• lindalunnmiller

    (@lindalunnmiller)


    Hi – my client's site has been hacked by what appears to be a political group.

    https://www.dancecoquitlam.ca

    I tried restoring the website using the FTP file management function in CPANEL and the site came back but was rehacked within a couple of hours.

    Is there a plugin or set of code that I can install that will block this kind of attack?

    Let me know.

    Thanks
    -Linda

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter lindalunnmiller

    (@lindalunnmiller)

    More information:

    It appears that the second hack altered only files in the WP-Includes directory.

    The first hack only showed the Turkish flag at the URL for the dance studio; the second hack is redirecting the user away from the dance studio site and asking the user to click on a link – there is an audio of gunshots playing at the redirected site.

    Have a look and let me know what steps I should take. The hosting service provider has been working on this for 8 days now…

    Thanks!

    -Linda

    wslade

    (@wslade)

    You are correct! It seems someone has gone to extra effort to damage this site. It could be that your restore was too new and it had hacked code.

    Did you restore the database when you restored everything else?

    Did you change all the passwords – ftp, cpanel, wordpress script, database and on your local machine you use to access the server? It might be a good idea to virus scan your local machine as well as the server.

    It’s also possible the hacker never left between the first and second hack.

    It’s time to start the hack removal process and when it’s finished then additional security.

    Start with these:
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    https://sakinshrestha.com/wordpress/fix-if-your-wordpress-site-is-hacked/
    https://www.wpbeginner.com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it/

    Best of luck…

    Thread Starter lindalunnmiller

    (@lindalunnmiller)

    Thanks for the information.

    The restore was a copy from files created January 15th which appeared to be unaltered; the site was first hacked Feb 2, the second today. The site was new; the backups I have are all from January 15th.

    I have altered all of the passwords so that’s not it. Will do a scan on my computer – unlikely that this is the cause but will try it.

    The new hack only altered files in the WP-Includes directory.

    I can still access CPANEL. Is there a chance the hacker code is resident on the host service provider servers?

    Let me know…
    -Linda

    wslade

    (@wslade)

    If this is a shared server, there is the possibility that your site is being accessed by way of the shared environment. You said the hosting company had been aware of the issue for 8 days. I would hope they scanned the server and took action to prevent a recurrence from their side. It wouldn’t hurt to ask what they have done so far and for assurance they are not the source of the problem.

    I have no ties to the hosting industry but I can say that very often they are a convenient target for blame and suspicion. I can definitely say that other users with outdated and unpatched software have been a source for damage to sites like yours that are up to date.

    The reason I suggested a scan of your desktop(s) is that viruses often harvest ftp credentials from these machines.

    Unfortunately, it looks like you will be restoring again. But first it may be worth your time to study the server logs for ideas of how the server was attacked. I prefer to use the raw logs when I’m looking for this type of information.

    Good luck, please let us know what you find.
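
An added example, not part of the original thread: before restoring again, the live wp-includes directory can be compared against the January 15th backup to list exactly which files were changed, added or removed. The function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, live_root):
    """Report files modified, added or missing relative to the clean copy."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "modified": sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p]),
        "added": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
    }


def _write(root, rel, data):
    """Helper for the demo only: create a file with the given bytes."""
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Constructed sample trees standing in for the backup and the live site."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "backup", "wp-includes")
        live = os.path.join(tmp, "live", "wp-includes")
        for root in (clean, live):
            _write(root, "version.php", b"<?php // constructed placeholder\n")
            _write(root, "js/sample.js", b"// constructed placeholder\n")
        # Simulate the three kinds of change worth looking for.
        _write(live, "version.php", b"<?php // constructed: altered content\n")
        _write(live, "extra/dropped.php", b"<?php // constructed: unexpected file\n")
        os.remove(os.path.join(live, "js", "sample.js"))
        return compare_trees(clean, live)


if __name__ == "__main__":
    print(demo())
```

On a real site, call `compare_trees` with the extracted backup's wp-includes path and a downloaded copy of the live one; any "added" PHP file deserves a close look before the restore overwrites the evidence.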

    Thread Starter lindalunnmiller

    (@lindalunnmiller)

    I was able to get rid of the hacker code via repeated restore from backup. I also signed up for a year of Sucuri which includes malware removal and blacklist removal.

    wslade

    (@wslade)

    Good news! I’m glad you got it working.

  • The topic ‘serious hack – political in nature’ is closed to new replies.