21 Newbie

    Joined:
    Aug 18, 2015
    Messages:
    23
    Likes Received:
    1
    Location:
    London
    Actually I think that too. The themes on both websites were different, but both of them were downloaded from here.
     
  12. TurkishDelight

    TurkishDelight Regular Member

    Joined:
    Sep 16, 2015
    Messages:
    219
    Likes Received:
    122
    So are you using a cracked theme?
     
  13. Elenka21

    Elenka21 Newbie

    Joined:
    Aug 18, 2015
    Messages:
    23
    Likes Received:
    1
    Location:
    London
    No, unfortunately I'm not familiar with PHP; also, HostGator support told me that many of the files were changed, not just one.
     
  14. Ellie4294

    Ellie4294 Regular Member

    Joined:
    Apr 14, 2015
    Messages:
    469
    Likes Received:
    71
    Occupation:
    Freelancer
    Location:
    Online
    Better try to get a WP expert to do that for you. You can find one in the Freelancer section.
     
    • Thanks x 1
  15. arpitagarwal82

    arpitagarwal82 Power Member

    Joined:
    Feb 20, 2008
    Messages:
    727
    Likes Received:
    469
    Location:
    Localhost
    Deleting the theme may not solve the issue, as the exploit code or malware may have infected other directories of your site.
    You have to look into the WordPress install and check each folder manually.

    Plugins like https://sucuri.net/ can help you a bit.
     
    • Thanks x 1
  16. fatboy

    fatboy Elite Member

    Joined:
    Aug 13, 2008
    Messages:
    1,618
    Likes Received:
    3,229
    Occupation:
    Retired
    Location:
    Old Peoples Home
    If you are using Wordfence then it should alert you if any files have changed - if you have set it up right anyway!

    All you have to do is look at the file that was broken and see if there is anything in the file that shouldn't be - normally iframes, base64 encoded junk or javascript injected. Saying that, if they had access to your install they could implant stuff wherever they wanted to.

    If you still have the files from the hacked site give me a shout and I can take a look, I have handled a few before for others.

    Failing that - ensure that you update everything all the time, don't use nulled themes or plugins and watch out for plugins that never get updated.
     
    • Thanks x 1
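The indicators named in the post above (iframes, base64-encoded junk, injected JavaScript) can be searched for across a downloaded copy of `wp-content` instead of opening files one by one. This is an added example, not part of the original post; the rule set is an assumption about what is worth flagging, and the sample files are constructed and harmless.

```python
import base64
import re
from pathlib import Path

# Indicators named in the post: iframes, base64-encoded junk, injected JavaScript.
# A hit means "read this file", not proof of compromise.
RULES = {
    "iframe": re.compile(r"<iframe\b", re.I),
    "base64_decode_call": re.compile(r"\bbase64_decode\s*\(", re.I),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
    "remote_script_tag": re.compile(
        r"<script\b[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//", re.I),
}

def scan_text(text):
    """Return the sorted rule names that match a file's contents."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan_tree(root, suffixes=(".php", ".js", ".html")):
    """Scan files under root (e.g. a copy of wp-content); return {path: hits}."""
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            hits = scan_text(p.read_text(errors="replace"))
            if hits:
                report[p.as_posix()] = hits
    return report

# Constructed samples (harmless): the blob is base64 of repeated plain text.
BLOB = base64.b64encode(b"constructed sample " * 10).decode()
SAMPLES = {
    "clean.php": "<?php get_header(); the_content(); get_footer();\n",
    "encoded.php": "<?php $x = base64_decode('" + BLOB + "');\n",
    "footer.php": "<?php wp_footer(); ?><iframe src=\"//example.invalid/\" "
                  "width=\"0\" height=\"0\"></iframe>\n",
    "header.php": "<script src=\"http://example.invalid/a.js\"></script>\n",
}

def demo():
    """Run the rules over the constructed samples."""
    return {name: scan_text(body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits or "no hits")
```

Legitimate themes and plugins also embed iframes and external scripts, so treat the output as a reading list and compare flagged files against the vendor's original copy.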
  17. ookami007

    ookami007 Regular Member

    Joined:
    May 4, 2012
    Messages:
    400
    Likes Received:
    169
    Occupation:
    Hypnotist/Magician/SEO/Game Developer
    Location:
    Down the Rabbit Hole
    I've had the WORST luck with HostGator. Several of my sites... different (legit) themes, different plugins, etc. and somehow they all got hacked. I'm convinced someone hacked their servers and then got in that way... all they do is get FTP access and now they have complete dominion over any WordPress site simply by uploading a modified core file.
     
    • Thanks x 1
  18. nnahlee

    nnahlee BANNED

    Joined:
    Jan 28, 2013
    Messages:
    902
    Likes Received:
    219
    Better to ask a WP specialist, GL.
     
  19. lovingnatureguy

    lovingnatureguy Newbie

    Joined:
    Jul 25, 2014
    Messages:
    45
    Likes Received:
    4
    Your website got hacked just because of an SQL error. The hacker used an SQL injection system to hack your site.
     
  20. utterlyadrift25

    utterlyadrift25 Junior Member

    Joined:
    May 13, 2010
    Messages:
    133
    Likes Received:
    106
    Occupation:
    Strategy Director by day. Internet Shark by night.
    Location:
    London, UK
    I'm no security expert but there are fundamentally only three ways that a site tends to get hacked through:

    1) Brute force (something like Wordfence should prevent this if you have the lockout after 3 attempts)
    2) SQL Injection
    3) Exploiting old plugins / themes

    There is also a possibility that if someone manages to hack the server itself (since you're using shared hosting) then they could also hack your site on there too. And finally, if your PC or browser is compromised then people could be stealing login information through there.