Hacked – Twice

To further this , I have just found that nothing has changed since the deleting/uploading of the new files/ upgrade. Today/Tomorrow are very important days for my blog with information regarding legal action against the site being shown to readers as well as an updated skin/site expansion. I feel extremly downheartened.

Though I believe the issue should be fixed it’s not.

My knowledge of coding is pretty limited so all my attempts at searching through each file for a line with a redirect script to the website has been futile and seeing as i reuploaded all the files it can’t be from there.

you would be surprised where ppl hide things. I found malicious code in a guys wp-settings.php, once .. They also like to use javascript encoding to hide things.

If you want, zip up all of your WordPress files, including the config, (you can xxx out anything that you dont want me to see) and I’ll happily find the ‘evil code’ for you.

send it off in a zip to :

whoo AT (remove all of this please) village-idiot.org

that is awesome whooami
I don’t know how you do it but that is neat if you can find it like that

good luck MacNumbers

p.s. from what I’ve been told you need the permissions (chmod) 644 on files, others can tell you more, also check the Codex under “Hardening WordPress”

Check your e-mail Mike .. its in your database..

you will need to find that link, its been added to your blogroll.

then you need to change ALL your passwords

then you need to upgrade to 2.2.1

2.1.x is not a secure version of WP to be using

I’m off for a while but if you need anything just give me a shout.

actually, scratch that, I fixed it for you..

this is what I did:

your main page redirects, so what you do is go straight to your wp-login.php ..

I logged in, went into your blogroll and deleted the link.

See image here:

https://www.village-idiot.org/broke/mike.gif

now, I also noticed that that says your running 2.2.1 however the version.php that I saw in your rar said you running 2.1.3

I hope that you are doing the upgrade and thats why I see a different version ??

Hey , Just emailed you and the problem isn’t really solved. Some of the links in my admin still redirect to the hackers page . I can’t seem to find any code in the actual files .

Regards and thanks alot for helping.

Did you upgrade all your files to 2.2.1 as Whooami suggested in a previous post?

Replacing all the files will reset the settings in your admin to their default locations.

Did you also change all your passwords (including your FTP one)?

Yes I did. It hasnt been rehacked this is from yesterday . It’s when I click on Users in the admin panel , it loads the page and redirects it straight after to the hackers page. I think they have inserted something into the database…

I have also found out how they got access. Via the upload folder perhaps the permissions weren’t set correctly. … This is so stressful.

Pffffffffffffff. Finally got access to mysql and sorted out all the redirection scripts he had inserted into the database. thanks everyone for the help you have given me.

I now need to know exactly what folders need permissions and which ones dont.

Regards
Mike

I now need to know exactly what folders need permissions and which ones dont.

safe (for the most part) and sane:

directories: 755
files: 644

that WILL prevent you from using the inline uploader and the theme editor.

i had the same problem then i crated a new MSQL User and deleted the old one.