Comments on: 8 Steps to clean a hacked WordPress blog http://knowit.co.nz/2010/01/8-steps-to-clean-a-hacked-wordpress-blog Tech, Apple and WordPress Mon, 07 May 2012 23:07:29 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Brett Bumeter http://knowit.co.nz/2010/01/8-steps-to-clean-a-hacked-wordpress-blog/comment-page-1#comment-15768 Brett Bumeter Sun, 13 Nov 2011 02:30:27 +0000 http://knowit.co.nz/?p=3835#comment-15768 Great article, helped me find something a little similar. The article above gave me the idea to download large groups of files from a new client (referred to me after they got hacked so I did not already have a copy of all their files). They had dozens of plugins and half a dozen themes loaded, which made for a very large haystack to investigate. I sampled (download several likely folders) and then ran a find using Dreamweaver on base64 Came up with a some hacked code pointing to an ip in germany all loaded up in the header file. I also found some very strange code (still puzzling over) in the 404.php file. I think this was the payload, but haven't deciphered it yet. From the perspective of clean up, I'll likely nuke all the files on the site and re-install everything fresh. With so many plugin folders, that are just too many other places things can be hidden. I had previously searched the db and it seems to be clean, but I'm going to cleanse that anyway running a WP export/import and check the xml file before uploading it to a fresh install on a new db. This site was running some very very secure settings, one of the best I've seen that was still hacked. The only thing I would have done differently was to run the site through CloudFlare. Site originally had Incapsula which I have no personal experience with but is supposedly similar to Cloudflare maybe more of an emphasis on security rather than speed. Great article, helped me find something a little similar. The article above gave me the idea to download large groups of files from a new client (referred to me after they got hacked so I did not already have a copy of all their files). They had dozens of plugins and half a dozen themes loaded, which made for a very large haystack to investigate.

I sampled (download several likely folders) and then ran a find using Dreamweaver on base64

Came up with a some hacked code pointing to an ip in germany all loaded up in the header file. I also found some very strange code (still puzzling over) in the 404.php file. I think this was the payload, but haven’t deciphered it yet. From the perspective of clean up, I’ll likely nuke all the files on the site and re-install everything fresh. With so many plugin folders, that are just too many other places things can be hidden.

I had previously searched the db and it seems to be clean, but I’m going to cleanse that anyway running a WP export/import and check the xml file before uploading it to a fresh install on a new db.

This site was running some very very secure settings, one of the best I’ve seen that was still hacked. The only thing I would have done differently was to run the site through CloudFlare. Site originally had Incapsula which I have no personal experience with but is supposedly similar to Cloudflare maybe more of an emphasis on security rather than speed.

]]> By: wp-popular.com » Blog Archive » 8 Steps to clean a hacked WordPress blog — KnowIT http://knowit.co.nz/2010/01/8-steps-to-clean-a-hacked-wordpress-blog/comment-page-1#comment-5017 wp-popular.com » Blog Archive » 8 Steps to clean a hacked WordPress blog — KnowIT Fri, 19 Feb 2010 00:22:49 +0000 http://knowit.co.nz/?p=3835#comment-5017 [...] more: 8 Steps to clean a hacked WordPress blog — KnowIT Tags: hack, [...] [...] more: 8 Steps to clean a hacked WordPress blog — KnowIT Tags: hack, [...]

]]>