Site has been hacked

Community Forums Forums General Discussion Site has been hacked

This topic is: not resolved

Tagged: , ,

This topic contains 8 replies, has 5 voices, and was last updated by  Summer 10 months ago.

Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
    Posts
  • #80316

    docstw
    Participant
    Post count: 8

    My site healthyworkplaces.info is hacked because on IE (only, not Firefox or Safari) it is showing with some porn link text and changes to images, etc.

    I have noticed in the source code for the home/index page (healthyworkplaces.info) that there is a section of code that is responsible for this.

    How do I remove this? The home page is the only page in my Genesis design that isn’t listed as a ‘page’ and I don’t know how to make changes to it’s code.

    Thanks. Scott

    http://www.healthyworkplaces.info
    #80318

    songdogtech
    Participant
    Post count: 67

    Hopefully you have a backup of your child theme and any customizations you made to it, because you need to upload fresh copies of all files. Your home page in Enterprise is a template file; download a new copy of it from your account at Studiopress.

    Basically, work your way through these resources and follow all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex.

    Change all hosting and site access passwords. Scan your own PC. Use http://sitecheck.sucuri.net/ before and after. Tell your web host you got hacked, and consider changing to a more secure host: Recommended WordPress Web Hosting


    I’m on WordPress Answers (Stack Exchange) and WordPress.org Support Forums and check my consulting and portfolio site at markkratledge.com

    #80326

    docstw
    Participant
    Post count: 8

    I’m wondering if I can simply create the home page (static) fresh in ‘pages’ area. And then make the new home page active. Any advice please?

    #80359

    Terri
    Participant
    Post count: 30

    Hi Scott,

    Just changing the home page won’t solve the problem. Here’s a great article on how to tell if your WP site (theme and/or plugins) has been hacked, how to resolve the issue, and how to protect your site (at least as best as possible) from future hacks.

    http://www.nutsandboltsmedia.com/how-to-find-out-if-your-wordpress-site-has-been-hacked/

    Terri

    #80365

    docstw
    Participant
    Post count: 8

    Thank you but I have investigated those avenues and I know exactly what I need to change on my homepage (I have done all of the other steps for protection…but that still leaves the same site pages intact and I must the code at the top of my homepage.

    It is the third line of my code that begins:

    </script>
    <style type=”text/css”> dofollow { display: none; }</style><dofollow>
    netmirc

    The ‘netmirc.com’ should not be there, and following this there is a lot of porn linkage (I am not pasting it all here). I just don’t know how to change this part of the page. That’s why I thought changing the page (starting anew) would help. If the security steps are taken, shouldn’t this be the next focus for me?

    Thank you for any more help. I’m surprised it’s taking me so long to figure this one change out. Scott

    #80371

    Summer
    Participant
    Post count: 1105

    Do you have a home.php in your theme folder? That seems like the most likely place that the code was inserted into. Are any of your other templates infected as well?


    #80375

    workky
    Participant
    Post count: 76

    I would do as summer suggested , I had the same thing happen to a friend of mines web site and we looked through all the php files and found the code, deleted it and we were good to go. From that point on I keep a backup once a week, so incase it happens I can just back it up from a good copy


    life’s tough, its a lot tougher if your stupid

    #80445

    docstw
    Participant
    Post count: 8

    Thank you and I think you are both right. I know that on the home/index landing page http://www.healthyworkplaces.info, that is where the problem is.

    So I have looked at the file structure but am totally confused. There are many ‘home.php’ and ‘index.php’ files in the structure. Some are under the ‘themes’ subfolder of my wordpress site, under “enterprise” (my theme) and some are at a higher level, outside/above the themes level (www. or public_html). But I have looked through those and there are hundreds of files and subfolders. I really don’t know where to begin looking. And every one I have opened so far that says ‘home.php’ or ‘index.php’ is instructing WordPress or the theme to do something, and not the actual page I am looking for.

    Any thoughts where this file is specifically in the WordPress file structure?

    Thanks again. You can imagine how worried I am to get this fixed.

    #80466

    Summer
    Participant
    Post count: 1105

    If you are using the Enterprise theme, then the files you are looking for would be in themes/enterprise.

    The file home.php is the code that creates the home page for your site, and the code should be in there. it won’t look exactly like what you’d see in a view source beause all that PHP code generates the HTML you see. Which likely means that they snuck some code into that PHP file, or some code to call it from another file.

    If it’s not in there, also check your functions.php.

    Looking at the page source for your homepage, that code was slammed at the very beginning of your page, before the DOCTYPE declaration, but I don’t see it at the top of any of the other few pages I’ve clicked on. So it has to be in one of the files in your enterprise theme folder. Can you do a search on all the files in that folder for “mirc” or one of the other domains in there? I see about 20 links to questionable sites, most of them with adult entertainment type domain names.


Viewing 9 posts - 1 through 9 (of 9 total)

You must be logged in to reply to this topic.