2.5 – maybe hacked

  • I think I’ve been hacked, but I’m not sure.

    I have found at least 3 files, added to my site on Apr. 15. ad_wp-password.php, and then in plugins ad_hello.php and inside plugins/akismet there was ad_akismet.php.

    So – I’ve removed or renamed the files in question. (They all seem to be the same php code with the different names).

    I changed my admin password. Deleted all of my subscribers (they are all questionable anyway); checked the user table with PHPMyAdmin and there is only one user which is the admin. I changed the mysql password as well.

    I’ve not seen any posts with hidden iframes (guess that’s the next thing to look for);

    The thing that made me look for something was the presence of some off the wall incoming links (spammy looking comments from non-existent websites like demoniashoes.yourshoestore.com/2008/04/06/emmaus (the title and the date are appropriate for a post on my site, but host is all wrong – not even in the ballpark).

    Is there anywhere else I should look? I think this might be something that is indeed left over from being hacked under 2.3.2 or 2.3.3 a couple of months ago. that one just put a whole hidden folder of pages in wp-content.

    I have a copy of the code if anyone should see it in order to figure this out.

Viewing 6 replies - 1 through 6 (of 6 total)

  • Good so far, you should probably check all of the php files in your theme looking for the iframe insertion. Also check your plugins.

    Good luck

    Thread Starter nicollb

    (@nicollb)

    Thanks – theme files are next.

    The dates on the plugin files seem ok, other than the ad_*.php files which were added on april 15. but I’ll look there as well.

    You might want to consider setting up some logging..

    https://www.ads-software.com/support/topic/169715?replies=4

    Out of curiosity, how exactly does one go about checking for an iframe insertion? what would that look like? Thanks!

    You can search on iframe and find quite a few threads. Here’s one that will show in general what this hack looks like.

    hi
    i also believe i have been hacked. i have been experiencing problems with my site for some time now, perhaps the most noticible symptom was this:

    WordPress database error: [User ‘???????’ has exceeded the ‘max_questions’ resource (current value: 50000)]
    SHOW TABLES;

    there is a discussion on this forum where i also posted my problem. then occassionaly my database would be hacked so that i would have to restore from a backup. this happened a few times over a month or so. i also noticed that i was getting high volumes of spam mail (viagra, watches, shoes and penis emlargement)

    i then checked the files and folders on my site and removed ones that looked suspect, restored my database and changed all user names and passwords. it worked….then all i got was a blank page but i am able to log in so i reselect my theme and view the site. its back and works perfectly….for a while then a blank screen again. so i select the classic theme and it works….until now when i tried to access my site i get the installation page, enter blog title and email. i am given a user name and password and am told my new blog has installed successfully. of course the database is gone.

    so i suspect that there must be some hack file within the plugins that i have installed or within the database backup that i keep restoring as i deleted all the other wordpress files and theme files, loading “clean” files.

    my question now is, how will i be able to screen the backup and plugin files (plugin not so important because i can download from original sites) but the backup contains all my posts, etc!!

    appreciate any help.

    thanks.

    clive

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘2.5 – maybe hacked’ is closed to new replies.