Hacked By Badi

To change the charset – look under Settings/Reading. This doesn’t display for versions since 3.5 but if you have been hacked then it should be there.

It looks like if you delete the the widget first you may not be able to see the UTF option.
(if you can’t see the char set details under Settings/reading then you need to go into your wp-config and edit out the following code.

// define(‘DB_CHARSET’, ‘utf8’);

Then delete widget & change title back
The widget is a text widget with a script which you will find if you look under Appearance/Widgets – you should be able to delete that.
To change the title back – Settings/General under Site Title

One of my client sites had this hack and after checking with the hosting company we found it to be a symlink exploit involving cpanel which they patched.

https://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/

Because this is a cpanel problem it is unlikely that other WordPress files will have been compromised but you should do a full security audit anyway.

I experience the same “Hacked By Badi” issue.

Jason, I checked the symlink exploit trail with my hosting (Webhosting Pad) and they answered

I can confirm our servers are secured ageinst these types of attacks. Our server configuration does not allow symbolic links to be abused in this mater.

Should I believe them?

@ymf I assume you gave them the full whmscripts link mentioned above

The hosting company I dealt with confirmed that only a single account being unsafe can lead to other accounts on the same server being exploited.

There are some steps you can take yourself. You could and should reset your cpanel passwords and set a separate password for your database making sure that is not the same password as noted in that link & make your wpconfig file permission to be 600.

I’m not sure if this will protect your site if the cpanel patch has not been applied to the main server but it can’t hurt.

If your site has been attacked in this way then it has come via cpanel I use a fair number of server hosting companies around the world and some are better than others. Unfortunately some companies are more helpful than others.

You may want to escalate from a customer service person to an actual engineer. If the hosting company is credible than they should be happy to double check that their processes have indeed been fully checked out.

Also note above: I can see I made a small but important mistake where I mentioned

“need to go into your wp-config and edit out the following code.”

// define(‘DB_CHARSET’, ‘utf8’);

Of course you just have to edit out the // at the front so that the charset is restored because it has been commented out. Whichever way you do it the charset in wpconfig need to be restored back to utf8.

I compared the before- and after-the hack backups; the hack is completely DB-related, no file in the file hierarchy was changed. Apparently, somebody saw my DB password in the wp-config.php file.

I think my web host lied to me. Itching to prove them that their server configuration does allow symbolic links to be abused.

Anyway. I protected myself by changing permissions on wp-config.php file to mode 600, then changing the DB password (all this after having restored the site from a good backup). Issue closed.

Correct. For this breach only widget & utf charset & title get changed so sounds like same symlink exploit. Your changes will help but you may want to use succuri scanner plugin to keep an eye on site and also lockdown uploads, includes & content.

Jason, thank you. Your fix – delete text widget, fix charset, fix title, was exactly what I needed.

Thank you again! I was just hit by this hack, and I am glad you had a solution at hand. I have also changed my cpanel password, if this is indeed the path being used to hit the crown jewels.