Thread: hacked by ./pH4TH0rM0n

hacked by ./pH4TH0rM0n

Apparently someone thought it be funny to try to hack my network of websites. Has anyone run into this hacker? I had a few sites that weren't up to date with Wordpress.

The hack did add some files and I also can't remove a directory for some reason.

+ added wp-trackback2.php
+ modified wp-login.php
+ replaced index.php and wherever else it could with a hacked by page.

Akismet plugin had a few files added and replaced too so advised to remove the plugin and replace.

Any of my sites that were using a under construction plugin and was active, had not been compromised except for just the index.php in root (so the script that was used to replace the index.php files I guess just said no you can't write files in here).

If anyone has any information on this hack (complete removal information) as I don't know if there may be something injected into the mysql database either, as one of my sites still shows hacked by if you link via facebook, although I removed files.

In your admin, click reinstall Wordpress.

Then install wordfence, scan & repair.

Then you should be all fixed.

If you can't get into admin then download a new Wordpress version and upload it manually.

I believe the exploit occurred through akismet to begin with, I kept the files. I guess I should send them to security@wordpress.org . They installed a shell called BlackOrchidz Shell .

This is the hacker who hacked my websites. Going to report to FBI because he is defacing more sites then just mine. http://www.facebook.com/agung.danu.p...11759795544597

http://exploitarchive.com/wordpress-...ite-scripting/

Most recent akismet vulnerability from October 2nd. I just would like to understand this to possibly figure out how to prevent it. For now I'm just deleting akismet plugin from websites as I have no use for it.

Install a plugin that checks for file changes and can restore file back to original version.

I recommend Wordfence.

wordfence isn't working for non paid members, and I'm choosing not to pay for it at this time. My solution for the time being is to remove akismet plugin, however there is also a remote execution exploit within wordpress that was discovered October 4th (which I figured would eventually be found as it occurs within a weird set of wordpress files I don't understand the purpose of anyways for the last several months).

So pay the $18 then.

Or spend many hours constantly chasing your tail fixing things.

Well right now wordfence won't fix the problem because it could also be a wordpress problem itself, a vulnerability was found on October 4th, so paying for something that won't fix the core files of wordpress won't do me no good. http://packetstormsecurity.org/files...Execution.html

It can block and unwanted traffic by country. That might help?

You can set some pretty strong levels with it.