Wordpress Blog Hacked

**elishevadpw** · 1 January, 2009, 17:29 PM

All of our Wordpress sites in our servers got hacked.

The index.php file was overwritten by the hackers code and this shows up instead of our sites:

We tried recovering the index.php file but it didn't help. How do I restore this?

Thanks.

**Aquarezz** · 1 January, 2009, 17:33 PM

Why can't you just reupload the original index.php to your server?

Greets

**Shenron** · 1 January, 2009, 18:24 PM

What version are/were you using?
Do you have a backup?
Is the database still there?

**Mike Dammann** · 1 January, 2009, 18:28 PM

2.6.5
and yes to both other questions

**Shenron** · 1 January, 2009, 18:32 PM

then:
http://www.netbuilders.org/programmi...-new-post.html

**elishevadpw** · 1 January, 2009, 19:18 PM

Originally Posted by Shenron

then:
http://www.netbuilders.org/programmi...-new-post.html

No backups but the database are all still there.

ALL sites in our host account got hacked not just the WP blog but the joomla as well.

We tried overwriting index.php and succeeded but that annoying black page is still there.

Will helped me find all the index.html and index.htm etc and we deleted them all.

But it's still there!

**Shenron** · 1 January, 2009, 19:20 PM

Have you checked your .htaccess file for redirects?

**elishevadpw** · 1 January, 2009, 19:37 PM

The .htaccess file is just this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /home/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /home/index.php [L]
</IfModule>

# END WordPress

**elishevadpw** · 1 January, 2009, 19:43 PM

We found 3 files with the defacement message:

mainbody.php, default.txt, and x.htm.

We deleted them all but it kept recreating itself

Like, Mike deleted them and when I checked they were still there. Then I deleted them, and when Will checked they were still there. Then Will deleted them and he checked again and they're still there.... so strange.