  1. #1
    SitePoint Addict skyhigh007's Avatar
    Join Date
    Jun 2006
    Posts
    363
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    wordpress blog got hacked or virus

    Hi

    I just noticed that there's a load of text on my blog's sidebar and it seems like it got a virus? I just published the blog post today before the WordPress 3.3.1 update, and now I have updated and the small texts are still there. Here's the link; does anyone know how to fix this issue?

  2. #2
    SitePoint Wizard
    Join Date
    Oct 2005
    Posts
    1,768
    Mentioned
    5 Post(s)
    Tagged
    1 Thread(s)
    Damn it. I just checked WordPress about 3 or so hours ago and they had not released an update. If my WordPress is hacked, I am going to be furious.

  3. #3
    #titanic {float:none} silver trophy
    molona's Avatar
    Join Date
    Feb 2005
    Location
    from Madrid to Heaven
    Posts
    8,024
    Mentioned
    211 Post(s)
    Tagged
    1 Thread(s)
    Did you have it fixed? I don't see anything unusual there, to be honest... but then I don't know which text was there before the problem arose.

  4. #4
    SitePoint Addict skyhigh007's Avatar
    Quote Originally Posted by molona View Post
    Did you have it fixed? I don't see anything unusual there, to be honest... but then I don't know which text was there before the problem arose.
    Before, there were so many pill and viagra texts on the sidebar below the poll, and after I updated WordPress to 3.3.1, they were still there. So I purged them from the cache and they are gone now. Kind of fixed it, I guess.

  5. #5
    Life is not a malfunction gold trophysilver trophybronze trophy
    TechnoBear's Avatar
    Join Date
    Jun 2011
    Location
    Argyll, Scotland
    Posts
    5,325
    Mentioned
    214 Post(s)
    Tagged
    5 Thread(s)
    I don't know enough about WordPress to help you out with the specifics of making sure your site is clean, but remember to change all your passwords. If you've been hacked once, you don't want to make it easy for them to have another go.

  6. #6
    SitePoint Addict skyhigh007's Avatar
    It's happening again. You can see it here. Look at the left side of the blog under the poll using the Firefox browser. Any suggestions?

  7. #7
    Life is not a malfunction gold trophysilver trophybronze trophy
    TechnoBear's Avatar
    I don't see anything amiss. (I'm a little confused, though, as the poll is on the right side of the blog...) Can you post a screen-shot of what you're seeing? And did you change all your passwords after the last incident?

    Edit. Doing a site:drinkwhat.com search in Google produced odd results under drinkwhat.com/archives/ and drinkwhat.com/search/. I didn't look beyond the first page of results.

  8. #8
    SitePoint Wizard rguy84's Avatar
    Join Date
    Sep 2005
    Location
    Durham, NC
    Posts
    1,659
    Mentioned
    5 Post(s)
    Tagged
    0 Thread(s)
    Possibly contact your host. Maybe they are getting DDOS'ed and even though you changed your WP password they can still get in at the server level.

  9. #9
    SitePoint Addict skyhigh007's Avatar
    Can you see it now in here? Look at the right side of the website and scroll down under the poll. You will see so many small texts. Make sure to use the Firefox browser.

  10. #10
    Life is not a malfunction gold trophysilver trophybronze trophy
    TechnoBear's Avatar
    No, I'm still not seeing that, although as I said before, there clearly has been a problem because it's showing up in Google's search results. If you're still seeing it, post a screen-shot. What steps have you taken to clean up the site?

  11. #11
    SitePoint Addict skyhigh007's Avatar
    I contacted the web server company and they told me that there may have been entry into your WordPress MySQL database, and they noticed that I used a cache plugin (W3 Total Cache). So I backed up the database and emptied all the caches using W3 Total Cache. As a result, the unwanted small texts under the poll survey have been removed, or at least they're gone for now. However, I do not know what causes this problem. Any suggestions?

    Attachments: Weird-Text-under-Poll-Survey.jpg, Weird-Text-under-Poll-Survey-2.jpg

  12. #12
    SitePoint Addict skyhigh007's Avatar
    OMG! It's back again! Can you guys see it here? Make sure to use Firefox. Has my site got a virus or what?

  13. #13
    From space with love silver trophy
    SpacePhoenix's Avatar
    Join Date
    May 2007
    Location
    Poole, UK
    Posts
    4,904
    Mentioned
    93 Post(s)
    Tagged
    0 Thread(s)
    I don't see it. Have you cleared your local browser cache?

  14. #14
    Life is not a malfunction gold trophysilver trophybronze trophy
    TechnoBear's Avatar
    Quote Originally Posted by skyhigh007 View Post
    OMG! It's back again! Can you guys see it here? Make sure to use Firefox. Has my site got a virus or what?
    Ok - this time I do see it, and it makes no difference which browser I use. There is a <div> in your sidebar with all these links in it, and if you didn't put it there, then someone else did.

    Somebody else may be able to give you more precise help in cleaning up a WordPress site, but as far as I know, the only sure way is to delete all files, restore a clean backup copy, change all your passwords and run an antivirus scan.

  15. #15
    SitePoint Wizard
    Quote Originally Posted by skyhigh007 View Post
    OMG! It's back again! Can you guys see it here? Make sure to use Firefox. Has my site got a virus or what?
    Yes, it looks like somebody hacked your site. Exactly where your site was hacked is unknown. Could it be the plugin that was hacked or another file? Do you host any other websites on your hosting account? One or more of those could have been hacked. Those hackers don't like to go away easily. They can and often do stash backdoors all over your hosting account so if you find one, they will have another point of entry.

    Your only option is to install everything clean. Back up everything first, including all files and database tables, and then delete everything and reinstall WordPress fresh along with all plugins. Also, take a look inside your database tables for any rogue code like iframes or JavaScript that shouldn't be there. Somebody may have snuck an iframe into the post field of your posts table or something. You never know until you look.

    That's your only option. If you aren't willing to go through the time and effort of deleting everything and installing everything fresh and clean, you can take a look at file modification times and see if you can find any that are out of the ordinary. If all of your file modification times in a folder are on the same date and one is much newer, that could be a clue that file has been compromised. But, hackers can change the file modification time to anything they want so this is not a fool-proof way of tracking down the problem.

    I've been hacked, too. More than once. It sucks, I know. The only way to be sure you got rid of the exploit is to delete everything and install fresh. Be sure to change all of your passwords including your cPanel or other control panel password, your billing password, and your database passwords which are easily readable in the config files.

  16. #16
    SitePoint Member
    Join Date
    Aug 2010
    Posts
    21
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    I would do what is suggested: a new setup of WordPress and import the database in ... also I would install all these plugins

    wordpress security plugins
    wp-malwatch
    bps security
    wp security scan
    better wp security
    BulletProof Security
    Secure wordpress
    Ultimate security checker

    Also make sure you are not using timthumb.php. Make sure you have the updated version. Always keep plugins up to date. I have fixed tons of WordPress sites because of viruses. One particular site was down every 5 hours. After installing fresh WP and the above, it did not happen anymore. You have to do what the plugins ask to help mask things.

  17. #17
    SitePoint Addict skyhigh007's Avatar
    Quote Originally Posted by cheesedude View Post
    Yes, it looks like somebody hacked your site. Exactly where your site was hacked is unknown. Could it be the plugin that was hacked or another file? Do you host any other websites on your hosting account? One or more of those could have been hacked. Those hackers don't like to go away easily. They can and often do stash backdoors all over your hosting account so if you find one, they will have another point of entry.

    Your only option is to install everything clean. Back up everything first, including all files and database tables, and then delete everything and reinstall WordPress fresh along with all plugins. Also, take a look inside your database tables for any rogue code like iframes or JavaScript that shouldn't be there. Somebody may have snuck an iframe into the post field of your posts table or something. You never know until you look.

    That's your only option. If you aren't willing to go through the time and effort of deleting everything and installing everything fresh and clean, you can take a look at file modification times and see if you can find any that are out of the ordinary. If all of your file modification times in a folder are on the same date and one is much newer, that could be a clue that file has been compromised. But, hackers can change the file modification time to anything they want so this is not a fool-proof way of tracking down the problem.

    I've been hacked, too. More than once. It sucks, I know. The only way to be sure you got rid of the exploit is to delete everything and install fresh. Be sure to change all of your passwords including your cPanel or other control panel password, your billing password, and your database passwords which are easily readable in the config files.
    No wonder I've been getting loads of spam e-mails every day ever since WordPress wanted me to install Jetpack for status, and also I think I didn't update the thumb generator file. I only host one website on one hosting account. When I contacted my hosting company, they said they don't know if my site got hacked or not. They could only tell me that my database might have been changed. Anyway, so I back up my database first and then delete everything. I have to create my own theme again.

  18. #18
    SitePoint Wizard
    Quote Originally Posted by skyhigh007 View Post
    Anyway, so I back up my database first and then delete everything. I have to create my own theme again.
    Well no, you don't have to create your own theme again. You can open all the files you created and examine them to make sure all the code in there is your own. If you don't see anything unusual, then you can assume those files are safe.

  19. #19
    SitePoint Member
    Yeah, I would not recreate the theme. I would use those files. I would download them to my PC, take a fresh copy and use Araxis Merge to see the differences in the files one by one. It is much faster and you would have the same theme.
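
Added example, not part of any post in this thread: one way to do the file-by-file comparison from posts #15 and #19 in bulk, comparing content hashes instead of modification times, since post #15 notes the times can be changed. The directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_trees(clean_root, live_root):
    """Return (modified, extra, missing) lists of relative paths."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    modified = sorted(p for p in clean if p in live and clean[p] != live[p])
    extra = sorted(p for p in live if p not in clean)      # never shipped in the clean copy
    missing = sorted(p for p in clean if p not in live)
    return modified, extra, missing

def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Build a constructed clean tree and a tampered copy, then compare them."""
    sidebar = "wp-content/themes/mytheme/sidebar.php"
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            _write(root, sidebar, "<?php dynamic_sidebar(); ?>\n")
            _write(root, "wp-content/themes/mytheme/index.php", "<?php get_header(); ?>\n")
        # Constructed tampering: an altered sidebar plus a file the clean copy never had.
        _write(live, sidebar, "<?php dynamic_sidebar(); ?>\n<div>unexpected links</div>\n")
        _write(live, "wp-content/uploads/cache.php", "<?php /* unexpected file */ ?>\n")
        # Give the altered file the clean file's mtime: the hash still differs.
        st = os.stat(os.path.join(clean, sidebar))
        os.utime(os.path.join(live, sidebar), (st.st_atime, st.st_mtime))
        return compare_trees(clean, live)

if __name__ == "__main__":
    for label, paths in zip(("modified", "extra", "missing"), demo()):
        print(label, paths)
```

Point `compare_trees` at a freshly downloaded copy of the same WordPress, plugin and theme versions and at the backup of the live site; files listed as extra under upload or cache directories deserve the first look.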

  20. #20
    SitePoint Addict skyhigh007's Avatar
    Quote Originally Posted by mmoore5553 View Post
    I would do what is suggested: a new setup of WordPress and import the database in ... also I would install all these plugins

    wordpress security plugins
    wp-malwatch
    bps security
    wp security scan
    better wp security
    BulletProof Security
    Secure wordpress
    Ultimate security checker

    Also make sure you are not using timthumb.php. Make sure you have the updated version. Always keep plugins up to date. I have fixed tons of WordPress sites because of viruses. One particular site was down every 5 hours. After installing fresh WP and the above, it did not happen anymore. You have to do what the plugins ask to help mask things.
    If I don't use timthumb.php, what else can I use to generate the thumb image?

  21. #21
    SitePoint Member
    You can always upgrade the plugin, or if it is in the theme, get the updated theme, or just upgrade TimThumb yourself.

    http://www.web2feel.com/important-timthumb-upgrade/

  22. #22
    SitePoint Addict skyhigh007's Avatar
    How do you check the database to see anything unusual? I used phpMyAdmin and went through the tables; it seems fine and I didn't see any iframes.

  23. #23
    SitePoint Member
    From my experience it usually is not the db. I just search the db for some of the ads that you had on the side. If the search shows nothing, usually it is fine. In my experience I have only seen one time, when fixing a board, that the db was infected. Usually it is the files or the theme.
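
Added example, not part of any post in this thread: the database search suggested in posts #15 and #23, run over a SQL dump so that every table is covered, including `wp_options`, where WordPress stores sidebar text widgets. The pattern list and the sample dump lines are constructed and simplified; the spam terms are the words reported in post #4.

```python
import re
from collections import defaultdict

# Markup that rarely belongs in stored content, plus the spam words reported
# in this thread. Extend the last pattern with text actually seen on your site.
PATTERNS = {
    "iframe": re.compile(r"<iframe\b", re.I),
    "script": re.compile(r"<script\b", re.I),
    "hidden-style": re.compile(r"display\s*:\s*none", re.I),
    "spam-term": re.compile(r"\b(viagra|pills?)\b", re.I),
}
# mysqldump writes one or more "INSERT INTO `table` VALUES ..." lines per table.
INSERT_RE = re.compile(r"^INSERT INTO `([^`]+)`")

def scan_dump(lines):
    """Return {table: {pattern_name: hit_count}} for the INSERT lines of a dump."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = INSERT_RE.match(line)
        if not m:
            continue
        for name, rx in PATTERNS.items():
            count = len(rx.findall(line))
            if count:
                hits[m.group(1)][name] += count
    return {table: dict(found) for table, found in hits.items()}

# Constructed sample dump lines (not taken from the site in the thread).
SAMPLE_DUMP = [
    "INSERT INTO `wp_posts` VALUES (1,'Hello world','A normal post about tea.');",
    "INSERT INTO `wp_options` VALUES (90,'widget_text','<div style=\\\"display:none\\\">"
    "<a href=\\\"http://spam.example/\\\">cheap viagra</a> "
    "<a href=\\\"http://spam.example/p\\\">pills</a></div>');",
    "INSERT INTO `wp_comments` VALUES (5,'Nice post <script src=//spam.example/x.js></script>');",
]

if __name__ == "__main__":
    for table, found in scan_dump(SAMPLE_DUMP).items():
        print(table, found)
```

A hit is a lead to review by hand, not proof: legitimate embeds also use `<iframe>` and `<script>`, so check each flagged table against what you know you put there.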

  24. #24
    SitePoint Guru bronze trophy TheRaptor's Avatar
    Join Date
    Jul 2011
    Location
    New York
    Posts
    710
    Mentioned
    40 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by skyhigh007 View Post
    How do you check the database to see anything unusual? I used phpMyAdmin and went through the tables; it seems fine and I didn't see any iframes.
    Did you check your theme files (e.g. sidebar.php)?
    TheRaptor - Joe

  25. #25
    #titanic {float:none} silver trophy
    molona's Avatar
    The other possibility is that someone got the name and password of an administrator account (you didn't leave the defaults, did you?). Just in case, log in as an administrator and change the names and passwords of all accounts, especially the ones that have admin powers.

