What Dave said. And so sorry to hear. It is such a pain. Your site still attempts to install dodgy crap on my computer. I managed to stop it but I am still busy cleaning up. Take it down, restore it from backup, apply all available patches and all lessons learned. Best of luck Ecke
2010/4/22 David Mann <dm...@bluemoon.net.nz>: > On Apr 22, 2010, at 6:14 PM, Miserere wrote: > >> Yeah, still not fixed. I'm giving up for now; I've spent 6 straight >> hours trying to figure this out and can't find that last damn script. >> I've left a message on the WP forum and hopefully someone will have >> replied by tomorrow. > > I've had to repair hacked sites for customers at work on a few occasions. > > The hard news is this: deleting EVERYTHING is the only way to be 100% sure. > Everything, including the database. Nuke it from orbit then restore from > backup. I hope you have a good backup, but I suspect the 6 hours you've > spent so far is a horrible lesson as to why you should have one. > > As for how they got in (which would be helpful to know if you plan to prevent > a recurrence), it could be any of: > - Wordpress core > - The theme > - Any one of the plugins you've installed > There are more potential places but those are by far the most likely. > > Most hacking is automated so it's likely that a dodgy bit of javascript or > php code has been simply appended into one or more template files. Bear in > mind it could be anything that puts content on the page which includes things > like sidebar plugins so switching these off may help you isolate the problem. > Maybe try switching to a different template; if the problem goes away then > you could delete and reinstall your normal one. When you delete it make damn > well sure its entire folder is gone before you reinstall. > > Last year I saw an old (out of date) Joomla site get hacked via an > SQL-injection hole in one of its extensions. The hacker had found the site > using an inurl: search in Google, looking for that particular extension which > was an events calendar, I think (another good reason to switch on > search-engine-friendly URLs). > > The popular CMS teams tend to be pretty good at keeping on top of security > but the same can't be said for some of the third-party developers, nor > webmasters who don't always keep their sites up to date due to a lack of > time, motivation, knowledge or budget. > > We actually managed to clean that site up without too much trouble but only > because we have shell access to the server so once we knew what to look for > we could run a bunch of searches to find affected files. Restoring from > backup was out of the question in that case due to the historical hackage. > After that we upgraded the core CMS. Any extension we couldn't upgrade or > find modern replacements for, we removed. > > Cheers, > Dave > -- > PDML Pentax-Discuss Mail List > PDML@pdml.net > http://pdml.net/mailman/listinfo/pdml_pdml.net > to UNSUBSCRIBE from the PDML, please visit the link directly above and follow > the directions. > -- PDML Pentax-Discuss Mail List PDML@pdml.net http://pdml.net/mailman/listinfo/pdml_pdml.net to UNSUBSCRIBE from the PDML, please visit the link directly above and follow the directions.
