I HAVE BEEN HACKED!!!

March 2nd, 2012 by admin

I run another WordPress blog over at http://www.mayfieldcardinals.net and, lo and behold, it was finally hacked with a redirect script that would send any of my visitors over to porn sites or other places of malwareness. Well, I am providing this post to help anybody else that runs a WordPress site and runs into a similar situation.

The first thing you should do in all situations with a site that has been hacked is CHANGE YOUR PASSWORDS. Change every password you can think of: the FTP one, the WordPress admin one, the MySQL passwords, all of it. Chances are the originator of the script has stored that password somewhere, and if you clean your files they will be right back in there in no time. Remember, if you are running a WordPress site, you should also change the password located in the wp-config.php file; the line will look something like this:

/** MySQL database password */
define('DB_PASSWORD', 'password');

That password has to coincide with the one in your MySQL db.

Make sure that your FTP client can show all the files that are in your site. I use FileZilla, and you have to enable it to show the configuration files on your FTP server. In FileZilla, just go to View->Filename Filters… and then make sure that Configuration Files is unchecked on the right. It is possible that the hacker messed with your .htaccess file, and you won’t be able to mess with it unless you have this enabled.

In my particular situation, I had some index.php files modified with a Base64-encoded piece of PHP inserted. If you have been hacked, you more than likely have this at the top of your index.php files, or something very similar:
<?php/**/eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydC…
I have left out the bulk of it to keep this post cleaner. I also had this script at the top of my wp-config.php file as well. I copied and pasted that script over on this site: http://www.opinionatedgeek.com/dotnet/tools/base64decode/ and noticed that it has a lot of redirects to a site called lolypopholypop’dot’com and lilypophilypop’dot’com. All I simply had to do was remove that script and all was good.
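
The same check can be run over a downloaded copy of the site, decoding the blob locally rather than pasting it into a web page. This is an added example, not code from the original post; the function names, the sample files and the redirect.example.invalid host are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# eval(base64_decode("...")) with optional whitespace and either straight quote style.
INJECTION = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=\s]+)[\"']", re.I)
HOST = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def scan_tree(root):
    """Map each injected .php file (path relative to root) to the sorted
    hostnames found in its decoded payloads. Nothing is ever executed."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        matches = list(INJECTION.finditer(data))
        if not matches:
            continue
        hosts = set()
        for m in matches:
            try:
                decoded = base64.b64decode(m.group(1))
            except ValueError:
                continue  # malformed blob: the file is still reported
            hosts.update(h.decode() for h in HOST.findall(decoded))
        findings[str(path.relative_to(root))] = sorted(hosts)
    return findings


def demo():
    # Constructed sample: a harmless stand-in payload, not the script from the post.
    blob = base64.b64encode(b"header('Location: http://redirect.example.invalid/');")
    injected = b'<?php/**/eval(base64_decode("' + blob + b'"));?>\n'
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        (root / "index.php").write_bytes(injected + b"<?php // original code\n")
        (root / "wp-config.php").write_bytes(
            injected + b"<?php\ndefine('DB_PASSWORD', 'password');\n")
        (root / "wp-content" / "index.php").write_bytes(b"<?php // clean file\n")
        return scan_tree(root)


if __name__ == "__main__":
    for name, hosts in demo().items():
        print(name, hosts)
```

A hit is a file to open and inspect by hand, since some legitimate code also uses eval(base64_decode(...)); the decoded text is only searched for hostnames, never run.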
