Posts posted by sahdes

  1. Done. Meanwhile (before you renamed aa.php), on an automatic scan wordfence had found this

     

    [sep 01 22:35:46] Adding issue: File appears to be malicious: wp-content/aa.php
    [sep 01 22:35:46] Adding issue: File appears to be malicious: wp-content/isis.php
    So it's effective, it was me that missed the alerts. Sorry about that, henceforth I'll be on guard.

     

    Both deleted, a new scan produced

     

    Congratulations! No security problems were detected by Wordfence.

     

    So all should be OK. Thank you very much.

  2. Sorry, a clarification: I didn't try, I just updated WP and everything looked ok, my bad. This time I will.

     

    I've run this site for years and nothing like this had ever happened.

     

    UPDATE: I've found a backup from a year ago. If I fail to clean the site as it's now, I'll just restore that one.

  3. (Sorry for my bad English.) If you can, just please give me a couple of hours to try to get the site clean, without losing years of posts. I have the Wordfence plugin, which is pretty good at that. I have to use WP because it's for a non-profit NGO blog; I have to rely on some platform that allows the team to post stuff without depending on me. But I always keep it updated, with just a few well-known plugins and this Wordfence to keep it secured. I don't know what happened. If I don't manage to clean it at first, I will erase everything. Let me know if that's possible.

  4. Thank you for your information. As you said, the site's heavily hacked, down again, and having changed the passwords was useless, I've even lost access to my CP.

     

    Now, when I try to reset the password it doesn't work. I receive the mail, enter the code, and nothing happens; it keeps asking for the code. The direct link doesn't work either. What can be done?

  5. I know, and I've installed Wordfence to avoid those issues. But it's weird. This time, everything within WP was intact, they just changed index.php, and it doesn't seem to have been done through the WP editor, as if they had gained access to my CP and replaced it there...

  6. I installed wp by softaculous. I have no idea how that file got there. The site may have been hacked, it already happened once, some months ago.

     

    I did all those scans to make sure that wp-admin/config.php was the only infection. The plugin I installed (Wordfence) detected the malicious code, indicated that it wasn't an actual WP file, and deleted it; and said that everything else was just OK.

     

    Thanks for your advice.

  7. Well, I scanned the full backup with antivirus (nothing) and anti malwares (nothing), the site itself with online scanners (nothing), and with a WP security plugin that just found a file with a line of malicious code, so I deleted that file. And I've changed all the passwords.

     

    Please let me know if now it's clean. Thank you.

  8. Wolstech, I've found a homedir backup dated 01/03/14, in which not only is there no index.php in the "images" folder, but there is no such folder at all.

     

    In this "images" folder there is a .js file that contains, hello!, some Russian URL...

     

    So, I'm going to make a clean break and restore my home from that backup. I think that's the thing to do.

  9. I'm using the latest version of WP; all themes & plugins are only from the WP official repository, and all up to date.

     

    I made a full backup and scanned the whole site with antivirus, plus many anti-malware tools; nothing was found, not even in the file you told me about.

     

    Then I scanned the site with 3 online malware URL scanners:

     

    https://www.virustotal.com/es-ar/url/6dcdc3d20a987b5a6a2816bfee832d84e3a79b72a6deb2ea8009103a7bdbfb37/analysis/

    http://app.webinspector.com/public/reports/20289098?cache=true

    http://www.quttera.com/detailed_report/sahdes.org

     

    Nothing wrong.

     

    Anyway, then I removed /public_html/wp-content/images/index.php (I don't know how it's gonna affect the site; so far all seems to be ok).

    Please let me know if now it's clean.

     

    But, I wonder... couldn't it have been just a false positive?

  10. username: sahdes

    server: Stevie

    domain: sahdes.heliohost.org / sahdes.org

     

    I'm starting a new topic because the first one's been blocked:

     

    wolstech

    Rank VI Member

    Posted 14 February 2014 - 07:58 PM

    It says you were suspended because your site was hacked...first time I've seen that as the reason. Be sure to clean up the hack quickly and get it back in order so it doesn't get suspended again.

     

    Your account has been unsuspended.

     

    sahdes

    Posted 14 February 2014 - 10:37 PM

    I'll work on it next week (I'm away right now), please keep it active until then

     

     

    I'm back home, but the account is already suspended again... Thank you.
