My Website was Hacked!!!


Posted on August 29th, 2011

Yes! MyScrawls (wordpress blog) was hacked! It all happened last Saturday when I was leisurely browsing my site. I noticed that all the links in my blog (including images) were redirected to some weird website. I was shocked! I tried to google “myscrawls.com”. Unfortunately when I clicked my page (from google results) it took me to the same “weird” website. I understood that somebody had hacked my site!! I was totally worried and confused. I have put my heart and soul in this website! I didn’t want google to penalize my blog for spreading some malware which I was not aware of.

As I sat bewildered not knowing how to proceed further, It occurred to me that I post a query in google Webmaster. Here is the screen shot of my query to which I got a quick solution from a responsible person. Click on the images to see the zoomed text.

Google Webmaster Help Shot1

Google Webmaster Help Shot1

I did notice that my .htaccess file was corrupted! The hackers had included “some code” in the file. I deleted all the hacking code that was added to the .htaccess file. Here is the screen shot of the hacking code that was present in the .htaccess file.

Note: You can find .htaccess file in your root folder. Login into your hosting account to access the file.

Hacked htaccess file shot1

Hacked htaccess file shot1

Hacked htaccess file shot2

Hacked htaccess file shot2

If you go through the hacking code, you can find that all the links to my site (from google, bing, blog, facebook, twitter, flick, etc) was made to redirect to some other website (in the rounded section). After deleting the unwanted code from the .htaccess file, I checked my site. It was working fine! I was happy, but not for long…!

After about an hour I checked to see if everything was working fine. I found that the problem occurred again. I quickly checked .htaccess file. OMG I could see that the hacker had again placed the hacking code (shown above)in the file. That was absurd! Just then I saw another reply in Webmaster for my query regarding hacking of my site. I really thank the person for pointing me the solution.

Google Webmaster Help Shot2

Google Webmaster Help Shot2

Yes! Most of the wordpress sites were hacked. Especially the wordpress sites that uses timthumb.php or thumb.php were hacked. Mine being one among them! Timthumb/thumb.php is used by wordpress for image resizing. The hackers have found this as a back-door to enter into the wordpress site and infect it with their malicious code.

Note: Here are the links that I found really useful in cleaning my site after being hacked. I would like to thank the fellow bloggers for helping us to revamp our site after a malware attack.

I went through the links to find what I should do to stop being hacked. Here are the steps.

STEP 1: I cleaned the .htaccess file and saved it. I also changed its permissions making it read only for the web users

STEP 2: I deleted the file FUNCTIONS_EXTRA.PHP from /wp-content/themes/your theme/ folder. This file had the code given below.

Functions_extra_file

Functions_extra_file

This is one of the back-door script that the hackers use to get into your site. Basically the file FUNCITONS_EXTRA.PHP is used for custom functions.

STEP 3: If your wordpress theme uses timthumb/thumb.php for image resizing, use the latest version of thumb.php You can get the latest code here.

STEP 4: In the latest thumb.php, search for the variable “$ALLOWED_SITES“. This would be an array. Remove all the items in the array (including ‘flickr.com’, ‘picasa.com’ etc). The code snippet should look like this.

Screen shot of Thumb.php file

Screen shot of Thumb.php file

You can find the file Thumb.php in /wb-content/themes/your theme/ folder.

STEP 4: The latest version thumb.php puts an index file in the cache folder that the timthumb/thumb.php uses. Change the permissions of the CACHE folder to read only (by web users).

STEP 5: Change your hosting account password. Make sure to delete all unwanted plugins and try to update wordpress (if possible).

These are the steps that I followed to restore my site (http://www.myscrawls.com) from being hacked. The site is working fine now :) I hope my article would help you in cleaning your site from malware attack. Thanks for stopping by!

Share & Enjoy! -

You may also like:

One Response to “My Website was Hacked!!!”

  1. Abhishesh Pal Says:

    this information is good for any one who fears of website getting hacked… thanks dear

    Reply

Leave a Reply


+ four = ten