Hacked & password recovery isn't working

  • Hello,
    My account was recently compromised. Thankfully, nothing on the site was confidential, but it had been reset to a file manger-like page listing files composing my site instead of my website. Fortunately, you could just toggle it back to “normal” (though the main slider graphic isn’t working right for browsers now).

    We “fixed it” by simply clicking a button on that page via iphone. Any random visitor could have done the same, so there is basically no security at the site at the moment. There was also something about an “exploit” so maybe it was shut down automatically? Can you tell I’m not a career web programmer? ??

    Anyway, so I’d like to fix that slider and secure my site, but unfortunately there is no clear path to support for this except this forum, no phone, email, or ticket. Inconvenient for sure, but as a free customer, I guess fair enough. Anyway, the problem now is that my email seems to have been changed also. My “reset password” link isn’t sending an email to any of my common emails. I don’t know where its going but in my current situation I can’t access my account except via ftp. None of these options get me to the dashboard that I’m somewhat familiar with.

    Thanks for any help or suggestions!
    -k

Viewing 12 replies - 1 through 12 (of 12 total)

  • Hey there,

    Sorry to here about your site. First and foremost I think that if you haven’t already done this, you should backup your site and your database. You can find instructions to this here:
    https://codex.www.ads-software.com/WordPress_Backups#Backing_Up_Your_WordPress_Site.

    In addition change the passwords to the accounts associated with your www.ads-software.com installation, and the passwords associated with your hosting provider. I am recommending changing both passwords because I don’t understand which party holds the blame for this error.

    To be honest, its hard for me tell what exactly has gone wrong. It would be helpful if you could tell us the URL of the site and how we can recreate the problem. Understanding which site admin software you use might also provide some valuable clues (e.g CPanel, Plesk, vDesk, Ensim).

    If for security reasons you don’t want to tell us, screenshots, and a more detailed explanation would help. It would help if you can also confirm whether the problem persits on computers outside your own.

    If the reset password link isn’t sending a link to your inbox, check the Spam/Junk folders of your email accounts. If this situation its time sensitive I would recommend re-installing wordpress after backing up your site in order to see whether the problem persists.

    Moderator t-p

    (@t-p)

    I suggest to start working your way through these resources:

    How to clean and fix hacked WP blog:
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
    https://www.ads-software.com/support/topic/268083#post-1065779
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    https://ottopress.com/2009/hacked-wordpress-backdoors/
    https://www.jtpratt.com/how-to-fix-a-hacked-wordpress-blog/
    https://sakinshrestha.com/wordpress/fix-if-your-wordpress-site-is-hacked/
    https://www.wpbeginner.com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it/

    Harden your WP installation: https://codex.www.ads-software.com/Hardening_WordPress

    Additional Resources:
    https://sitecheck.sucuri.net/scanner/
    https://www.unmaskparasites.com/
    https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    Thread Starter salukikev

    (@salukikev)

    Well, it was security reasons that I didn’t post the site, but as it had already been hacked, and there really isn’t anything confidential on it, I guess it doesn’t hurt to post it back up.
    It is caliberdesign.net

    If you visit currently, it is up, minus the proper slider graphic, which is just being strange in general as it shows up as a static image on a smartphone, and it doesn’t show up at all in a browser anymore (except in chrome, it briefly flashed the starter slide).

    Here is a link     to the “filemanager” screen that it was showing prior to yesteday.

    It’s not super-time sensitive, as the site is just promotional, and I’m preoccupied at the moment, but of course I’d like to get it back up working properly asap. Its going to take me some time to work through and understand these suggestions anyway. Of course the biggest and most pressing problem is that I can’t find nor reset my password. I’ve already checked my junk/spam folders. This is one area I think I’m going to need to actually contact someone at wordpress.
    Thanks for the help!

    Moderator t-p

    (@t-p)

    You need to start working your way through the resources listed in previous reply:

    I have tried recreating the problem and I have not been given access to any file-manager like page. I have tried recreating this issue on both mobile and desktop browsers. I am investigating the source code now.

