• Resolved particlepat

    (@particlepat)


    Hi all, our website was hacked sometime within the past week where it loaded a JavaScript file located at [ Redacted, do not share that here ], which prompted visitors to update their browser, but actually directed them to a website to download a .exe file.

    No assistance is needed, but I wanted to report this here since several of my searches returned zero Google results. Hopefully, this post will help someone who stumbles across it in the future.

    This attack added or changed files in various files throughout our wp and theme folders. Some of the file names include:

    blog-post-date.php
    common_config.php.suspected
    eqwdbkvz.php
    lmubcysj.php
    post_controller.php
    qcyrvpcu.php
    qijtzugl.php
    rieifhob.php
    sealodux.php
    yfrghujw.php
    83d099271b8965fa29f7c9b20785f320.php
    961f2e11f7cc15babcc4633ea36b6c2c.php
    wc-product-search-form.php
    wcspinky.php
    

    We restored from a backup, but that didn’t solve the problem. I went through and deleted unused plugins, removed outdated admin privileges and updated passwords for admins, updated passwords to SFTP and our webhost (Flywheel), then I used Wordfence to scan the website and delete the files in question. Should that fail, I’m going to do a fresh install of our Avada theme and then a clean install of WP. Good luck to whoever finds this in the future.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter particlepat

    (@particlepat)

    A couple of people asked how I fixed this, but their replies are being removed by a moderator and they’re being instructed to start a new thread.

    1. Restore to a previous backup if you have it (if not, no worries!)
    2. Change WP passwords for any admin user on your website. Remove outdated admin if you have any.
    3. Change the password to your web host and FTP server.
    4. Back up your website.
    5. Install the Wordfence plugin and run a scan.
    6. Delete any suspicious files.
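
Added example (not part of the posts above, and not Wordfence's own code): since the attack both added and changed files, and a restore alone did not clear it, one way to decide which files count as "suspicious" is to hash the live tree against a clean copy and list everything added or modified, tagging names that match the shapes in the file list from the first post. It assumes `clean_root` is a fresh unpack of the same WordPress, theme and plugin versions; the function names are hypothetical, and uploads will show up as "added" and need manual review.

```python
import hashlib
import re
from pathlib import Path

# Name shapes taken from the file list in the first post. They are review
# hints only: legitimate files such as settings.php match the first one too.
NAME_HINTS = [
    (re.compile(r"^[a-z]{8}\.php$"), "8 lowercase letters"),
    (re.compile(r"^[0-9a-f]{32}\.php$"), "32 hex characters"),
    (re.compile(r"\.suspected$"), ".suspected suffix"),
]

def name_hint(filename):
    """Return a label if the file name matches a shape seen in the post."""
    for pattern, label in NAME_HINTS:
        if pattern.search(filename):
            return label
    return None

def sha256_of(path):
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def tree_hashes(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink()
    }

def compare_to_clean(site_root, clean_root):
    """List files the live site added or changed relative to a clean copy."""
    site, clean = tree_hashes(site_root), tree_hashes(clean_root)
    findings = []
    for rel, digest in sorted(site.items()):
        if rel not in clean:
            status = "added"
        elif clean[rel] != digest:
            status = "modified"
        else:
            continue
        findings.append((rel, status, name_hint(Path(rel).name)))
    return findings
```

Call `compare_to_clean(site_root, clean_root)` on a downloaded copy of the site; "modified" entries matter as much as "added" ones, because a changed theme or core file keeps its normal name.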

  • The topic ‘My site was hacked’ is closed to new replies.