Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Have I been hacked?

  1. #1
    Thread Starter
    Member Almost's Avatar
    Join Date
    Jul 2010
    Posts
    97
    Thanks
    14
    Thanked 3 Times in 2 Posts

    Have I been hacked?

    Sorry I know maybe repost but this is different question.

    Ive been experiencing a really slow website and admin dashboard gone since yesterday.

    Whenever i move between pages, i see at the bottom of bar "transferring data from "pulpic dot com" and "waiting for "pulpic dot com".

    Tried accessing the site pul pic, it gives me a 403 message.

    Do you think the site has been hacked?

  2. #2
    Thread Starter
    Member Almost's Avatar
    Join Date
    Jul 2010
    Posts
    97
    Thanks
    14
    Thanked 3 Times in 2 Posts
    Looks like I was, found a massive file core.14089 file, check it up online and its a bug :S

    Now to sort rest out, going to contact hosting company see what they can do.

  3. #3
    jomarkosabel's Avatar
    Join Date
    Mar 2009
    Location
    Philippines
    Posts
    35,706
    Thanks
    158
    Thanked 2,843 Times in 2,721 Posts
    You may also check your server log for some access clues.
    Please help our moderating team work more efficiently by not sending us support questions via PM. You can read more about how AppThemes support works here. However, you can send a PM to follow up and remind me if I missed your support request/thread.

    Thank you and have a nice day.

  4. #4
    Thread Starter
    Member Almost's Avatar
    Join Date
    Jul 2010
    Posts
    97
    Thanks
    14
    Thanked 3 Times in 2 Posts
    Same with 2nd site, i think they must have found the second one from my links section lol.

  5. #5
    Veteran bellboy's Avatar
    Join Date
    Apr 2010
    Location
    Tokyo, Japan
    Posts
    515
    Thanks
    132
    Thanked 43 Times in 36 Posts
    If you manage to track down the cause please let us all know. Best of luck.

  6. #6
    Thread Starter
    Member Almost's Avatar
    Join Date
    Jul 2010
    Posts
    97
    Thanks
    14
    Thanked 3 Times in 2 Posts
    ^^ Looks like I was hacked, dont know how or why, but going to have to reset the content, doing that today actually.
    2nd time and it looks like its always my classipress sites that are taking the hit.

    Could there be a reason for this guys? (mods) like a weakness in the theme or something? back end settings?

    I believe im not the only one experiencing the problem.

  7. #7
    Veteran bluecafe's Avatar
    Join Date
    Apr 2010
    Location
    Berlin
    Posts
    1,563
    Thanks
    58
    Thanked 359 Times in 273 Posts
    Could it be that you have used a compromised version of w3 total cache or another compromised plugin?
    WordPress › Passwords Reset

  8. #8
    Veteran vienna's Avatar
    Join Date
    May 2010
    Location
    Vienna, Austria
    Posts
    718
    Thanks
    19
    Thanked 177 Times in 118 Posts
    If you have phpmyadmin installed as a plugin you should remove that one.

    This kind of hack does not need any compromised plugin to take effect. It COULD be a plugin that carried some hacking tools with it, but the most common hack being done these days involves a SQL injection of "bad code" and often uses a known vulnerability in phpmyadmin, which was the most popular tool for looking at your database and exporting tables.

    Wordpress itself has taken down the last phpmyadmin plugin because it had so many hacks to so many sites that used that plugin.

    I still have this plugin but only activate it just long enough to look at my database and then I deactivate it.

    What usually happens is that a script is automatically loaded onto your account that rewrites hundreds of files to include a javascript call to a bad site. You will see the javascript either in the header or footer.

    You will probably find that every day or night at about the same time the script re-infects a "cleaned" installation. If you have been hacked again you will find one time listed for all files that is later than your re-install.



    One of the best things to install after you think you are really clean is BulletProof Security which you can find in the Plugins at http://wordpress.org/extend/plugins/...roof-security/

    I have WordPress 3.2 installed and it works for this latest version. The plugin will warn (if you have WP 3.2) that it is NOT compatabile, but that is a false message. This plugin is installable to the latest WordPress.

    It installs some .htaccess rules to prohibit the kind of attacks that probably got you infected in the first place.

