My site got hacked… by Iran

While your site is certainly malfunctioning, it does not appear to be due to hacking attempts. A scan with sitecheck.sucuri.net doesn’t indicate anything amiss, though this is certainly not definitive. If troubleshooting does not yield any clues, the proper response may be the same as if it were hacked — wipe everything and restore from a known clean backup.

First look at the posts table with phpMyAdmin or similar and confirm the posts that are not found are indeed there. Also deactivate all plugins to confirm a faulty plugin isn’t interfering. If you’ve upgraded to 3.9, there have been reports of several plugins being incompatible.

Define WP_DEBUG as true on wp-config.php to see if any PHP warnings could be causing trouble. (Don’t leave it defined as true for too long, it’s a slight security risk)

The reason the not found message is coming up is the query is not returning any results. It could be the URL was incorrectly parsed so that an impossible query was constructed. You can eliminate some parsing code by turning off pretty permalinks.

You could also hook ‘request’ and var_dump the passed query vars and check for any vars that do not belong. Or hook ‘posts_request’ to output the actual query string that is passed. Whatever is wrong here is a clue to what may be causing the bad processing of the request URL. If it makes no sense, you are probably back to the need to wipe everything and try reinstallation again, restoring the DB from backup.

Thanks buddy!
Really good analysis.
Meanwhile, most of the posts are disabled.
They did a pretty good job on this site.
The weird thing is I can’t find anything that causes these problems.
By the way, can u give me a hand here, and look inside to see yourself?

I’d like to help you, but the troubleshooting steps I’ve outlined require FTP and phpMyAdmin access, which means if I did something stupid I could completely destroy your site. I don’t want that responsibility. You need to be very careful who you give such access to.

Since your site is fairly new, instead of spending a lot of time trying to figure out what went wrong, it may be easier to handle this as a hack (I still do not think this is a hack) and wipe everything, do a complete reinstall, then restore the DB from a backup made before the trouble started. If you do not have such a backup, before wiping everything, export only the posts table and only images in the uploads folder that you know are part of the posts. Everything else will be lost.

By limiting what content is used from the possibly hacked site, you minimize the chance of reintroducing malicious code when the data is imported into the new installation. The risk of reinfection is still there though. To be completely safe, consider starting over with new content and use nothing from the possibly infected site.

To be safe just in case there was a hack, also change all passwords before doing anything else, then change them again when the new installation is complete. More information on dealing with hacks is available from FAQ My site was hacked.

Zipsucks,

i dont believe your website has been hacked.
Try and do this.
* check on your users. If the Iranianian is one of THE users? DELETE HIM.

I can’t even post anything ??

Back up everything.
Delete everything. And start afresh.

bcworkz:

I’m ready to wipe it out and start from scratch.
I’m concerned, though, that the ayatollahs will try the same sh!t again.

I think your guess re permalinks is correct. I prob. observed them change dynamically, while I was editing.

What if I offer u the FTP access to snoop around? Would u give it a try?

My site has been hacked and I can’t access my homepage what do I do?

smithjackieline – please see FAQ My site was hacked. If you have any other questions, please start your own topic, I’d like to focus on the OP’s problem here.

zipsuckscom,

If you are going to wipe everything, there is little point in snooping around. It is a waste of time for both of us. Spend your time productively in cleanly restoring your site. As long as you use strong passwords, WP itself is very secure, there is no way access your site again unless it is through a compromised plugin or theme, or the infected site was improperly wiped, or you have spyware on your personal computer used for admin access. If you have all of these vectors protected, there is nothing to worry about.

I am still not convinced anything untoward is at play here, more likely something just got corrupted somehow without any malicious activity involved. Either way, the response is the same. A clean reinstall will correct the issue regardless of the cause.

Thnx buddy!
You were a great help.
And off we go to piss off the ayatollahs!