hacked wp site?

  • hans_glib

    My daughter (gawd love her) has decided to resurrect her blog from a year ago... but when she looked at the site she found it has been hijacked by some vampire mmorpg game!

    I dug through our records and went back to 123-reg to see if there was any clue there, and got some message about it being so long since we had logged in they'd disabled some site features but these would now be re-enabled. The nameservers were pointing back to 123-reg, whereas the site itself was (and still is) hosted at 000webhost.

    I've repointed the nameservers from 123-reg to 000webhost as specified by webhost but as yet the parasite site is still there. The original blog files all seem to be intact.

    What has happened? I'm totally out of my depth when it comes to all this DNS / A record shit and before I get stuck in the hurt loop of 123-reg and 000webhost helplines I wondered if one of you experts might be able to point me in the right direction.

    Ta ever so...

  • hans_glib0

    Oh yes I should add that I found the
    @ A
    www A
    IP addresses were for this MMO, and have just changed them to the IP that webhost specify. Is this enough?

  • meffid0

    "I’ve sent you a photo of the team to include in the brochure. Rob, the guy on the right, is wearing a horrible sweater though—can you just rub his sweater out in photoshop? And if he’s not wearing anything underneath, could you paint him a nice shirt?"

  • section_0140

    WP is a big target for hackers. Obviously, there was a hole in the site that has probably been patched by a newer version. Just make sure it's up to date and you should be ok.

  • comicsans0

    WP is OK if you are aware of its security issues, configure it appropriately and stay patched. If you're not prepared to do this, then you will get hacked.

    The altered DNS records may point to a wider problem, who held them?

  • SunSunSun0

  • Melanie0

    I just had one of my wordpress sites hacked too, and even though I deleted my site and reloaded a clean version, it was still pointing to the hack site... on further investigation I found that they had altered my httpaccess files and rerouted it to their site. Check your server for sometimes invisible files as well. - Your hosting company will do this for you if you ask them really nicely. :)
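An added example, not part of any post in this thread: one way to check a downloaded copy of the site for the altered, hidden `.htaccess` files Melanie describes. It assumes Apache-style redirect directives; the hostnames and the sample rule are constructed placeholders.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Apache directives that can send visitors to another site (mod_alias, mod_rewrite).
DIRECTIVE = re.compile(r"^\s*(Redirect\w*|RewriteRule)\b(.*)$", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"'\]]+", re.IGNORECASE)

# Constructed sample: the stock WordPress rule followed by an injected redirect.
SAMPLE = """# BEGIN WordPress
RewriteEngine On
RewriteRule . /index.php [L]
# END WordPress
RewriteRule ^(.*)$ http://redirect.example.net/in.php?u=$1 [R=302,L]
"""

def external_redirects(text, own_hosts):
    """Return (line_no, directive, host) for redirects to hosts not in own_hosts (lowercase)."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # comments and RewriteCond lines do not match
        urls = URL.findall(m.group(2)) if m else []
        for url in urls:
            host = (urlparse(url).hostname or "").lower()
            if host and host not in own_hosts:
                hits.append((no, m.group(1), host))
    return hits

def scan_site(root, own_hosts):
    """Check every .htaccess under root; os.walk also descends into dot-directories."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings[os.path.relpath(path, root)] = external_redirects(fh.read(), own_hosts)
    return {p: h for p, h in findings.items() if h}  # keep only files with hits

def demo():
    with tempfile.TemporaryDirectory() as root:
        hidden = os.path.join(root, "wp-content", ".cache")
        os.makedirs(hidden)
        with open(os.path.join(hidden, ".htaccess"), "w") as fh:
            fh.write(SAMPLE)
        return scan_site(root, {"blog.example.org"})

if __name__ == "__main__": print(demo())
```

Point `scan_site` at the real download and pass the blog's own hostnames; anything it reports is a redirect to a host you did not list and is worth reading by hand.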

  • mantrakid0

    it honestly sounds like it wasn't wordpress but the domain that was hacked... or maybe it had expired at some point and they set it to point to just some spam bullshit so they could make $ on the ads while it sat there... If wordpress itself was hacked, it wouldn't have much to do with the DNS and shit, just the file system within wordpress and 8/10 you can recover from the hack by either installing the latest version over top the wordpress files or else just re-installing the current files over the wordpress files. I'm talking the stuff that shows up in the root, the wp-includes, and wp-admin area. Usually there are no actual wordpress 'core' files running in the wp-content folder, but that's where your theme and shit is, so if the theme was hacked you will have to either restore from a previous unhacked version, or else manually strip out any offending javascripts etc that have been injected into the theme files.

    Once you have a fresh re-install of the core wordpress system, IMMEDIATELY get a plugin called "Firewall 2". If you search for it on the Wordpress.org site you'll see it at the top of the list. Install that shit as it blocks a LOT of attempted Database injection & directory traversal attacks that are the main way a wordpress site could get compromised, aside from being on a shitty shared host that doesn't protect their shit.

    Once you have that plugin in, clean wordpress install, clean theme files, changed passwords, changed mysql passwords, changed ftp passwords, you are breathing a lot easier...

    Let me know if you need a hand, I would be willing to help for a small fee.

    • gotta pee. (mantrakid)
    • yes that's pretty much what I have done and it's all good now. cheers (hans_glib)