    The hack could have been for numerous reasons, it would be hart to pinpoint exactly why. I would backup the database and site, take down the WordPress installation, re-install WordPress, and the restore my backups.

    I am recommending this only because it doesn’t seem like there is any sensitive information on your site, and this by far probably the easiest solution. Make sure to reset your DreamHost password before you go through with this and pick a different password for your WordPress install.

    Here is a good tutorial: https://wiki.dreamhost.com/WordPress

    Thread Starter salukikev

    (@salukikev)

    Well part of the problem is that I can’t seem to reset my password. I have tried that reset pw link and it says it sent, but its not arriving in my email (or trash or spam) that I know of. I have upgraded systems since creating the site, so I have to try to find a backed up version of the site on my previous system, but I’ll be looking at that in the next day or two.

    Here is a screenshot of the result of the link I posted earlier (which goes to google’s wayback to show what the page looked like recently). This is what I was describing as the ‘filemanager’ looking page:
    https://imgur.com/1OtYjFo
    Thanks!
    -k

    Hey three, to clarify my knowledge about the problem:

    1. You cannot access both your DreamHost and WordPress accounts
    2. When you go to URL you sometimes are presented with a file-manager looking page” that looks like this: https://imgur.com/1OtYjFo

    Sorry for this, just a little confused about the facts.

    Thread Starter salukikev

    (@salukikev)

    Hi,
    thanks for the opportunity to clarify!
    1. I think the problem is just with wordpress as I can access dreamhost with ftp still. My usual interface was via wordpress online tools.
    2. Yes, the link in my previous msg was to googles wayback machine which shows how the page looked a few days ago. It still works for me, not sure why its not for you. Anyway, the weird thing about it is, that my friend who “fixed” it did so by simply clicking a link on that page using his phone. He didn’t login anywhere, he was just a random visitor to the site, so I expect it remains pretty insecure.

    Sorry I can’t remember quite what he did, but I will see him tonight to try to clarify further. Anyway, my theory (partly due to the “exploit” msg) is that the site was compromised, which may have triggered some type of admin mode, and stayed that way until “toggled” back. Maybe that’s a dreamhost feature or something- I don’t know. If you ever get that wayback machine link to work, you might learn more about the intent of that page as the links will be preserved.

    Thanks for the help!

    Hey there, since you can still access DreamHost and its associated site admin software, my recommendation is to backup you’re current site and its database, uninstall your current wordpress installation, and re-install WordPress, then restore from backup: https://wiki.dreamhost.com/My_Wordpress_site_was_hacked.

    When creating a WordPress account for the associated www.ads-software.com installation, make sure to use a new and more secure password. I also recommend that you change the password for the DreamHost account just for extra measure, though as per your description of the problem it seems like the DreamHost account was not the point of the vulnerability.

    I’m sorry but I am recommending this because it would take too long to solve the problem but it would be take roughly 15 minutes to backup and re-install WordPress.

    If the problem persists despite re-installation, its likely that this is an issue with DreamHost and I recommend that you have a chat with their support team: https://www.dreamhost.com/support/.

    Thread Starter salukikev

    (@salukikev)

    Thanks!

    So just to clarify, when I try to log into my wordpress account, it DOES recognize my email address, and when I do the “forgot my password” routine, it says that it sends an email there.
    The thing is that that email is never received… so I don’t get it.. even if a hacker changed my login details-

    If I just entered the email address in question, clearly the wordpress system should send an email to that email address, right?

    So how is it possible that it is not arriving in my inbox, trash, spam or any other folder? I’m quite mystified about that.

    The thing is that that email is never received

    Email can be troublesome – maybe having to do with your host/server.

    Did you ask Dreamhost?

    Other ways to reset your password:

    https://codex.www.ads-software.com/Resetting_Your_Password

    Moderator t-p

    (@t-p)

    In addition, also have a read of this codex: https://codex.www.ads-software.com/FAQ_Troubleshooting#E-mailed_passwords_are_not_being_received

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘Hacked & password recovery isn't working’ is closed to new replies.