sattan.org has royally messed up my blog

See if there is anything useful for you in this thread.

https://www.ads-software.com/support/topic/220840?replies=14

I would download the WordPress ZIP file, and FTP upload/overwrite ONLY that wp-header file.

Same thing happened to me. Here’s the solution I found:

https://www.newcoolthang.com/index.php/2008/12/wordpress-hack-alert-sattanorg-spam-redirect-in-wp-blog-headerphp-files/588/

Someone else said I need to do more but I haven’t looked into that yet:

https://www.ads-software.com/support/topic/220840

man.. bummer to hear you got this.

it may also be worth asking your webhost to delete the offending header.php file and then upload your last known good copy.

Thanks everyone. I’ve read all the threads listed, several times, and the problem is – I can’t access my dashboard at all, even with two new passwords, clearing out my cache and cookies from two different computers. I even had my husband try to log in from his work computer and he’s NEVER been to my blog’s dashboard so he was completely starting fresh, and he kept getting the login screen too.

I’m talking with my host, maybe she can delete the offending text from the header php file for me, since I can’t edit my files via ftp. I guess the hackers have removed my edit rights. As it looks now, I’ve probably lost 2.5 years of blogging. My blog doesn’t even generate revenue – they did this to me for nothing.

And – before someone yells at me for running an older version of WordPress – yes, it’s true, I was. I was of the opinion that if it isn’t broke, don’t fix it, and it was working fine until last Wednesday. So yeah, my bad, but I still didn’t deserve this – none of us did.

what the hack does is change file permissions. so with your ftp program change permissions of your wp-login.php and any of the files you need to change. as you will see the hackers unchecked the “write” box.

if you don’t know how to change file permissions just google your ftp client and “file-permissions.”

good luck. this hack is pain but you’ll get it sorted ; )

ps: this hack is an royal pain. i thought i had it cleared but it came back last night.

Oh man. Bob, I’ve been following your progress in hopes that you’d figure it out and maybe I’d be able to figure it out too!

Here’s a question for ya. Is this strictly a WordPress problem? My host tells me that my blog isn’t hacked, yet I can’t edit the wp-blog-header-php file from my ftp site, so I’m curious. I just double-checked and I have write permissions for everything EXCEPT the header file.

As far as I can tell, this hack has been aimed pretty much directly at wordpress installations. Although there are no doubt variations out there for other popular CMS.

It seems they’ve logged in anon, edited your file, then CHMOD the permissions to stop changes being made.
You should be able to CHMOD your permissions back (you should still be listed as the file owner).

I’m so sorry to hear that this happened to you!! I’ve been researching how to prevent this from happening. I just installed wp-super-cache plugin and am wondering what permissions are safe.

Does anyone know what permissions should be used on all WordPress blogs?

Sorry, I wish that I could help! All I’ve figured out is how to change the permissions in cpanel. If you need help with this, let me know;)

Also, this is a great opportunity to remind everyone to back up their server files often!

Thanks!

Well, in a matter of 4 seconds I answered my question:) Should anyone need to know, the permissions should be set at 755.

Here is a link if anyone wants to learn more about permissions;) (For CPanel) https://www.siteground.com/tutorials/cpanel/file_permissions.htm

Question, were your permissions set at 755 when you were hacked?

Thanks!

Thanks, Susan!

I’ve never messed with my permissions, so they were set at whatever was the WordPress default. I had not upgraded WordPress in who knows how long, and my understanding is that this wouldn’t have happened to me if I had. Lesson learned.

My blog is still down. My hostess is talking to Dreamhost about deleting all my old files (I have a backup from three days before the hack hit) and doing a fresh install. I’m not sure that’s the best way to go about reclaiming my site, but it’s the only thing we could figure out to do, particularly as I’m not well-versed in WordPress or code and my hostess doesn’t provide support for WordPress.

I’m sure I’ll be back on the forums as soon as the fresh install is run, trying to figure out how to reload my 2.5 years of content. Sigh.

you should be able to use your web server account’s control panel (cpanel or plesk or whatever the hosting server has) and the File Manager or whatever tool they provide and reset the permissions for the affected files, right?

Or, the hosting company’s tech should, if you can’t.

You should disable anonymous FTP, make your password really hard to guess, don’t use the default “admin” name when setting up a WordPress blog (make that hard to guess, too), and change the permissions of some key files from 0755 until you need to edit them again… DreamHost (DH) does use Fantastico, so you can pick something other than “admin” as the administrator username. Pick something hard to guess, including some caps and characters.

And of course, always keep WordPress up-to-date, particularly if security fixes are included in the release.

Is there any reason you cannot use DH’s cpanel to access phpMyAdmin and export out your data tables? That IS your content and frankly, you don’t have to rely on WordPress to backup your data. In fact, I never do.

DH should be able to delete that wp-blog-header file. Or, you can use your cpanel’s File Manager tool to locate it and do it, after resetting its permissions to 0755. (using the File Manager, navigate to the web root or where you installed your blog, look for wp-blog-header.php. Click it. There should be some means to see the current permissions or to “change permissions” when the file is selected.

Google file permissions to understand what is needed.

Then upload a fresh wp-blog-header.php file in the same location.

You should be able to get into your blog after that. I’ve never had this hack happen to me, but if it’s just a single file and being able to overwrite it, you have to delete that file and replace it with a fresh copy… then make sure that no users except yourself are administrators (once you can access the wp-admin)…

NOTE: you have to export your data tables using phpMyAdmin to get your current data into the fresh install. This is very easy.

1) find your phpMyAdmin tool in the cpanel at DreamHost.
2) Navigate to your database.
3) Click the Export tab.
4) Select All tables listed in the menu (they are probably pre-selected, but you should see a Select All link).
5) Scroll down to the Save as File and check that option. Export with “none” for compression. This produces a .sql file.
6) Save the file to a location where you can find it.
7) In the text editor of your choice (I use Dreamweaver CS3 and modify its preferences to add .sql to the File Types/Editors it understands how to open) try a Find on sattan.org to see if that shows up anywhere in the actual data fields… I’ve never experienced this hack, so I don’t know if they put something into the data.

You also need to save your theme files and plugins unless you plan a whole new theme. Theme files are stored in wp-content/themes/

To get the data into your fresh install:

1) install in the same location as the previous install. (technically, you don’t have to but you’d need to do more Find/Replace in the data before using it if you don’t)
2) Using phpMyAdmin, navigate to the new database.
3) click the name of the database.
4) in the first screen, find the link that says “check all” below the list of tables.
5) In the menu that says “with selected”, choose Drop.
6) Click the Go button and OK the next verification.
7) Click the Import tab.
8) Browse to find the .sql file from your original database export.
9) Click the Go button.

All should work well. However, in 2.5yrs of blogging, your database could be quite huge and there could be issues importing the data. Additionally (you didn’t say what happened after the updating to a newer version was done) there could be strange problems with html entities or characters, which happens if you wait a really long time to upgrade your install of WordPress… and DH isn’t the best host for WP, imo. I used them for a while, but they are more expensive than necessary and you have to pay extra to get phone support.

midphase.com, anhosting.com and many others work as well or better (same cpanels, fantastico, etc) and 24/7/365 support by email or phone.

If you change hosts, you can move your blog using the exported data tables, but you will have to do more Find and Replace on the sql file depending upon where you install the WordPress application.

HTH
Casey