WP hacked

[WillyPete]

One of my sites was hacked and now when I go to it I receive a message that says "RooteD By Dr.403".

This site isn't mine but was hacked by the same person and displays the same info. تم الاختراق من قبل دكتور فوربدن

Can someone help me out? What should I do to fix this and prevent it?

 

[mikeshinobi]

He uses toggle type and l33t speak and everything.

Is this real life?

 

[WillyPete]

yea just for my homepage. I can access the other pages just fine. I was told to reinstall my theme and WP

 

[Big Joe]

can you find the code and remove it?

 

[WillyPete]

I looked in a few different places and was unable to find it. I have since fixed it by replacing the index.php file with the original and re-installing WP.

 

[flaw3d]

Not sure if you used fantastico or some auto installer on you wp install?
Also it can be the theme or a plugin

 

[WillyPete]

fantastico was used to install WP

 

[identity_00]

Welcome to wordpress.

 

[Big Joe]

make sure you keep it updated and install a security plugin.

 

[Smidge]

This happened to me once. These guys just run bots to take down WP sites and black-mail you like $300 for 'security services'. I've pm'd you some links I now use to lock stuff down.

 

[Rage9]

Only log in under SSL, you can just as easily create self signed certificates to get it done. Just write down what the signature is, however if you ever get asked about it after the first time you access it from a browser someone is running a man in the middle attack. Do the same with phpMyAdmin if you ever log in to it.

Also your Wordpress / phpMyAdmin admin pages can be modified to only let certain IP addresses access them.

 

[danke]

Sounds like he just changed the index file...

 

[Genius101]

Check out whatever Smidge sent you. Its just a defacement, and being on WP its not that dangerous (but annoying? Yes). Had it been a defacement on a regular webpage, it might be a tad scarier

 

[Mahzkrieg]

90% of the time it's a base 64 encode injection or something in the same family.

Search your WP project folder for instances of "eval(" and "base64_decode". Deleting the injected code from your files and changing your server passwords might be enough (it was for me), but the attacker might have left some other backdoor open like some files masquerading as WP core.

So you might want to reinstall to ensure nothing else is lurking around.

Basically, if someone can hijack WP security or your server user, they can inject code like:

<? eval(base64_decode("Kj89yaJ8hTF29Hajs80..."); ?>

The long string will decode into PHP code that can pretty much do whatever it wants, but it's usually why you can't just search your source code for the defacement message.

This is a classic problem that anyone using a prevalent PHP application faces.

 

[(O_o)]

disable all plugins

Update your WP version to most current

update & reenable plugins

change your wp-admin password

contact hosting company to get them to scan your files to make sure the lil tard didnt install something like c99 or anything.

 

[ShadowCaster]

check .htaccess file, I had this exact thing when I accidentally left it 777...