• Hello All,

    I am in the middle of a course right now and just noticed that my home page has been hacked. It seems the other pages are ok, but can anyone tell me how to resolve this??

    https://www.ai2-3d.com

    thanks!

Viewing 7 replies - 1 through 7 (of 7 total)
  • Start by contacting your hosting provider and get logs for your domain.

    Second, when you're in your cPanel or whatever you have with your provider, look for any weirdly named files; chances are they renamed your index.php and it is still there.

    Third, there are various tools you can use for a 15-30 day trial to scan your site for open vulnerabilities. Look into Nessus and also look into scanning with nmap… Ask your hosting provider first before using nmap, as it may scan more than just your site: there might be multiple sites hosted on the same IP, and it would be considered malicious to scan the IP with nmap without permission first.

    Nessus and a few other tools can scan just your domain only. After you get your site functioning again, I suggest the wp-sentinel plugin; it has saved my site a few times.

    Also, if you're using cPanel, there is an option in the file manager to see hidden files. Check that option and look for anything out of the ordinary; there could be a hidden shell script that gives them full access to everything. If you find a weird file, there is a code editor built into cPanel; open the file in it and look for words like port with numbers after it, email, user name, etc.

    If you can verify it's a shell with the info I provided to look for, then make a backup and delete it immediately, and email your host provider with details of it.

    Also, check the logs very carefully for IP addresses around the time it was hacked. If using cPanel you can filter IP addresses with wildcards, but talk to your hosting provider before filtering IPs, especially in the case if it came from an IP in their network.

    Hope this helps.
    Brandon

    Moderator t-p

    (@t-p)

    Thread Starter eliscio

    (@eliscio)

    I’ve been able to get into my site via FTP, but I can’t get to my cPanel… still working on it and contacted my provider.

    Thanks for the help…what a crappy situation to be in.

    Moderator t-p

    (@t-p)

    When you contact them, also discuss with your server as to how their server can allow this to take place.

    Thread Starter eliscio

    (@eliscio)

    I can’t get access to my pages through WordPress. Is it possible they hacked into my account and have changed my WordPress login password?

    Thread Starter eliscio

    (@eliscio)

    Ok, I was finally able to reset the password and I can get to all my pages on my site except the home page.

    So, it appears this is the only page that is messed up or somehow getting redirected to a new page.

    Any ideas?

    So, it appears this is the only page that is messed up or somehow getting redirected to a new page.

    Any ideas?

    As I stated above, log in and set it to show ALL files. Look for anything with a weird name to it; chances are they uploaded a hidden shell script in your root dir or one of the other dirs that allows them total root control of the space you lease from the provider.

    Also, ask your provider to have a tier 3 admin scan your site for any ports open that should not be.

    Please trust me on this. I used to be in that scene; I gave it up because I have kids and a life and do not want to be involved with illegal activities any more.

    I am going to school to help prevent this sort of thing, and if those Saudi hackers are a part of another group that used to rival mine, I know they have a hidden shell server on your box.

    Sometimes they rename the shells to match the name of another file that is supposed to be there.

    Download as much of your site as you can, if not all of it, and use a program that can edit PHP files, like the freeware Notepad++, and look inside each file for random things like user name, password, port, etc.: stuff that should not be in any file that normally runs your site.

    Also look for files with screwed-up names and extensions; they might be your main index.php or the shell server.

    If you need more help, please feel free to email me: westnile at inbox.com. If you live in the US or Canada and have free long distance,
    I would be open to letting you call me to help you fix this.

    Brandon
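The file checks described in the replies above (hidden files, odd names and extensions, and keywords such as port, user name and password inside PHP files), run over a downloaded copy of the site. This is an added example, not part of the thread; the keyword pattern, the `EXPECTED_SECRETS` allow-list, the function names and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Words the reply says to look for: "port" followed by a number, user name,
# password, email. Assumption: a plain case-insensitive match is enough for triage.
KEYWORDS = re.compile(rb"port\W{0,5}\d{2,5}|user_?name|password|e-?mail", re.I)
# Assumption: the one file expected to hold credentials in a WordPress install.
EXPECTED_SECRETS = {"wp-config.php"}


def triage(root):
    """Return {relative_path: [reasons]} for files worth opening by hand."""
    findings = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        lower, reasons = path.name.lower(), []
        if lower.startswith("."):
            reasons.append("hidden file")
        # e.g. index.php.old : possibly the original page, renamed
        if ".php" in lower and not lower.endswith(".php"):
            reasons.append("renamed PHP file")
        # e.g. logo.jpg.php : PHP posing as another file type
        if lower.endswith(".php") and lower.strip(".").count(".") > 1:
            reasons.append("double extension")
        if lower.endswith(".php") and lower not in EXPECTED_SECRETS:
            found = KEYWORDS.finditer(path.read_bytes())
            hits = {m.group(0).decode("ascii", "replace").lower() for m in found}
            if hits:
                reasons.append("keywords: " + ", ".join(sorted(hits)))
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo():
    """Triage a small constructed copy of a site (sample files, not real ones)."""
    samples = {
        "index.php": b"<?php require 'wp-blog-header.php';",
        "index.php.old": b"<?php /* original home page */",
        "wp-config.php": b"<?php define('DB_PASSWORD', 'constructed');",
        "wp-content/uploads/.cache.php": b"<?php $port = 31337; $password = 'x';",
        "wp-content/uploads/logo.jpg.php": b"<?php // constructed placeholder",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return triage(root)
```

Point `triage()` at the folder the site was downloaded into. Every hit is only a candidate to open in an editor: stock WordPress files also contain words like "password", so expect false positives.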

  • The topic ‘home page hacked’ is closed to new replies.