Thread: Have I been hacked?

Have I been hacked?

Sorry I know maybe repost but this is different question.

Ive been experiencing a really slow website and admin dashboard gone since yesterday.

Whenever i move between pages, i see at the bottom of bar "transferring data from "pulpic dot com" and "waiting for "pulpic dot com".

Tried accessing the site pul pic, it gives me a 403 message.

Do you think the site has been hacked?

Looks like I was, found a massive file core.14089 file, check it up online and its a bug :S

Now to sort rest out, going to contact hosting company see what they can do.

You may also check your server log for some access clues.

Same with 2nd site, i think they must have found the second one from my links section lol.

If you manage to track down the cause please let us all know. Best of luck.

^^ Looks like I was hacked, dont know how or why, but going to have to reset the content, doing that today actually.
2nd time and it looks like its always my classipress sites that are taking the hit.

Could there be a reason for this guys? (mods) like a weakness in the theme or something? back end settings?

I believe im not the only one experiencing the problem.

Could it be that you have used a compromised version of w3 total cache or another compromised plugin?
WordPress › Passwords Reset

If you have phpmyadmin installed as a plugin you should remove that one.

This kind of hack does not need any compromised plugin to take effect. It COULD be a plugin that carried some hacking tools with it, but the most common hack being done these days involves a SQL injection of "bad code" and often uses a known vulnerability in phpmyadmin, which was the most popular tool for looking at your database and exporting tables.

Wordpress itself has taken down the last phpmyadmin plugin because it had so many hacks to so many sites that used that plugin.

I still have this plugin but only activate it just long enough to look at my database and then I deactivate it.

What usually happens is that a script is automatically loaded onto your account that rewrites hundreds of files to include a javascript call to a bad site. You will see the javascript either in the header or footer.

You will probably find that every day or night at about the same time the script re-infects a "cleaned" installation. If you have been hacked again you will find one time listed for all files that is later than your re-install.



One of the best things to install after you think you are really clean is BulletProof Security which you can find in the Plugins at http://wordpress.org/extend/plugins/...roof-security/

I have WordPress 3.2 installed and it works for this latest version. The plugin will warn (if you have WP 3.2) that it is NOT compatabile, but that is a false message. This plugin is installable to the latest WordPress.

It installs some .htaccess rules to prohibit the kind of attacks that probably got you infected in the first place.

By the way, in all likelihood, you were not singled out by a real live hacker. You were hacked by a program that just looks, finds, attacks, installs, and then is automated to come back and to hack you again in the same manner.

That is why I recommend BulletProof, it is very good at stopping these hacks.

Warning regarding Free Wordpress Themes

Since this thread is on hacking of websites, particularly WordPress themed websites, I thought I would pass along this warning from the website that provides the BulletProof security plugin.

The main issue is this : WordPress Themes that are "pre-hacked" to infect your website as soon as you download one and try it out.

Most often they will come from FREE WordPress theme sites.

Here is a quote from the Exposed Scams blog at Exposed Scams

The author of BulletProof mentions 3 sites that he knows have way way too many infected Themes for this to simply be an accident. Strong suspicion is that many websites are set up to invite you to download and install a Wordpress theme (of thousands) that has been modified to infect your installation.

He names three and there are, according to him, many more--

wpblogskins.com
wordpresstemplates.com
wordpressthemes2.com

These are just 3 of the mirrored sites and there appear to many more. What is the smarter approach it so check your WordPress Theme for these following things:

filenames: theme_licence.php and start_template.php (which can be easily changed to something else again)

Check your WordPress Theme header.php file and sidebar.php files. If you see code like this in these files then you have a pre-hacked WordPress Theme.

require_once("theme_licence.php"); eval(base64_decode($f1)); bloginfo('html_type');


So, word to the wise.

But, understand that if you EVER upload one of these infected themes to your current installation or installations and activate it just to check it out it can infect your site with re-directs to criminal websites.

It would be fairly simple to infect the WordPress core so that even if you de-activate the evil theme the core of Wordpress could be infected to carry on its damage even if you re-activate the "good" theme, such as ClassiPress, that you intend to use.

The good news is that you can scan all theme files with a few string searches, such as using Find in Dreamweaver, for such things as "eval(base64_decode" and variants of that to inspect a theme to see if it has been hacked.

This is also a reason to stay with the better, reputable Theme providers that charge money for their Themes and create their own Themes.

This is a good advice. I don't know the bulletproof security plugin but there is also another plugin called "antivirus"
WordPress › AntiVirus « WordPress Plugins
which can be used to check theme files. It warns if some suspicious code is found.
It also warns if it finds some code such as include_once commands which some more advanced themes might use. You will have the option to disable the warnings if you found the files to be legit.