Wordpress Themes - WP Forum at BFA
Click here to register or to donate.
Auto self-registration is not available here - far too many spammers. This forum has many, many backlinks and because of that there is an intense desire among spammers to drop their links here.

Wordpress Themes - WP Forum at BFA » WordPress Themes » Atahualpa 3 Wordpress theme » New Versions, & Updating »

Help - Recovering from major hack


  #1  
Old Aug 21, 2010, 11:47 AM
mandrakeman1965
 
3 posts · Aug 2010
UK
Hi,

I am hoping someone can help me restore - or upgrade to latest version, the Atahualpa theme.

After a good few hours wrestling with a very annoying hack/virus as per AVG screen grab attached here, an Exploit Script Injection, I seem to have finally stopped it by replacing the Wordpress files - which you could see extra PHP code at the top of the infected files, and also as the theme seemed to be actually kick-starting the hijack, I've had to replace the code via FTP from the original install, but now it's very obviously not working quite right and I can't get into the 'admin log-in dashboard' to update etc!

If I were to get in and auto-update the theme, do i lose everything, as I don't really understand this system? I mean, the lightboxes, pictures, posts etc? I gather the posts are on the server database, so they shouldn't be touched, but the lightboxes, header images??

If someone can help me sort this out, I'm happy to donate. I oddly enough can/do build websites for loads of people but am new to Wordpress, this site being set-up about a year ago. The attacks started a few months back, but updating the plug-ins and Wordpress always seemed to right things until now. You can see the website as it currently is here: www.marinecourtapartment.co.uk
I've attached the log-in screen as it appears to me and the screen beyond it if you input your details and try to log-in.

I'm now very keen to get rid of this stupid hack and get the site functioning cleanly again and hopefully avoid this happening again, so all help very very much appreciated. Plus, any advice on how to avoid it happening again.

Thanks
Chris

p.s. i didn't really describe what was happening: If you could get onto the site, you could see by the status bar the a website 'dudecars' or something was madly trying to do something, but more often, you couldn't get to the site, or log-in screen, you'd be taken to a site pretending to be a windows folder that was 'scanning' for virus problems... may the bastards who wreck peoples hard work rot!
Attached Thumbnails
Click image for larger version

Name:	avg.jpg
Views:	522
Size:	106.4 KB
ID:	692  Click image for larger version

Name:	wp.jpg
Views:	527
Size:	192.7 KB
ID:	693  Click image for larger version

Name:	current login screen.jpg
Views:	377
Size:	154.3 KB
ID:	694  Click image for larger version

Name:	if you try to login.jpg
Views:	370
Size:	175.4 KB
ID:	695  
  #2  
Old Aug 21, 2010, 01:25 PM
lmilesw's Avatar
lmilesw
 
10,174 posts · Jul 2009
Central New York State USA
What version of Atahualpa and WordPress? Can you login to the dashboard? Do you have a database backup?

I would not auto upgrade Atahualpa. I would instead upload Atahualpa 3.5.3 into it's own folder. If you unzip the 3.5.3 from wordpress.bytesforall.com and unzip it you will have a folder called atahualpa353. Just upload that folder into the same place the atahualpa folder is now. You can then switch to this theme to see if it fixes the layout. If it does you will have to move an theme images to the new theme folders. Those are header images, favicons, etc.

Here is a link to the complete instructions for a manual upgrade of the theme.

You also might try "reinstalling" WordPress using the Re-install Automatically button for WordPress.
__________________
~Larry (CNY Web Designs)
This site should be a membership site since it so full of good stuff.
Please consider donating which gives you access to even more good stuff.
  #3  
Old Aug 22, 2010, 04:42 AM
mandrakeman1965
 
3 posts · Aug 2010
UK
Hi,

I can't get into the dashboard at present, as per attached images on previous post.
Wordpress was up-to-date as of a few days back. Atahualpa was version 3.4 from getting on for a year ago, i must admit it was the only thing i didn't update as i wasn't sure if i did an auto update i'd lose everything.

Thanks

Chris
  #4  
Old Aug 22, 2010, 05:22 AM
juggledad's Avatar
juggledad
 
23,571 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
You need to check (and probably replace) every theme file, and every plugin file in addition to all the wordpress files.
If you look at the code you should see garbage at the begining
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
  #5  
Old Aug 22, 2010, 07:31 AM
paulae's Avatar
paulae
 
1,333 posts · Feb 2009
Wordpress 3.4.1, Atahualpa 3.7.7
It looks like the lightbox2 plugin is causing some problems. I'd disable or delete that one. You can delete it via FTP if you can't login. See if you can then login to your dashboard.

Is the path shown in the screen captures the correct one?

Your posts and images uploaded via the dashboard media library should be fine, nestled within the database. The only files you'll need to handle again are the ones used by the theme, primarily the /images/header files. If you have them on your hard drive, just FTP them into the new /images/header folder once you have uploaded atahualapa353. Or put them in before you upload them, first removing the default images.
  #6  
Old Aug 22, 2010, 09:16 AM
lucy
 
60 posts · Aug 2009
Grayson County, TX
I am sorry this happened to you. Did you ask your web host if they can restore your site to before the hack? One time I royally messed up my site and I was surprised that they were able to do that easily.
  #7  
Old Aug 22, 2010, 09:44 AM
paulae's Avatar
paulae
 
1,333 posts · Feb 2009
Wordpress 3.4.1, Atahualpa 3.7.7
The site seems to be operating OK now. Was this really a hack? The AVG notice says the script was blocked. Has anybody read anything about WP 3.0.1 being vulnerable to hacks yet?
  #8  
Old Aug 22, 2010, 03:57 PM
mandrakeman1965
 
3 posts · Aug 2010
UK
Hi,

Thanks for all the advice here. In the end I updated everything manually through FTP. Wordpress, Atahualpa and finally the plug-ins, as it seems Lighbox was also corrupted. All seems to be operating ok at present.

Is there anyway to prevent hacks in the future, or is it a case of facing this every so often??

It seems my database is still set to WP_ which according to that exploit scanner is bad, so any tips on changing that and any other things to make the site more hack proof are very welcome.

Thanks to everyone who took time to post here, i really do appreciate the support.

Best
Chris
  #9  
Old Aug 22, 2010, 07:52 PM
juggledad's Avatar
juggledad
 
23,571 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
First thing you should do is change all your passwords wordpress/ftp/host all of them.
do a google search of 'hardening wordpress' and 'wordpress hacked' and read and institute some of the suggestions.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support

Bookmarks

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes


Similar Threads
Thread Thread Starter Forum Replies Last Post
Testing new thread, question about hack paulae Atahualpa 3 Wordpress theme 1 May 18, 2010 02:45 PM
Major SEO Problem kesbo Atahualpa 3 Wordpress theme 10 May 10, 2010 06:00 AM
admin-ajax-php hack? CHi106 Atahualpa 3 Wordpress theme 0 May 16, 2009 06:01 PM
A hack to align page navigation menu to center araneum Page & Category Menu Bars 8 Apr 9, 2009 08:48 PM


All times are GMT -6. The time now is 03:27 AM.


Powered by vBulletin® Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.