10 jilicc withdrawal.REGISTER NOW GET FREE 888 PESOS REWARDS!

gonsteaddoc
(@gonsteaddoc)

8 years, 8 months ago

My webspace has been hacked and now I cannot access wp-admin. How do I go about fixing the problem if I cannot access my wordpress dashboard? This is the info I got from 1and1 security:

It has come to our attention that your web space has been hacked:

access.log.22.gz:185.129.148.208 – – [05/Jun/2016:03:27:18 -0400] “POST /wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1” 200 43 perryhallchiropractic.com “-” “Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0” “-“
access.log.22.gz:185.129.148.208 – – [05/Jun/2016:03:27:39 -0400] “POST /wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1” 200 43 perryhallchiropractic.com “-” “Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0” “-“
access.log.22.gz:185.129.148.208 – – [05/Jun/2016:03:27:50 -0400] “POST /wp-content/plugins/wp-mobile-detector/cache/timthumb.header.php HTTP/1.1” 200 15 perryhallchiropractic.com “-” “Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0” “-“
access.log.22.gz:185.129.148.208 – – [05/Jun/2016:03:27:58 -0400] “POST /wp-content/plugins/wp-mobile-detector/cache/timthumb.header.php HTTP/1.1” 200 278 perryhallchiropractic.com “-” “Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0” “-“
access.log.22.gz:185.129.148.208 – – [05/Jun/2016:04:00:08 -0400] “POST /wp-content/plugins/wp-mobile-detector/cache/timthumb.header.php HTTP/1.1” 200 15 perryhallchiropractic.com “-” “Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0” “-“
access.log.22.gz:185.129.148.208 – – [05/Jun/2016:04:00:10 -0400] “POST /wp-content/plugins/wp-mobile-detector/cache/timthumb.header.php HTTP/1.1” 200 181 perryhallchiropractic.com “-” “Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0” “-“
access.log.23.1.gz:188.40.81.84 – – [06/Jun/2016:07:58:29 -0400] “POST /wp-content/plugins/wp-mobile-detector/cache/timthumb.main.php HTTP/1.1” 200 108136 perryhallchiropractic.com “-” “Mozilla/5.0 (Windows NT 6.2; rv:21.0) Gecko/20130331 Firefox/21.0” “-“
access.log.23.1.gz:188.40.81.84 – – [06/Jun/2016:07:58:30 -0400] “POST /wp-content/plugins/wp-mobile-detector/cache/timthumb.main.php HTTP/1.1” 200 10800 perryhallchiropractic.com “-” “Mozilla/5.0 (Windows NT 6.2; rv:21.0) Gecko/20130331 Firefox/21.0” “-“
access.log.23.2.gz:74.91.28.19 – – [07/Jun/2016:07:15:29 -0400] “POST /wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1” 200 – perryhallchiropractic.com “https://perryhallchiropractic.com/” “Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2312.122 Safari/537.36” “-“
access.log.23.2.gz:23.90.191.237 – – [07/Jun/2016:21:21:02 -0400] “POST /wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1” 200 – perryhallchiropractic.com “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11” “-“
access.log.23.5.gz:23.90.191.237 – – [10/Jun/2016:06:16:47 -0400] “POST /wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1” 200 – perryhallchiropractic.com “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11” “-“
access.log.23.5.gz:23.90.191.237 – – [10/Jun/2016:20:26:39 -0400] “POST /wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1” 200 – perryhallchiropractic.com “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11” “-“

—

The above was taken from your access logs. It shows that timthumb.php was used to perpetrate the hack.

Please contact the developers for this script/application. You will likely need to install a version update and/or security patch to prevent further abuse.

Your vulnerable plugin includes obsolete scripts and it resulted in the upload of these malware files:

./clickandbuilds/PerryHallChiropractic/wp-content/plugins/shariff-sharing/context.php
./clickandbuilds/PerryHallChiropractic/wp-content/plugins/wp-mobile-detector/functions.php
./clickandbuilds/PerryHallChiropractic/t97ADNGUPY/K1dbTtIM.php
./clickandbuilds/PerryHallChiropractic/version.php
./clickandbuilds/PerryHallChiropractic/Q8x25k/0Baqjz8K.php
./clickandbuilds/PerryHallChiropractic/ZbMcl6Rxk9/atLP6kgFKmoEq.php
./clickandbuilds/PerryHallChiropractic/TSLN3/MQ7xB3DoUrTI.php
./clickandbuilds/PerryHallChiropractic/WnrHFL/mxo7ZyB6JdrbIith.php
./clickandbuilds/PerryHallChiropractic/6mWCBYZ/f1M7wDa.php
./clickandbuilds/PerryHallChiropractic/lM2emBnfA/71Ql503.php

Sincerely,
Security Team
1&1 Internet Inc.

Viewing 2 replies - 1 through 2 (of 2 total)

esmi
(@esmi)

8 years, 8 months ago

Don’t panic. Just start working your way through these resources:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

Anything less will probably result in the hacker walking straight back into your site again.

Additional Resources:
Hardening WordPress
https://sitecheck.sucuri.net/scanner/
https://www.unmaskparasites.com/
https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

Thread Starter gonsteaddoc
(@gonsteaddoc)

8 years, 8 months ago

thanks for the info. I am still a bit lost and confused about how to get into the site to fix things. can you give me a starting point? when I go to wp-admin, all i get is a blank white page. I do not know how to get into the page to start fixing.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Webspace has been hacked and now I cannot access wp-admin’ is closed to new replies.

Webspace has been hacked and now I cannot access wp-admin

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics