Yes! MyScrawls (WordPress blog) was hacked! It all happened last Saturday when I was leisurely browsing my site. I noticed that all the links in my blog (including images) were redirected to some weird website. I was shocked! I tried to google “myscrawls.com”. Unfortunately, when I clicked my page (from the Google results) it took me to the same “weird” website. I understood that somebody had hacked my site!! I was totally worried and confused. I have put my heart and soul into this website! I didn’t want Google to penalize my blog for spreading some malware which I was not aware of.
As I sat bewildered, not knowing how to proceed further, it occurred to me to post a query in Google Webmaster. Here is the screenshot of my query, to which I got a quick solution from a responsible person.
I did notice that my .htaccess file was corrupted! The hackers had included “some code” in the file. I deleted all the hacking code that was added to the .htaccess file. Here is the screen shot of the hacking code that was present in the .htaccess file.
Note: You can find the .htaccess file in your root folder. Log in to your hosting account to access the file.
If you go through the hacking code, you can find that all the links to my site (from Google, Bing, blog, Facebook, Twitter, Flickr, etc.) were made to redirect to some other website (in the rounded section). After deleting the unwanted code from the .htaccess file, I checked my site. It was working fine! I was happy, but not for long…!
After about an hour I checked to see if everything was working fine. I found that the problem had occurred again. I quickly checked the .htaccess file. OMG, I could see that the hacker had again placed the hacking code (shown above) in the file. That was absurd! Just then I saw another reply in Webmaster to my query regarding the hacking of my site. I really thank the person for pointing me to the solution.
Yes! Most of the WordPress sites were hacked. Especially the WordPress sites that use timthumb.php or thumb.php were hacked. Mine being one among them! Timthumb/thumb.php is used by WordPress for image resizing. The hackers have found this as a back-door to enter into the WordPress site and infect it with their malicious code.
Note: Here are the links that I found really useful in cleaning my site after being hacked. I would like to thank the fellow bloggers for helping us to revamp our site after a malware attack.
- http://redleg-redleg.blogspot.com/p/example-of-backdoor-script.html (website marked in the picture above)
I went through the links to find what I should do to stop being hacked. Here are the steps.
STEP 1: I cleaned the .htaccess file and saved it. I also changed its permissions, making it read only for the web users.
STEP 2: I deleted the file FUNCTIONS_EXTRA.PHP from /wp-content/themes/your theme/ folder. This file had the code given below.
This is one of the back-door scripts that the hackers use to get into your site. Basically the file FUNCTIONS_EXTRA.PHP is used for custom functions.
STEP 3: If your WordPress theme uses timthumb/thumb.php for image resizing, use the latest version of thumb.php. You can get the latest code here.
STEP 4: In the latest thumb.php, search for the variable “$ALLOWED_SITES”. This would be an array. Remove all the items in the array (including ‘flickr.com’, ‘picasa.com’ etc). The code snippet should look like this.
You can find the file thumb.php in /wp-content/themes/your theme/ folder.
STEP 5: The latest version of thumb.php puts an index file in the cache folder that timthumb/thumb.php uses. Change the permissions of the CACHE folder to read only (by web users).
STEP 6: Change your hosting account password. Make sure to delete all unwanted plugins and try to update WordPress (if possible).
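The checks in the steps above can be re-run after clean-up with a small audit script. This is an added example, not code from the original post: it assumes the injected .htaccess code was a referrer-conditioned RewriteRule (the screenshot is not reproduced here), and the function names, sample rule and example.invalid host are constructed.

```python
import re
import stat
from pathlib import Path

# Constructed sample; example.invalid stands in for the attacker's site.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*(google|bing|facebook|twitter).* [NC]
RewriteRule ^(.*)$ http://example.invalid/ [R=301,L]
"""
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
EXTERNAL_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I)
ALLOWED_SITES = re.compile(r"\$ALLOWED_SITES\s*=\s*array\s*\((.*?)\)\s*;", re.I | re.S)

def htaccess_redirects(text):
    """Return RewriteRules that send referred visitors to an external URL (assumed pattern)."""
    hits, guarded = [], False
    for line in text.splitlines():
        if REFERER_COND.match(line):
            guarded = True
        elif line.strip() and not re.match(r"\s*RewriteCond\b", line, re.I):
            if guarded and EXTERNAL_RULE.match(line):
                hits.append(line.strip())
            guarded = False  # any rule or other directive ends the condition chain
    return hits

def world_writable(path):
    """Assumption: 'read only for web users' means no group/other write bit."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(root):
    """Check a WordPress document root against the clean-up steps; return findings."""
    root, findings = Path(root), []
    ht = root / ".htaccess"
    if ht.is_file():
        for rule in htaccess_redirects(ht.read_text(errors="replace")):
            findings.append(f"{ht}: referrer-conditioned redirect: {rule}")
        if world_writable(ht):
            findings.append(f"{ht}: writable by group/others")
    for f in (root / "wp-content" / "themes").rglob("*"):
        name = f.name.lower()
        if name == "functions_extra.php":
            findings.append(f"{f}: file deleted in STEP 2 is present")
        elif name in ("thumb.php", "timthumb.php") and f.is_file():
            m = ALLOWED_SITES.search(f.read_text(errors="replace"))
            if m and m.group(1).strip():
                findings.append(f"{f}: $ALLOWED_SITES is not empty")
        elif name == "cache" and f.is_dir() and world_writable(f):
            findings.append(f"{f}: cache folder writable by group/others")
    return findings
```

Running `audit()` on a schedule against the document root would have caught the re-infection described above, where the redirect code came back about an hour after it was deleted.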
These are the steps that I followed to restore my site (http://www.myscrawls.com) from being hacked. The site is working fine now 🙂 I hope my article would help you in cleaning your site from malware attack. Thanks for stopping by!