• I really hope someone can help with this one.

    My site, focusedfirepower.co.uk, has been hacked by someone calling themselves B0Y H4CK3R. The home page of my WordPress site has been changed by them, but the rest of the website can be accessed if you go to one of the other pages rather than the homepage. As far as I can tell it’s just the homepage that’s been changed.

    I cannot log in as the hacker has obviously changed the password, and I assume a password reset attempt would be sent to an email address they have added; it certainly isn’t being sent to me.

    I can log into my host and view the files for the site, but I have no idea what to do.

Viewing 7 replies - 16 through 22 (of 22 total)
  • Thread Starter fog99uk

    (@fog99uk)

    Here’s what I did.

    – Logged into my host site.
    – Used phpMyAdmin to reset the user details for WordPress (there’s only one user, Admin).
    – Changed the keys in the config file using the generator.
    – Logged into my WordPress site.
    – Changed to a new theme.
    – Deleted the old theme.
    – Reinstalled the theme I wanted.
    – Changed to that theme.
    – Changed the user’s password.

    This time I’ve also created a new administrator user and deleted the old one.

    The site has been kept fully up to date since I created it in March, and I’ve been using the Twenty Eleven theme. The only plugin that I am running is Jetpack.

    Looks like you have been doing good so far.

    You missed out something important though.

    Visiting yoursite.com/wp-config.php should not return a blank page. Returning a blank page means that people on the web can call the wp-config.php script.

    What you should get is a 403 forbidden page when you visit this page via a web browser.

    You need to change file permissions of this file.

    Not changing the permissions could open your site to a symlink attack. Basically putting your wp-config file into a txt file which would be available for reading.

    Thread Starter fog99uk

    (@fog99uk)

    403. So that’s Read checked for User, plus Write and Execute checked for World?

    Done that now. Now when going to /wp-config.php it comes up with a 500 Internal Server Error.

    @mangomm

    Visiting yoursite.com/wp-config.php should not return a blank page. Returning a blank page means that people on the web can call the wp-config.php script.

    That sure doesn’t sound good. What could they do with the script once it renders the blank page in their browser? It should return a 403 you say?

    My wp-config is in the directory above wordpress and with permissions set to 400. Trying site/wp-config.php gives a 403 error.

    Thread Starter fog99uk

    (@fog99uk)

    Is it only the config file that should have permissions set to 403?

    The rest of the wordpress files are set to 644, except for the folders, which are set to 755.

    @fog99uk

    The permissions aren’t 403, what they’re referring to is the error code you will get if you access the config file directly, from your browser. As kmessinger noted, his will return a 403 with permissions of 0400. He also noted that his config file is in a location outside of wordpress root. Your configuration and permissions may not be the same. File permissions can vary from host to host. The minimum permissions you can use in your environment may be different from someone else’s. Your host may have some advice for you on that. You can forbid browser access to the config file with .htaccess rules.

    You might try 644 or 640 on yours for starters, and see if that gets rid of the 500 error.
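
The permission points raised in this thread, as an added example that is not part of any poster's reply: a shell audit that decodes an octal mode for wp-config.php (403 used as a mode means owner read plus world write and execute) and lists world-writable paths under a WordPress root. The function names and verdict strings are this example's own; pass the WordPress directory as the argument.

```shell
#!/bin/sh
# Added example: audit the file modes discussed in this thread.
# Function names and verdict strings are this example's own (assumptions).

# Print a verdict for an octal mode proposed for wp-config.php.
classify_config_mode() {
    case $1 in
        ''|*[!0-7]*) echo "invalid"; return 2 ;;
    esac
    m=$((0$1))                      # leading 0 makes the shell read it as octal
    owner=$(( (m >> 6) & 7 )); world=$(( m & 7 ))
    if [ $(( world & 2 )) -ne 0 ]; then
        echo "world-writable"       # e.g. 403: other accounts can write to it
    elif [ $(( owner & 4 )) -eq 0 ]; then
        echo "owner-unreadable"     # PHP running as the file owner cannot read it
    elif [ "$world" -ne 0 ]; then
        echo "world-accessible"     # e.g. 644: readable by other accounts on the host
    else
        echo "ok"                   # e.g. 400, 600, 640
    fi
}

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Report wp-config.php's mode and any world-writable file or directory
# beneath the WordPress root. Returns 1 if anything was flagged.
audit_wp_tree() {
    root=$1; rc=0
    cfg=$root/wp-config.php
    # WordPress also loads wp-config.php from one directory above its root.
    [ -f "$cfg" ] || cfg=$(dirname "$root")/wp-config.php
    if [ -f "$cfg" ]; then
        mode=$(file_mode "$cfg")
        verdict=$(classify_config_mode "$mode") || true
        echo "wp-config.php $mode $verdict"
        [ "$verdict" = "ok" ] || rc=1
    else
        echo "wp-config.php missing"; rc=1
    fi
    ww=$(find "$root" \( -type f -o -type d \) -perm -0002)
    if [ -n "$ww" ]; then
        echo "world-writable:"; echo "$ww"; rc=1
    fi
    return $rc
}

if [ $# -gt 0 ]; then audit_wp_tree "$1"; fi
```

The script only inspects modes on disk; whether a browser request for /wp-config.php gets a 403 depends on the web server rules mentioned above and has to be checked separately.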

  • The topic ‘Site hacked by B0Y H4CK3R’ is closed to new replies.