action

thanks for the info. I’ll redo one with data + structure.

Yes!! they had a backup of the site and restored it. First thing I did was backup the database file, however it’s only 500kb? is it normal to have such a small file for all the content? thanks!

Hi 123, I got the site database restored by the domain provider and it’s up and running. However they only had a backup of the site after the hack was injected, but before I deleted everything by accident. I’ve added a .htaccess file limiting wp-admin access only from my IP, created some blank index files, and also enabled Bulletproof security. I hope these measures will prevent the malicious code from re-injecting the pill links.

However exploit scanner still shows the malicious code present on my blog, I’ve went through, changed the password and secret key but looking through coding is a bit over my head for this noob..

Hopefully the precautions I did will prevent the code from activating and injecting links until I figure out how to clean it.

I backed up the database via mySQL and via Export under tools in WP-admin, however the files are only 500kb from mySQL and 1mb from WP-admin. Is it normal for the database to be that small? It seems to be a lot of content to fit into such a small file. I don’t want to risk loosing everything again when I’m ready to dive in and attempt deleting code.

Thanks!

yes phpmyadmin shows my posts are gone =( I inquired with my provider last night and they said they restored a backup, however checking this morning it still seems the same.. I’m gonna see if they can restored to an earlier version.

How do i pull the blog from google cache? I can see all the original content from it.

Thanks!

hi 123, I checked out your site and did what I thought was backing up the database by copying the ‘blog’ folder. Unfortunately it’s the mySQL database that’s needing the backup and I deleted it by reinstalling wp…

I contacted my host provider yesterday before going to bed and they restored to an earlier version of it this morning, however it wasn’t early enough as I think they restored it to the reinstalled state. I emailed them again to see if they have an earlier database they can through in.

If not i think im stuck in loosing a blog or rewriting everything =(

I will contact them and inquire and update with what they say. Thank you so much for all your help and tips sledge! As much as I hate whoever hacked my blog, I take it as a good schooling.

Yes that is how it’s structured.
I think I just deleted my whole blog =(
when i reinstalled wp it looks like cleared my mySQL database…

when I selected remove wp installation i think it auto deleted my database as well !!!

there is nothing under mySql Database…..

Thnx for the link sledge. I googled some remedies and did something I’m not sure benefited me.. I copied and backed up the “blog” folder under my domain, then deleted the WP install via Cpanel and reinstalled WP. I then copied back all the content in “blog”. Running exploit scanner no longer gives me a huge list of ‘eval’ and ‘base64_decoder’, only 2. Both on the WPbook plugin (it makes a post on my facebook page automatically when i post on my blog).

This move however made my blog useless, because now nothing shows up when I go to my blog, just a white page. I can still log into my wp-admin and it shows all my old plugins there, however non of my posts nor comments are there anymore…

here is the 2 strings when i used that converter:
$signature = base64_decode($signed_data[‘sig’]); =
JHNpZ25hdHVyZSA9IGJhc2U2NF9kZWNvZGUoJHNpZ25lZF9kYXRhWydzaWcnXSk7

* Javascript, and can be directly eval()’ed with no further parsing =
KiBKYXZhc2NyaXB0LCBhbmQgY2FuIGJlIGRpcmVjdGx5IGV2YWwoKSdlZCB3aXRoIG5vIGZ1cnRo
ZXIgcGFyc2luZw==

please help! this is really stressing my out. and online tutorials are pretty vague

anyone? know how i can remove the backdoor and hack codes? or a good noobie tutorial? Most sites I read are saying “remove eval… basecode64” then change password.

but doesnt really go about in a noob friendly way. Thanks!

I am not sure. It happened after I installed “Facebook comments for wordpress” and “facebook Like”. I’ve disabled those atm and changed password, set new security key, changed permission, and added a .htaccess to only allow wp-admin to my static IP.

How would I go about in removing the malicious code? is there a plugin/program I can run?

Read the link you posted, I changed the permissions in wp-config from it. thanks!

i got the site back up and running and ran exploit scanner and got all this:

https://www.jacksonzhao.com/images/Other/code.jpg

any advice how to remove the scripts? thanks

I will try restoring the default WP permalink structure. I recall that’s in the settings for wpadmin?

I dont have any .htaccess folders under wp-admin. The only .htaccess are under my main site directory and not the blog.

sledge81: i never thought about deactivating the plugins. I just went ahead and deleted the whole ‘blog’ folder under my site directory in dreamweaver.. which .htaccess should i delete? there seem to be a bunch. I’ve been upgrading everything except the Thematic theme version because I didn’t like the look of the new one… that could be the reason.

123: i read through that prior to posting. Most of the stuff I don’t have experience with haha. I searched a bit more and will through in a .htaccess file limiting wp-admin only to my IP after, but now the main thing is getting all my posts back and cleared from the hacks…

how are the posts structured? Are each individual posts stored in a file under the blog directory?

Thnx for helping out a noob!

that was what I was getting. After putting the ID, the “no post ID returned from Facebook is fixed”