• I love the support forums and love WordPress so please understand that I am not trying to create a panic.

    It appears that tonight the latest version of WordPress (1.5.2) has been hacked. I don’t know how but on both of my domains (1 is the main, the other is a subdomain) someone ran some script that inserted the \ symbol everywhere in my code. There was also a new bogus theme installed in my themes directory. Both sites were almost useless and I am having to have everything restored from tape backup from my hosting service.

    The sites are https://www.timandtony.com and https://www.mustardnut.com. I upgraded to 1.5.2 weeks ago and haven’t messed with anything plugin, setting, codewise or the like. I had only 1 posting too.

    As soon as I have some resolution from my hosting service, I will post it here. I just wanted it documented in case it happens to someone else.

    Ciao!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Have you got server access logs that you can examine? Have you got any examples of the damage that was done? Do you use strong passwords everywhere? Do you have any other software installed?

    It’s a bummer that you got hacked but let’s not go jumping to conclusions until at least a little investigation is done.

    Are you talking about this sort of thing?

    To be honest, that\a€?s why there have been a lot less posts lately. The stuff with Tiff and I is too personal to put up here and other than that, I feel uha€| dumb. I don\a€?t want to ramble on about our fuck of a president and I don\a€?t watch or read the news so it\a€?s just life as usual. Maybe I should watch the newsa€|

    If so, relax, you haven’t been hacked. Your ISP has probably just changed the PHP configuration (most likely magic_quotes_gpc) settings.

    See https://php.mirrors.ilisys.com.au/manual/en/function.addslashes.php for more.

    And the OP’s ISP/Web Host should have been able to figure this out and so advise the OP pretty much immediately. Since the OP hasn’t posted back here, hopefully, that’s what it was and all’s well.

    Thread Starter mustardnut

    (@mustardnut)

    Thanks for all of the quick responses as usual. My Web Hosting company could not figure out the problem last night but the individual did seem rather ‘green.’ He referred the ticket to a WordPress expert and this morning everything seems to be back to normal.

    The link above doesn’t work so I will assume — as stated above — that I wasn’t hacked. Thank goodness, one of the beautiful things about WordPress is knowing that it is so secure.

    Again, apologies if I caused undue concern, I just wanted the issue documented in case anyone else had the same problem.

    Thanks all for your astute and gracious help.
    -Tim

    Thread Starter mustardnut

    (@mustardnut)

    If so, relax, you haven’t been hacked. Your ISP has probably just changed the PHP configuration (most likely magic_quotes_gpc) settings.

    You guys and gals are good. I called up my Web Hosting service this morning and that was it.

    Thanks again!

  • The topic ‘WordPress 1.5.2 hacked with “\” signs everywhere’ is closed to new replies.
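The diagnosis reached in this thread can be checked mechanically on a stored post body. PHP's magic_quotes_gpc runs addslashes() on request data, so its backslashes only ever sit in front of a quote, another backslash, or a NUL (written as backslash plus "0"). The triage below is an added example, not code from the thread or from WordPress; the function names and sample strings are constructed, and it assumes you are inspecting the raw stored text rather than the rendered page.

```python
# Added example. Sample strings are constructed, modelled on the thread's excerpt.
ESCAPABLE = "'\"\\"  # addslashes() prefixes each of these with a backslash


def strip_layer(text):
    """Undo one addslashes() pass; return (restored, escaped, stray, bare)."""
    out, escaped, stray, bare = [], 0, 0, 0
    i = 0
    while i < len(text):
        ch = text[i]
        nxt = text[i + 1] if i + 1 < len(text) else ""
        if ch == "\\" and nxt and nxt in ESCAPABLE:
            out.append(nxt)          # \' \" \\ -> ' " \
            escaped += 1
            i += 2
            continue
        if ch == "\\" and nxt == "0":
            out.append("\0")         # addslashes() writes NUL as backslash + "0"
            escaped += 1
            i += 2
            continue
        if ch == "\\":
            stray += 1               # a backslash addslashes() would not produce
        elif ch in "'\"":
            bare += 1                # a quote addslashes() would have escaped
        out.append(ch)
        i += 1
    return "".join(out), escaped, stray, bare


def triage(text, max_layers=5):
    """Return (verdict, layers, restored_text) for a stored post body."""
    layers = 0
    while layers < max_layers:
        restored, escaped, stray, bare = strip_layer(text)
        if escaped == 0 or stray or bare:
            break
        text, layers = restored, layers + 1
    if layers:
        return "addslashes", layers, text
    if "\\" not in text:
        return "clean", 0, text
    return "unexplained", 0, text


if __name__ == "__main__":
    for sample in (r"that\'s why I don\'t post",      # one layer of escaping
                   r"that\\\'s why",                   # escaped twice
                   r"it's in C:\temp"):                # not an addslashes pattern
        print(triage(sample))
```

A verdict of "unexplained" only means the backslashes do not match the addslashes() pattern; that is the case where the access-log review suggested in the first reply is the next step.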