Urgent Wordpress hack help!

SilverPenguin

SilverPenguin

SilverPenguin

Associate
Joined
21 Feb 2003
Posts
1,348
Hi all, my site was hacked this evening and I'm trying to re-upload all Wordpress software. However, as soon as I upload the wp-admin and wp-includes folders, the modified date for all the php files in those folders reverts back to the time they were hacked and not the time I uploaded the files.

Also, once new files are uploaded, when I go back to my admin login page it takes me there but via a redirect, with the URL having an extension to it that shouldn't be there.

I'm not that good with this stuff, hacks in the past have just required re-installing all files and plugins but this time round there seems to be a bigger problem.

Any help appreciated asap! :(:(
 
I'm not sure, all my php files were modified at the same time this evening and visitors started getting malware warnings.

Usually I just re-install but this time I'm getting the above problem.
 
Um, it's hosted with webfusion, not sure off top of my head.

I've just checked the source code for the blog home page and the nasty extra code that was there is gone, but I'm concerned a lot of my php files still revert to time of hack.

Any help would be appreciated big time!!
 
I've noticed this code is still in the bottom of my blog code when you view source:

<!--stats_footer_test--><script src="http://stats.wordpress.com/e-201037.js" type="text/javascript"></script>
<script type="text/javascript">
st_go({blog:'5341917',v:'ext',post:'0'});
var load_cmc = function(){linktracker_init(5341917,0,2);};
if ( typeof addLoadEvent != 'undefined' ) addLoadEvent(load_cmc);
else load_cmc();
</script>

I have no idea how to remove this though. As stated above half my files revert back to hack time and date when uploaded from fresh.

Really at a loss here so hope you can help... :)
 
Well, no idea what was going on but checking this morning and all my files have now reverted back to the correct modified time i.e. when I re-uploaded them, and not the time of the hack.

No idea what happened there but seems everything is back to normal now!?
 
The code I posted above was from the blogs home page. Someone on another forum suggested that code is part of the tracking code for the wordpress stats plugin and should be there though so I'm a bit confused to be honest!
 
Last edited:
Izi said:
that above JS code doesn't look malicious. Its on the wordpres domain for starters:

http://stats.wordpress.com


when you say hacked, is the only symptom that the file modified dates have changed?
Click to expand...
Cool!

Well, usually when my blog is hacked (if that is the right word?) I first find out either from someone emailing to say they got a virus warning from the site, or notice because my dashboard is all messed up.

This time, the dashboard was fine, but the featured content gallery on my front page stopped working and again I got emails and tweets from people saying a virus warning was coming up again.

The source code was also full of extra code at the top of the page and all the .php files had the same modified date stamp.

As of right now though, there are fresh copies of all files uploaded, the featured content gallery is working again, there appears to be no extra code in the source and finally nobody has reported any problems today.
 
You must log in or register to reply here.
Back
Top Bottom