Hi,

I am hoping someone can help me restore - or upgrade to latest version, the Atahualpa theme.

After a good few hours wrestling with a very annoying hack/virus as per AVG screen grab attached here, an Exploit Script Injection, I seem to have finally stopped it by replacing the Wordpress files - which you could see extra PHP code at the top of the infected files, and also as the theme seemed to be actually kick-starting the hijack, I've had to replace the code via FTP from the original install, but now it's very obviously not working quite right and I can't get into the 'admin log-in dashboard' to update etc!

If I were to get in and auto-update the theme, do i lose everything, as I don't really understand this system? I mean, the lightboxes, pictures, posts etc? I gather the posts are on the server database, so they shouldn't be touched, but the lightboxes, header images??

If someone can help me sort this out, I'm happy to donate. I oddly enough can/do build websites for loads of people but am new to Wordpress, this site being set-up about a year ago. The attacks started a few months back, but updating the plug-ins and Wordpress always seemed to right things until now. You can see the website as it currently is here: www.marinecourtapartment.co.uk
I've attached the log-in screen as it appears to me and the screen beyond it if you input your details and try to log-in.

I'm now very keen to get rid of this stupid hack and get the site functioning cleanly again and hopefully avoid this happening again, so all help very very much appreciated. Plus, any advice on how to avoid it happening again.

Thanks
Chris

p.s. i didn't really describe what was happening: If you could get onto the site, you could see by the status bar the a website 'dudecars' or something was madly trying to do something, but more often, you couldn't get to the site, or log-in screen, you'd be taken to a site pretending to be a windows folder that was 'scanning' for virus problems... may the bastards who wreck peoples hard work rot!

What version of Atahualpa and WordPress? Can you login to the dashboard? Do you have a database backup?

I would not auto upgrade Atahualpa. I would instead upload Atahualpa 3.5.3 into it's own folder. If you unzip the 3.5.3 from wordpress.bytesforall.com and unzip it you will have a folder called atahualpa353. Just upload that folder into the same place the atahualpa folder is now. You can then switch to this theme to see if it fixes the layout. If it does you will have to move an theme images to the new theme folders. Those are header images, favicons, etc.

Here is a link to the complete instructions for a manual upgrade of the theme.

You also might try "reinstalling" WordPress using the Re-install Automatically button for WordPress.

Hi,

I can't get into the dashboard at present, as per attached images on previous post.
Wordpress was up-to-date as of a few days back. Atahualpa was version 3.4 from getting on for a year ago, i must admit it was the only thing i didn't update as i wasn't sure if i did an auto update i'd lose everything.

Thanks

Chris

You need to check (and probably replace) every theme file, and every plugin file in addition to all the wordpress files.
If you look at the code you should see garbage at the begining

It looks like the lightbox2 plugin is causing some problems. I'd disable or delete that one. You can delete it via FTP if you can't login. See if you can then login to your dashboard.

Is the path shown in the screen captures the correct one?

Your posts and images uploaded via the dashboard media library should be fine, nestled within the database. The only files you'll need to handle again are the ones used by the theme, primarily the /images/header files. If you have them on your hard drive, just FTP them into the new /images/header folder once you have uploaded atahualapa353. Or put them in before you upload them, first removing the default images.

I am sorry this happened to you. Did you ask your web host if they can restore your site to before the hack? One time I royally messed up my site and I was surprised that they were able to do that easily.

The site seems to be operating OK now. Was this really a hack? The AVG notice says the script was blocked. Has anybody read anything about WP 3.0.1 being vulnerable to hacks yet?

Hi,

Thanks for all the advice here. In the end I updated everything manually through FTP. Wordpress, Atahualpa and finally the plug-ins, as it seems Lighbox was also corrupted. All seems to be operating ok at present.

Is there anyway to prevent hacks in the future, or is it a case of facing this every so often??

It seems my database is still set to WP_ which according to that exploit scanner is bad, so any tips on changing that and any other things to make the site more hack proof are very welcome.

Thanks to everyone who took time to post here, i really do appreciate the support.

Best
Chris

First thing you should do is change all your passwords wordpress/ftp/host all of them.
do a google search of 'hardening wordpress' and 'wordpress hacked' and read and institute some of the suggestions.