Home>Support>Site Hacked (by T1G3R_TR4C3)

Site Hacked (by T1G3R_TR4C3)

Hi

Sorry to bother you, but yesterday I noticed that my website (www.rossgardens.co.uk) had been hacked. My homepage had been replaced with a big message informing me that it had been hacked (by T1G3R_TR4C3).

I contacted A Small Orange who host my site. They sent me the following message:

“I’ve fixed the ‘hacked page’ at rossgardens.co.uk
I noticed that in both the /home/rossgard/public_html AND the /home/rossgard/public_html/wp WordPress installations are severely outdated and are the cause for the compromise.
To secure your account, we request that you apply all steps of the following checklist:
1. Check your account for any additional unfamiliar files and remove them.
2. Update all scripts (WordPress, Joomla! etc.) and their plugins to the latest secure versions.
3. Change your cPanel and your script admin passwords.
4. Ensure all computers used to access your accounts are frequently scanned for viruses and malware.
5. Uninstall any plugins, modules, or themes you are not using. Even if they are disabled the script resides on the server and can be exploited if there is a vulnerability.”

I’d much appreciate any advice regarding the following issues:

1. I presume this means I should look for unfamiliar files in my Dashboard?
2. I’ve updated my version of WordPress and updated active plugins
3. I will change my cPanel password. How do I change my script admin password?
4. I’ve checked that my laptop has no viruses or malware
5. I’ve uninstalled all inactive plugins. How to I know if I have inactive ‘modules or themes’?

I’ve also noticed that this page still states my page has been hacked: http://rossgardens.co.uk/wp/. Do you know why this is?

I have also just got the following message on my Dashboard and I’m not sure what I should do:

WP Super Cache Warning!
Your server is configured to show files and directories which may expose sensitive data such as login cookies to attackers in the cache directories. That has been fixed by adding a file named index.html to each directory. If you use PHP or legacy caching consider moving the location of the cache directory on the Advanced Settings page.
If you just installed WP Super Cache for the first time you can dismiss this message. Otherwise you should probably refresh the login cookies of all logged in WordPress users here by clicking the logout link below.
The logout link will log out all WordPress users on this site except you. Your authentication cookie will be updated but you will not be logged out.

Many thanks
Ross Minett

URL: http://rossgardens.co.uk/wp/

This is our free support forum. Replies can take several days. If you need fast email support, please purchase a SiteOrigin Premium license.

  1. 6 years, 7 months ago Greg Priday Hi, I Work Here

    Hi Ross

    Very sorry to hear your site was hacked. From the WordPress side of things here is a fairly comprehensive list of things you can do to get your site back on track.

    https://codex.wordpress.org/FAQ_My_site_was_hacked

    The summary is to roll back everything to a recent backup from before the hack. Most good web hosts have this, then start following all the steps to ensure your site is secure. Updating all themes, plugins and WordPress itself is a good first step.

  2. 6 years, 7 months ago Greg Priday Hi, I Work Here

    We also recommend installing and running WordFence to keep your site secure after you’ve rolled back to a recent backup.

    https://wordpress.org/plugins/wordfence/

  3. 6 years, 6 months ago rossgardens

    Hi Greg

    Thanks for your response. I’ll try to work my way through the list of actions, and then install and run WordFence.

    Meantime, I contacted my hoster (A Small Orange) again as http://www.rossgardens.co.uk/wp still says it’s hacked. They said:

    “It looks like your wp-config.php file is pointing to an external MySQL server:
    define(‘DB_NAME’, ‘graph15_him’);
    define(‘DB_USER’, ‘graph15_him’);
    define(‘DB_PASSWORD’, ‘password’);
    define(‘DB_HOST’, ‘209.200.251.23’);
    I copied over the wp-config.php from your root directory, but that does not seem to be working. I only see one database on your account. Are you using both of these WordPress installations, the one in public_html and wp? If you aren’t using the one at /wp/ I would suggest removing it.”

    To be honest this means nothing to me and I don’t know the answer to his question. Would you be able to advise me what I should do?

    Many thanks
    Ross

  4. 6 years, 6 months ago Greg Priday Hi, I Work Here

    Hi Ross

    It seems like they’re saying you have 2 separate installations of WordPress running on the same account. Letting them remove the second installation shouldn’t hurt, as long as you weren’t using it. You could ask them to check that there’s nothing important in the /wp/wp-content/ folder.

    A Small Orange is a good web host, so you’re in good hands there. They should be able to help you get everything running as it should be.

  5. 6 years, 6 months ago rossgardens

    Thanks Greg

    A Small Orange has rolled back my site to a backup from before it was hacked.

    However I just tried to update the version of WordPress onthe site to 4.3.1 and got the following message:

    Update WordPress
    Downloading update from https://downloads.wordpress.org/release/wordpress-4.3.1-no-content.zip…
    Download failed.: Failed to write request to temporary file.
    Installation Failed

    I’ve also tried updating the Plugins but they were also unsuccessful.

    I also tried installing Wordfence Security but that was also unsuccessful!

    Do you know why this might be?

    Thanks
    Ross

  6. 6 years, 6 months ago Greg Priday Hi, I Work Here

    Hi Ross

    This looks like a file permission issue, but you should be able to ask A Small Orange to reset file permissions for you.

  7. 6 years, 6 months ago rossgardens

    Thanks Greg.

    Hopefully that’s all it is. My database bacup also failed. I’ve asked A Small Orange to reset my file permissions as you suggested.

    Much appreciated as always
    Ross

Replies on this thread are closed. Please create a new thread if you have a question, or purchase a SiteOrigin Premium license if you need one-on-one email support.

Get The Most Out of SiteOrigin with SiteOrigin Premium

Find Out More