WordPress 2.7 hacked, what now?

  • One of my sites was hacked today (ScOrPiOn), which overwrote my index.php and config.php and who knows what else. The suspicious files I found were in the uploads folder, the only ones for 09, called shell.php and one.php (I can send these if anyone wants to have a look).

    Anyway I’m not sure where to go from here. I can’t just reinstall WordPress and see how that works because my database login and password were lost when the config.php was overwritten. Is there some way I can get these back or create new ones from inside phpMyAdmin?

    Otherwise the only fix I can see is to reinstall everything, including a new database, and import the old data from a backup — either from today’s backup which is questionable since it was made after the break-in, or an older cPanel one from 6 days ago (this is all I have). If I have to use the old backup it’s not the end of the world, as I can re-enter the last few articles if I have to.

    Any ideas?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    WordPress 2.7 hacked, what now?

    There ought to be a law… Your server got is compromised; your post doesn’t show that 2.7 got hacked. Also if you were hacked before you upgraded (very likely) then going to 2.7 would not have fixed anything.

    Restore your file and database backup to when you think you are clean and then check your whole blog.

    You are on 2.7 (according to your post) so disregard the upgrade portion below. You need to look in your logs and identify where the Bad Guy came in. If you don’t close that door then you’ll be compromised soon again.

    Read this

    https://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    And then read it again.

    Read this too

    https://codex.www.ads-software.com/Hardening_WordPress

    Upgrade to the latest version if you have not already. You need to see if there are any users added to WordPress that you don’t know about/don’t belong there.

    You need to go through your files and find where the spammy links are being added. If it’s in wp-config.php or some other file, you’ll need to make sure that is cleaned up before you can consider yourself good file wise. Look everywhere and use fresh copies of your WordPress installation, plugins, and themes.

    Look at your posts and comments and see if there are any spammy links there. You can export your whole blog to WXR and then examine the whole thing in your favorite text editor.

    Once you have cleaned up your hacked blog, harden it so this does not happen again.

    Good luck.

    Thread Starter mattotoole

    (@mattotoole)

    Thnnks for the links! I had found that stuff already but it took time to go through it all. I couldn’t find any anomalies in the database so I wiped and reloaded everything w/ the latest database version (fingers crossed).

    But now my home page won’t load. Everything else looks fine — all the other pages, my admin pages, etc.

    Thread Starter mattotoole

    (@mattotoole)

    False alarm on the blank home page — it seems to be working now. I can’t imagine what happened — I’ve been checking my browser caches, etc.

    As far as the rest of it goes — everything seems fine now after reinstalling from scratch and importing the data from a backup made after the break-in. After spending several hours researching exploits, I couldn’t find any anomalies in my database. I can only hope all is well!

    HE/SHE hacked into my site and deleted all my files.
    i don’t think there is anything a can do:(

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘WordPress 2.7 hacked, what now?’ is closed to new replies.