Hacked by Hmei7

I think you can update the users table and left the field user_pass blank of all users except your admin.
So, update the password of your admin:

update wp_users set user_pass = md5(‘new password’) where ID = XXX;

Search for backdoors/malicious code mainly in plugins and themes.

Unfortunatelly, if the hacker used an vulnerability on some plugin or theme, the “door” may be open!

Hi, i also was Hacked by Hmei7. I did end up resetting my passwords and was able to login to my WP account. Only thing is, its a mess in there ?? I had a friends, friend set WP up for me, who he is no longer in contact with ?? He has sent me the ‘wordpress theme’ files for my website.
Can anyone point me in the right direction or give any suggestions of what i’ll need to do, to get rid of ‘Hmei7’ doings?

Thanks

Hi, some of my sites have been hacked too.
I searched whole FTP trying to find the source…nothing. But then I did this.

SOLUTION:

1) Reset your CPanel/FTP password. It should come to e-mail u registered with your hosting provider. Give them a call if u forgot.
2) Login to CPanel and open PHPMyAdmin
3) Open your wordpress database (wrdp1 or whatever u named it), have a look at wp_posts table
4) Delete all instances of <script>…., it hides in post_title column on my site.
5) change your wp-admin pass in wp_users, user_pass field.

I suggest changing your database password to a very strong one, and backing up your SQL database as well, so next time all u have to do is import it back.
Regards,
Lana ??

After you’ve done all above, 2 things need attention.
My admin pass still didn’t change.
So I changed user_email in wp_users table to my e-mail. And in mysite.com/wp-admin click Lost Your Password and input the e-mail.
Another thing, after the hackers <script>… is removed from databse post_title, you will have to put ALL Page titles in Pages, Menu labels, Post titles etc. Easy way to do that is Quick Edit –> and have a look at your slug.

Thanks so much for your fast reply! ??

This is what i found hidden in the post_title column..

<script>alert(‘hacked by Hmei7’)</script><h1>hacked by Hmei7
</h1><div style=background-color:black;>
<h1><font color=cyan>hacked by Hmei7</font></h1>
</div>

should i delete the whole lot?

Hi, yes it’s the same thing I had – delete the whole thing.
But be careful – this means you are deleting a Post/Page title.

If you see the column next to it says post_name, say for example it’s hello-world. You can delete the hacker code and put “Hello World” instead in post_title. ?? Or login to your wp-admin and do it from wordpress pages/posts.

Excellent!! i see it ?? Thanks so much Lana! you have made my day much easier!! I was meant to go to the beach 2day..but instead i’ve been trying to fix my site ;/ Thanks a mill ??

Another question… How do i prevent this from happening in the future?

I was told i could clone my theme?

Haha, no problem ??
Yes, you can backup your theme folder, just copy it from your FTP program.
Then login to /wp-admin, go to Tools–> Export –> All content.

I would also advise you to backup your database. Go to PHPMyAdmin (click home icon) and click Export –> SQL. So in the future, you can import it. Try to back it up after major changes or once every few weeks.

Also, would be good to change your Database password. in CPanel –> MySQL Databases create a new user. Generate a very strong password. Click Add User To Database. Tick all privileges.
Now you can remove the old user from database.

Important! Download the wp-config.php file from server and change the DB_USER & DB_PASSWORD fields to new ones, or you’ll get an error.

Sorry for my ignorance ?? ..i just want to make sure i’m doing your way..
FTP program is within the host right? There is a section that has “FTP Accounts”, “FTP Session Control”, “Backups” etc. When i click on Backups this is what is say..

Backups
Backups allow you to download (to your computer) a zipped copy of either you entire site (your home directory, databases, email forwarders configuration, email filters configuration) or one of the previously mentioned parts of your site. These are not automatically scheduled backups. Automatically scheduled backups need to be enabled by the server owner / administrator.

Full Backup
Full backups can only be used for moving your account to another server or keeping a local copy of your account.

Is the the backup i am meant to be doing?

Thanks again ??

This is also what i found about the wp-config.php & DB_USER & DB_PASSWORD..it says i can not download it but create a new one?
https://codex.www.ads-software.com/Editing_wp-config.php

I swear this was so gay ??

they hacked into our forum to access our website which we don’t even use.
I went in the backend, index.php deleted what they put in there, as they took over our whole website.

I have fixed it all. just matter of backing up I guess.

I then went to cpanel and reinstalled fantastico wordpress coz i thought stuff it might as well see what happens if I try and my website came back up. then had major issues with my login and did what Loldig suggested.

it worked and you saved the day for me. appreciate it heaps.

i deleted the forum..unsure if there is anywhere else I need to go to prevent these things happening again.

let me know what else i need to do other than backup of website.

Sim

Missmagica,
Regarding the wp-config.php, they are simply saying that in the beginning it was named wp-config-sample.php but depending on manual or auto wordpress installation at the start, it is renamed to wp-config.php. You can download one from your server via FTP/ Cpanel file manager and replace DB_USER & DB_PASSWORD (if you created a new user of course, see my prev post).

Backups – yes, if you have a CPanel simply click Backups icon in Files tab. Full Backup would be best option if you have WordPress. I chose ‘Home Directory’ – local server backup. It will generate a .rar archive in your home (/) directory.

After that, either go back to Cpanel –> Backups –> Full Backup. You’ll see Backups Available for Download. Download the file. Or is the site’s too big, connect to your server via FTP program (like Filezilla). You will see .rar archive called backup-[date]-tar.gz. Download a copy to your PC.

Warning: if you have a shared hosting, you cannot restore a full backup. You have to ring up your hosting company and ask to do that. If you do own a server, you can restore backup from your WHM panel (link).

Hope this helped. ??

I had a site hacked by this guy, too. After a bit of poking around I found that he had replaced the header.php file (that’s where all the code for his ugly flashing black “you’ve been hacked” stuff was.

I uploaded a copy of the original header.php for the theme via FTP, and voila! – the site was back up.

Meant to mention – I also (after changing all passwords) installed the BulletProof Security plugin, which I think should protect against this type of thing in the future.