My site got hacked - please help
 

My site got hacked and it is looks like i am unable to get into the dashboard with this URL:
www.blueginger.com.au/wp-admin

Is there another way to get to the dashboard? This is the first time i have been hacked so any help/info would be much appreciated.

look at the site and see if there is a 'index.html' file in the wordpress root - if so, rename it to index.old and see if you can get in.

I would change all FTP passwords for your site and the cPanel password
Next I would use FTP to manually reinstall a copy of ALL the wordpress files except the wp-contents folder

I would then go thru the wp-contents folder and replace every plug in and install a fresh copy of Atahualpa (save your header images first)

That would be my starting point. -

Do you have a database backup?

I have a version of the site at www.blueginger.judyly.com.au
Would it be possible for the URL to be redirected to here while i work on the real site?

you can create a file and put this in it
then put it in the wordpress root older and call it 'index.html'

if it doesn't work, rename 'index.php' to 'index old.php' and see if it works then

p.s. you must have mis-spelled the URL since it gets a 'not found'

Thank you so much - It works now. The above link is supposed to be www.blueginger.judyly.com

I have gone to www.barasia.com.au though and Firefox says that the site is deemed as an attack page and so it blocked me from viewing it. Both blueginger.com.au and barasia.com.au have the same web host. Do you think this site got hacked into as well?

I would suspect that it was hacked as well. Do a google search with 'wordpress what to do if your site is hacked' and read up on what you should be doing.

This is a painful thing and I wish you luck in getting it corrected. You should contact your host to see if anyone else was hacked and see what they can do to help you

I'd agree the de-hacking is not fun, but not too hard. See blog post here: http://digitalchoke.com/digitalchokeblog/?p=415 on what I did to fix a couple of sites that got hacked with the tim-thumb hack (in one case, it was the 'Related Posts" plugin that was the entry point).

If you have mutliple sites on your host, then you need to check all of the content/sites.

Once you can get into the Admin dashboard, do a re-install of the latest WP version to fix any related problems. Then do the other things in my post.

Good luck! ....Rick...

Thanks for the information.

Am i able to fix barasia.com.au with the information provided in this thread for blueginger.com.au?
If so, I am trying to get into the dashbord by looking for index.html at the wordpress root but am not able to find it. I then renamed index.php to index.old and it still didnt work.

I have a copy of the website at www.barasia.judyly.com
Because i have a copy, should i replace all the wordpress files with the ones in this copy?

I have created the html file at the root wordpress directory so it directs to www.barasia.judyly.com
I tried replacing the wp-config.php and index.php files with the ones at the copy site (barasia.judyly.com) but it came up with "error establishing a database connection" page. I realised that i need to replace the database information with the same one at the real website. I did that but the site still came up with "error establishing a database connection". Am i doing this right? Am i going along the right direction?

If you can't get into a site because the theme is messed up, you can rename the index.php IN THE THEME FOLDER.

There should be no index.html in the wordpress root folder, but there is an index.php - this is what starts wordpress

wp-config.php contains the
database name
the database user and password
If you copy an wp-config.php from one site to another, you must make sure you have changed these three items to pint at the new database and user.

Thanks for the information, Juggledad.

I have used your html code to produce an index.html to direct it to the copy site for now.

When i try to go into:
www.barasia.com.au/wp-admin
It comes up with "Error establishing a database connection" page.

I have replaced the database information (database name, user name and password) in the wp-config.php to the same info at the host server, so i am puzzled as to why the error is coming up.

this means that the database name, userid or password is wrong

Hi Juggledad,

with www.barasia.com.au:
The error message doesnt appear anymore, so I think i have fixed the database issue. I have gone to the copy site and exported the database. Then i emptied the one on the live host and imported it into there.

When i go into www.barasia.com.au/wp-admin i get the attack page warning, but when i choose to ignore it i can see the Wordpress log in page. I am now however unsuccessful in logging in with the password.

I have tried the instructions at this page:

http://codex.wordpress.org/Resetting_Your_Password

I have tried the myphpadmin way, ftp way and automatic emailer (i dont get an email to retrieve the password in my email) and have been unsuccessful. I dont want to use the last option (Emergency password reset script) because it sounds like i may not be at the techinical level to fix it, if it stuffs up.

I think with your redirect html file you suggested it is still going to the copy site so i can buy some time to fix this.

Im not quite sure what to do now. Are you able to help at this stage? Many thanks.

www.barasia.com.au still pops up the warning for me but if I ignore it I go to http://barasia.judyly.com

If you have exported barasia.judyly.com and plan on importing it to www.barasia.com.au you will run into an issue because once you do the import, the site will be barasia.judyly.com not www.barasia.com.au (all the internal links etc.

When moving an export from one domain name to another there a couple things that must be done. There is a writeup in the WordPress documentation that explains this. Before proceeding, you really need to find it, read it and understand it.

If this is over your head, you really should hire someone to do it for you.

Hi Juggledad,
For the mean time i have created the html file you gave me to redirect to www.barasia.judyly.com. The html file is there and it seemed to redirect on the night i created it. Now it seems to show the attack page again. Do you know why it is doing this and is there a way around it so i can get the redirected site to show while this is being fixed?

I have followed your instructions to replace all the Wordpress files via FTP. I have exported the database from barasia.judyly.com, opened it in Textedit and renamed all the links from www.barasia.judyly.com to www.barasia.com.au. At barasia.com.au i have deleted the old database and created a new one and uploaded the new one, then gone into wp-config.php and updated the database details. With this done i am now able to access the dashboard, but the page still says it is an attack page. Any ideas on what to do from here? I do have some knowledge of getting around. Thanks a million.

well if you have cleaned everything up, did you read the 'attack' page and follow the directions google tells you about?