
Thread: Site Hacked... any ideas?

  1. #1
    Dormant Account
    Join Date
    Apr 2010
    Location
    Staffordshire
    Posts
    271
    Thanks
    57
    Thanked 29 Times in 23 Posts
    Rep Power
    5

    Site Hacked... any ideas?

    Lovely surprise as I went to the wp-admin for my site, found that it's been hacked by some Turkish guy.

    It was the latest build of WP, so not sure about the security flaw that let him in, though a brief Google search suggests that it may have something to do with the Linux installation server side.

    Anyone have any ideas on how to fix this?


    *In my hurry I noticed I've posted this in the wrong forum. Clinton or a moderator, please move it if you so wish. Also, it's this site that's been hacked.
    Last edited by mgallone; March 28th, 2011 at 3:07 PM. Reason: Additional info

  2. #2
    Dormant Account
    Join Date
    Apr 2010
    Location
    Staffordshire
    Posts
    271
    Thanks
    57
    Thanked 29 Times in 23 Posts
    Rep Power
    5
    (Apologies for the rapid double post)

    I've found that I can access my WP dashboard if I go through the Plesk panel at the host. Doesn't look like I've lost my site, just that it's being blocked/overridden from display by this 'hacked' message.

  3. #3
    Administrator
    Join Date
    Jan 2010
    Location
    Essex, UK
    Posts
    7,281
    Blog Entries
    30
    Thanks
    3,907
    Thanked 2,646 Times in 1,500 Posts
    Rep Power
    101
    Before you fix it, change all your passwords. Not just to the site but to the server/CP/email at this domain/everything. Sorry if it seems obvious, but it's surprising how often people aren't thorough enough with changing passwords after such an attack.

  4. The Following User Says Thank You to Clinton For This Useful Post:

    mgallone (March 28th, 2011)

  5. #4
    Dormant Account
    Join Date
    Apr 2010
    Location
    Staffordshire
    Posts
    271
    Thanks
    57
    Thanked 29 Times in 23 Posts
    Rep Power
    5
    So surprising that I've only just done it after your suggestion... geez, my mind's racing in so many different directions it's just not going straight. Cheers for that, Clinton.

  6. #5
    Administrator
    Join Date
    Jan 2010
    Location
    Essex, UK
    Posts
    7,281
    Blog Entries
    30
    Thanks
    3,907
    Thanked 2,646 Times in 1,500 Posts
    Rep Power
    101
    Now find the last backup of your site on your hard disk or ask your host for the last copy they made. Check it for scripts and other nasties and then replace all existing content with that copy.

  7. The Following User Says Thank You to Clinton For This Useful Post:

    mgallone (March 28th, 2011)

  8. #6
    Dormant Account
    Join Date
    Apr 2010
    Location
    Staffordshire
    Posts
    271
    Thanks
    57
    Thanked 29 Times in 23 Posts
    Rep Power
    5
    Right, progress update...

    I've found and removed the offending script and HTML file using an FTP program. Now, if you look at the page it's just showing the Apache test confirmation message. Hmm. I may have to completely remove WP and start over before uploading the backup.

  9. #7
    Dormant Account
    Join Date
    Apr 2010
    Location
    Staffordshire
    Posts
    271
    Thanks
    57
    Thanked 29 Times in 23 Posts
    Rep Power
    5
    And done.

    Turns out in removing the script I also got rid of the WP index.php, which had been modified. All seems well now for the time being.

    Cheers for your help Clinton.
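
    The backup check and the modified index.php described in the posts above can be done by hashing every file in a known-good backup and in the live web root, then listing what was added, removed or changed. This is an added example, not code from any poster in the thread; the file names and contents are constructed placeholders, and it assumes the backup predates the intrusion.

```python
import hashlib
import os
import tempfile


def tree_hashes(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_to_backup(backup_root, live_root):
    """Report files added to, removed from, or changed in the live tree."""
    backup, live = tree_hashes(backup_root), tree_hashes(live_root)
    common = set(backup) & set(live)
    return {
        "added": sorted(set(live) - set(backup)),
        "removed": sorted(set(backup) - set(live)),
        "modified": sorted(p for p in common if backup[p] != live[p]),
    }


def write_tree(root, files):
    """Create a constructed sample tree from {relative path: contents}."""
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


def demo():
    # Constructed sample data: names and contents are placeholders only.
    clean = {"index.php": "<?php // front controller",
             "wp-config.php": "<?php // settings"}
    live = {**clean,
            "index.php": "<?php // altered front page",
            "defaced.html": "<html>replacement page</html>",
            "wp-content/uploads/unknown.php": "<?php // unexpected file"}
    with tempfile.TemporaryDirectory() as base:
        backup_root = os.path.join(base, "backup")
        live_root = os.path.join(base, "live")
        write_tree(backup_root, clean)
        write_tree(live_root, live)
        return compare_to_backup(backup_root, live_root)


if __name__ == "__main__":
    print(demo())
```

    Anything under "added" or "modified" that you did not change yourself should be inspected before the backup is restored over it.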

  10. #8
    Premium Member
    Join Date
    Aug 2010
    Location
    Adelaide
    Posts
    2,553
    Blog Entries
    6
    Thanks
    1,345
    Thanked 1,570 Times in 840 Posts
    Rep Power
    52
    Sorry to be late to the party,
    your server has been hacked.
    No matter what you do now, the guy who hacked the server can undo any changes and re-infect the site.

    2b-intune.com
    1st-car.co.uk
    4-specialpigeonsonly.com

    These are just 3 sites on your server and each one has been infected.

    NOTE: Please DO NOT look at these sites if you don't know what you are doing; they could be running scripts to infect your PC.

  11. The Following 2 Users Say Thank You to grynge For This Useful Post:

    Clinton (March 28th, 2011), mgallone (March 28th, 2011)

  12. #9
    Dormant Account
    Join Date
    Apr 2010
    Location
    Staffordshire
    Posts
    271
    Thanks
    57
    Thanked 29 Times in 23 Posts
    Rep Power
    5
    Thanks for checking that out- wouldn't have had the faintest idea how to do that.

    I've done a bit more research on this guy (I don't want to use his name in case it turns up in Google and draws his attention to EP... though I'm sure these servers are orders of magnitude better than the ones used for that site... but I digress) and it seems that he/she drops that modified index onto a bunch of sites, but does nothing else. I have no idea why this is the case, but it seems very odd, and I'll be contacting the hosting provider to let them know if they aren't already aware.

  13. #10
    Premium Member
    Join Date
    Aug 2010
    Location
    Adelaide
    Posts
    2,553
    Blog Entries
    6
    Thanks
    1,345
    Thanked 1,570 Times in 840 Posts
    Rep Power
    52
    Originally Posted by mgallone:
    Thanks for checking that out- wouldn't have had the faintest idea how to do that.
    This is DEFINITELY a hosting company problem. Somehow the whole server has been compromised.

    You need to do a reverse-DNS on the IP and it normally shows you other domains hosted on the 1 server. I can give you a list of the ones I found; just PM me. I found about 390 sites hosted on the same IP as yours, and of the ones I looked at, around 15 random ones (sorry, don't have time to look at all of them), all of them had the same guy's message.

    I gather because there is no payload this guy is just after infamy. I only saw YouTube code as the infect message (though it is possible he has found a way to infect via YouTube?)
