Forum Replies Created

Viewing 15 replies - 1 through 15 (of 21 total)
  • I second Jan’s approach — unless you are just curious about the hack, it’s best to back up and re-install with the proper hardening.

    It can be frustrating and futile to try to pin down the exact back-door.

    I see other places have similar conditions when I search Google on &#8217;s

    Oops – I see now you’ve been here since before I had even heard of WordPress –
    Cheers

    Sure, but the password change is only one step. Now, back up the files/directories. Then remove them-not wp-config.p- and re-install WordPress.
    Also search on harden WordPress here at the dot org site for some other steps / advice.

    If the site has been hacked, then the hacker has a backdoor somewhere in your files / directories. Only a complete remove and re-install will get you started in the right direction (in my opinion).

    Don’t forget the backup step and ask someone if you’re not sure.

    smartobject2

    (@smartobject2)

    Especially read and do the part that advises removal of _everything_ on your site. You don’t have to physically delete it, just take an FTP application and “move” your site root files and dirs away to a new directory like “oldsiteJKL”
    Then apply the other security advice in the articles as you re-install WordPress and for the images you copy them back as needed.

    If you don’t remove everything, then you are just leaving the hacker’s back door untouched – that’s why it happens again.

    But do delete the oldsite files once you’re up and running.

    Cheers,
    let us know how it goes.

    Thread Starter smartobject2

    (@smartobject2)

    BTW – This has been running great – daily backups and I can see the new files appear each day on dropbox.

    I am using the curl command on network solutions scheduled tasks:
    curl "https://www.sheltonresearch.com/wp-content/plugins/wp-time-machine/cron.php?generate=1" >/dev/null

    The >/dev/null means I do _not_ get emails of normal output, but I should get an email if there is an error. Errors go to a different output channel on unix and pass through the scheduler as output to be emailed.

    BTW – You do have a lot of posts and comments I see on google cache – If you want, I think I can recover most of it back and we can load it in your new database.

    I left a comment on your new site with contact info, if needed.
    Cheers

    You should be suspicious of the restored database and use some SQL select statements from the phpMyAdmin screen that search the posts and comments tables for malware.

    Sorry, I don’t see the specific entries here, but to show any suspect entries, here are some SQL commands (each is an individual command):
    select * from wp_posts where post_content like '%base64%';
    select * from wp_posts where post_content like '%eval%';
    select * from wp_posts where post_content like '%strrev%';
    select * from wp_comments where comment_content like '%base64%';
    select * from wp_comments where comment_content like '%eval%';
    select * from wp_comments where comment_content like '%strrev%';

    A positive hit is not necessarily bad, but should be investigated.

    Read through all FAQ’s etc. mentioned above. They will all support each other with the to-do items, File and Directory Permissions, Auth Keys, etc.

    When you log in with cPanel (or use an FTP application) change the permissions on directories to 755 (numeric for Read/Write/Execute for You, execute for Group, execute for World).
    All Files should be 644 (RW, R, R) EXCEPT for wp-config which will be 600. Exceptions may be the Uploads Directory.

    I don’t want to get too wordy — but another good point is to completely remove any themes or plugins that are not used.

    I have seen log entries on my site where hackers are trying to access plugins that I don’t have — maybe they have a list of exploitable plugins.

    But bottom line is – you can do it with the tools/techniques mentioned above.

    Get a dropbox account and install a backup plugin to place your stuff there.
    Cheers,
    Keep in touch
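
An added example, not part of the original post: a shell audit for the modes given above (directories 755, files 644, wp-config.php 600), run against a local or server copy of the site. The function names, the output labels, the decision to skip wp-content/uploads, and the sample tree are assumptions made for this example.

```shell
#!/bin/sh
# audit_wp_perms ROOT
# Prints one line per path whose mode differs from the modes given in the post:
#   directories 755, files 644, wp-config.php 600.
# wp-content/uploads is skipped because the post notes it may be an exception.
audit_wp_perms() {
    root=$1
    # Directories that are not exactly 755 (uploads subtree pruned).
    find "$root" -path "$root/wp-content/uploads" -prune -o \
        -type d ! -perm 755 -print | sed 's/^/dir-not-755 /'
    # Regular files other than wp-config.php that are not exactly 644.
    find "$root" -path "$root/wp-content/uploads" -prune -o \
        -type f ! -name wp-config.php ! -perm 644 -print | sed 's/^/file-not-644 /'
    # wp-config.php in the site root must be 600.
    find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600 -print |
        sed 's/^/config-not-600 /'
}

# Constructed sample tree so the function can be exercised offline.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/plugins/demo" "$site/wp-content/uploads"
    : > "$site/index.php"
    : > "$site/wp-config.php"
    : > "$site/wp-content/plugins/demo/demo.php"
    : > "$site/wp-content/uploads/photo.jpg"
    find "$site" -type d -exec chmod 755 {} +
    find "$site" -type f -exec chmod 644 {} +
    chmod 600 "$site/wp-config.php"
    # Deliberate deviations for the audit to find.
    chmod 777 "$site/wp-content/plugins"
    chmod 666 "$site/wp-content/plugins/demo/demo.php"
    chmod 777 "$site/wp-content/uploads"   # skipped: uploads exception
    echo "$site"
}

site=$(make_sample_site)
audit_wp_perms "$site"
rm -rf "$site"
```

Empty output means every checked path already has the expected mode; each reported line is a path to review, not proof of compromise.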

    Adam – are you really on WP 2.92 ?
    https://www.adamfaragalli.com/readme.html

    Let me know how it goes.

    @ stvitusdance I second the request for a peek at your improvements. I looked at both trappers.nl and violafans.net and both are great.

    I am just now trying to bring up this plugin on my localhost / dev platform.

    Thank you

    Forum: Plugins
    In reply to: WP Plugin Cron job settings

    There should be a log file created in your wp-content directory — get a dir listing with an ftp client and view it.

    Also if your backups are there (zip extension and sql extension) it means that the backup ran ok, but the files could not be uploaded to dropbox.

    I think you need double quotes around the data-text value?
    data-text="<?php the_title(); ?>"

    Cheers,
    Lee

    If your friend cannot tell you which plugin, I would suspect the friend is simply stating a hypothetical premise.

    I think esmi is telling you to be sure you have the most recent versions of the plugins and the plugins should come from www.remarpro.com

    After that…
    If you cannot contact the friend for clarification, get an FTP copy of the plugins directory downloaded to your computer and do a text search for things like eval, base64 and the malefactor’s email address above.

    Cheers,
    Lee

    Sure you can use FileZilla or any FTP to pull the files onto your computer. The only change I made to the plugin was to add strrev and htmlspecial to the search terms. I don’t know why I put the html thing in there – may not be helpful.
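
An added example, not part of the original posts: the text search described in the two replies above (a downloaded plugins directory searched for eval, base64 and strrev), written as a shell scan that ranks files by number of matching lines. The function names, the call-style pattern that narrows the terms, and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Search terms from the posts: eval, base64, strrev. Matching them only as
# calls (eval(, base64_decode(, strrev() is an assumption made here to cut
# noise from words such as "retrieval"; a hit still needs a human look.
PATTERN='(^|[^[:alnum:]_])(eval|base64_decode|strrev)[[:space:]]*\('

# scan_php DIR -> "hits<TAB>path" for each .php file with at least one
# matching line, most hits first.
scan_php() {
    find "$1" -type f -name '*.php' -exec grep -Ec "$PATTERN" /dev/null {} + |
        awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n "\t" $0 }' |
        sort -rn
}

# show_hits FILE -> matching lines with line numbers, for manual review.
show_hits() {
    grep -En "$PATTERN" "$1"
}

# Constructed sample plugins directory: one clean file, one suspicious file.
make_sample_plugins() {
    d=$(mktemp -d)
    mkdir -p "$d/good" "$d/bad"
    printf '%s\n' '<?php' '// data retrieval (cached)' \
        'echo strtoupper("ok");' > "$d/good/good.php"
    printf '%s\n' '<?php' 'eval(base64_decode("ZWNobyAxOw=="));' \
        '$x = strrev ("cba");' > "$d/bad/bad.php"
    echo "$d"
}

d=$(make_sample_plugins)
scan_php "$d"                      # ranked list of files to open first
show_hits "$d/bad/bad.php"         # the lines that triggered the hits
rm -rf "$d"
```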
