Bilbo101
Forum Replies Created
Forum: Fixing WordPress
In reply to: 0wnz by M4d3X hack
Thanks for stating the obvious. We are not referring to any WordPress log but the site access logs, which were deleted by the hack. We have already ruled out an insecure plugin, as there is no plugin in common to all the sites that were hacked, so the hacker must have got in via a WordPress vulnerability. Also, as many of us have security plugins in place like WP-Better-Security, which in itself is pretty good, it is hard to see where the vulnerability lies, as the .htaccess and wp-config are secure. All we are trying to do is establish how a crude hacker got past all our defenses. Comments like “Generally speaking, there are only 2 ways the hacker could have penetrated your site: 1. via another insecure site or application on the server. 2. via your site itself.” don’t help anybody because I think we all pretty much sussed that one out by ourselves!!! If you’re going to contribute something, then please let it be constructive and worth reading.
Forum: Fixing WordPress
In reply to: 0wnz by M4d3X hack
Hi, thanks for the update. I have managed to clean it from one site; however, for some reason on another site I have had no joy so far, even though I have uploaded a backup copy of all the files. I have got the webmail package Roundcube installed on one site, and when I go to log in to the webmail I get the hacker’s message. I have deleted the Roundcube files off the server and re-uploaded a backup copy, and my hosts tell me they have uploaded a backup copy of the DB, but still the hacker’s message remains. Very puzzling. With regard to the plugins, none of my sites were using the plugins you mentioned above, so it is probably not a plugin vulnerability that is allowing the hacker in. However, I had not got round to updating my sites to the latest version of WordPress and they were running the previous update, so that might be the issue. I found out that this hacker originates from Indonesia, and as my target audience is 99% in the UK, I think I am going to block the usual suspects’ country IPs from accessing my sites in the future, like Russia, China, Nigeria, Ukraine etc.
Forum: Fixing WordPress
In reply to: 0wnz by M4d3X hack
Hi, I have had the same problem and have not come across a hack like this before. I restored a backup of the database to a time before the hack happened, and I uploaded a backup copy of all the files to overwrite all the changes the hacking script had made, and I STILL get the message “Ownz by m4dsx”. Surely I must have missed something, because restoring all the files and DB would normally sort everything (scratch head). Next I went to check the log files to see if I could find where and when the hacker was gaining entry, but unfortunately the logs folder was empty. This is all very odd; it took down all my WordPress sites but did not touch a bog-standard HTML or ASP site, so I guess the vulnerability is something to do with WordPress or a plugin. I will keep searching and trying to solve it, and if I find out anything useful I will update you here.