
Help I've Been Hacked!!!

Discussion in 'White Hat SEO' started by jbsales, Feb 15, 2011.

  1. jbsales

    jbsales Registered Member

    Joined:
    Feb 20, 2010
    Messages:
    85
    Likes Received:
    6
    Location:
    Edmonton AB
    So I went to do some modifications to one of my WordPress blogs, and for some reason my login would not work. Thinking I must have forgotten the login, I went to look in the MySQL database for the right login name, and mine wasn't there but some other one was. Then I went to look at my site....... Some Stupid mother fooker hacked it and put some video on it!!! He even left his calling card! BY : Marwan al-Naimi ----> Terrorist Hacker ----> IRAQ@HOTMAIL.CL

    AHHHHHHHHHHHHHHHHHHHHHHHHHHHH Now is there anything that I could do to recover my site other than reinstalling WP and starting from scratch?? Or am I screwed glued and tattooed??
     
  2. SimoGTR

    SimoGTR Junior Member

    Joined:
    Apr 12, 2010
    Messages:
    142
    Likes Received:
    57
    Occupation:
    Lol ...your guess is as good as mine!
    Location:
    StonersVille
    • Thanks Thanks x 2
    Last edited: Feb 15, 2011
  3. M1ndfluX

    M1ndfluX Senior Member

    Joined:
    Dec 23, 2009
    Messages:
    1,119
    Likes Received:
    868
    Location:
    031010
    Busy dude...

    Code:
    http://www.google.com/#sclient=psy&hl=en&q=%22BY:+Marwan+al-Naimi%22&aq=f&aqi=&aql=&oq=&pbx=1&fp=1479d16afb7c5e23
     
  4. CyrusVirus

    CyrusVirus BANNED BANNED Premium Member

    Joined:
    Aug 20, 2009
    Messages:
    1,110
    Likes Received:
    686
    yeah, first you want to go in and change your .htaccess file
    make it look something like this.

    deny from all
    allow from IP
    allow from anotherIP


    I used this for my administration on most of my sites, when my IP changed, I just go in and edit the .htaccess

    also, after you get done, do as SimoGTR said. talk to your hosting and tell them someone hacked your WP login

    ok, now to get your admin login back

    what you want to do, is register a new user and then go into your sql database and copy the hash

    and then paste that hash onto the hash that guy has for himself

    pretty much you just changed his password to whatever you used to sign a new user up.

    grab his IP and lock it out.

    Change your FTP settings so only your IP can get in it.
    Change your Hosting Password to something 64 chars if you can.

    and have a great day

    CyrusVirus
     
    • Thanks Thanks x 1
  5. jbsales

    jbsales Registered Member

    Joined:
    Feb 20, 2010
    Messages:
    85
    Likes Received:
    6
    Location:
    Edmonton AB
    No, I did not turn off anonymous FTP. I will have to do this now with all of my sites. Thanks for the advice, now I know what I'm up to today lol. After doing a quick Google search of that email, I'm not the only one that was hit by this clown. Which brings me to another question WHY????????? Why would you do something like this???? I don't understand Arabic, nor would I want to now. If you have that much talent or skill put it to good use instead of pissing other people off!! Oh well I guess it takes all types!
     
  6. M1ndfluX

    M1ndfluX Senior Member

    Joined:
    Dec 23, 2009
    Messages:
    1,119
    Likes Received:
    868
    Location:
    031010
    Indeed. If I would have those skills I would use it for making $ and not a statement.
     
  7. jbsales

    jbsales Registered Member

    Joined:
    Feb 20, 2010
    Messages:
    85
    Likes Received:
    6
    Location:
    Edmonton AB
    Is there a backdoor to register a new user??? Cause my homepage has nothing but some jihad message.
     
  8. CyrusVirus

    CyrusVirus BANNED BANNED Premium Member

    Joined:
    Aug 20, 2009
    Messages:
    1,110
    Likes Received:
    686
    .. well, let's see.
    I'm not sure if this will help you out but you can try this one
    http://your url here .com/wp-login.php?action=register
     
  9. plex_brahial

    plex_brahial Regular Member

    Joined:
    Sep 30, 2009
    Messages:
    378
    Likes Received:
    319
    I hear @hotmail addresses are easy to hack...
     
  10. BugFixed

    BugFixed Junior Member

    Joined:
    Sep 24, 2010
    Messages:
    130
    Likes Received:
    39
    Possible "backdoor" can be your regular email which has a record of your CPanel and/or your WP admin credential.

    Unclean Theme will also create a hole for your site.
     
  11. Shaken not Stirred

    Shaken not Stirred Registered Member

    Joined:
    Dec 30, 2010
    Messages:
    94
    Likes Received:
    69
    Occupation:
    Search & Rescue Trainee
    Location:
    United Kingdom
    1. Reset all passwords.

    2. He could have left a shell on your hosting account, for this reason I suggest you terminate and re-create, he could have even left a cronjob that downloads a new shell/backdoor after a day or two.

    3. Scan your home computer, reset your e-mail passwords.
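
Added example (not part of the thread): a Python script for the check described in the post above, listing files changed since a time you trust, scripts sitting in the uploads folder, and crontab entries that download something. The function names, the extension and tool lists, the cutoff and the sample crontab are assumptions made for illustration.

```python
import os
import re
import sys

SCRIPT_EXT = (".php", ".phtml", ".pl", ".cgi")        # assumed list of script types
FETCHERS = re.compile(r"\b(wget|curl|fetch|lynx)\b")  # assumed list of download tools

# Constructed crontab text, as `crontab -l` would print it (not from the thread).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/php /home/user/public_html/wp-cron.php
17 4 * * * wget -q http://example.invalid/update -O /tmp/update
"""

def review_webroot(root, known_good_epoch):
    """Return sorted (relative_path, reason) pairs that need a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # mtime can be reset by an intruder, so a clean result proves nothing.
            if os.path.getmtime(full) > known_good_epoch:
                findings.append((rel, "modified after known-good time"))
            # Uploads should hold media only, so a script there warrants a look.
            if rel.startswith("wp-content/uploads/") and name.lower().endswith(SCRIPT_EXT):
                findings.append((rel, "script inside uploads"))
    return sorted(findings)

def review_crontab(crontab_text):
    """Return active crontab entries that invoke a download tool."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#") and FETCHERS.search(entry):
            hits.append(entry)
    return hits

if __name__ == "__main__":
    # Usage: python review.py /path/to/public_html <epoch seconds of last known-good state>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    cutoff = float(sys.argv[2]) if len(sys.argv) > 2 else 1297641600.0  # constructed: 2011-02-14 UTC
    for rel, reason in review_webroot(root, cutoff):
        print(f"{reason}: {rel}")
    for entry in review_crontab(SAMPLE_CRONTAB):
        print("crontab entry downloads a file:", entry)
```

Anything the script lists is a lead for manual review, not a verdict; rebuilding the account from clean files, as the post suggests, remains the safer recovery.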
     
  12. jbsales

    jbsales Registered Member

    Joined:
    Feb 20, 2010
    Messages:
    85
    Likes Received:
    6
    Location:
    Edmonton AB
    Alright, I was able to create a new account, get in and fix what he did. Basically he deleted my theme, and installed a modified version of the twentyten theme. Thanks guys!! Now where can I find the .htaccess file???
     
  13. CyrusVirus

    CyrusVirus BANNED BANNED Premium Member

    Joined:
    Aug 20, 2009
    Messages:
    1,110
    Likes Received:
    686
    do this.
    open up Notepad and type in what I have written
    with YOUR ip
    and then save as...

    txt.txt

    upload that to the /wp-admin
    and rename it to
    .htaccess


    Windows doesn't recognize it because of the file extension.
    so you want to rename it on the FTP AFTER you upload it


    CyrusVirus
     
  14. dannyhw

    dannyhw Senior Member

    Joined:
    Jul 16, 2008
    Messages:
    980
    Likes Received:
    462
    Occupation:
    Software Engineer
    Location:
    New York City Burbs
    Check any scripts you're running for updates and google them to see if there are any recent vulnerabilities, especially if they've had exploit code released for them. It could be a WP plugin or something, or an old insecure version of WP itself.

    Also, check your logs. You'll be able to see the packets that ruined your shit and those will tell you without a doubt what went wrong. It could have also been something running on your host, in which case you should be pissed at them.

    Doesn't take skill to do this shit at all. One script scans for vulnerable sites and another defaces them with whatever message you want. Too easy.
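
Added example (not part of the thread): a Python script for the log check suggested in the post above, pulling every request to wp-login.php or /wp-admin/ that did not come from your own IP out of an Apache combined-format access log. The log lines, IP addresses, theme name and labels are constructed for illustration, and reading a 302 on a login POST as a successful login is a heuristic.

```python
import re
from collections import defaultdict

# Constructed access-log lines (Apache combined format); IPs are documentation ranges.
SAMPLE_LOG = '''\
198.51.100.20 - - [14/Feb/2011:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2011:03:10:40 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2011:03:11:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2011:03:11:09 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2011:03:12:30 +0000] "POST /wp-admin/update.php?action=upload-theme HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2011:03:13:05 +0000] "GET /wp-admin/themes.php?action=delete&template=mytheme HTTP/1.1" 302 - "-" "Mozilla/5.0"
this line is truncated and will not parse
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
SENSITIVE = re.compile(r"^/(wp-login\.php|wp-admin/)")

def label(method, path, status):
    """Give each sensitive request a short human-readable tag."""
    if path.startswith("/wp-login.php") and method == "POST":
        # Heuristic: a login POST answered with a redirect usually succeeded.
        return "login ok (302)" if status == "302" else "login failed"
    if "theme" in path:
        return "theme change"
    return "admin request"

def triage(log_text, admin_ips):
    """Return ({ip: [(timestamp, label, path), ...]}, unparsed_line_count)."""
    findings, unparsed = defaultdict(list), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # keep count so damaged log lines are not silently ignored
            continue
        if m["ip"] in admin_ips or not SENSITIVE.match(m["path"]):
            continue
        findings[m["ip"]].append((m["ts"], label(m["method"], m["path"], m["status"]), m["path"]))
    return dict(findings), unparsed

if __name__ == "__main__":
    hits, bad = triage(SAMPLE_LOG, admin_ips={"198.51.100.20"})
    for ip, events in hits.items():
        for ts, what, path in events:
            print(ip, ts, what, path)
    print("unparsed lines:", bad)
```

The per-IP timeline shows the order of events (failed login, successful login, theme upload, theme deletion), which is what tells you whether the way in was a stolen or guessed password rather than a vulnerable plugin.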