Anyone been “haCked By r00t-x”

  • I’m running the latest 2.8.4 and went to my admin page for my wp blog and the standard login page had been replaced by a page stating “haCked By r00t-x”

    i now have no access to my admin, after reading around a couple of forums;
    https://forum.joomla.org/viewtopic.php?f=432&t=432323
    https://forums.digitalpoint.com/showthread.php?t=766981

    the general solution seems to be server side. It would appear that;

    1. It is a server level vulnerability

    2. The hacker gains access to the server (probably embedded within a program/plugin such as ZenCart/or any other uploaded by another hosted customer) and runs a script

    3. The script recursively modified all files that start with “index” or “admin” or something like that. this may also include files that end in “admin.js” or any other admin.other ending.

    While my host server guys are trying to fix it they suggested “You will still need to update this script by looking int Wpress site or forums for known issues and updates.”
    i can see no mention of this hack on the forums. anyone else experienced it?

Viewing 3 replies - 1 through 3 (of 3 total)

  • Yes! Running latest wordpress and I’ve just tried to login to my admin and had the exact same message. Have you managed to fix it? I’m quite new to this and am unsure what to do, and likewise can’t see it mentioned anywhere else on the forums.

    Thread Starter shanehughes

    (@shanehughes)

    Hi anna,
    Not found a solution as such. My host tried to replace some files but didn’t really work. Although i think this is one solution. What i did was delete all databases and files and start again, which isn’t an option for everyone.

    I think the second question is; How did this happen?

    I initially thought that this was a problem caused by someone else on my shared server uploading a program or plugin which was infected and which infected other users like me but my host said that i’m the only one affected. This maybe them covering their back because it means that i started it rather than their vulnarability having a negative effect on my site/work. But lets imagine that it was a plugin that i’ve installed, i hadn’t installed anything in the last 3 days before the hack so perhaps the hack script is on a timer which means that it could be anything that i’ve installed at any time. My most recent installs have been;
    a theme called concept
    plugins such as contact 7
    simple image

    does any of this correlate to something you’ve installed recently?

    This just happened on Media Temple hosted accounts.

    It was a sever exploit and not a WP exploit. It looks like the common fix for this is to reinstall the index file via ftp.

    This is for the MT attack, I don’t know if it holds true in other hacks done by this person so make sure you check with your hosting provider.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Anyone been “haCked By r00t-x”’ is closed to new replies.

Tags