Hacked on

wordpress

#1

All of my sites are down (about 6). Replaced with a black page from the “Simiens Crew”. Looks like they were hacked.

Linux zuma 2.4.28-grsec w fhs6b gr0501 nfs p4 c4 gr2b-v6.188 #1 SMP Fri Jan 14
11:19:12 PST 2005 i686 unknown


#2

I have the exact same problem on my sites too.


#3

FTP into your site, delete everything that starts with index (php, htm, html etc.). Upload your real index.php or whatever. It affects all the sites you host. That will fix the pages but not the vulnerability. If you're running WordPress you need to update. To fix that, check your emails from a few days ago.


#4

Update… How I fixed WordPress after the hack.
First I backed up any templates I had modified. Then I FTP'd into the site and deleted all files. Then I went to the control panel and reinstalled WP (that would be the new one that has been patched (DOH!)). Use the same DB as before; it was not affected, so all your posts should be there.
Done


#5

Okay I did what you said and got my original index pages back up on all my sites.
I do not have WordPress installed, didn’t even know what it was till I looked it up. Is there anything that I can do to prevent this from happening again?
And I am new to all this, so could you please explain how this happens?
Thank You for your help.


#6

If you have any pages called index.whatever in subdirectories you will need to re-upload those as well. Even your stats!
I think this explains it a bit.
Look for “i was hacked” 8/11/04

http://www.paulkimbrel.com/


#7

What exactly did you do to fix it?
We tried deleting those files, and it isn't working.
It's all under root, so we can't even touch them.

  • kandice

http://www.kandiceplain.com


#8

All I did was delete the files called index.xxx off the server, then upload my real index.xxx. Look at the dates for clues. Open your index in your HTML editor and make sure it’s yours. Good luck.


#9

We can't edit them though, can't delete them, can't move them because they are all root.

:confused:

http://www.kandiceplain.com


#10

I was hacked also, something to do with awstats though, not WordPress. I logged into shell and ran a series of commands to fix things, which I have given templates of below, and changed my shell password from the DreamHost control panel. Depending on when you see this message you may have to change nightly.0 to nightly.1 or something else. See here for info >> https://panel.dreamhost.com/kbase/index.cgi?area=2585&keyword=restore

It’s very cumbersome to go through all the folders for my domain (and I only have one) and issue these types of commands for them all. Anyone good at shell? I wonder, could we write a script to restore everything recursively, as all the index.php, html, shtml etc. were changed at the same time: 18:28 on the 28th January.

cp ~/.snapshot/nightly.0/yourdomain.com/index.html ~/yourdomain.com/index.html
cp ~/.snapshot/nightly.0/yourdomain.com/yourfolder/archive/index.php ~/yourdomain.com/yourfolder/archive/index.php
cp ~/.snapshot/nightly.0/yourdomain.com/yourfolder/index.html ~/yourdomain.com/yourfolder/index.html

You will have to first remove all your index.php,.shtml,.html etc before running commands like this.

http://www.akamarketing.com - Over a year with dreamhost, happy man!!!


#11

From the highest shell, run this command to find all infected files:
grep -r 'Por Um Mundo Melhor' . | less
it should return all infected files, but may take a long time, I suggest you scan for the most important ones and fix those first.

http://www.akamarketing.com - Over a year with dreamhost, happy man!!!
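
The recursive restore asked about in post #10, combined with the marker search from post #11, as an added example that is not part of any post in the thread. It assumes the snapshot directory mirrors the layout of the live site; the function names `restore_defaced` and `make_demo` and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: restore defaced index.* files from a snapshot tree.
# Assumptions: the snapshot mirrors the live tree's layout, and the defacement
# contains the marker string that post #11 greps for.
MARKER='Por Um Mundo Melhor'

# restore_defaced LIVE_DIR SNAP_DIR [dry]
# Prints one status line per defaced file:
#   "restored", "would-restore" (dry run) or "no-clean-copy".
restore_defaced() {
    live=${1%/} snap=${2%/} mode=${3:-}
    # grep -l lists only the index.* files that contain the marker, so pages
    # that were never touched are not overwritten.
    # Paths containing newlines are not supported.
    find "$live" -type f -name 'index.*' -exec grep -lF -- "$MARKER" {} + |
    while IFS= read -r f; do
        rel=${f#"$live"/}
        src=$snap/$rel
        # Refuse a snapshot copy that is missing or already defaced
        # (the newest snapshot may postdate the defacement).
        if [ ! -f "$src" ] || grep -qF -- "$MARKER" "$src"; then
            echo "no-clean-copy $rel"
        elif [ "$mode" = dry ]; then
            echo "would-restore $rel"
        else
            # Remove first: a file owned by another user cannot be overwritten,
            # but it can be unlinked from a directory you own.
            rm -f -- "$f" && cp -p -- "$src" "$f" && echo "restored $rel"
        fi
    done
}

# Constructed demo tree standing in for ~/yourdomain.com (live) and
# ~/.snapshot/nightly.0/yourdomain.com (snap). Prints the temp directory.
make_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/live/blog" "$d/live/new" "$d/snap/blog"
    echo '<h1>home</h1>' > "$d/snap/index.html"
    echo '<?php blog();' > "$d/snap/blog/index.php"
    echo "x $MARKER x" > "$d/live/index.html"      # defaced, clean copy exists
    echo "x $MARKER x" > "$d/live/blog/index.php"  # defaced, clean copy exists
    echo "x $MARKER x" > "$d/live/new/index.htm"   # defaced, not in snapshot
    echo "$d"
}

# Usage: restore_defaced ~/yourdomain.com ~/.snapshot/nightly.0/yourdomain.com dry
```

Run it with `dry` first and review the list; files reported as `no-clean-copy` need an older snapshot or a manual re-upload.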