Discussion in 'Black Hat SEO' started by ahiddenman, Jan 7, 2012.
Ask your host to restore from a backup
My wordpress site was hacked, was ranked #1 for a big keyword, was a week ago, and I just noticed fuuuuuck. I even pay someone to check all my sites twice a week, and of course he didn't do it in the last week.
Usually they just put an index.html file in the main directory, (which they did to other sites on this account) but my main one, the hacker page still shows, even after I deleted the file. And there doesn't appear to be any other edited files in the directory. How did they do this? How can I fix it?
Okay I found it, was in the theme itself. Host doesn't have back up and my back up is old. I think I just need my password reset now actually.
If you get your site hacked, that means there is a backdoor left somewhere. Hackers usually leave a code somewhere on your host to access it easily later on.
You need to restore from backup or you need some really good programming skills to find the backdoor. Otherwise it's going to happen again & again.
Additionally, you need to find where the vulnerability was, to close that door as well. Restoring a hacked host takes quite a lot of time. I just had to do it for a client & it took me 2 days of work to clean & patch the whole thing.
I recommend you start with upload, image folders & look for something shady & the functions.php file.
Google "prevent wordpress hacking" .. check out the very 1st website. Follow the 14 tips, implement and you should be good.
Thanks. I'm just gonna upgrade this one and hope it's okay. These sites aren't updated, so I don't care if it gets hacked. If it gets hacked again, I'll restore my oldest backup.
If you are using wordpress, try using bulletproof security plugin and login lockdown.
I have about 100 wordpress sites, that will take forever. However, it might be a good idea.
I'll take a look thanks.
*** Quick look, looks like a good idea.
My WP sites are still up and running fine.
I've noticed my static html site's rankings have dropped.
If I go info:mydomain.com I'm seeing totallyboner.com and the hackerpage that was on my page as well.
Is there something going on that google is being redirected to a different site some how?
My ranking went from #1 to #30.
My site is only about 8 pages, and is a static .html site.
Would this not be able to be located by using FTP?
I don't think I have SSH access.
What operating system do you run on your server/vps?
Log in via ssh and install rootkit hunter then scan your server/vps to make sure it's clean.
1) Make sure you have set your folder permissions right.
2) Check your .htaccess file to see if it contains any line of code linking you to the hacker's web page.
3) I'd also recommend you to run suphp and apache suexec via WHM for additional security
Let me know if you need any help.
Still need help on this.
It's just a small hosting account on hostable.com, which sucks.
But my wordpress sites on the same account are doing fine, but this one is now ranked #35 on a very low comp keyword, and it's an EMD.
google manageWP for managing multiple wp sites, you can try it for free.
You mentioned you pay someone to upload stuff twice a week? You don't see that as a problem? If someone has access to your hosting account or even FTP they can gain access to a WP blog.
WP blows for this main reason. . . It's a gaping hole into your server if not updated and maintained. Once they breach your site. . .you're done. It will often replicate inside a lot of your files. So even once you knock out the base 64 code (which it's probably obfuscated in) your other files often have things in the footer. Plus if they got in through site1 (wp blog) and you have 50 other domains on that server. . . they are all possibly compromised as well.
I got hit via a wp one time. . what I did was this. I created silos with different users isolating each and every wp blog. . then putting my other static sites together. . then waited. Since hackers are lazy I'd often find it showing its face in a new .htaccess file just redirecting all my traffic.
If you silo your accounts you can see where the hacker actually got in and what he can actually access . . . by waiting till he strikes.
Your other options. . go through hundreds of thousands of lines of code deleting everything, storing the files offline until its complete then reupping everything. . .
ALSO . . . if you're using filezilla, you better sweep your comp for the possibility of a nasty little virus that hit you via that ftp client. . . you could do all that work only to find them back.
If you're lucky this guy was a novice and just breached one small thing. . you got it off and you're free. . .if not .. prepare for a long haul
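Added example, not part of any post in this thread: a triage scan for the places the replies above point at (PHP in upload/image folders, `eval(base64_decode(...))`-style code in theme files such as functions.php, and `.htaccess` rules that redirect traffic off-site). The function names, the upload-folder names and the sample tree are assumptions made for illustration.

```python
import os, re, pathlib

# Heuristics only: a hit marks a file for manual review, it does not prove compromise
# (a legitimate canonical-host redirect will also show up as an external redirect).
PHP_OBFUSCATION = re.compile(
    rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
HTACCESS_CONDITIONAL = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}", re.I | re.M)
HTACCESS_EXTERNAL = re.compile(r"^\s*(RewriteRule|Redirect(Match)?)\s.*https?://", re.I | re.M)
UPLOAD_DIRS = {"uploads", "images", "img"}   # assumed names; adjust to the site's layout

def scan_docroot(root):
    """Return sorted (relative_path, reason) pairs for files worth a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).lower().split(os.sep)
        in_upload_dir = any(p in UPLOAD_DIRS for p in parts)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    data = fh.read(2_000_000)   # cap how much of each file is read
            except OSError:
                continue                        # unreadable file: skip, keep scanning
            lower = name.lower()
            if lower == ".htaccess":
                text = data.decode("utf-8", "replace")
                if HTACCESS_CONDITIONAL.search(text):
                    findings.append((rel, "htaccess-agent-or-referer-condition"))
                if HTACCESS_EXTERNAL.search(text):
                    findings.append((rel, "htaccess-external-redirect"))
            elif lower.endswith((".php", ".phtml")):
                if in_upload_dir:
                    findings.append((rel, "php-in-upload-dir"))
                if PHP_OBFUSCATION.search(data):
                    findings.append((rel, "php-obfuscated-eval"))
    return sorted(findings)

def build_sample(root):
    """Write a small constructed tree (not taken from the thread) to scan."""
    files = {
        "index.html": b"<html>ok</html>",
        ".htaccess": b"RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} googlebot [NC]\n"
                     b"RewriteRule ^(.*)$ http://example.invalid/ [R=302,L]\n",
        "wp-content/uploads/2012/01/img.php": b"<?php echo 1; ?>",
        "wp-content/themes/x/functions.php": b'<?php eval(base64_decode("ZWNobyAxOw==")); ?>',
    }
    for rel, body in files.items():
        p = pathlib.Path(root, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
```

`scan_docroot()` only reads files, so it can be run against a local copy of the site downloaded over FTP when the host gives no SSH access.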
There are a few security programs on the web that will actually scan all the files on your hosting account to look for code that's been added.
OSE for Joomla is good and I imagine you can use it to scan WP files as well, but it runs on Joomla and it stops hack attempts pretty much dead in their tracks.
I have a folder with over 2000 hack attempts it warned me about since I installed it like 3 months ago.
Shared hosting accounts kinda suck for this very reason, they are prone to getting hacked.
It's not WP affected, just static HTML and it's like 5 pages. None of them are showing up as edited. There is no .htaccess file there either.
lol easy fix. I've dealt with this on a friend's server before.