Calling all site owners hacked by walangkaji/ Badi etc. – Need some help

Any thoughts on how to fix this ASAP?

@devinhsmartin Putting aside the “You-really-should-open-your-own-topic-as-that’s-the-best-way-to-get-assistance-for-you” mantra for a minute, I think you’ll find all you need to know at this link.

Rossagrant, I am in the same boat. Quit my dull job to take on wordpress development full time to support my family. I don’t know why somebody would do something like this. My 3 year old is trying to get my attention to play with him and I CANT BECAUSE of this incident.

Whatever… Thank you for the info though. I need to know about Vulnerabilities too. My livelihood is on the line also.

My Clients are asking me why somebody would do this… What is the motivation behind hacking like this?

Thank you Jan!

Not sure Dev,

I though the protocol on this kind of stuff was to let the core team know at WP with a ‘we’ll put this out in the wild in x days’ kind of thing.

I still don’t know for sure if it’s a server side thing(very widespread across loads of different hosts) or a core WP thing.

I have spoken to a few site owners and can’t see a plugin correlation, so it’s either WP or servers.

Rossagrant; do you mean UTF-.. in the style.css?
I am running WP3.5

No UTF-8 is the charset you need to set your database to in order for it to display some characters correctly.

UTF-7, which the hack sets it too allows for code to be passed through the DB and isn’t good from a security aspect.

From what i found with my sites, if you go into the Settings—>Reading screen in the WP dashboard BEFORE you delete Badi’s text widget with his script in, then you will see an option to set the charset back to UTF-8.

If you delete the script then that option disappears and I guess you will have to set it through PhpMyAdmin.

The option was taken out of the dashboard in WP 3.5.

This hack seems to reinstate it until you delete the script found in the text widget that is also created upon the hack getting into your site.

OK, unfortunately I don’t understand where to change UTF-7 (I use Cpanel)

When I go to my Cpanel and select PhPadmin, the same hack screen from Badi appears…. does this input help?

Klap, the UTF option should be in your WP dashboard, not in CPanel.

Do you still see the text widget in the backend of WP in the Appearance—>Widgets section.

It will be under a heading down the page that says unregistered sidebar?

Don’t delete it just yet, but see if it’s there.

No, no UTF option under dashboard and no text widget (only Fancy text which I bought.
Yhe strange thing is that my widget page keeps loading and my sidebar dissappeared

The text widget won’t be in one of your sidebar areas, it will be in a long panel under the list of widgets on the LEFT.

It will be in an unregistered sidebar.

If it’s not, I’m not too sure, that’s just what I experienced.

no nothing there, also no UTF under dashboard….

Not too sure exactly what has gone on there then. Is yous ite title still messed up? Change it back.

Are you showing weird characters on your site. Try typing a ￡ sign and see what it displays as. Are you definitely set to UTF-7?

Just notice that my hosting previder helped me out with a backup.
Caracters appear normally
I don’t know what Charset I use – the Style.css says Charset UTF-8 though…

Klap if ￡ signs appear normally you are good to go.

That backup will have cleared out the hack I guess.

Keep a close eye on things though.

Sure, still a problem after the hack with te widget page – sidebar is completely dissappeared and site keeps loading AND when I select phpMYadmin in Cpanel the screen of Badi appears – no way to acces phpMyadmin…..