
HELP My WP websites are all Hacked!

Discussion in 'Blogging' started by girlpsychic, Nov 1, 2009.

  1. girlpsychic

    girlpsychic Newbie

    Joined:
    May 29, 2009
    Messages:
    13
    Likes Received:
    0
    Hey Guys,

    This has never happened before. I own a few WordPress websites hosted by HostGator. Today I went to log in and each one is not recognizing the passwords. I receive this message:
    Hacked By Spiral
    For-Hacker@Hotmail.Com

    Another issue - Last week my broadband usage showed over 9gig download in 10 hours - It was not me - could this be related?
    Big question - What do I do to fix this!!

    Some of the websites:
    http://patriciamary.com
    http://happygeekgirl.com

    I always update to latest version of WP - how do I fix and stop from happening in future?
     
    Last edited: Nov 1, 2009
  2. trapmuzik

    trapmuzik Junior Member

    Joined:
    Mar 20, 2009
    Messages:
    192
    Likes Received:
    22
    no backups? sounds like your site was/is hosting some file downloads. why not just copy the default wp files back to your site and reupload your theme.
     
    • Thanks Thanks x 1
  3. zonecrash

    zonecrash BANNED BANNED

    Joined:
    Sep 30, 2009
    Messages:
    72
    Likes Received:
    70
    AS SUGGESTED, THIS IS THE BEST SUGGESTION.

    why not just copy the default wp files back to your site and reupload your theme.


    TO GET YOUR SITE ONLINE

    CHECK The files in the root

    .htaccess
    index.*

    !!!!!! CHANGE !!!! ALL YOUR PASSWORDS !!!!
     
    • Thanks Thanks x 1
  4. maryoto

    maryoto Junior Member

    Joined:
    Sep 20, 2007
    Messages:
    195
    Likes Received:
    223
    - change File Permission
    - Deactivate All Plugins

    Don't forget, if you use a shared host and the hacker gains access to control another web site on your hosting account, you can't do anything.
    It's possible if they access your hosting account from another hacked site. Just my opinion. They can scan sites based on IP address.
     
    • Thanks Thanks x 1
  5. Standard Toaster

    Standard Toaster Regular Member

    Joined:
    Aug 29, 2009
    Messages:
    335
    Likes Received:
    190
    This was possibly a FileZilla password stealer (search for iStealer)...
     
    • Thanks Thanks x 1
  6. johnyz

    johnyz Newbie Premium Member

    Joined:
    Sep 23, 2008
    Messages:
    48
    Likes Received:
    5
    Sorry to hear that. It's best that you have backed your site data.
     
    • Thanks Thanks x 1
  7. letusgo

    letusgo Junior Member

    Joined:
    Nov 15, 2008
    Messages:
    199
    Likes Received:
    125
    Did your neighbors on the same IP get hacked?
    Go to whois.webhosting.info to check out your neighbors.
     
    • Thanks Thanks x 1
  8. Cyber_Demon12

    Cyber_Demon12 Junior Member

    Joined:
    Apr 16, 2009
    Messages:
    182
    Likes Received:
    50
    Tisk Tisk Tisk. This is what happens when you watch a lot of porn. :/

    ..... And also from downloading a lot of files and opening them before scanning them like (drawing a blank)... virusscan.jotti.org or whateva.

    Good Luck.

    And remember to change all passwords and scan your computer well to make sure you don't have a keylogger or else it will be pointless.
     
    • Thanks Thanks x 1
  9. girlpsychic

    girlpsychic Newbie

    Joined:
    May 29, 2009
    Messages:
    13
    Likes Received:
    0
    Wow you are all so wonderful, thank you so much for your advice.

    I'm still researching a fix. I will post back with (hopefully) an easy solution. But nevertheless, I have learnt a valuable lesson! I will secure my server files, change permissions and tighten the passwords.
    I just have two questions - trapmuzik mentioned this - "sounds like your site was/is hosting some file downloads" - what does this mean exactly? I'm needing to learn.

    Also zonecrash advised: 'CHECK The files in the root .htaccess index.*' - Can someone please advise what I should look for, I guess any weird looking mumbo jumbo? :)

    Your replies have been magic - thanks again!!
     
  10. zonecrash

    zonecrash BANNED BANNED

    Joined:
    Sep 30, 2009
    Messages:
    72
    Likes Received:
    70
    XSS - cross-site scripting, VERY COMMON. Took down about 80 of a lot of sites I was working.... my problem stressed me for a week to resolve.

    Also had issues with SQL injections on "WPress" sites and VB sites.

    I was suggesting you access your server (Your Website) cPanel File Manager and check some of the key root files.


    LOOK FOR:
    ANYTHING LOOKING odd. If you are not sure, talk to your hosting.

    * Focus on contacting your hosting provider. Mass change all passwords FIRST. Email, FTP passwords, site admin and user names, etc. Go wild.


    You may want to contact your HOSTING ... and make them work with you.
    Ask your hosting for help.
     
    Last edited: Nov 2, 2009
  11. Alex Brooks

    Alex Brooks BANNED BANNED

    Joined:
    Mar 17, 2009
    Messages:
    1,199
    Likes Received:
    297
    Not at all, why would his website hosting files affect his broadband connection? The chances are you're infected with a trojan or similar RAT. The best way to combat this is to run an antivirus scan. If you don't already have an antivirus, AVG offer a free antivirus, it should do the job. :)
     
    • Thanks Thanks x 1
  12. xbox360gurl70s

    xbox360gurl70s Elite Member

    Joined:
    Sep 28, 2008
    Messages:
    1,532
    Likes Received:
    349
    Location:
    In your wet dreams
    ouch.... always do backups, surf porn and warez in a guest account and not an admin one to prevent these types of problem in the future
     
    • Thanks Thanks x 1
  13. WeWatch

    WeWatch Newbie

    Joined:
    May 31, 2009
    Messages:
    2
    Likes Received:
    3
    Home Page:
    Some of the indications are that you were the victim of SQL injection, based on the fact that you can't log in. However, the amount of traffic you describe indicates that you have a virus/trojan on your PC that has stolen your FTP login credentials, downloaded your websites, infected some of the files and re-uploaded to your websites.

    Hopefully, as some have already suggested, you have a good, clean back-up available. If not, you'll have to find the infectious code, remove it and then re-upload.

    Often times I've seen .php files uploaded that have this string in them:

    eval(base64_decode

    Not all files with this string are malicious. Some programs and some plugins use this string for hiding their code. But at least it can get you started.

    Then look for files that changed around the same time that you saw all that traffic. It might be that all the files were downloaded but only a few, the infected files, were transferred back to your sites.

    You might also check all of your databases for unusual strings in them. I usually start by doing a sqldump to a text file, then scanning them for unusual strings. Sometimes it's helpful to look at the sqldump in a spreadsheet so you can view the columns of data in nice clean format. Really long strings are always suspect.

    If you have more questions or need further help, please post back here.
     
    • Thanks Thanks x 1
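The triage steps WeWatch describes above (search .php files for `eval(base64_decode`, list files modified during the unexplained traffic, scan a text SQL dump for very long strings), as an added Python example that is not part of the original thread. The file names, timestamps, sample contents and the 200-character threshold are constructed assumptions.

```python
import os, re, tempfile
from pathlib import Path

# The string from the post, tolerating whitespace and case variations.
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode", re.IGNORECASE)

def scan_php(root, start, end):
    """List (relative path, has eval(base64_decode, modified in [start, end])
    for every .php file that matches either test. A hit means 'review this
    file', not 'malicious': the post notes some plugins use the same string."""
    out = []
    for p in sorted(Path(root).rglob("*.php")):
        hit = bool(EVAL_B64.search(p.read_bytes()))
        in_window = start <= p.stat().st_mtime <= end
        if hit or in_window:
            out.append((p.relative_to(root).as_posix(), hit, in_window))
    return out

def scan_sql_dump(dump, min_len=200):
    """Return (line number, run length) for unbroken base64-like runs."""
    run = re.compile(r"[A-Za-z0-9+/=]{%d,}" % min_len)
    with open(dump, encoding="utf-8", errors="replace") as fh:
        return [(n, len(m.group())) for n, line in enumerate(fh, 1)
                for m in run.finditer(line)]

def build_demo(root):
    """Constructed sample site and dump; names, times and contents are made up."""
    root = Path(root)
    (root / "wp-content").mkdir()
    files = {
        "index.php": ("<?php require 'wp-blog-header.php';", 1_000_000),
        "wp-content/old.php": ("<?php eval(base64_decode('ZWNobyAxOw=='));", 1_000_000),
        "wp-content/new.php": ("<?php echo 'hello';", 2_000_500),
    }
    for name, (body, mtime) in files.items():
        (root / name).write_text(body)
        os.utime(root / name, (mtime, mtime))
    dump = root / "dump.sql"
    dump.write_text("INSERT INTO wp_options VALUES (1,'siteurl','http://example.test');\n"
                    "INSERT INTO wp_options VALUES (2,'widget','" + "QUJD" * 100 + "');\n")
    return dump

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dump = build_demo(tmp)
        # Window = the hours of unexplained traffic (constructed epoch values).
        for row in scan_php(tmp, 2_000_000, 2_001_000):
            print(row)
        print(scan_sql_dump(dump))
```

Run it against a downloaded copy of the site rather than the live docroot, and compare anything it flags with a fresh WordPress download of the same version before deleting or restoring files.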
  14. girlpsychic

    girlpsychic Newbie

    Joined:
    May 29, 2009
    Messages:
    13
    Likes Received:
    0
    WeWatch - I think I may have the SQL injection and trojan problem - I run Kaspersky Internet 2010 and Malwarebytes and they have detected and cleaned trojans etc. but now I'm unsure what to do about the SQL injection on my cPanel (HostGator) sites. Also how do I know if I got rid of the trojans - how do I do a complete check on my files? I have read that some malware can embed in the root and is almost impossible to remove!

    What do you suggest I do first? I have contacted HostGator but they just wrote back a very general email - "change your pw and upgrade wordpress".
    Most of the sites were on the latest version of WP. Should I wipe my PC clean and start again? I back up every week onto an external HD - but what if that is infected too....argh!

    Starting to freak out here - I have too many issues and very little time (and knowledge)!

    If someone could be so kind as to provide me the antidote for all these problems I will swap graphic design work for your solution - banner/logo/squeeze page, whatever you're looking for. I'm a graphic/web designer so would love to exchange my skills for your skills?? :)
     
  15. WeWatch

    WeWatch Newbie

    Joined:
    May 31, 2009
    Messages:
    2
    Likes Received:
    3
    Home Page:
    Why do you think you have SQL injection?

    Let's not panic here; all of this is totally repairable.

    Can you PM me so I can help you get this cleaned?

    Mods, if that's not acceptable can you tell this person how to provide the URL to her site so that others won't see it? I'm thinking she doesn't want it known???

    Just trying to help...
     
    • Thanks Thanks x 1
  16. kayzne

    kayzne Jr. VIP Jr. VIP Premium Member

    Joined:
    Dec 26, 2007
    Messages:
    707
    Likes Received:
    1,954
    Location:
    localhost
  17. thedmtic

    thedmtic BANNED BANNED

    Joined:
    Oct 31, 2008
    Messages:
    414
    Likes Received:
    245
    I think you are using a nulled version of a script, a template from warez etc. Use only reliable sources for your site. Mostly nulled scripts and plugins come with insecure code. Hackers easily control your site with that. So from now on use only reliable sources or genuine scripts/plugins.

    If you are taking backups then it's easy to recover your site. Restore to an early stage, change the SQL password and username, change all your passwords, disable all your plugins.

    One most important thing: try to reinstall all your files again. Also, if possible, check the SQL tables; maybe there is SQL code for rehacking.

    Hope this will help you.
     
    • Thanks Thanks x 1
    Last edited: Nov 3, 2009
  18. Hijinx

    Hijinx Junior Member

    Joined:
    Apr 13, 2009
    Messages:
    142
    Likes Received:
    87
    Location:
    New Jersey
    #1 change all your passwords... this includes your hostgator account passwords. make them hard to figure out Example: 4bhw!worKs?1

    #2 read through this
    Code:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    using the above guide try to figure out how it was hacked, if you know 'how' you can stop the next attempt. If you just blindly setup your blogs the way you set them up originally, you might be setting yourself up for yet another hack.
     
  19. girlpsychic

    girlpsychic Newbie

    Joined:
    May 29, 2009
    Messages:
    13
    Likes Received:
    0
    No I don't own http://www.supersupplementsdaily.com - but looks like they were victims of the same hacker. I don't understand what the person expects to get out of doing this, but I will persevere.
    WEWATCH, HIJINX, EXFILIUS and TDMTID - I will be PMing you each separately today after I have followed your excellent advice. I am still struggling with this as I'm not sure of what I am doing when it comes to checking for malicious code - but believe me I'm determined to learn it back to front!
    I will have a few questions about what you each suggested as I try them out if that is ok - I also want to offer you all some Graphic Design for your support.

    Oh and I will delete the URLs I provided in the first post for extra security (paranoid now). I will PM you all today - I'm in Australia so may be flipside time to you :) Thanks again!