Been Hacked! Need Help!

[Gerry]

Example of hacked site/page:

ceuq dot com/KinG.htm

This is appearing on other sites of mine.

Is this something that had been set in the themes downloaded? Is it in the server?

I need to get rid of these.

Any help is widely appreciated.

 

[Johnn]

There are some free themes from WP would trigger the hack too. Do you rent the dedicated server or VPS or just suscribe to hosting plan?

PM me the info if you don't want to post here.

 

[Bill F.]

Download all the site files, and then search through them. First, for the obvious (what you can see), and then for altered php code (more difficult, and look for anything encrypted). And, of course, change your passwords - not just on this site, but on all sites.
Besides the themes, plug-ins can carry hacks, but they are usually less obvious than this one, and place spam links on your site.
Did you visit your hacker's Facebook page. Very generous of him to leave a calling card.

 

[Johnn]

I would not recommend to download them to your PC.
Use Cpanel and check all the files and FOLDERS - The recent date should tell you what files/folders have been recently created/uploaded.

Agreed on changing the passwords.

Download all the site files, and then search through them. First, for the obvious (what you can see), and then for altered php code (more difficult, and look for anything encrypted). And, of course, change your passwords - not just on this site, but on all sites.
Besides the themes, plug-ins can carry hacks, but they are usually less obvious than this one, and place spam links on your site.
Did you visit your hacker's Facebook page. Very generous of him to leave a calling card.

 

[Shane]

Gerry I had the same problem a month of two ago. It's probably a security issue with one of your wordpress plugins. I was actually unable to removed the files so I had to wipe the entire server and start from scratch.

 

[whitebark]

There are other sites on your same shared hosting that are hosting nasties like JS/Obfuscus.AACB that don't appear to be your websites so it very well may be the entire account.

Whats lunar pages got to say about it?

 

[chipmeade]

Look for hacked php commands in your wp folders. It is a big pain in the ass. You will need to check all the sites that you are hosting on that server. Not only on one affected.

 

[copper]

I had those before :uhoh:
Perhaps you need to spend some time hardening your wordpress sites?

 

[Gerry]

Lunar Pages is the host, shared hosting. I am not going to like this at all. I am taking three classes and barely have time for them.

Pissy situation.

 

[Gerry]

I had those before :uhoh:

I saw your siggy. So what do you think of your fellow countryman Psy?

Outrageous fun.

 

[vinsdomains.com]

Happened to me a couple months back and it was a number of php files that were altered. While the edit dates on the files made it clear which were touched, I decided to use my hosts backups and delete/reinstall all from the day before my hack. Crazy thing was it was over a dozen of my sites at once and I do suspect it was a plugin that let him in. I must say, I felt violated! Anyway, best of luck and back up often, including databases!

 

[Gerry]

Crazy thing was it was over a dozen of my sites at once and I do suspect it was a plugin that let him in.

That is exactly what is going on.

Thanks for the advice, everyone. I may need some hand holding to walk me through the steps.

 

[Gerry]

Okay, it appears NOT to be in the Server or cPanel of my host.

TroutFish dot org was a site project loaded but not developed yet. The page TroutFish dot org/KinG.htm does not exist.

The same is true for eComputes.com. No page extension like that exists as nothing has been done.

So it must be a malicious file in an add-on or actually embedded in some themes I've been using.

 

[katherine]

Probably a vulnerable wordpress plugin. Make sure is everything is up to date.
And restore from a backup perhaps. A backdoor might be left somewhere.

 

[Gerry]

Probably a vulnerable wordpress plugin. Make sure is everything is up to date.
And restore from a backup perhaps. A backdoor might be left somewhere.

I do have a couple of sites with minimal plugins. I'll delete to see if the KinG.htm page disappears.

I am also suspicious of some of the themes I use being free. To be quite honest, that is where my strongest suspicion is.

 

[Makis77]

#

 

[Gerry]

After hours of looking inside templates for the files, I finally found the attachment.

I was wrong. It is installed in the cPanel. I have no idea how these installs got there but I have notified LunarPages. I had checked cPanel previously but never saw the file until I doublechecked again.

Okay, several hours wasted that I should have dedicated to studying.

Larger image:

 

[Johnn]

I would not recommend to download them to your PC.
Use Cpanel and check all the files and FOLDERS - The recent date should tell you what files/folders have been recently created/uploaded.

Agreed on changing the passwords.

I thought I said you want to check the Cpanel?

 

[Gerry]

I thought I said you want to check the Cpanel?

You did. And I did. And I was looking at the wrong place, in the wrong files.

 

[EM @MAJ.com]

Hi Gerry,
How things going for you?

Hope your site is back up.