    By the way, in all likelihood, you were not singled out by a real live hacker. You were hacked by a program that just looks, finds, attacks, installs, and then is automated to come back and to hack you again in the same manner.

    That is why I recommend BulletProof, it is very good at stopping these hacks.

  9. The Following 2 Users Say Thank You to vienna For This Useful Post:

    ositech (April 1st, 2014), rubencio (July 12th, 2011)

  10. #9
    Veteran vienna's Avatar
    Join Date
    May 2010
    Location
    Vienna, Austria
    Posts
    718
    Thanks
    19
    Thanked 177 Times in 118 Posts

    Warning regarding Free Wordpress Themes

    Since this thread is on hacking of websites, particularly WordPress themed websites, I thought I would pass along this warning from the website that provides the BulletProof security plugin.

    The main issue is this : WordPress Themes that are "pre-hacked" to infect your website as soon as you download one and try it out.

    Most often they will come from FREE WordPress theme sites.

    Here is a quote from the Exposed Scams blog at Exposed Scams

    The author of BulletProof mentions 3 sites that he knows have way way too many infected Themes for this to simply be an accident. Strong suspicion is that many websites are set up to invite you to download and install a Wordpress theme (of thousands) that has been modified to infect your installation.

    He names three and there are, according to him, many more--


    wpblogskins.com
    wordpresstemplates.com
    wordpressthemes2.com

    These are just 3 of the mirrored sites and there appear to many more. What is the smarter approach it so check your WordPress Theme for these following things:

    filenames: theme_licence.php and start_template.php (which can be easily changed to something else again)

    Check your WordPress Theme header.php file and sidebar.php files. If you see code like this in these files then you have a pre-hacked WordPress Theme.

    require_once("theme_licence.php"); eval(base64_decode($f1)); bloginfo('html_type');



    So, word to the wise.

    But, understand that if you EVER upload one of these infected themes to your current installation or installations and activate it just to check it out it can infect your site with re-directs to criminal websites.

    It would be fairly simple to infect the WordPress core so that even if you de-activate the evil theme the core of Wordpress could be infected to carry on its damage even if you re-activate the "good" theme, such as ClassiPress, that you intend to use.

    The good news is that you can scan all theme files with a few string searches, such as using Find in Dreamweaver, for such things as "eval(base64_decode" and variants of that to inspect a theme to see if it has been hacked.

    This is also a reason to stay with the better, reputable Theme providers that charge money for their Themes and create their own Themes.

  11. The Following 3 Users Say Thank You to vienna For This Useful Post:

    indeedrealty (April 16th, 2013), ositech (April 1st, 2014), rubencio (July 12th, 2011)

  12. #10
    Veteran bluecafe's Avatar
    Join Date
    Apr 2010
    Location
    Berlin
    Posts
    1,563
    Thanks
    58
    Thanked 359 Times in 273 Posts
    Quote Originally Posted by vienna View Post
    Since this thread is on hacking of websites, particularly WordPress themed websites, I thought I would pass along this warning from the website that provides the BulletProof security plugin.

    The main issue is this : WordPress Themes that are "pre-hacked" to infect your website as soon as you download one and try it out.

    Most often they will come from FREE WordPress theme sites.

    This is a good advice. I don't know the bulletproof security plugin but there is also another plugin called "antivirus"
    WordPress › AntiVirus WordPress Plugins
    which can be used to check theme files. It warns if some suspicious code is found.
    It also warns if it finds some code such as include_once commands which some more advanced themes might use. You will have the option to disable the warnings if you found the files to be legit.

  13. The Following User Says Thank You to bluecafe For This Useful Post:

    rubencio (July 12th, 2011)

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. My Classipress site was HACKED!
    By dulcimers in forum ClassiPress General Discussion
    Replies: 23
    Last Post: March 26th, 2012, 04:01 PM
  2. User accounts hacked?
    By bailey in forum ClassiPress General Discussion
    Replies: 3
    Last Post: April 19th, 2011, 11:36 AM
  3. Hacked site?
    By rodeoramsey in forum ClassiPress General Discussion
    Replies: 14
    Last Post: July 7th, 2010, 10:37 AM