Restoring Hacked Site

  • Apparently someone hacked into one of my wordpress sites running 2.0.2, https://www.SydneysBluesandJazz.com. They were able to upload an obnoxious index (I’ve already removed it and stuck a coming soon page up) and it looks like they trashed most of the WP files that live outside of the folders.

    I’ve uploaded the files but I am still getting a bunch of weird errors, including having https://www.sydneysbluesandjazz.com/wp-admin/install.php at the top of the page if I remove the temporary index. Can anyone talk me through how to save this?

    I’m also concerned about fixing it so this isn’t possible in the future – I have several wordpress sites and now I’m concerned that my permissions are wrong or something to have had this happen.

    I do have a backup of sorts, but it was done before I did about 3 additional hours, so a straight restoration isn’t my first choice of options.

    Thanks in advance!

Viewing 6 replies - 1 through 6 (of 6 total)

  • Backup your database FIRST – very very important you do.
    Download all the wp files.
    On the server, delete those WP files
    Once you have downloaded the wp-content folder, delete it.
    Keep wp-config.php

    Upload the new WP files and wp-config.php
    That will get your blog working – albeit with a default theme.

    The most likely files to have been damaged are in /wp-content/themes.
    You can examine those for extra code that has been added, or you can trash the whole lot – and get new copies from wherever they came from.
    Once you have those, upload and put theme and plugins back together.

    It was very probably a rogue script on the server that did this. To protect yourself, no Directory should have permissions greater than 755, and no File greater than 644.

    Ask anything you need ??

    Thread Starter Sue

    (@kadian)

    Podz thank you so much – I already backed up the db, I’m waiting for the templates now and will try these fixes once they’re in hand. Thank you!!

    Thread Starter Sue

    (@kadian)

    This happened again today on a fresh install I just finished. All the directories are at 755 or lower, no files are greater than 644 and it *still* got hacked.

    Will removing the install.php file help? Are there any known plugin issues that could be faciliating a hacker?

    Any assistance greatly appreciated. You can see the hacked site here (I’ve left the hack up): https://mariaangeline.com/

    Sue

    Thread Starter Sue

    (@kadian)

    Update:

    I just heard from my hosting company and they’re saying the problem is that it’s WordPress and a vulnerable script. Help! I am running 10+ wordpress sites and am not minded to change.

    Sue

    The hacked file is an index.html file. If there is an index.html and an index.php file at the same place, the server may serve the html file first. When, I type:
    mariaangeline.com/index.php , I got your WP site. When I type:
    mariaangeline.com/index.html, I got the hacked page.

    I guess the hacker got your FTP password. Change it. Or, do you have a script somewhere that allows to upload, create files online? Or, maybe the hacker put this script somewhere on your site.

    Have you removed the .htaccess file? (there may be a backdoor there).

    Is your password a dictionnary word or a combination of 2 words that can be found in a dictionnary? Invent a long password (10-12 characters) with numbers in it.

    Blaming WordPress? How many security alerts with WP? Quite a few, and quickly fixed. This cheap talking is very easy for people who try to hide their ignorances. Maybe you can blame your provider for not securing its servers enough?

    Kadian,

    Get a new host. I don’t see any evidence wordpress was the vulnerability. And I don’t think they know enough about where the problem is. Unless they can tell you exactly how it happened, and can reproduce it, don’t believe their conclusion. It’s easier to throw blame around than it is to close security holes. I would bet the whole account is compromised n0ow, and possible the entire server. Wipe it clean and start fresh is my recommendation.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Restoring Hacked Site’ is closed to new replies.