
site hacked, can't figure out where the bad code is

Discussion in 'Black Hat SEO' started by dakota5369, Nov 22, 2013.

  1. dakota5369

    dakota5369 Regular Member

    Joined:
    May 19, 2010
    Messages:
    345
    Likes Received:
    31
    My site got hacked and it's killing me. I am computer stupid, so this code stuff is foreign to me. I just use a WordPress template. Anyway, I changed all passwords, updated plugins, etc., but I have no idea where to go to find this bad code. I keep hearing the htaccess file, but there is nothing there. I checked it on Sucuri and I get stuff like this:

    Web site defaced.
    Details: http://sucuri.net/malware/entry/MW:DEFACED:01
    </br><script type="text/javascript" src="http://K4C3-Undetected.googlecode.com/files/K4C3 Undetected.js"></script><TITLE>MFP'./Saints.R-H4CK</TITLE> <br/><font face="Nosifer" size="7" color="red" class="a">PLEASE PATCH </font><font face="Nosifer" size="7" color="white" class="a">YOUR SYSTEM NOW!!!</font><link href='http://fonts.googleapis.com/css?family=Averia+Sans+Libre' rel='stylesheet' type='text/css'><link href='http://fonts.googleapis.com/css?family=Orbitron%3A700' rel='stylesheet' type='text/css'><link href='http://fonts.googleapis.com/css?family=Nosifer' rel='stylesheet' type='text/css'><meta name="Description" content="Has Been Hacked by Saints Hacker Team "><script language="JavaScript">function tb5_makeArray(n){ this.length = n; return this.length;





    So where the hell is this script and how do I fix it? It's driving me crazy and my host (SiteGround) is willing to help for just $200. I don't have the money to pay that. Any help would be appreciated.
     
  2. nikiobicata

    nikiobicata Regular Member

    Joined:
    Mar 4, 2011
    Messages:
    443
    Likes Received:
    365
    Occupation:
    IT Director
    Location:
    New York
    If you are using WordPress, just log in on your FTP and search for files which are not from WordPress. Just open the other website you have and see what the default WordPress files (PHP, folders) are.
     
  3. FirstNotice

    FirstNotice Registered Member

    Joined:
    Apr 3, 2011
    Messages:
    88
    Likes Received:
    75
    This plugin should help...

    Code:
    http://wordpress.org/plugins/gotmls/
     
  4. dakota5369

    dakota5369 Regular Member

    Joined:
    May 19, 2010
    Messages:
    345
    Likes Received:
    31
    That's the problem. I don't really know what is from WordPress. I do have another site, same theme and everything. The only difference is the infected one has a ton more content and a forum was attached to the infected site as well. I compared, and these are the files that are on my infected site but not on the one that is OK. I am hesitant to delete anything because I don't want to jack up my site. It is basically 2 years of info that I don't want to lose.

    files maybe to be deleted:

    attachments
    css
    data
    forums
    home
    include
    installation
    pbipages (my website is pro boxing insider, so that is pbi)
    resources

    (those were all folders)

    robots.txt
    server.php
    sitemap.xml
    sitemap.xml.gz
    publication list.xml
    menu.xml
    page1.php (it has page 1 thru page 7)
    init.php
    htaccess
    gazpomag.zip
    f70a31916f6384ca30ec24e0d0a6c68b.php.
    htaccess
    htaccess.bkp
    htaccess.bk
    htaccess.old
    config.php


    Like I said, without knowing what they are I am scared to just start deleting stuff.
     
  5. dakota5369

    dakota5369 Regular Member

    Joined:
    May 19, 2010
    Messages:
    345
    Likes Received:
    31
    I added that Wordfence plugin, but when I ran a scan, it showed nothing. Is this a better option?

    Also, in the backend of my site on the plugins page, I get these messages. Not sure if related and I don't know what it means:

    -FTP credentials don't allow to write to file /home/proboxin/public_html/.htaccess

    -W3 Total Cache Error: Files and directories could not be automatically created to complete the installation.
    Please execute commands manually
    or use FTP form to allow W3 Total Cache make it automatically.
     
    Last edited: Nov 22, 2013
  6. Akihabara

    Akihabara Registered Member

    Joined:
    Aug 18, 2011
    Messages:
    86
    Likes Received:
    18
    Location:
    France
    Hi,
    Download your whole website from your FTP to a new folder on your PC.
    Use the software of your choice (Notepad++ for example) and do a "find in folder" search for "Saints Hacker".
    You'll find what you need ;)
     
  7. dakota5369

    dakota5369 Regular Member

    Joined:
    May 19, 2010
    Messages:
    345
    Likes Received:
    31
    I just deleted my entire forum. It appears vBulletin got hacked bad and I was using an old borrowed version, so I wasn't gonna be able to keep it secure, I think. Thanks to those who helped.
     
  8. nikiobicata

    nikiobicata Regular Member

    Joined:
    Mar 4, 2011
    Messages:
    443
    Likes Received:
    365
    Occupation:
    IT Director
    Location:
    New York
    Next time just install SMF Forum. It's free and easy to use. When you "borrow" scripts from the web, always check them for "bad" code. You can use this: http://www.fileseek.ca/
     
  9. JustUs

    JustUs Power Member

    Joined:
    May 6, 2012
    Messages:
    609
    Likes Received:
    452
    Three things: up in the left corner of the WP admin panel is a button about reinstalling WP. It does what it says; this will clear any modified files.

    Then install Wordfence. Let Wordfence scan the system. It will show all files that are different from what is in the official repositories and point you in a direction.

    Number three, Siteground keeps backup copies for 90 days of your site and you can access these through cpanel. Restore your site to the day before the defacement.
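
The two manual checks suggested in this thread (searching a downloaded copy of the site for the defacement text, and comparing it with a known-clean copy) can be done in one pass; the script below is an added example, not code posted by anyone in the thread. The marker strings come from the Sucuri output quoted in the first post; the function names, directory layout and sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Marker strings taken from the defacement HTML quoted in the first post.
MARKERS = (b"Saints Hacker", b"K4C3-Undetected", b"Saints.R-H4CK")

def _index(root, markers=()):
    """Map each relative path under root to (sha256, contains_marker)."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hit = any(m.lower() in data.lower() for m in markers)
            out[rel] = (hashlib.sha256(data).hexdigest(), hit)
    return out

def triage(site_root, clean_root):
    """Return (extra, modified, flagged) lists of paths in the site copy."""
    site, clean = _index(site_root, MARKERS), _index(clean_root)
    extra = sorted(p for p in site if p not in clean)
    modified = sorted(p for p in site if p in clean and site[p][0] != clean[p][0])
    flagged = sorted(p for p, (_h, hit) in site.items() if hit)
    return extra, modified, flagged

def build_demo():
    """Create two small sample trees (constructed data, not the real site)."""
    base = tempfile.mkdtemp()
    trees = {
        "clean": {"index.php": "<?php // core", "wp-login.php": "<?php // login"},
        "site": {"index.php": "<?php // core <TITLE>Hacked by Saints Hacker Team</TITLE>",
                 "wp-login.php": "<?php // login",
                 "forums/init.php": "<?php // old forum file"},
    }
    for tree, files in trees.items():
        for rel, body in files.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return os.path.join(base, "site"), os.path.join(base, "clean")

if __name__ == "__main__":
    print(triage(*build_demo()))
```

The `extra` list will also contain legitimate uploads, themes and plugins, so treat it as a review list rather than a delete list; `modified` and `flagged` are the files to open first.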
     
  10. MadStacks

    MadStacks BANNED BANNED

    Joined:
    Oct 20, 2013
    Messages:
    1,494
    Likes Received:
    493
    I have heard of some people offering free templates to people because there are backdoors and vulnerabilities in them.
    So can you trust the person who wrote the template?