sahdes

username: sahdes server: Stevie domain: sahdes.heliohost.org / sahdes.org thank you

Done. Meanwhile (before you renamed aa.php), on an automatic scan wordfence had found this [sep 01 22:35:46] Adding issue: File appears to be malicious: wp-content/aa.php [sep 01 22:35:46] Adding issue: File appears to be malicious: wp-content/isis.php So it's effective, it was me that missed the alerts. Sorry about that, henceforth I'll be on guard. Both deleted, a new scan produced Congratulations! No security problems were detected by Wordfence. So all should be OK. Thank you very much.

Sorry, a clarification: I didn't try, I just updated WP and everything looked ok, my bad. This time I will. I've run this site for years and it had never happened something like this. UPDATE: I've found a backup from a year ago. If I fail to clean the site as it's now, I'll just restore that one.

(sorry for my bad english) If you can, just please give me a couple of hours to try to get the site clean, whithout losing years of posts. I have the wordfence plugin which is pretty good on that. I have to use WP because it's for a non-profit NGO blog, I have to rest in some patform that allows the team to post stuff without depending on me. But I keep it always updated, with just a few and well known plugins and this wordfence to keep it secured, I don't know what happened. If I don't manage to clean it at first, I will erase everything. Let me know if that's possible.

Thank you for your information. As you said, the site's heavily hacked, down again, and having changed the passwords was useless, I've even lost access to my CP. Now, when I try to reset password it doen'st work. I receive the mail, enter the code, and nothing happens, it keeps asking for the code. Direct link neither works. What can be done?

I know, and I've installed wordfence to avoid those issues. But it's weird. This time, eveyithing within WP was intact, they just changed index.php, and it doen't seem have been done trhough the WP editor, as if they had gained access to my CP and replaced it there...

Now the site's online again but it's been hacked by some terrorists!! I'm working on it That may have caused the high server load... update: I just updated wp and everything went back to normal

username: sahdesserver: Steviedomain: sahdes.heliohost.org / sahdes.org No idea why. Thank you. Plus, I cannot access my CP either (I got the renew pw mail but the sent code doesn't work).

Everything working fine. Thanks a lot!

Hi. My database's gone. Here's the data: user: sahdes server: stevie database: sahdes_wp52 Regards.

I installed wp by softaculous. I have no idea how that file got there. The site may have been hacked, it already happened once, some months ago. I did all that scans to make sure that wp-admin/config.php was the only infection. The plugin I installed (wordfence) detected the malicious code, indicated that it wasn't an actual wp file, and deleted it; and said that everything else was just ok. Thanks for your advice.

Well, I scanned the full backup with antivirus (nothing) and anti malwares (nothing), the site itself with online scanners (nothing), and with a WP security plugin that just found a file with a line of malicious code, so I deleted that file. And I've changed all the passwords. Please let me know if now it's clean. Tank you.

I'm already working on it, thank you very much.

username: sahdes server: Stevie domain: sahdes.heliohost.org / sahdes.org Hi, I have no idea why my account has been suspended. Thank you.

Look at my (hacked) htaccess: So, the hack's gone deeper than merely creating that folder... I've restored from the backup, it's all clean now. Thank you.

Wolstech, I've found a homedir backup dated 01/03/14, in which not only there is no index.php in "images" folder, but there is no such folder at all. Into this "images" folder there is a .js file that contains, hello!, some russian url... So, I'm going to get a clean break and restore my home form that backup. I think that's the thing to do.

I'm using the last version of WP; all themes & plugins are only from the WP official repository, and all up to date. I made a full backup and scanned the whole site with antivirus, plus many anti-malware tools; nothing was found, not even on the file you told me. Then I scanned the site with 3 online malware url scanners: https://www.virustotal.com/es-ar/url/6dcdc3d20a987b5a6a2816bfee832d84e3a79b72a6deb2ea8009103a7bdbfb37/analysis/ http://app.webinspector.com/public/reports/20289098?cache=true http://www.quttera.com/detailed_report/sahdes.org Nothig wrong. Anyway, then I removed /public_html/wp-content/images/index.php (I don't know how it's gonna affect the site; so far all seems to be ok). Please let me know if now it's clean. But, I wonder... couldn't it have been just a false positive?

It's already suspended again...

Done. Solved.

The site doesn't seem to have been hacked at all. Just some update of the wordpress theme I'm using made a mess with my homepage. Please don't suspend the account again, even if it looks "hacked" for a while, it's not, it's just me trying to fix it, that's all. Thank you very much.

I'm on it, ty.

Well, I'm ready, please unsuspend. Thank you.

Understood. I'll let you know when I'm ready to work on it. Thank you wolstech.

username: sahdes server: Stevie domain: sahdes.heliohost.org / sahdes.org I'm starting a new topic because the first one's been blocked: I'm back home, but the account is already suspended again... Thank you.

weird... now it says just "404"... I'll work on it next week (I'm away right now), please keep it active until then Thank you very much