Even when everything seems right..

So I was looking at a client website that seemed to be running without any problems.

The first thing I noticed was that on Google the site had the wrong description and cache. I quickly went into Google Webmasters Tools to re-index the site, a caching issue I thought! Boy was I wrong.

It turns out the site had been hacked so that the normal user couldn’t see anything wrong but Google sees a bunch of spammy keywords.

We found a php5.php in the root directory of WordPress and the index.php had been modified to contain:

if (is_file('php5.php')) @include('php5.php');

So even when everthing looks right you might be in trouble. Hopefully I will still be here to help šŸ™‚

Advertisements

6 thoughts on “Even when everything seems right..

  1. I ran into the same issue with a site I maintain, and this particular hack has happened to us twice. I changed the FTP passwords, had all of the users change their passwords, and yet it happened again. Any ideas on how someone can upload these files to my server?

  2. Any idea how hackers can get in with this? I’ve changed FTP passwords, MySQL passwords, had every user change their passwords — and yet this has happened to me TWICE.

    • My hosting environment is shared, and this has happened twice.

      The file permissions of index.php in the root are 644 — but the hack still happened. What other permissions will prevent the php5.php file from being inserted into the root?

  3. I’ve got exactly the same and yep, it’s now happened to me twice!! I’ve still got the hack on my server as I’m trying to find out where the source might have come from and how they might have got in. We are on a shared host but it’s a small host and we’re the only wordpress site on that host. Also, you can’t access the MySQL but from a small range of IP’s and I also changed all passwords!

    I did notice though that on Saturday night there was a huge influx of contact forms being filled in through some form of script so I’m not sure if they did it through an overflow attack of some kind.

    Any help would be greatly appreciated, lets try and stop these Neanderthals!

    Thanks!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s