Website hacked by META HTTP-EQUIV REFRESH

  • mwth

    (@mwth)


    9 years ago

    My website is hacked.
    All posts has post_name and title_name like <meta http-equiv="refresh"

    At homepage i found code like this window._wp_rp_post_title = '%3Cmeta+http-equiv%3D%22refresh%22+content%3D%220%3BURL%3Dhttp%3A%2F%2Fwww.stampcenter.gr%2Fbin%2Fac.txt%22%3E';

    I have about 9000 records replaced in SQL in wp_post table (post_name, post_title) to <meta http-equiv="refresh" content="0;URL=https://www.stampcenter.gr/bin/ac.txt">

    This is my htacess

    # BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post.php
RewriteCond %{HTTP_REFERER} !whatannawears.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) https://%{REMOTE_ADDR}/$ [R=301,L]

    website ur: www[dot]whatannawears[dot]com

    Please help me solve this problem. Guy who made website for me doesnt respond.

Viewing 2 replies - 1 through 2 (of 2 total)
  • MartinCDS

    (@martincds)

    Nice website. So here is what I do when I get hacked.

    First backup everything – export your database and zip and download your files through your ftp account.

    Access your website via ftp and see when last files and folders have been modified on your site. That should give you an idea of when the site was hacked – keep in mind dates when you updated the site and plugins as well. Go through your log files for that date and see where you find the word ‘POST’ and see which files were posted to – some of them will be your normal WordPress processes and some will be what the hacker put there. Write these filenames down and put them on side.

    If you have a previous backup this would be a good time to restore that backup. Some hosting companies will allow you to roll back. If you are worried about losing content export your latest posts through your WordPress export tool – you can choose only the latest ones by assigning them to a new username and then exporting only for that user.

    If you could restore a backup then immediately change your passwords as well as your username and password for your database – change your wp-config.php accordingly. Do not do it before this point as some hacks send new password changes and new user creations to the hackers automatically – you need to be sure the site is clean before doing it – otherwise leave this step to past.

    Make sure you have Wordfence installed and configured as well as a plugin that protects you against brute force attacks. Jetpack has this as one of its built in features but there are others that will limit your xmlrpc.php functionality.

    Make sure all your plugins, your theme and your WordPress version is up to date.

    Run your Wordfence scan and see if there are any WordPress files that do not correspond with the current version. Wordfence may also find some other vulnerabilities.

    Google the files mentioned in your log accessed on the date the site was hacked and see if there are any known hacks using those files and what the suggested method is to fix it.

    I would recommend though that you find a developer to fix this for you as there are other things that could go wrong while updating and fixing the site. Try these steps but if you don’t come right restore the backup and get someone experienced to help you. If your developer is ignoring you find someone else to help you, this may be a good time for you to find someone more dependable.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    This boiler plate reply is often replied with too.

    Please remain calm and carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    The link are very good for delousing your site.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Website hacked by META HTTP-EQUIV REFRESH’ is closed to new replies.