Archive for the ‘Hacked’ category

Still Hacked!

April 18th, 2012

In my ongoing effort to keep my WordPress blogs from being hacked and redirecting folks all over those interwebs, I have finally found something that can show you just what is affected in your WordPress blogs. Just go to your Dashboard, then to your plugins, choose ‘Add New’ plugin and do a search for ‘Exploit Scanner’. This little tool will do a complete scan of your site’s PHP files and will give you a report of the ones that have the potential threat in them; it also says it will scan your database, although I found I didn’t have any problems in mine. I found that in my particular situation, the problem was in all the themes I have downloaded in the past; the code in most of those directories was still hacked. I recommend that before you run this scan you look through your wp-content directory, then down into your themes directory, and delete any themes you may have in there; it will speed up the search and save you time in your effort to eradicate this problem from your site :). I hope this helps somebody out there. I know this has been pretty frustrating for me, and I guess the plus side is that I have learned how WordPress works and a little more about PHP on the side. I also recommend going to your dashboard and doing a re-install of your current WordPress install; it will re-enable a lot of things that may or may not work in your admin.

I HAVE BEEN HACKED!!!

March 2nd, 2012

I run another WordPress blog over at http://www.mayfieldcardinals.net and, lo and behold, it was finally hacked with a redirect script that would send any of my visitors over to porn sites or other places of malwareness. I am providing this post to help anybody else who runs a WordPress site and runs into a similar situation.

The first thing you should do in all situations with a site that has been hacked is CHANGE YOUR PASSWORDS. Change every password you can think of: the FTP one, the WordPress admin one, the MySQL passwords, all of it. Chances are the originator of the script has stored that password somewhere, and if you only clean your files they will be right back in there in no time. Remember, if you are running a WordPress site, you should also change the password located in the wp-config.php file; the line will look something like this:

/** MySQL database password */
define('DB_PASSWORD', 'password');

That password has to coincide with the one in your MySQL db.

Make sure that your FTP client can show all the files that are in your site. I use FileZilla, and you have to enable it to show the configuration files on your FTP server. In FileZilla, just go to View->Filename Filters… and then make sure that Configuration Files is unchecked on the right. It is possible that the hacker messed with your .htaccess file, and you won’t be able to mess with it unless you have this enabled.

In my particular situation, I had some index.php files modified with a Base64-encoded piece of PHP inserted. If you have been hacked, you more than likely have this at the top of your index.php files, or something very similar:
<?php/**/eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydC…
I have left out the bulk of it to keep this post cleaner. I also had this script at the top of my wp-config.php file as well. I copied and pasted that script over on this site: http://www.opinionatedgeek.com/dotnet/tools/base64decode/ and noticed that it has a lot of redirects to a site called lolypopholypop’dot’com and lilypophilypop’dot’com, and all I simply had to do was remove that script and all was good.
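A read-only check for the injection described above, as an added example (not code from the original post or from the Exploit Scanner plugin): it walks a site directory, flags every .php file containing eval(base64_decode(...)), and decodes the blob without running it so you can see which hosts it points at. The sample site, the payload and the redirect.example host are constructed for the demonstration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Matches eval(base64_decode('...')), allowing whitespace and either quote style.
INJECTION = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=\s]+)[\"']\s*\)\s*\)"
)
HOST = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def decode_payload(blob: bytes) -> bytes:
    """Decode the Base64 argument without executing it; tolerate missing padding."""
    blob = b"".join(blob.split())
    blob += b"=" * (-len(blob) % 4)
    return base64.b64decode(blob)


def scan_tree(root):
    """Return one finding per injected blob in the .php files under root."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        for match in INJECTION.finditer(data):
            decoded = decode_payload(match.group(1))
            findings.append({
                "file": str(path.relative_to(root)),
                "offset": match.start(),  # byte offset of the injected eval(
                "hosts": sorted({h.decode() for h in HOST.findall(decoded)}),
            })
    return findings


def demo():
    """Build a constructed sample site (not the payload from the post) and scan it."""
    payload = base64.b64encode(b'header("Location: http://redirect.example/");').decode()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "old-theme"
        theme.mkdir(parents=True)
        (root / "index.php").write_text(
            '<?php /**/eval(base64_decode("%s")); ?>\n<?php require "wp-blog-header.php";' % payload)
        (theme / "index.php").write_text("<?php get_header(); ?>")  # clean file
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point scan_tree() at a downloaded copy of the site rather than the live server, and check wp-config.php and every theme directory in the results, since those are the places the post found the script.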