HELP My WP websites are all Hacked!

girlpsychic

Hey Guys,

This has never happened before, I own a few wordpress websites hosted by hostgator. Today I went to login and each one is not recognizing the passwords. I receive this message:
Hacked By Spiral
[email protected]

Another issue - Last week my broadband usage showed over 9gig download in 10 hours - It was not me - could this be related?
Big question - What do I do to fix this!!

Some of the websites:
http://patriciamary.com
http://happygeekgirl.com

I always update to latest version of WP - how do I fix and stop from happening in future?
 
no backups? sounds like your site was/is hosting some file downloads. why not just copy the default wp files back to your site and reupload your theme.
 
AS SUGGESTED, THIS IS THE BEST SUGGESTION.

why not just copy the default wp files back to your site and reupload your theme.


TO GET YOUR SITE ONLINE

CHECK The files in the root

.htaccess
index.*

!!!!!! CHANGE !!!! ALL YOUR PASSWORDS !!!!




.
 
- change File Permission
- Deactivate All Plugins

Don't forget, if you use a shared host and the hacker gains access to control another website on your hosting account, you can't do anything.
It's possible if they access your hosting account from another hacked site. Just my opinion. They can scan sites based on IP address.
 
Did your neighbors on the same IP get hacked?
Go here: whois.webhosting.info to check out your neighbors
 
Tisk Tisk Tisk. This is what happens when you watch a lot of porn. :/

..... And also from downloading a lot of files and opening them before scanning them like (drawing a blank)... virusscan.jotti.org or whateva.

Good Luck.

And remember to change all passwords and scan your computer well to make sure you don't have a keylogger or else it will be pointless.
 
Wow you are all so wonderful, thank you so much for your advice.

I'm still researching a fix. I will post back with (hopefully) an easy solution. But nevertheless, I have learnt a valuable lesson! I will secure my server files, change permissions and tighten the passwords.
I just have two questions - Trapmuzic mentioned this - "sounds like your site was/is hosting some file downloads" - what does this mean exactly? I'm needing to learn.

Also Zonecrash advised: 'CHECK The files in the root.htaccess index.*' - Can someone please advise what I should look for, I guess any weird looking mumbo jumbo? :)

Your replies have been magic - thanks again!!
 
XSS - cross-site scripting, VERY COMMON. It took down about 80 of a lot of sites I was working.... my problem stressed me for a week to resolve.

Also had issues with SQL injections on "WPress" sites and VB sites.

I was suggesting you access your server (Your Website) Cpanel Filemanager and check some of the key root file.


LOOK FOR;
ANYTHING LOOKING odd. If you are not sure, talk to your hosting.

* Focus on contacting your hosting provider. Mass change all passwords FIRST: email, FTP passwords, site admin and user names, etc. Go wild.


You may want to contact your HOSTING ... and make them work with you.
Ask your hosting for help.
 
no backups? sounds like your site was/is hosting some file downloads. why not just copy the default wp files back to your site and reupload your theme.
Not at all, why would his website hosting files affect his broadband connection? The chances are you're infected with a trojan or similar RAT. The best way to combat this is to run an anti virus scan. If you don't already have an anti virus, AVG offer a free anti virus, it should do the job. :)
 
ouch.... always do backups, surf porn and warez in a guest account and not an admin one to prevent these types of problem in the future
 
Some of the indications are that you were the victim of SQL injection, based on the fact that you can't login. However, the amount of traffic you describe indicates that you have a virus/trojan on your PC that has stolen your FTP login credentials, downloaded your websites, infected some of the files and re-uploaded to your websites.

Hopefully as some have already suggested, you have a good, clean back-up available. If not, you'll have to find the infectious code remove it and then re-upload.

Often times I've seen .php files uploaded that have this string in them:

eval(base64_decode

Not all files with this string are malicious. Some programs and some plugins use this string for hiding their code. But at least it can get you started.

Then look for files that changed around the same time that you saw all that traffic. It might be that all the files were downloaded but only a few, the infected files, were transferred back to your sites.

You might also check all of your databases for unusual strings in them. I usually start by doing a sqldump to a text file, then scanning them for unusual strings. Sometimes it's helpful to look at the sqldump in a spreadsheet so you can view the columns of data in nice clean format. Really long strings are always suspect.

If you have more questions or need further help, please post back here.
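
The three checks described in the post above (the `eval(base64_decode` string in .php files, files modified around the time of the unexplained traffic, and very long strings in a SQL dump), sketched as an added example that is not part of the original thread. The function names, sample files, time window and 200-character threshold are assumptions made for illustration:

```python
import os, re, tempfile, time

# PHP function names are case-insensitive and may be padded with whitespace.
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)

def scan_php_tree(root, start, end):
    """Return (files containing eval(base64_decode, files modified in [start, end])."""
    flagged, recent = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if start <= os.path.getmtime(path) <= end:
                recent.append(rel)
            if name.lower().endswith(".php"):
                with open(path, "rb") as fh:
                    if EVAL_B64.search(fh.read()):
                        flagged.append(rel)
    return sorted(flagged), sorted(recent)

def scan_sql_dump(text, min_len=200):
    """Return (line number, length) of every unbroken base64-like run >= min_len."""
    run = re.compile(r"[A-Za-z0-9+/=]{%d,}" % min_len)
    return [(n, len(m.group())) for n, line in enumerate(text.splitlines(), 1)
            for m in run.finditer(line)]

def demo():
    """Build a constructed site tree and SQL dump, then scan both."""
    now = time.time()
    old, fresh = now - 90 * 86400, now - 3600
    root = tempfile.mkdtemp()
    samples = {  # constructed files: path -> (content, mtime)
        "index.php": (b"<?php require 'wp-blog-header.php';", old),
        "wp-content/plugins/p/lic.php": (b"<?php EVAL(BASE64_DECODE($k));", old),
        "wp-content/themes/t/footer.php":
            (b"<?php eval ( base64_decode('ZWNobyAxOw==')); ?>", fresh),
    }
    for rel, (body, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    dump = ("INSERT INTO wp_options VALUES (1,'siteurl','http://example.test');\n"
            "INSERT INTO wp_options VALUES (2,'widget_text','" + "QUJD" * 80 + "');\n")
    flagged, recent = scan_php_tree(root, now - 86400, now)
    return flagged, recent, scan_sql_dump(dump)

if __name__ == "__main__":
    print(demo())
```

A file that shows up in both lists is the first one to open and read by hand; a match in only the first list may be a plugin hiding its own code, as the post notes.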
 
WeWatch - I think I may have the SQL injection and trojan problem - I run Kaspersky Internet 2010 and malwarebytes and they have detected and cleaned trojans etc but now I'm unsure what to do about the SQL injection on my cpanel (hostgator) sites. Also how do I know if I got rid of the trojans - how do I do a complete check on my files? I have read that some malware can embed in the root and is almost impossible to remove!

What do you suggest I do first? I have contacted hostgator but they just wrote back a very general email - "change your pw and upgrade wordpress".
Most of the sites were on the latest version of wp. Should I wipe my PC clean and start again? I back up every week onto an external HD - but what if that is infected too....argh!

Starting to freak out here - I have too many issues and very little time (and knowledge)!

If someone could be so kind as to provide me the antidote for all these problems I will swap graphic design work for your solution - banner/logo/squeeze page whatever you're looking for. I'm a graphic/web designer so would love to exchange my skills for your skills?? :)
 
Why do you think you have SQL injection?

Let's not panic here all of this is totally repairable.

Can you PM me so I can help you get this cleaned?

Mods, if that's not acceptable can you tell this person how to provide the URL to her site so that others won't see it? I'm thinking she doesn't want it known???

Just trying to help...
 
I think you are using a nulled version of a script, a template from warez etc. Use only reliable sources for your site. Mostly nulled scripts and plugins come with insecure code. Hackers easily control your site with that. So from now on use only reliable sources or genuine scripts/plugins.

If you are taking backups then it's easy to recover your site. Restore to an early stage, change the SQL password and username, change all your passwords, disable all your plugins.

One most important thing: try to reinstall all your files again. Also if possible check the SQL tables, maybe there is SQL code for rehacking.

Hope this will help you.
 
#1 change all your passwords... this includes your hostgator account passwords. make them hard to figure out Example: 4bhw!worKs?1

#2 read through this:
http://codex.wordpress.org/FAQ_My_site_was_hacked

using the above guide try to figure out how it was hacked, if you know 'how' you can stop the next attempt. If you just blindly setup your blogs the way you set them up originally, you might be setting yourself up for yet another hack.
 
No I don't own http://www.supersupplementsdaily.com - but looks like they were victims of the same hacker. I don't understand what the person expects to get out of doing this, but I will persevere.
WEWATCH, HIJINX, EXFILIUS and TDMTID - I will be PMing you each separately today after I have followed your excellent advice. I am still struggling with this as I'm not sure of what I am doing when it comes to checking for malicious code - but believe me I'm determined to learn it back to front!
I will have a few questions about what you each suggested as I try them out if that is ok - I also want to offer you all some Graphic Design for your support.

Oh and I will delete the URLs I provided in the first post for extra security (paranoid now). I will PM you all today - I'm in Australia so may be flipside time to you :) Thanks again!
 